Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8274779

HttpURLConnection: HttpClient and HttpsClient incorrectly check request method when set to POST

XMLWordPrintable

    • b21
    • Verified

        URLConnection pools HttpClient / HttpsClient to serve connections to the same server. When picking up the HttpClient/HttpsClient from the pool, the check is performed whether the connection is still usable. However, this logic is broken for POST requests.

        https://github.com/openjdk/jdk/blob/722d639fad2e4fc6eb2aabd427e2719501899cfe/src/java.base/share/classes/sun/net/www/http/HttpClient.java#L310

        - this line checks for literal value of "POST", whereas it should check for equality.
        As a consequence, the check is performed as intended only if the request method is set using a literal string "POST". The check is not performed, if the request method is set to "POST", but the string is constructed - e.g. read from a property or extracted from configuration.
        A similar issue exists in HttpsClient.

        Expected behaviour:
        The connection liveness check behaviour should be identical, irrespective of how the request method is set.

        Proof:
        A patch for application-side code checking whether the request method is equal to "POST", and setting the requestMethod to a literal "POST", solves the issue on the application side.

              ewhelan Evan Whelan (Inactive)
              shadowbug Shadow Bug
              Votes:
              0 Vote for this issue
              Watchers:
              9 Start watching this issue

                Created:
                Updated:
                Resolved: