currently jwebserver just ignores the host / authority part of the request.
Absolute URLs are used in proxy requests. Jwebserver is not a proxy, and should reject these requests.
Steps to reproduce:
- start jwebserver (by default it starts on 127.0.0.1:8000)
- send a request to a different server using 127.0.0.1 as a proxy
example:
curl -v -x http://127.0.0.1:8000 http://example.com
internally sends:
> GET http://example.com/ HTTP/1.1
> Host: example.com
expected response:
some sort of error; Google uses 404 Not found
actual response:
Success: server returns the directory listing
Absolute URLs are used in proxy requests. Jwebserver is not a proxy, and should reject these requests.
Steps to reproduce:
- start jwebserver (by default it starts on 127.0.0.1:8000)
- send a request to a different server using 127.0.0.1 as a proxy
example:
curl -v -x http://127.0.0.1:8000 http://example.com
internally sends:
> GET http://example.com/ HTTP/1.1
> Host: example.com
expected response:
some sort of error; Google uses 404 Not found
actual response:
Success: server returns the directory listing
- relates to
-
JDK-8320412 NullPointerException in HttpServer on CONNECT attempts
-
- Open
-