Not validating path and query params when returning the full URL, to avoid issues with noncompliant HTTP clients

jekh · jekh · commit f46e14e0a748 · 2016-03-13T15:05:57.000-07:00
diff --git a/browsermob-core-littleproxy/src/main/java/net/lightbody/bmp/filters/HttpsAwareFiltersAdapter.java b/browsermob-core-littleproxy/src/main/java/net/lightbody/bmp/filters/HttpsAwareFiltersAdapter.java
@@ -58,12 +58,18 @@ public String getFullUrl(HttpRequest modifiedRequest) {
         }
 
         // To get the full URL, we need to retrieve the Scheme, Host + Port, Path, and Query Params from the request.
-        // Scheme: the scheme (HTTP/HTTPS) may or may not be part of the request, and so must be generated based on the
-        //   type of connection.
+        // If the request URI starts with http:// or https://, it is already a full URL and can be returned directly.
+        if (BrowserMobHttpUtil.startsWithHttpOrHttps(modifiedRequest.getUri())) {
+            return modifiedRequest.getUri();
+        }
+
+        // The URI did not include the scheme and host, so examine the request to obtain them:
+        // Scheme: the scheme (HTTP/HTTPS) are based on the type of connection, obtained from isHttps()
         // Host and Port: available for HTTP and HTTPS requests using the getHostAndPort() helper method.
-        // Path + Query Params + Fragment: these elements are contained in the HTTP request for both HTTP and HTTPS
+        // Path + Query Params: since the request URI doesn't start with the scheme, we can safely assume that the URI
+        //    contains only the path and query params.
         String hostAndPort = getHostAndPort(modifiedRequest);
-        String path = BrowserMobHttpUtil.getRawPathAndParamsFromRequest(modifiedRequest);
+        String path = modifiedRequest.getUri();
         String url;
         if (isHttps()) {
             url = "https://" + hostAndPort + path;
diff --git a/browsermob-core/src/main/java/net/lightbody/bmp/util/BrowserMobHttpUtil.java b/browsermob-core/src/main/java/net/lightbody/bmp/util/BrowserMobHttpUtil.java
@@ -246,18 +246,19 @@ public static String getHostAndPortFromRequest(HttpRequest httpRequest) {
      *
      * @param httpRequest HTTP request
      * @return the unescaped path + query string from the HTTP request
+     * @throws URISyntaxException if the path could not be parsed (due to invalid characters in the URI, etc.)
      */
-    public static String getRawPathAndParamsFromRequest(HttpRequest httpRequest) {
+    public static String getRawPathAndParamsFromRequest(HttpRequest httpRequest) throws URISyntaxException {
         // if this request's URI contains a full URI (including scheme, host, etc.), strip away the non-path components
         if (startsWithHttpOrHttps(httpRequest.getUri())) {
-            try {
-                return getRawPathAndParamsFromUri(httpRequest.getUri());
-            } catch (URISyntaxException e) {
-                // could not parse the URI, so fall through and return the URI as-is
-            }
-        }
+            return getRawPathAndParamsFromUri(httpRequest.getUri());
+        } else {
+            // to provide consistent validation behavior for URIs that contain a scheme and those that don't, attempt to parse
+            // the URI, even though we discard the parsed URI object
+            new URI(httpRequest.getUri());
 
-        return httpRequest.getUri();
+            return httpRequest.getUri();
+        }
     }
 
     /**
