From f24fadc6240e2dcb5bcd732c91ccc03d1aa19e8a Mon Sep 17 00:00:00 2001
From: Michael McMahon <michaelm@openjdk.org>
Date: Mon, 15 Sep 2025 13:31:30 +0000
Subject: [PATCH] 8362632: Improve HttpServer Request handling

Reviewed-by: djelinski, dfuchs
---
 .../com/sun/net/httpserver/Headers.java       | 37 +++++--------------
 .../sun/net/httpserver/ExchangeImpl.java      | 19 +++++++---
 .../classes/sun/net/httpserver/Utils.java     | 33 +++++++++++++++++
 3 files changed, 57 insertions(+), 32 deletions(-)

diff --git a/src/jdk.httpserver/share/classes/com/sun/net/httpserver/Headers.java b/src/jdk.httpserver/share/classes/com/sun/net/httpserver/Headers.java
index 2decd48c806..9389aae8691 100644
--- a/src/jdk.httpserver/share/classes/com/sun/net/httpserver/Headers.java
+++ b/src/jdk.httpserver/share/classes/com/sun/net/httpserver/Headers.java
@@ -36,6 +36,7 @@ import java.util.Set;
 import java.util.function.BiFunction;
 import java.util.stream.Collectors;
 import sun.net.httpserver.UnmodifiableHeaders;
+import sun.net.httpserver.Utils;
 
 /**
  * HTTP request and response headers are represented by this class which
@@ -216,8 +217,13 @@ public class Headers implements Map<String, List<String>> {
 
     @Override
     public List<String> put(String key, List<String> value) {
+        // checkHeader is called in this class to fail fast
+        // It also must be called in sendResponseHeaders because
+        // Headers instances internal state can be modified
+        // external to these methods.
+        Utils.checkHeader(key, false);
         for (String v : value)
-            checkValue(v);
+            Utils.checkHeader(v, true);
         return map.put(normalize(key), value);
     }
 
@@ -229,7 +235,8 @@ public class Headers implements Map<String, List<String>> {
      * @param value the value to add to the header
      */
     public void add(String key, String value) {
-        checkValue(value);
+        Utils.checkHeader(key, false);
+        Utils.checkHeader(value, true);
         String k = normalize(key);
         List<String> l = map.get(k);
         if (l == null) {
@@ -239,30 +246,6 @@ public class Headers implements Map<String, List<String>> {
         l.add(value);
     }
 
-    private static void checkValue(String value) {
-        int len = value.length();
-        for (int i=0; i<len; i++) {
-            char c = value.charAt(i);
-            if (c == '\r') {
-                // is allowed if it is followed by \n and a whitespace char
-                if (i >= len - 2) {
-                    throw new IllegalArgumentException("Illegal CR found in header");
-                }
-                char c1 = value.charAt(i+1);
-                char c2 = value.charAt(i+2);
-                if (c1 != '\n') {
-                    throw new IllegalArgumentException("Illegal char found after CR in header");
-                }
-                if (c2 != ' ' && c2 != '\t') {
-                    throw new IllegalArgumentException("No whitespace found after CRLF in header");
-                }
-                i+=2;
-            } else if (c == '\n') {
-                throw new IllegalArgumentException("Illegal LF found in header");
-            }
-        }
-    }
-
     /**
      * Sets the given {@code value} as the sole header value for the given
      * {@code key}. If the mapping does not already exist, then it is created.
@@ -304,7 +287,7 @@ public class Headers implements Map<String, List<String>> {
     public void replaceAll(BiFunction<? super String, ? super List<String>, ? extends List<String>> function) {
         var f = function.andThen(values -> {
             Objects.requireNonNull(values);
-            values.forEach(Headers::checkValue);
+            values.forEach(value -> Utils.checkHeader(value, true));
             return values;
         });
         Map.super.replaceAll(f);
diff --git a/src/jdk.httpserver/share/classes/sun/net/httpserver/ExchangeImpl.java b/src/jdk.httpserver/share/classes/sun/net/httpserver/ExchangeImpl.java
index 8da98cdcfa5..ad6805938a2 100644
--- a/src/jdk.httpserver/share/classes/sun/net/httpserver/ExchangeImpl.java
+++ b/src/jdk.httpserver/share/classes/sun/net/httpserver/ExchangeImpl.java
@@ -207,6 +207,8 @@ class ExchangeImpl {
         return uos_orig;
     }
 
+    private static final byte[] CRLF = new byte[] {0x0D, 0x0A};
+
     public void sendResponseHeaders(int rCode, long contentLen)
     throws IOException
     {
@@ -215,10 +217,11 @@ class ExchangeImpl {
             throw new IOException("headers already sent");
         }
         this.rcode = rCode;
-        String statusLine = "HTTP/1.1 " + rCode + Code.msg(rCode) + "\r\n";
+        String statusLine = "HTTP/1.1 " + rCode + Code.msg(rCode);
         ByteArrayOutputStream tmpout = new ByteArrayOutputStream();
         PlaceholderOutputStream o = getPlaceholderResponseBody();
-        tmpout.write(bytes(statusLine, 0), 0, statusLine.length());
+        tmpout.write(bytes(statusLine, false, 0), 0, statusLine.length());
+        tmpout.write(CRLF);
         boolean noContentToSend = false; // assume there is content
         boolean noContentLengthHeader = false; // must not send Content-length is set
         rspHdrs.set("Date", FORMATTER.format(Instant.now()));
@@ -305,11 +308,11 @@ class ExchangeImpl {
             List<String> values = entry.getValue();
             for (String val : values) {
                 int i = key.length();
-                buf = bytes(key, 2);
+                buf = bytes(key, true, 2);
                 buf[i++] = ':';
                 buf[i++] = ' ';
                 os.write(buf, 0, i);
-                buf = bytes(val, 2);
+                buf = bytes(val, false, 2);
                 i = val.length();
                 buf[i++] = '\r';
                 buf[i++] = '\n';
@@ -327,8 +330,14 @@ class ExchangeImpl {
      * Make sure that at least "extra" bytes are free at end
      * of rspbuf. Reallocate rspbuf if not big enough.
      * caller must check return value to see if rspbuf moved
+     *
+     * Header values are supposed to be limited to 7-bit ASCII
+     * but 8-bit has to be allowed (for ISO_8859_1). For efficiency
+     * we just down cast 16 bit Java chars to byte. We don't allow
+     * any character that can't be encoded in 8 bits.
      */
-    private byte[] bytes(String s, int extra) {
+    private byte[] bytes(String s, boolean isKey, int extra) throws IOException {
+        Utils.checkHeader(s, !isKey);
         int slen = s.length();
         if (slen+extra > rspbuf.length) {
             int diff = slen + extra - rspbuf.length;
diff --git a/src/jdk.httpserver/share/classes/sun/net/httpserver/Utils.java b/src/jdk.httpserver/share/classes/sun/net/httpserver/Utils.java
index 43dadb84a90..41834172f27 100644
--- a/src/jdk.httpserver/share/classes/sun/net/httpserver/Utils.java
+++ b/src/jdk.httpserver/share/classes/sun/net/httpserver/Utils.java
@@ -88,4 +88,37 @@ public class Utils {
         }
         return true;
     }
+
+    /* Throw IAE if illegal character found.  isValue is true if String is
+     * a value. Otherwise it is header name
+     */
+    public static void checkHeader(String str, boolean isValue) {
+        int len = str.length();
+        for (int i=0; i<len; i++) {
+            char c = str.charAt(i);
+            if (c == '\r') {
+                if (!isValue) {
+                    throw new IllegalArgumentException("Illegal CR found in header");
+                }
+                // is allowed if it is followed by \n and a whitespace char
+                if (i >= len - 2) {
+                    throw new IllegalArgumentException("Illegal CR found in header");
+                }
+                char c1 = str.charAt(i+1);
+                char c2 = str.charAt(i+2);
+                if (c1 != '\n') {
+                    throw new IllegalArgumentException("Illegal char found after CR in header");
+                }
+                if (c2 != ' ' && c2 != '\t') {
+                    throw new IllegalArgumentException("No whitespace found after CRLF in header");
+                }
+                i+=2;
+            } else if (c == '\n') {
+                throw new IllegalArgumentException("Illegal LF found in header");
+            } else if (c > 255) {
+                throw new IllegalArgumentException("Illegal character found in header");
+            }
+        }
+    }
+
 }