Tolerate absolute-form request targets

We've seen S3 clients expecting to be able to send request lines like
 GET https://cluster.domain/bucket/key HTTP/1.1
instead of the expected
 GET /bucket/key HTTP/1.1
Testing against other, independent servers with something like
 ( echo -n $'GET https://www.google.com/ HTTP/1.1\r\nHost: www.google.com\r\nConnection: close\r\n\r\n' ; sleep 1 ) | openssl s_client -connect www.google.com:443
suggests that it may be reasonable to accept them; the RFC even goes so
far as to say
> To allow for transition to the absolute-form for all requests in some
> future version of HTTP, a server MUST accept the absolute-form in
> requests, even though HTTP/1.1 clients will only send them in
> requests to proxies.
(See https://datatracker.ietf.org/doc/html/rfc7230#section-5.3.2)
Fix it at the protocol level, so everywhere else we can mostly continue
to assume that PATH_INFO starts with a / like we always have.
Co-Authored-By: Clay Gerrard <clay.gerrard@gmail.com>
Change-Id: I04012e523f01e910f41d5a41cdd86d3d2a1b9c59
Tim Burke
2022-09-07 12:20:16 -07:00
parent 2d7c1dc6dd
commit f6ac7d4491
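
The normalization the commit message describes, rewriting an absolute-form request target to origin-form before anything reads PATH_INFO, can be sketched as follows. This is an added example, not part of this commit and not Swift's code; `normalize_request_target` and its return shape are hypothetical, and the sample targets in the test are constructed.

```python
import re

# scheme "://" authority, then the raw path and query. A fragment ('#') never
# belongs in a request target, so it is deliberately not matched.
_ABSOLUTE_FORM = re.compile(r'^(https?)://([^/?#]*)([^#]*)$', re.IGNORECASE)


def normalize_request_target(target, host_header):
    """Return (origin_form_target, authority, authority_mismatch).

    Hypothetical helper. origin_form_target always starts with '/' (or is
    '*'), so later code can keep assuming a leading slash. The path and query
    bytes are passed through untouched, because signature checks on presigned
    URLs are sensitive to re-encoding.
    """
    host_header = host_header or ''
    if target.startswith('/') or target == '*':
        # origin-form or asterisk-form: authority comes from the Host header
        return target, host_header, False

    match = _ABSOLUTE_FORM.match(target)
    if not match:
        raise ValueError('unsupported request target: %r' % target)
    _scheme, authority, rest = match.groups()
    if not authority or '@' in authority:
        # empty host or userinfo in the authority: refuse rather than guess
        raise ValueError('bad authority in request target: %r' % target)

    if not rest:
        rest = '/'            # "https://host" means the root path
    elif rest.startswith('?'):
        rest = '/' + rest     # "https://host?query" has an empty path

    # RFC 7230 section 5.5: for absolute-form, the effective request URI is
    # the request target itself. Report a disagreement with Host so the
    # caller can log or reject it before any signature is evaluated.
    mismatch = authority.lower() != host_header.lower()
    return rest, authority, mismatch
```
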


@@ -17,6 +17,7 @@ import os
import requests
from swift.common.bufferedhttp import http_connect_raw
from swift.common.middleware.s3api.etree import fromstring
import test.functional as tf
@@ -223,6 +224,35 @@ class TestS3ApiPresignedUrls(S3ApiBase):
status, _junk, _junk = self.conn.make_request('DELETE', bucket)
self.assertEqual(status, 204)
def test_absolute_form_request(self):
bucket = 'test-bucket'
put_url, headers = self.conn.generate_url_and_headers(
'PUT', bucket)
resp = http_connect_raw(
self.conn.host,
self.conn.port,
'PUT',
put_url, # whole URL, not just the path/query!
headers=headers,
ssl=put_url.startswith('https:'),
).getresponse()
self.assertEqual(resp.status, 200,
'Got %d%s' % (resp.status, resp.read()))
delete_url, headers = self.conn.generate_url_and_headers(
'DELETE', bucket)
resp = http_connect_raw(
self.conn.host,
self.conn.port,
'DELETE',
delete_url, # whole URL, not just the path/query!
headers=headers,
ssl=delete_url.startswith('https:'),
).getresponse()
self.assertEqual(resp.status, 204,
'Got %d%s' % (resp.status, resp.read()))
class TestS3ApiPresignedUrlsSigV4(TestS3ApiPresignedUrls):
@classmethod
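Review bot: test_absolute_form_request only covers the case where the request target and the signed headers agree, since put_url and delete_url come from the same self.conn whose host and port the socket connects to. Consider adding a case that keeps the headers returned by generate_url_and_headers but changes the authority in the URL passed to http_connect_raw, and asserts the expected status, so it is pinned down which of the two the signature check uses. The commit message's motivating request is an object-level `GET https://cluster.domain/bucket/key`, while the test exercises only bucket-level PUT and DELETE; an object GET through the same path would match the reported client behaviour more closely. Minor: the failure message 'Got %d%s' runs the status code straight into the response body, so 'Got %d: %r' would be easier to read.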