All Downloads are FREE. Search and download functionalities are using the official Maven repository.

io.netty.handler.codec.http.HttpServerCodec Maven / Gradle / Ivy

There is a newer version: 5.0.0.Alpha2
Show newest version
/*
 * Copyright 2012 The Netty Project
 *
 * The Netty Project licenses this file to you under the Apache License,
 * version 2.0 (the "License"); you may not use this file except in compliance
 * with the License. You may obtain a copy of the License at:
 *
 *   https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 * License for the specific language governing permissions and limitations
 * under the License.
 */
package io.netty.handler.codec.http;

import io.netty.buffer.ByteBuf;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.CombinedChannelDuplexHandler;

import java.util.ArrayDeque;
import java.util.List;
import java.util.Queue;

import static io.netty.handler.codec.http.HttpObjectDecoder.DEFAULT_MAX_CHUNK_SIZE;
import static io.netty.handler.codec.http.HttpObjectDecoder.DEFAULT_MAX_HEADER_SIZE;
import static io.netty.handler.codec.http.HttpObjectDecoder.DEFAULT_MAX_INITIAL_LINE_LENGTH;
import static io.netty.handler.codec.http.HttpObjectDecoder.DEFAULT_VALIDATE_HEADERS;

/**
 * A combination of {@link HttpRequestDecoder} and {@link HttpResponseEncoder}
 * which enables easier server side HTTP implementation.
 *
 * 

Header Validation

* * It is recommended to always enable header validation. *

* Without header validation, your system can become vulnerable to * * CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') * . *

* This recommendation stands even when both peers in the HTTP exchange are trusted, * as it helps with defence-in-depth. * * @see HttpClientCodec */ public final class HttpServerCodec extends CombinedChannelDuplexHandler implements HttpServerUpgradeHandler.SourceCodec { /** A queue that is used for correlating a request and a response. */ private final Queue queue = new ArrayDeque(); /** * Creates a new instance with the default decoder options * ({@code maxInitialLineLength (4096)}, {@code maxHeaderSize (8192)}, and * {@code maxChunkSize (8192)}). */ public HttpServerCodec() { this(DEFAULT_MAX_INITIAL_LINE_LENGTH, DEFAULT_MAX_HEADER_SIZE, DEFAULT_MAX_CHUNK_SIZE); } /** * Creates a new instance with the specified decoder options. */ public HttpServerCodec(int maxInitialLineLength, int maxHeaderSize, int maxChunkSize) { this(new HttpDecoderConfig() .setMaxInitialLineLength(maxInitialLineLength) .setMaxHeaderSize(maxHeaderSize) .setMaxChunkSize(maxChunkSize)); } /** * Creates a new instance with the specified decoder options. * * @deprecated Prefer the {@link #HttpServerCodec(HttpDecoderConfig)} constructor, * to always enable header validation. */ @Deprecated public HttpServerCodec(int maxInitialLineLength, int maxHeaderSize, int maxChunkSize, boolean validateHeaders) { this(new HttpDecoderConfig() .setMaxInitialLineLength(maxInitialLineLength) .setMaxHeaderSize(maxHeaderSize) .setMaxChunkSize(maxChunkSize) .setValidateHeaders(validateHeaders)); } /** * Creates a new instance with the specified decoder options. * * @deprecated Prefer the {@link #HttpServerCodec(HttpDecoderConfig)} constructor, to always enable header * validation. */ @Deprecated public HttpServerCodec(int maxInitialLineLength, int maxHeaderSize, int maxChunkSize, boolean validateHeaders, int initialBufferSize) { this(new HttpDecoderConfig() .setMaxInitialLineLength(maxInitialLineLength) .setMaxHeaderSize(maxHeaderSize) .setMaxChunkSize(maxChunkSize) .setValidateHeaders(validateHeaders) .setInitialBufferSize(initialBufferSize)); } /** * Creates a new instance with the specified decoder options. * * @deprecated Prefer the {@link #HttpServerCodec(HttpDecoderConfig)} constructor, * to always enable header validation. */ @Deprecated public HttpServerCodec(int maxInitialLineLength, int maxHeaderSize, int maxChunkSize, boolean validateHeaders, int initialBufferSize, boolean allowDuplicateContentLengths) { this(new HttpDecoderConfig() .setMaxInitialLineLength(maxInitialLineLength) .setMaxHeaderSize(maxHeaderSize) .setMaxChunkSize(maxChunkSize) .setValidateHeaders(validateHeaders) .setInitialBufferSize(initialBufferSize) .setAllowDuplicateContentLengths(allowDuplicateContentLengths)); } /** * Creates a new instance with the specified decoder options. * * @deprecated Prefer the {@link #HttpServerCodec(HttpDecoderConfig)} constructor, * to always enable header validation. */ @Deprecated public HttpServerCodec(int maxInitialLineLength, int maxHeaderSize, int maxChunkSize, boolean validateHeaders, int initialBufferSize, boolean allowDuplicateContentLengths, boolean allowPartialChunks) { this(new HttpDecoderConfig() .setMaxInitialLineLength(maxInitialLineLength) .setMaxHeaderSize(maxHeaderSize) .setMaxChunkSize(maxChunkSize) .setValidateHeaders(validateHeaders) .setInitialBufferSize(initialBufferSize) .setAllowDuplicateContentLengths(allowDuplicateContentLengths) .setAllowPartialChunks(allowPartialChunks)); } /** * Creates a new instance with the specified decoder configuration. */ public HttpServerCodec(HttpDecoderConfig config) { init(new HttpServerRequestDecoder(config), new HttpServerResponseEncoder()); } /** * Upgrades to another protocol from HTTP. Removes the {@link HttpRequestDecoder} and * {@link HttpResponseEncoder} from the pipeline. */ @Override public void upgradeFrom(ChannelHandlerContext ctx) { ctx.pipeline().remove(this); } private final class HttpServerRequestDecoder extends HttpRequestDecoder { HttpServerRequestDecoder(HttpDecoderConfig config) { super(config); } @Override protected void decode(ChannelHandlerContext ctx, ByteBuf buffer, List out) throws Exception { int oldSize = out.size(); super.decode(ctx, buffer, out); int size = out.size(); for (int i = oldSize; i < size; i++) { Object obj = out.get(i); if (obj instanceof HttpRequest) { queue.add(((HttpRequest) obj).method()); } } } } private final class HttpServerResponseEncoder extends HttpResponseEncoder { private HttpMethod method; @Override protected void sanitizeHeadersBeforeEncode(HttpResponse msg, boolean isAlwaysEmpty) { if (!isAlwaysEmpty && HttpMethod.CONNECT.equals(method) && msg.status().codeClass() == HttpStatusClass.SUCCESS) { // Stripping Transfer-Encoding: // See https://tools.ietf.org/html/rfc7230#section-3.3.1 msg.headers().remove(HttpHeaderNames.TRANSFER_ENCODING); return; } super.sanitizeHeadersBeforeEncode(msg, isAlwaysEmpty); } @Override protected boolean isContentAlwaysEmpty(@SuppressWarnings("unused") HttpResponse msg) { method = queue.poll(); return HttpMethod.HEAD.equals(method) || super.isContentAlwaysEmpty(msg); } } }