Class UriCompliance
- All Implemented Interfaces:
ComplianceViolation.Mode
UriCompliance.Violations which are allowed when the mode is enabled.
-
Nested Class Summary
Nested Classes
Modifier and Type, Class: Description
- static enum UriCompliance.Violation: These are URI compliance "violations", which may be allowed by the compliance mode.
-
Field Summary
Fields
Modifier and Type, Field: Description
- static final Set<UriCompliance.Violation> AMBIGUOUS_VIOLATIONS: Set of violations that can trigger a HttpURI.isAmbiguous violation.
- static final UriCompliance DEFAULT
- static final UriCompliance JETTY_11: JETTY_11 compliance mode that models Jetty 11 DEFAULT behavior by allowing:
  - UriCompliance.Violation.AMBIGUOUS_PATH_SEGMENT
  - UriCompliance.Violation.AMBIGUOUS_PATH_SEPARATOR
  - UriCompliance.Violation.AMBIGUOUS_PATH_ENCODING
  - UriCompliance.Violation.SUSPICIOUS_PATH_CHARACTERS
  - UriCompliance.Violation.TRUNCATED_UTF8_ENCODING
  - UriCompliance.Violation.UTF16_ENCODINGS
  - UriCompliance.Violation.USER_INFO
- static final UriCompliance LEGACY: LEGACY compliance mode that models pre Jetty 12 LEGACY behaviors by allowing:
  - UriCompliance.Violation.AMBIGUOUS_PATH_SEGMENT
  - UriCompliance.Violation.AMBIGUOUS_PATH_SEPARATOR
  - UriCompliance.Violation.AMBIGUOUS_PATH_ENCODING
  - UriCompliance.Violation.AMBIGUOUS_EMPTY_SEGMENT
  - UriCompliance.Violation.SUSPICIOUS_PATH_CHARACTERS
  - UriCompliance.Violation.TRUNCATED_UTF8_ENCODING
  - UriCompliance.Violation.UTF16_ENCODINGS
  - UriCompliance.Violation.USER_INFO
- static final Set<UriCompliance.Violation> NO_VIOLATION
- static final UriCompliance RFC3986: Compliance mode that exactly follows RFC3986, excluding all URI Violations.
- static final UriCompliance UNAMBIGUOUS: Compliance mode that allows all unambiguous violations.
- static final UriCompliance UNSAFE: Compliance mode that allows all URI Violations, including allowing ambiguous paths in non-canonical form, and illegal characters.
-
Constructor Summary
Constructors -
Method Summary
Modifier and Type, Method: Description
- boolean allows(ComplianceViolation violation)
- static String checkUriCompliance(UriCompliance compliance, HttpURI uri, ComplianceViolation.Listener listener)
- static UriCompliance from(String spec): Create compliance set from string.
- static UriCompliance from(Set<UriCompliance.Violation> violations): Create compliance set from a set of allowed Violations.
- Set<UriCompliance.Violation> getAllowed(): Get the set of UriCompliance.Violations allowed by this compliance mode.
- Set<UriCompliance.Violation> getKnown()
- String getName()
- static boolean isAmbiguous(Set<UriCompliance.Violation> violations)
- static boolean isPathViolation(UriCompliance.Violation violation): Test if violation is referencing a HttpURI.path violation.
- String toString()
- static UriCompliance valueOf(String name)
- UriCompliance with(String name, UriCompliance.Violation... violations): Create a new UriCompliance mode that includes the passed UriCompliance.Violations.
- UriCompliance without(String name, UriCompliance.Violation... violations): Create a new UriCompliance mode that excludes the passed UriCompliance.Violations.
-
Field Details
-
NO_VIOLATION
-
AMBIGUOUS_VIOLATIONS
Set of violations that can trigger a HttpURI.isAmbiguous violation. -
RFC3986
Compliance mode that exactly follows RFC3986, excluding all URI Violations. -
UNAMBIGUOUS
Compliance mode that allows all unambiguous violations. -
DEFAULT
-
JETTY_11
JETTY_11 compliance mode that models Jetty 11 DEFAULT behavior by allowing:
- UriCompliance.Violation.AMBIGUOUS_PATH_SEGMENT
- UriCompliance.Violation.AMBIGUOUS_PATH_SEPARATOR
- UriCompliance.Violation.AMBIGUOUS_PATH_ENCODING
- UriCompliance.Violation.SUSPICIOUS_PATH_CHARACTERS
- UriCompliance.Violation.TRUNCATED_UTF8_ENCODING
- UriCompliance.Violation.UTF16_ENCODINGS
- UriCompliance.Violation.USER_INFO
Note: this mode allows URL/URIs that the Servlet spec will reject.
See point 10 "Rejecting Suspicious Sequences" in Section 3.5.2. URI Path Canonicalization,
and Jetty Documentation: Servlet URI Compliance Modes. -
LEGACY
LEGACY compliance mode that models pre Jetty 12 LEGACY behaviors by allowing:
- UriCompliance.Violation.AMBIGUOUS_PATH_SEGMENT
- UriCompliance.Violation.AMBIGUOUS_PATH_SEPARATOR
- UriCompliance.Violation.AMBIGUOUS_PATH_ENCODING
- UriCompliance.Violation.AMBIGUOUS_EMPTY_SEGMENT
- UriCompliance.Violation.SUSPICIOUS_PATH_CHARACTERS
- UriCompliance.Violation.TRUNCATED_UTF8_ENCODING
- UriCompliance.Violation.UTF16_ENCODINGS
- UriCompliance.Violation.USER_INFO
Note: this mode allows URL/URIs that the Servlet spec will reject.
See point 10 "Rejecting Suspicious Sequences" in Section 3.5.2. URI Path Canonicalization,
and Jetty Documentation: Servlet URI Compliance Modes. -
UNSAFE
Compliance mode that allows all URI Violations, including allowing ambiguous paths in non-canonical form, and illegal characters.
Note: this mode allows URL/URIs that the Servlet spec will reject.
See point 10 "Rejecting Suspicious Sequences" in Section 3.5.2. URI Path Canonicalization,
and Jetty Documentation: Servlet URI Compliance Modes.
-
-
Constructor Details
-
UriCompliance
-
-
Method Details
-
isAmbiguous
-
valueOf
-
from
Create compliance set from a set of allowed Violations.
- Parameters:
violations - A string of violations to allow:
- Returns:
- the compliance from the string spec
-
from
Create compliance set from string.
Format: <BASE>[,[-]<violation>]...
BASE is one of:
- 0: No UriCompliance.Violations
- *: All UriCompliance.Violations
- <name>: The name of a static instance of UriCompliance (e.g. RFC3986).
The remainder of the list can contain the names of UriCompliance.Violations to include them in the mode, or prefixed with a '-' to exclude them from the mode. Examples are:
- 0,AMBIGUOUS_PATH_PARAMETER: Only allow UriCompliance.Violation.AMBIGUOUS_PATH_PARAMETER
- *,-AMBIGUOUS_PATH_PARAMETER: Allow all except UriCompliance.Violation.AMBIGUOUS_PATH_PARAMETER
- RFC3986,AMBIGUOUS_PATH_PARAMETER: Same as RFC3986 plus UriCompliance.Violation.AMBIGUOUS_PATH_PARAMETER
- Parameters:
spec - A string describing the compliance
- Returns:
- the UriCompliance instance derived from the string description
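The spec format above can be audited before it reaches a connector. The following is an added example, not code from the Jetty documentation: it parses constructed spec strings with from(String), reports which members of AMBIGUOUS_VIOLATIONS each resulting mode allows, and derives a tightened mode with without(). It assumes jetty-http is on the classpath; the class name UriComplianceSpecAudit, the sample specs and the mode name "TIGHTENED" are made up for illustration.

```java
import java.util.EnumSet;
import java.util.Set;
import org.eclipse.jetty.http.UriCompliance;
import org.eclipse.jetty.http.UriCompliance.Violation;

public class UriComplianceSpecAudit
{
    // Members of AMBIGUOUS_VIOLATIONS that the given mode allows.
    static Set<Violation> ambiguousAllowed(UriCompliance mode)
    {
        Set<Violation> hits = EnumSet.noneOf(Violation.class);
        for (Violation v : UriCompliance.AMBIGUOUS_VIOLATIONS)
        {
            if (mode.allows(v))
                hits.add(v);
        }
        return hits;
    }

    public static void main(String[] args)
    {
        // Constructed sample specs in the <BASE>[,[-]<violation>]... format.
        String[] specs = {
            "RFC3986",
            "0,AMBIGUOUS_PATH_PARAMETER",
            "RFC3986,AMBIGUOUS_PATH_PARAMETER",
            "*,-AMBIGUOUS_PATH_PARAMETER"
        };
        for (String spec : specs)
        {
            UriCompliance mode = UriCompliance.from(spec);
            Set<Violation> hits = ambiguousAllowed(mode);
            System.out.printf("%-34s allows %d violation(s), ambiguous: %s%n",
                spec, mode.getAllowed().size(), hits);
            if (hits.isEmpty())
                continue;
            // Keep the rest of the spec but drop the ambiguous violations it allowed.
            UriCompliance tightened = mode.without("TIGHTENED", hits.toArray(new Violation[0]));
            System.out.printf("  %s still allows: %s%n", tightened.getName(), tightened.getAllowed());
        }
    }
}
```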
-
allows
- Specified by:
allows in interface ComplianceViolation.Mode
- Parameters:
violation - The ComplianceViolation to test
- Returns:
- true iff the violation is allowed by this mode.
-
getName
- Specified by:
getName in interface ComplianceViolation.Mode
- Returns:
- The name of the compliance violation mode.
-
getAllowed
Get the set of UriCompliance.Violations allowed by this compliance mode.
- Specified by:
getAllowed in interface ComplianceViolation.Mode
- Returns:
- The immutable set of UriCompliance.Violations allowed by this compliance mode.
-
getKnown
- Specified by:
getKnown in interface ComplianceViolation.Mode
- Returns:
- The immutable set of all known violations for this mode.
-
with
Create a new UriCompliance mode that includes the passed UriCompliance.Violations.
- Parameters:
name - The name of the new mode
violations - The violations to include
- Returns:
- A new UriCompliance mode.
-
without
Create a new UriCompliance mode that excludes the passed UriCompliance.Violations.
- Parameters:
name - The name of the new mode
violations - The violations to exclude
- Returns:
- A new UriCompliance mode.
-
isPathViolation
Test if violation is referencing a HttpURI.path violation.
- Parameters:
violation - the violation to test.
- Returns:
- true if violation is a path violation.
-
toString
-
checkUriCompliance
public static String checkUriCompliance(UriCompliance compliance, HttpURI uri, ComplianceViolation.Listener listener)
-