authorBjørn Christian Seime <bjorncs@verizonmedia.com>2022-10-25 10:30:54 +0200
committerGitHub <noreply@github.com>2022-10-25 10:30:54 +0200
commit70026cc89de5a1586f7b70e261d0f09c437a2263 (patch)
treece445364afd313f5336d7addac3a6398d8b704a7
parentc1199cb33a06987916085c0ef267c7f3e2d6acff (diff)
parent0e18f25fe4b7df72d602c377c3b97afe06993a7f (diff)
Merge pull request #24559 from vespa-engine/bjorncs/access-log-hardening
Fallback to 'Host' header for invalid requests using relative path MERGEOK
-rw-r--r--container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/AccessLogRequestLog.java15
1 files changed, 14 insertions, 1 deletions
diff --git a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/AccessLogRequestLog.java b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/AccessLogRequestLog.java
index 3506d8b991f..13a63efeaa9 100644
--- a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/AccessLogRequestLog.java
+++ b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/AccessLogRequestLog.java
@@ -76,7 +76,7 @@ class AccessLogRequestLog extends AbstractLifeCycle implements org.eclipse.jetty
addNonNullValue(builder, request.getProtocol(), RequestLogEntry.Builder::httpVersion);
addNonNullValue(builder, request.getScheme(), RequestLogEntry.Builder::scheme);
addNonNullValue(builder, request.getHeader("User-Agent"), RequestLogEntry.Builder::userAgent);
- addNonNullValue(builder, request.getServerName(), RequestLogEntry.Builder::hostString);
+ addNonNullValue(builder, getServerName(request), RequestLogEntry.Builder::hostString);
addNonNullValue(builder, request.getHeader("Referer"), RequestLogEntry.Builder::referer);
addNonNullValue(builder, request.getQueryString(), RequestLogEntry.Builder::rawQuery);
@@ -131,6 +131,19 @@ class AccessLogRequestLog extends AbstractLifeCycle implements org.eclipse.jetty
}
}
+ private static String getServerName(Request request) {
+ try {
+ return request.getServerName();
+ } catch (IllegalArgumentException e) {
+ /*
+ * getServerName() may throw IllegalArgumentException for invalid requests where request line contains a URI with relative path.
+ * Jetty correctly responds with '400 Bad Request' prior to invoking our request log implementation.
+ */
+ logger.log(Level.FINE, e, () -> "Fallback to 'Host' header");
+ return request.getHeader("Host");
+ }
+ }
+
private String getRemoteAddress(HttpServletRequest request) {
for (String header : remoteAddressHeaders) {
String value = request.getHeader(header);
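Review bot: The fallback in `getServerName` returns the raw `Host` header, which is client-supplied and on this path comes from a request Jetty has already rejected as malformed, so `hostString` can now carry an unvalidated value. Unlike `request.getServerName()`, the header may include a `:port` suffix or unexpected characters, which makes the field's format inconsistent for anything that parses the access log; whether the log writers escape or bound the value is not visible in this hunk. I would at least document this in the catch block, e.g. `// 'Host' is client-supplied and unvalidated here (may include ':port'); consumers must treat hostString as untrusted`. If downstream tooling expects a bare hostname, consider normalising or length-bounding the value before returning it.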