Details
- Bug
- Status: Open
- Minor
- Resolution: Unresolved
- (Java) V4 4.6.0, (Java) V4 4.7.0, (Java) V4 4.8.0
- None
- None
Description
In some cases the ODataHttpHandlerImpl in server-core tries to determine the start of the ODataPath (separating the protocol/host from the odata part) by String matching a given ContextPath/ServletPath against the raw URI.
If the hostname contains the same String used by the ServletPath as a substring, the used indexOf() function returns a wrong index (first match wins) and the URL is split up (and consequently parsed) wrong. A part of the hostname is mistaken for the start of the ODataPath.
The offending lines are:
org.apache.olingo.server.core.ODataHttpHandlerImpl:278 (github link)

    } else if (!"".equals(httpRequest.getServletPath())) {
      int beginIndex = rawRequestUri.indexOf(httpRequest.getServletPath()) + httpRequest.getServletPath().length();
      rawODataPath = rawRequestUri.substring(beginIndex);
    }

org.apache.olingo.server.core.ODataHttpHandlerImpl:281 (github link)

    } else if (!"".equals(httpRequest.getContextPath())) {
      int beginIndex = rawRequestUri.indexOf(httpRequest.getContextPath()) + httpRequest.getContextPath().length();
      rawODataPath = rawRequestUri.substring(beginIndex);
    }

This is relevant as it prevents URLs such as "test.demo.org:8080/test/" from being used when a ContextPath/ServletPath is set (e.g. in Spring environments). Olingo will always throw an UriParserSyntaxException("Unexpected start of resource-path segment.") for every request. In Docker environments the host is also often given as plaintext, e.g. "demoservice:8081/demo" for a container named demoservice, which also breaks due to wrong matching.
Suggested Fixes:
- Do not rely upon simple String matching with indexOf() for separating protocol/host/ContextPath/ServletPath from ODataPath.
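
The mis-split described above, reproduced next to a prefix check anchored to the parsed path component. This is an added example, not Olingo code or the project's fix: the class and method names are hypothetical, the sample URLs are constructed from the hosts named in the report, and it assumes the raw request URI is an absolute URL and the servlet path starts with "/".

```java
import java.net.URI;

public class ODataPathSplitDemo {

    // Same logic as the lines quoted in the report: the first indexOf() match wins,
    // even when that match lies inside the scheme/host part of the URL.
    static String naiveODataPath(String rawRequestUri, String servletPath) {
        int beginIndex = rawRequestUri.indexOf(servletPath) + servletPath.length();
        return rawRequestUri.substring(beginIndex);
    }

    // Hypothetical alternative: parse the URI first, then strip the prefix only
    // when it is a leading, segment-aligned part of the path component.
    static String anchoredODataPath(String rawRequestUri, String servletPath) {
        String rawPath = URI.create(rawRequestUri).getRawPath();
        boolean aligned = rawPath.startsWith(servletPath)
                && (rawPath.length() == servletPath.length()
                    || rawPath.charAt(servletPath.length()) == '/');
        if (!aligned) {
            throw new IllegalArgumentException("path does not start with " + servletPath);
        }
        return rawPath.substring(servletPath.length());
    }

    public static void main(String[] args) {
        // Constructed sample requests: {raw request URI, servlet path}.
        String[][] samples = {
            {"http://test.demo.org:8080/test/Products", "/test"},
            {"http://demoservice:8081/demo/Products", "/demo"},
            {"http://localhost:8080/test/Products", "/test"},
        };
        for (String[] s : samples) {
            System.out.println(s[0]);
            System.out.println("  indexOf split : " + naiveODataPath(s[0], s[1]));
            System.out.println("  anchored split: " + anchoredODataPath(s[0], s[1]));
        }
    }
}
```

For the first two samples the indexOf() split starts inside the hostname, because "//test" and "//demo" already contain the servlet path; only the third host, which does not contain the path string, splits correctly with both methods.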