argouml-tigris-org/argouml

Handle http/https redirects when fetching using URL - security-caused problem

linustolke opened this issue · 0 comments

When moving from argouml.tigris.org to github the following code suddenly caused problems:

URL url = anURL;
InputStream stream;
try {
    stream = url.openStream();
} catch (IOException e) {
    // ...act on the URL not existing...
}
// ...act on the URL existing...

The problem is that when redirecting from http: to https:, as from http://argouml.org to https://argouml-tigris-org.github.io, Java does not follow that redirect when opening the stream, so the stream is invalid and no exception is thrown.

I have fixed this for the simplest case, in getValidURL in XmiReferenceResolverImpl.java, where it caused a test to fail (bf30ff1). There are a lot of other places in the code where a similar pattern is used and they should also be fixed or at least protected with asserts to make sure that it is not an http or https URL.