Handle http/https redirects when fetching using URL - security-caused problem
linustolke opened this issue · 0 comments
linustolke commented
When moving from argouml.tigris.org to GitHub the following code suddenly caused problems:
```java
URL url = anURL;
InputStream stream;
try {
    stream = url.openStream();
} catch (IOException e) {
    // ...act on the URL not existing...
}
// ...act on the URL existing...
```
The problem is that when redirecting from http: to https:, as from http://argouml.org to https://argouml-tigris-org.github.io, Java does not follow that redirect when opening the stream, so the stream is invalid and no Exception is thrown.
I have fixed this for the simplest case, in getValidURL in XmiReferenceResolverImpl.java, where it caused a test to fail (bf30ff1). There are a lot of other places in the code where a similar pattern is used and they should also be fixed or at least protected with asserts to make sure that it is not an http- or an https-url.
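One way to replace the `url.openStream()` pattern, as an added example that is not ArgoUML code and not the fix in bf30ff1: it follows redirects by hand so that an http: to https: upgrade is followed, while a downgrade to http:, a redirect to a non-HTTP scheme, or a redirect loop raises an `IOException` instead of returning an unusable stream. The class name `RedirectingFetcher`, the hop limit and the timeouts are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLConnection;
/** Hypothetical helper for illustration; not ArgoUML code. */
public final class RedirectingFetcher {
    private static final int MAX_REDIRECTS = 5; // assumed limit, stops redirect loops

    /** A hop is allowed only to http/https and never from https down to http. */
    static boolean isAllowedHop(URL from, URL to) {
        String target = to.getProtocol();
        if (!target.equals("http") && !target.equals("https")) {
            return false; // a Location header must not steer us to file:, jar:, ftp:
        }
        return !(from.getProtocol().equals("https") && target.equals("http"));
    }

    /** Opens the URL, following redirects by hand; throws unless a 200 response is reached. */
    public static InputStream open(URL start) throws IOException {
        URL current = start;
        for (int hop = 0; hop <= MAX_REDIRECTS; hop++) {
            URLConnection raw = current.openConnection();
            if (!(raw instanceof HttpURLConnection)) {
                return raw.getInputStream(); // non-HTTP start URL (e.g. file:): behaviour unchanged
            }
            HttpURLConnection conn = (HttpURLConnection) raw;
            conn.setInstanceFollowRedirects(false); // every hop goes through isAllowedHop
            conn.setConnectTimeout(10_000); // assumed timeouts, in milliseconds
            conn.setReadTimeout(10_000);
            int status = conn.getResponseCode();
            if (status == HttpURLConnection.HTTP_OK) {
                return conn.getInputStream();
            }
            boolean redirect = status == 301 || status == 302 || status == 303 || status == 307 || status == 308;
            String location = conn.getHeaderField("Location");
            conn.disconnect();
            if (!redirect || location == null) {
                throw new IOException("HTTP " + status + " for " + current);
            }
            URL next = new URL(current, location); // resolves relative Location values
            if (!isAllowedHop(current, next)) {
                throw new IOException("Refusing redirect " + current + " -> " + next);
            }
            current = next;
        }
        throw new IOException("Too many redirects starting at " + start);
    }
}
```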