1 /*
2 * Copyright 2012 The Netty Project
3 *
4 * The Netty Project licenses this file to you under the Apache License,
5 * version 2.0 (the "License"); you may not use this file except in compliance
6 * with the License. You may obtain a copy of the License at:
7 *
8 * https://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
12 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
13 * License for the specific language governing permissions and limitations
14 * under the License.
15 */
16 package io.netty.handler.codec.http;
17
18 import io.netty.buffer.ByteBuf;
19 import io.netty.buffer.Unpooled;
20 import io.netty.channel.ChannelPipeline;
21
22 /**
23 * Decodes {@link ByteBuf}s into {@link HttpResponse}s and
24 * {@link HttpContent}s.
25 *
26 * <h3>Parameters that prevent excessive memory consumption</h3>
27 * <table border="1">
28 * <tr>
29 * <th>Name</th><th>Meaning</th>
30 * </tr>
31 * <tr>
32 * <td>{@code maxInitialLineLength}</td>
33 * <td>The maximum length of the initial line (e.g. {@code "HTTP/1.0 200 OK"}).
34 * If the length of the initial line exceeds this value, a
35 * {@link TooLongHttpLineException} will be raised.</td>
36 * </tr>
37 * <tr>
38 * <td>{@code maxHeaderSize}</td>
39 * <td>The maximum length of all headers. If the sum of the length of each
40 * header exceeds this value, a {@link TooLongHttpHeaderException} will be raised.</td>
41 * </tr>
42 * <tr>
43 * <td>{@code maxChunkSize}</td>
44 * <td>The maximum length of the content or each chunk. If the content length
45 * exceeds this value, the transfer encoding of the decoded response will be
46 * converted to 'chunked' and the content will be split into multiple
47 * {@link HttpContent}s. If the transfer encoding of the HTTP response is
48 * 'chunked' already, each chunk will be split into smaller chunks if the
49 * length of the chunk exceeds this value. If you prefer not to handle
50 * {@link HttpContent}s in your handler, insert {@link HttpObjectAggregator}
51 * after this decoder in the {@link ChannelPipeline}.</td>
52 * </tr>
53 * </table>
54 *
55 * <h3>Parameters that control parsing behavior</h3>
56 * <table border="1">
57 * <tr>
58 * <th>Name</th><th>Default value</th><th>Meaning</th>
59 * </tr>
60 * <tr>
61 * <td>{@code allowDuplicateContentLengths}</td>
62 * <td>{@value #DEFAULT_ALLOW_DUPLICATE_CONTENT_LENGTHS}</td>
63 * <td>When set to {@code false}, will reject any messages that contain multiple Content-Length header fields.
64 * When set to {@code true}, will allow multiple Content-Length headers only if they are all the same decimal value.
65 * The duplicated field-values will be replaced with a single valid Content-Length field.
66 * See <a href="https://tools.ietf.org/html/rfc7230#section-3.3.2">RFC 7230, Section 3.3.2</a>.</td>
67 * </tr>
68 * <tr>
69 * <td>{@code allowPartialChunks}</td>
70 * <td>{@value #DEFAULT_ALLOW_PARTIAL_CHUNKS}</td>
71 * <td>If the length of a chunk exceeds the {@link ByteBuf}'s readable bytes and {@code allowPartialChunks}
72 * is set to {@code true}, the chunk will be split into multiple {@link HttpContent}s.
73 * Otherwise, if the chunk size does not exceed {@code maxChunkSize} and {@code allowPartialChunks}
74 * is set to {@code false}, the {@link ByteBuf} is not decoded into an {@link HttpContent} until
75 * the readable bytes are greater than or equal to the chunk size.</td>
76 * </tr>
77 * </table>
78 *
79 * <h3>Decoding a response for a <tt>HEAD</tt> request</h3>
80 * <p>
81 * Unlike other HTTP requests, the successful response of a <tt>HEAD</tt>
82 * request does not have any content even if there is <tt>Content-Length</tt>
83 * header. Because {@link HttpResponseDecoder} is not able to determine if the
84 * response currently being decoded is associated with a <tt>HEAD</tt> request,
85 * you must override {@link #isContentAlwaysEmpty(HttpMessage)} to return
86 * <tt>true</tt> for the response of the <tt>HEAD</tt> request.
87 * </p><p>
88 * If you are writing an HTTP client that issues a <tt>HEAD</tt> request,
89 * please use {@link HttpClientCodec} instead of this decoder. It will perform
90 * additional state management to handle the responses for <tt>HEAD</tt>
91 * requests correctly.
92 * </p>
93 *
94 * <h3>Decoding a response for a <tt>CONNECT</tt> request</h3>
95 * <p>
96 * You also need to do additional state management to handle the response of a
97 * <tt>CONNECT</tt> request properly, like you did for <tt>HEAD</tt>. One
98 * difference is that the decoder should stop decoding completely after decoding
99 * the successful 200 response since the connection is not an HTTP connection
100 * anymore.
101 * </p><p>
102 * {@link HttpClientCodec} also handles this edge case correctly, so you have to
103 * use {@link HttpClientCodec} if you are writing an HTTP client that issues a
104 * <tt>CONNECT</tt> request.
105 * </p>
106 *
107 * <h3>Header Validation</h3>
108 *
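109 * It is recommended to always enable header validation. With the deprecated constructors of this class
109 * that take a {@code validateHeaders} argument, this means passing {@code true}.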
110 * <p>
111 * Without header validation, your system can become vulnerable to
112 * <a href="https://cwe.mitre.org/data/definitions/113.html">
113 * CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
114 * </a>.
115 * <p>
116 * This recommendation stands even when both peers in the HTTP exchange are trusted,
117 * as it helps with defence-in-depth.
118 */
public class HttpResponseDecoder extends HttpObjectDecoder {

    /** Placeholder status (code 999, reason "Unknown") attached to responses that could not be parsed. */
    private static final HttpResponseStatus UNKNOWN_STATUS = new HttpResponseStatus(999, "Unknown");

    /**
     * Creates a new instance with the default
     * {@code maxInitialLineLength (4096)}, {@code maxHeaderSize (8192)}, and
     * {@code maxChunkSize (8192)}.
     */
    public HttpResponseDecoder() {
    }

    /**
     * Creates a new instance with explicit size limits.
     * <p>
     * Only the three limits are set on a fresh {@link HttpDecoderConfig}; every other option,
     * header validation included, keeps whatever {@link HttpDecoderConfig} uses by default
     * (not visible in this file, so verify it there if header validation matters to you).
     *
     * @param maxInitialLineLength upper bound for the length of the status line
     * @param maxHeaderSize        upper bound for the combined length of all headers
     * @param maxChunkSize         upper bound for the content or for each chunk
     */
    public HttpResponseDecoder(
            int maxInitialLineLength, int maxHeaderSize, int maxChunkSize) {
        super(new HttpDecoderConfig()
                .setMaxInitialLineLength(maxInitialLineLength)
                .setMaxHeaderSize(maxHeaderSize)
                .setMaxChunkSize(maxChunkSize));
    }

    /**
     * Creates a new instance with explicit size limits and an explicit header validation switch.
     * {@code DEFAULT_CHUNKED_SUPPORTED} is forwarded to the superclass as its fourth argument.
     *
     * @param validateHeaders the class documentation recommends always enabling header validation;
     *                        passing {@code false} gives up the protection against CWE-113
     *                        (HTTP response splitting) described there
     * @deprecated Prefer the {@link #HttpResponseDecoder(HttpDecoderConfig)} constructor.
     */
    @Deprecated
    public HttpResponseDecoder(
            int maxInitialLineLength, int maxHeaderSize, int maxChunkSize, boolean validateHeaders) {
        super(maxInitialLineLength, maxHeaderSize, maxChunkSize, DEFAULT_CHUNKED_SUPPORTED, validateHeaders);
    }

    /**
     * Same as the four-argument constructor, with {@code initialBufferSize} additionally
     * forwarded to the superclass.
     *
     * @param validateHeaders the class documentation recommends always enabling header validation;
     *                        passing {@code false} gives up the protection against CWE-113
     * @deprecated Prefer the {@link #HttpResponseDecoder(HttpDecoderConfig)} constructor.
     */
    @Deprecated
    public HttpResponseDecoder(
            int maxInitialLineLength, int maxHeaderSize, int maxChunkSize, boolean validateHeaders,
            int initialBufferSize) {
        super(maxInitialLineLength, maxHeaderSize, maxChunkSize, DEFAULT_CHUNKED_SUPPORTED, validateHeaders,
                initialBufferSize);
    }

    /**
     * Same as the five-argument constructor, with {@code allowDuplicateContentLengths}
     * additionally forwarded to the superclass.
     *
     * @param validateHeaders              the class documentation recommends always enabling header
     *                                     validation; {@code false} gives up the CWE-113 protection
     * @param allowDuplicateContentLengths per the class documentation, {@code false} rejects any message
     *                                     carrying multiple Content-Length fields, while {@code true}
     *                                     accepts them only when all values are the same decimal number
     * @deprecated Prefer the {@link #HttpResponseDecoder(HttpDecoderConfig)} constructor.
     */
    @Deprecated
    public HttpResponseDecoder(
            int maxInitialLineLength, int maxHeaderSize, int maxChunkSize, boolean validateHeaders,
            int initialBufferSize, boolean allowDuplicateContentLengths) {
        super(maxInitialLineLength, maxHeaderSize, maxChunkSize, DEFAULT_CHUNKED_SUPPORTED, validateHeaders,
                initialBufferSize, allowDuplicateContentLengths);
    }

    /**
     * Same as the six-argument constructor, with {@code allowPartialChunks} additionally
     * forwarded to the superclass.
     *
     * @param validateHeaders              the class documentation recommends always enabling header
     *                                     validation; {@code false} gives up the CWE-113 protection
     * @param allowDuplicateContentLengths per the class documentation, {@code false} rejects any message
     *                                     carrying multiple Content-Length fields
     * @param allowPartialChunks           per the class documentation, whether a chunk larger than the
     *                                     readable bytes may be emitted in several pieces
     * @deprecated Prefer the {@link #HttpResponseDecoder(HttpDecoderConfig)} constructor.
     */
    @Deprecated
    public HttpResponseDecoder(
            int maxInitialLineLength, int maxHeaderSize, int maxChunkSize, boolean validateHeaders,
            int initialBufferSize, boolean allowDuplicateContentLengths, boolean allowPartialChunks) {
        super(maxInitialLineLength, maxHeaderSize, maxChunkSize, DEFAULT_CHUNKED_SUPPORTED, validateHeaders,
                initialBufferSize, allowDuplicateContentLengths, allowPartialChunks);
    }

    /**
     * Creates a new instance driven entirely by the given configuration object.
     *
     * @param config the decoder configuration handed to the superclass unchanged
     */
    public HttpResponseDecoder(HttpDecoderConfig config) {
        super(config);
    }

    /**
     * Builds the response object for a parsed status line.
     *
     * @param initialLine the status line split into three parts: index 0 is the protocol version,
     *                    index 1 the numeric status code, index 2 the text passed along with the code
     * @return a {@link DefaultHttpResponse} created with this decoder's {@code headersFactory}
     * @throws NumberFormatException if the status code part is not a parsable integer; nothing in this
     *                               method catches it, so handling is left to the caller
     */
    @Override
    protected HttpMessage createMessage(String[] initialLine) {
        // Strict mode: the second argument asks HttpVersion for strict version checking.
        final HttpVersion protocolVersion = HttpVersion.valueOf(initialLine[0], true);
        // The peer controls this text; a non-numeric value surfaces as NumberFormatException.
        final int statusCode = Integer.parseInt(initialLine[1]);
        final HttpResponseStatus status = HttpResponseStatus.valueOf(statusCode, initialLine[2]);
        return new DefaultHttpResponse(protocolVersion, status, headersFactory);
    }

    /**
     * Builds the stand-in response used when a message cannot be decoded.
     *
     * @return a {@link DefaultFullHttpResponse} with version HTTP/1.0, the 999 "Unknown" status and a
     *         buffer allocated with capacity 0
     */
    @Override
    protected HttpMessage createInvalidMessage() {
        final HttpVersion fallbackVersion = HttpVersion.HTTP_1_0;
        final ByteBuf emptyContent = Unpooled.buffer(0);
        return new DefaultFullHttpResponse(
                fallbackVersion, UNKNOWN_STATUS, emptyContent, headersFactory, trailersFactory);
    }

    /**
     * Tells the superclass that this decoder handles responses, not requests.
     *
     * @return always {@code false}
     */
    @Override
    protected boolean isDecodingRequest() {
        return false;
    }
}