From 49d3dfc3966cd206e468ca27fa201331a45d7d32 Mon Sep 17 00:00:00 2001 From: mohammed adib Date: Wed, 15 Jul 2026 13:00:58 +0530 Subject: [PATCH] reject backslash in the parsed URI authority --- .../org/asynchttpclient/uri/UriParser.java | 9 +++++++++ .../java/org/asynchttpclient/uri/UriTest.java | 18 ++++++++++++++++++ 2 files changed, 27 insertions(+) diff --git a/client/src/main/java/org/asynchttpclient/uri/UriParser.java b/client/src/main/java/org/asynchttpclient/uri/UriParser.java index 066584313..4b5d55c0c 100644 --- a/client/src/main/java/org/asynchttpclient/uri/UriParser.java +++ b/client/src/main/java/org/asynchttpclient/uri/UriParser.java @@ -334,6 +334,15 @@ private void parseAuthority() { currentIndex += 2; String nonNullAuthority = computeAuthority(); + + // A backslash is not allowed in the authority (RFC 3986). Left as an ordinary character it + // slips past the '@' userinfo split below, so "https://trusted.com\@evil.com/" resolves the + // host to evil.com here while java.net.URI rejects it and a WHATWG parser reads trusted.com. + // Reject it so the host we connect to cannot disagree with a host the caller already checked. + if (nonNullAuthority.indexOf('\\') != -1) { + throw new IllegalArgumentException("Invalid authority field: " + nonNullAuthority); + } + computeUserInfo(nonNullAuthority); if (host != null) { diff --git a/client/src/test/java/org/asynchttpclient/uri/UriTest.java b/client/src/test/java/org/asynchttpclient/uri/UriTest.java index 288594f69..bfa19dfc7 100644 --- a/client/src/test/java/org/asynchttpclient/uri/UriTest.java +++ b/client/src/test/java/org/asynchttpclient/uri/UriTest.java @@ -295,6 +295,24 @@ public void creatingUriWithMissingHostThrowsIllegalArgumentException() { assertThrows(IllegalArgumentException.class, () -> Uri.create("http://")); } + @RepeatedIfExceptionsTest(repeats = 5) + public void creatingUriWithBackslashInAuthorityThrowsIllegalArgumentException() { + assertThrows(IllegalArgumentException.class, () -> Uri.create("https://trusted.com\\@evil.com/")); + } + + @RepeatedIfExceptionsTest(repeats = 5) + public void creatingUriWithBackslashInSchemeRelativeAuthorityThrows() { + Uri context = Uri.create("https://trusted.com/app"); + assertThrows(IllegalArgumentException.class, () -> Uri.create(context, "//trusted.com\\@evil.com/")); + } + + @RepeatedIfExceptionsTest(repeats = 5) + public void backslashInPathIsPreserved() { + Uri uri = Uri.create("https://trusted.com/a\\b"); + assertEquals("trusted.com", uri.getHost()); + assertEquals("/a\\b", uri.getPath()); + } + @RepeatedIfExceptionsTest(repeats = 5) public void testGetAuthority() { Uri uri = Uri.create("http://stackoverflow.com/questions/17814461/jacoco-maven-testng-0-test-coverage");