Validate Connection: Upgrade on protocol switch responses

arturobernalg · fitekonea · commit 6073c213978c · 2026-04-07T09:51:47.000+02:00
ProtocolSwitchStrategy now rejects 101 Switching Protocols responses that
advertise Upgrade without the required Connection: Upgrade token.
diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/ProtocolSwitchStrategy.java b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/ProtocolSwitchStrategy.java
@@ -70,6 +70,10 @@ public InternalProtocolException(final ProtocolException cause) {
     }
 
     public ProtocolVersion switchProtocol(final HttpMessage response) throws ProtocolException {
+        if (!containsConnectionUpgrade(response)) {
+            throw new ProtocolException("Invalid protocol switch response: missing Connection: Upgrade");
+        }
+
         final AtomicReference<ProtocolVersion> tlsUpgrade = new AtomicReference<>();
 
         parseHeaders(response, HttpHeaders.UPGRADE, (buffer, cursor) -> {
@@ -91,6 +95,49 @@ public ProtocolVersion switchProtocol(final HttpMessage response) throws Protoco
         }
     }
 
+    private boolean containsConnectionUpgrade(final HttpMessage message) throws ProtocolException {
+        final Iterator<Header> it = message.headerIterator(HttpHeaders.CONNECTION);
+        while (it.hasNext()) {
+            final Header header = it.next();
+            if (header instanceof FormattedHeader) {
+                final CharArrayBuffer buf = ((FormattedHeader) header).getBuffer();
+                final ParserCursor cursor = new ParserCursor(0, buf.length());
+                cursor.updatePos(((FormattedHeader) header).getValuePos());
+                if (containsUpgradeToken(buf, cursor)) {
+                    return true;
+                }
+            } else {
+                final String value = header.getValue();
+                if (value == null) {
+                    continue;
+                }
+                final ParserCursor cursor = new ParserCursor(0, value.length());
+                if (containsUpgradeToken(value, cursor)) {
+                    return true;
+                }
+            }
+        }
+        return false;
+    }
+
+    private boolean containsUpgradeToken(final CharSequence buffer, final ParserCursor cursor) throws ProtocolException {
+        while (!cursor.atEnd()) {
+            TOKENIZER.skipWhiteSpace(buffer, cursor);
+            final String token = TOKENIZER.parseToken(buffer, cursor, UPGRADE_TOKEN_DELIMITER);
+            if (token.equalsIgnoreCase("upgrade")) {
+                return true;
+            }
+            TOKENIZER.skipWhiteSpace(buffer, cursor);
+            if (!cursor.atEnd()) {
+                final char ch = buffer.charAt(cursor.getPos());
+                if (ch == ',') {
+                    cursor.updatePos(cursor.getPos() + 1);
+                }
+            }
+        }
+        return false;
+    }
+
     private ProtocolVersion parseProtocolVersion(final CharSequence buffer, final ParserCursor cursor) throws ProtocolException {
         TOKENIZER.skipWhiteSpace(buffer, cursor);
         final String proto = TOKENIZER.parseToken(buffer, cursor, LAX_PROTO_DELIMITER);
diff --git a/httpclient5/src/test/java/org/apache/hc/client5/http/impl/TestProtocolSwitchStrategy.java b/httpclient5/src/test/java/org/apache/hc/client5/http/impl/TestProtocolSwitchStrategy.java
@@ -52,30 +52,36 @@ void setUp() {
     @Test
     void testSwitchToTLS() throws Exception {
         final HttpResponse response1 = new BasicHttpResponse(HttpStatus.SC_SWITCHING_PROTOCOLS);
+        response1.addHeader(HttpHeaders.CONNECTION, "Upgrade");
         response1.addHeader(HttpHeaders.UPGRADE, "TLS");
         Assertions.assertEquals(TLS.V_1_2.getVersion(), switchStrategy.switchProtocol(response1));
 
         final HttpResponse response2 = new BasicHttpResponse(HttpStatus.SC_SWITCHING_PROTOCOLS);
+        response2.addHeader(HttpHeaders.CONNECTION, "Upgrade");
         response2.addHeader(HttpHeaders.UPGRADE, "TLS/1.3");
         Assertions.assertEquals(TLS.V_1_3.getVersion(), switchStrategy.switchProtocol(response2));
     }
 
     @Test
     void testSwitchToHTTP11AndTLS() throws Exception {
         final HttpResponse response1 = new BasicHttpResponse(HttpStatus.SC_SWITCHING_PROTOCOLS);
+        response1.addHeader(HttpHeaders.CONNECTION, "Upgrade");
         response1.addHeader(HttpHeaders.UPGRADE, "TLS, HTTP/1.1");
         Assertions.assertEquals(TLS.V_1_2.getVersion(), switchStrategy.switchProtocol(response1));
 
         final HttpResponse response2 = new BasicHttpResponse(HttpStatus.SC_SWITCHING_PROTOCOLS);
+        response2.addHeader(HttpHeaders.CONNECTION, "Upgrade");
         response2.addHeader(HttpHeaders.UPGRADE, ",, HTTP/1.1, TLS, ");
         Assertions.assertEquals(TLS.V_1_2.getVersion(), switchStrategy.switchProtocol(response2));
 
         final HttpResponse response3 = new BasicHttpResponse(HttpStatus.SC_SWITCHING_PROTOCOLS);
+        response3.addHeader(HttpHeaders.CONNECTION, "Upgrade");
         response3.addHeader(HttpHeaders.UPGRADE, "HTTP/1.1");
         response3.addHeader(HttpHeaders.UPGRADE, "TLS/1.2");
         Assertions.assertEquals(TLS.V_1_2.getVersion(), switchStrategy.switchProtocol(response3));
 
         final HttpResponse response4 = new BasicHttpResponse(HttpStatus.SC_SWITCHING_PROTOCOLS);
+        response4.addHeader(HttpHeaders.CONNECTION, "Upgrade");
         response4.addHeader(HttpHeaders.UPGRADE, "HTTP/1.1");
         response4.addHeader(HttpHeaders.UPGRADE, "TLS/1.2, TLS/1.3");
         Assertions.assertEquals(TLS.V_1_3.getVersion(), switchStrategy.switchProtocol(response4));
@@ -84,42 +90,58 @@ void testSwitchToHTTP11AndTLS() throws Exception {
     @Test
     void testSwitchInvalid() {
         final HttpResponse response1 = new BasicHttpResponse(HttpStatus.SC_SWITCHING_PROTOCOLS);
+        response1.addHeader(HttpHeaders.CONNECTION, "Upgrade");
         response1.addHeader(HttpHeaders.UPGRADE, "Crap");
         Assertions.assertThrows(ProtocolException.class, () -> switchStrategy.switchProtocol(response1));
 
         final HttpResponse response2 = new BasicHttpResponse(HttpStatus.SC_SWITCHING_PROTOCOLS);
+        response2.addHeader(HttpHeaders.CONNECTION, "Upgrade");
         response2.addHeader(HttpHeaders.UPGRADE, "TLS, huh?");
         Assertions.assertThrows(ProtocolException.class, () -> switchStrategy.switchProtocol(response2));
 
         final HttpResponse response3 = new BasicHttpResponse(HttpStatus.SC_SWITCHING_PROTOCOLS);
+        response3.addHeader(HttpHeaders.CONNECTION, "Upgrade");
         response3.addHeader(HttpHeaders.UPGRADE, ",,,");
         Assertions.assertThrows(ProtocolException.class, () -> switchStrategy.switchProtocol(response3));
     }
 
+    @Test
+    void testNullToken() throws ProtocolException {
+        final HttpResponse response = new BasicHttpResponse(HttpStatus.SC_SWITCHING_PROTOCOLS);
+        response.addHeader(HttpHeaders.CONNECTION, "Upgrade");
+        response.addHeader(HttpHeaders.UPGRADE, "TLS,");
+        response.addHeader(HttpHeaders.UPGRADE, null);
+        Assertions.assertEquals(TLS.V_1_2.getVersion(), switchStrategy.switchProtocol(response));
+    }
+
     @Test
     void testWhitespaceOnlyToken() throws ProtocolException {
         final HttpResponse response = new BasicHttpResponse(HttpStatus.SC_SWITCHING_PROTOCOLS);
+        response.addHeader(HttpHeaders.CONNECTION, "Upgrade");
         response.addHeader(HttpHeaders.UPGRADE, "   , TLS");
         Assertions.assertEquals(TLS.V_1_2.getVersion(), switchStrategy.switchProtocol(response));
     }
 
     @Test
     void testUnsupportedTlsVersion() throws Exception {
         final HttpResponse response = new BasicHttpResponse(HttpStatus.SC_SWITCHING_PROTOCOLS);
+        response.addHeader(HttpHeaders.CONNECTION, "Upgrade");
         response.addHeader(HttpHeaders.UPGRADE, "TLS/1.4");
         Assertions.assertEquals(new ProtocolVersion("TLS", 1, 4), switchStrategy.switchProtocol(response));
     }
 
     @Test
     void testUnsupportedTlsMajorVersion() throws Exception {
         final HttpResponse response = new BasicHttpResponse(HttpStatus.SC_SWITCHING_PROTOCOLS);
+        response.addHeader(HttpHeaders.CONNECTION, "Upgrade");
         response.addHeader(HttpHeaders.UPGRADE, "TLS/2.0");
         Assertions.assertEquals(new ProtocolVersion("TLS", 2, 0), switchStrategy.switchProtocol(response));
     }
 
     @Test
     void testUnsupportedHttpVersion() {
         final HttpResponse response = new BasicHttpResponse(HttpStatus.SC_SWITCHING_PROTOCOLS);
+        response.addHeader(HttpHeaders.CONNECTION, "Upgrade");
         response.addHeader(HttpHeaders.UPGRADE, "HTTP/2.0");
         final ProtocolException ex = Assertions.assertThrows(ProtocolException.class, () ->
                 switchStrategy.switchProtocol(response));
@@ -129,6 +151,7 @@ void testUnsupportedHttpVersion() {
     @Test
     void testInvalidTlsFormat() {
         final HttpResponse response = new BasicHttpResponse(HttpStatus.SC_SWITCHING_PROTOCOLS);
+        response.addHeader(HttpHeaders.CONNECTION, "Upgrade");
         response.addHeader(HttpHeaders.UPGRADE, "TLS/abc");
         final ProtocolException ex = Assertions.assertThrows(ProtocolException.class, () ->
                 switchStrategy.switchProtocol(response));
@@ -138,6 +161,7 @@ void testInvalidTlsFormat() {
     @Test
     void testHttp11Only() {
         final HttpResponse response = new BasicHttpResponse(HttpStatus.SC_SWITCHING_PROTOCOLS);
+        response.addHeader(HttpHeaders.CONNECTION, "Upgrade");
         response.addHeader(HttpHeaders.UPGRADE, "HTTP/1.1");
         final ProtocolException ex = Assertions.assertThrows(ProtocolException.class, () ->
                 switchStrategy.switchProtocol(response));
@@ -147,6 +171,7 @@ void testHttp11Only() {
     @Test
     void testSwitchToTlsValid_TLS_1_2() throws Exception {
         final HttpResponse response = new BasicHttpResponse(HttpStatus.SC_SWITCHING_PROTOCOLS);
+        response.addHeader(HttpHeaders.CONNECTION, "Upgrade");
         response.addHeader(HttpHeaders.UPGRADE, "TLS/1.2");
         final ProtocolVersion result = switchStrategy.switchProtocol(response);
         Assertions.assertEquals(TLS.V_1_2.getVersion(), result);
@@ -155,6 +180,7 @@ void testSwitchToTlsValid_TLS_1_2() throws Exception {
     @Test
     void testSwitchToTlsValid_TLS_1_0() throws Exception {
         final HttpResponse response = new BasicHttpResponse(HttpStatus.SC_SWITCHING_PROTOCOLS);
+        response.addHeader(HttpHeaders.CONNECTION, "Upgrade");
         response.addHeader(HttpHeaders.UPGRADE, "TLS/1.0");
         final ProtocolVersion result = switchStrategy.switchProtocol(response);
         Assertions.assertEquals(TLS.V_1_0.getVersion(), result);
@@ -163,6 +189,7 @@ void testSwitchToTlsValid_TLS_1_0() throws Exception {
     @Test
     void testSwitchToTlsValid_TLS_1_1() throws Exception {
         final HttpResponse response = new BasicHttpResponse(HttpStatus.SC_SWITCHING_PROTOCOLS);
+        response.addHeader(HttpHeaders.CONNECTION, "Upgrade");
         response.addHeader(HttpHeaders.UPGRADE, "TLS/1.1");
         final ProtocolVersion result = switchStrategy.switchProtocol(response);
         Assertions.assertEquals(TLS.V_1_1.getVersion(), result);
@@ -171,6 +198,7 @@ void testSwitchToTlsValid_TLS_1_1() throws Exception {
     @Test
     void testInvalidTlsFormat_NoSlash() {
         final HttpResponse response = new BasicHttpResponse(HttpStatus.SC_SWITCHING_PROTOCOLS);
+        response.addHeader(HttpHeaders.CONNECTION, "Upgrade");
         response.addHeader(HttpHeaders.UPGRADE, "TLSv1");
         final ProtocolException ex = Assertions.assertThrows(ProtocolException.class, () ->
                 switchStrategy.switchProtocol(response));
@@ -180,6 +208,7 @@ void testInvalidTlsFormat_NoSlash() {
     @Test
     void testSwitchToTlsValid_TLS_1() throws Exception {
         final HttpResponse response = new BasicHttpResponse(HttpStatus.SC_SWITCHING_PROTOCOLS);
+        response.addHeader(HttpHeaders.CONNECTION, "Upgrade");
         response.addHeader(HttpHeaders.UPGRADE, "TLS/1");
         final ProtocolVersion result = switchStrategy.switchProtocol(response);
         Assertions.assertEquals(TLS.V_1_0.getVersion(), result);
@@ -188,6 +217,7 @@ void testSwitchToTlsValid_TLS_1() throws Exception {
     @Test
     void testInvalidTlsFormat_MissingMajor() {
         final HttpResponse response = new BasicHttpResponse(HttpStatus.SC_SWITCHING_PROTOCOLS);
+        response.addHeader(HttpHeaders.CONNECTION, "Upgrade");
         response.addHeader(HttpHeaders.UPGRADE, "TLS/.1");
         final ProtocolException ex = Assertions.assertThrows(ProtocolException.class, () ->
                 switchStrategy.switchProtocol(response));
@@ -197,6 +227,7 @@ void testInvalidTlsFormat_MissingMajor() {
     @Test
     void testMultipleHttp11Tokens() {
         final HttpResponse response = new BasicHttpResponse(HttpStatus.SC_SWITCHING_PROTOCOLS);
+        response.addHeader(HttpHeaders.CONNECTION, "Upgrade");
         response.addHeader(HttpHeaders.UPGRADE, "HTTP/1.1, HTTP/1.1");
         final ProtocolException ex = Assertions.assertThrows(ProtocolException.class, () ->
                 switchStrategy.switchProtocol(response));
@@ -206,6 +237,7 @@ void testMultipleHttp11Tokens() {
     @Test
     void testMixedInvalidAndValidTokens() {
         final HttpResponse response = new BasicHttpResponse(HttpStatus.SC_SWITCHING_PROTOCOLS);
+        response.addHeader(HttpHeaders.CONNECTION, "Upgrade");
         response.addHeader(HttpHeaders.UPGRADE, "Crap, TLS/1.2, Invalid");
         final ProtocolException ex = Assertions.assertThrows(ProtocolException.class, () ->
                 switchStrategy.switchProtocol(response));
@@ -215,10 +247,41 @@ void testMixedInvalidAndValidTokens() {
     @Test
     void testInvalidTlsFormat_NoProtocolName() {
         final HttpResponse response = new BasicHttpResponse(HttpStatus.SC_SWITCHING_PROTOCOLS);
+        response.addHeader(HttpHeaders.CONNECTION, "Upgrade");
         response.addHeader(HttpHeaders.UPGRADE, ",,/1.1");
         final ProtocolException ex = Assertions.assertThrows(ProtocolException.class, () ->
                 switchStrategy.switchProtocol(response));
         Assertions.assertEquals("Invalid protocol; error at offset 2: <,,/1.1>", ex.getMessage());
     }
 
+    @Test
+    void testMissingConnectionUpgradeRejected() {
+        final HttpResponse response = new BasicHttpResponse(HttpStatus.SC_SWITCHING_PROTOCOLS);
+        response.addHeader(HttpHeaders.UPGRADE, "TLS/1.2");
+
+        final ProtocolException ex = Assertions.assertThrows(ProtocolException.class, () ->
+                switchStrategy.switchProtocol(response));
+        Assertions.assertEquals("Invalid protocol switch response: missing Connection: Upgrade", ex.getMessage());
+    }
+
+    @Test
+    void testConnectionWithoutUpgradeTokenRejected() {
+        final HttpResponse response = new BasicHttpResponse(HttpStatus.SC_SWITCHING_PROTOCOLS);
+        response.addHeader(HttpHeaders.CONNECTION, "keep-alive");
+        response.addHeader(HttpHeaders.UPGRADE, "TLS/1.2");
+
+        final ProtocolException ex = Assertions.assertThrows(ProtocolException.class, () ->
+                switchStrategy.switchProtocol(response));
+        Assertions.assertEquals("Invalid protocol switch response: missing Connection: Upgrade", ex.getMessage());
+    }
+
+    @Test
+    void testConnectionWithUpgradeTokenInListAccepted() throws Exception {
+        final HttpResponse response = new BasicHttpResponse(HttpStatus.SC_SWITCHING_PROTOCOLS);
+        response.addHeader(HttpHeaders.CONNECTION, "keep-alive, Upgrade");
+        response.addHeader(HttpHeaders.UPGRADE, "TLS/1.2");
+
+        Assertions.assertEquals(TLS.V_1_2.getVersion(), switchStrategy.switchProtocol(response));
+    }
+
 }
