Re: [Httpunit-develop] Two possible refinements
From: Russell G. <rus...@ht...> - 2008-08-18 03:44:48
These sound reasonable. Would you be able to code them? Or at least some unit tests that demonstrate the behavior changes you are seeking?

On Aug 17, 2008, at 6:34 PM, James Courtney wrote:

> Hello to all involved in the development of HTTPUnit. I am fairly
> new to the HTTPUnit product and this is my first post to the list
> but I’ve been making use of HTTPUnit this week for an integration
> task I’m performing. During this time I’ve run into two separate
> issues which I think might be worth considering for improvements to
> the HTTPUnit library and I wanted to bring my question to the
> developers as either I’m right and there are some tweaks to be made
> or I’m wrong and need some help understanding some subtleties.
> Both are real possibilities ☺
>
> At any rate, here it goes:
>
>
> ***** ISSUE #1 *****
>
> com.meterware.httpunit.cookies.Cookie:
>
> Line 250 in the acceptHost method uses the following logic when
> validating:
>
>     return hostPattern.equalsIgnoreCase( hostName ) ||
>            (hostPattern.startsWith( "." ) &&
>             hostName.endsWith( hostPattern ));
>
> This logic seems to have a couple of problems:
> 1) In the second part of the comparison case is NOT ignored.
> 2) No consideration is given to the
>    CookieProperties.isDomainMatchingStrict setting
>    - This seems odd since CookieProperties.isPathMatchingStrict is
>      considered in the acceptPath method a few lines earlier and is
>      required to handle certain less than compliant web sites
>      (groups.yahoo.com for example).
> 3) Should the acceptPath method maybe be static as the acceptHost
>    method is?
>
>
> ***** ISSUE #2 *****
>
> com.meterware.httpunit.WebWindow:
>
> Line 383 of the shouldFollowRedirect method compares URLs using
> URL.equals (HashSet search).
> This can result in a somewhat phony loop detection. For example
> groups.yahoo.com redirects to the correct subgroup (like
> tech.groups.yahoo.com) presumably for housekeeping, possible load
> balancing, future modularity, etc. Currently these domains resolve
> to the same IP address which causes the URL.equals to return true.
> Is there any harm here in simply doing a string compare on the URL
> since, with the exception of domain name, that's what's currently
> being done by URL.equals? Sure someone could redirect from domain
> name to domain name with the same IP but how many distinct domain
> names are they likely to come up with? I think the case like what
> Yahoo is doing where a site performs sort of a virtual redirect for
> whatever reason that isn't malicious is more likely. To be more
> secure one could add a maximum size to the redirect set and if X
> redirects are reached terminate.
>
> Additionally, just above this code block, still in the
> shouldFollowResult method there is a MalformedURLException swallowed
> with no logging. I don't see how this is good behavior as the url,
> possibly malformed, is used in the subsequent code.
>
>
> Thank you all for the consideration of these points.
>
> Best regards,
>
> James Courtney
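
Added example, not part of the original thread and not HttpUnit code: a sketch of the redirect check proposed under ISSUE #2, comparing URLs as strings instead of with `URL.equals` and capping the length of the redirect chain. The class name `RedirectGuard`, its methods, the limit of 3 and the sample URLs are assumptions made for illustration.

```java
import java.net.URL;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Hypothetical helper (not part of HttpUnit): redirect loop detection that
// compares URLs as strings and caps the number of distinct redirects.
public class RedirectGuard {
    private final Set<String> seen = new HashSet<>();
    private final int maxRedirects; // assumed limit, chosen by the caller

    public RedirectGuard(int maxRedirects) {
        this.maxRedirects = maxRedirects;
    }

    // Scheme and host are case-insensitive; path and query are not.
    // Building the key from the URL's parts never triggers a DNS lookup,
    // unlike URL.equals/hashCode, which treat two host names as equal
    // when they resolve to the same IP address.
    static String key(URL url) {
        String file = url.getFile().isEmpty() ? "/" : url.getFile();
        int port = url.getPort() == -1 ? url.getDefaultPort() : url.getPort();
        return url.getProtocol().toLowerCase(Locale.ROOT) + "://"
                + url.getHost().toLowerCase(Locale.ROOT) + ":" + port + file;
    }

    // Returns true if the redirect may be followed.
    public boolean shouldFollow(URL target) {
        if (seen.size() >= maxRedirects) {
            return false;             // chain too long: stop regardless of target
        }
        return seen.add(key(target)); // add() returns false for a repeated URL
    }

    public static void main(String[] args) throws Exception {
        RedirectGuard guard = new RedirectGuard(3);
        // Constructed sample chain using the host names from the message.
        String[] chain = {
            "http://groups.yahoo.com/group/example",
            "http://tech.groups.yahoo.com/group/example", // different host name
            "http://TECH.groups.yahoo.com/group/example", // repeat, host case differs
            "http://tech.groups.yahoo.com/group/other",
            "http://tech.groups.yahoo.com/group/third",   // fourth distinct URL
        };
        for (String s : chain) {
            System.out.println(guard.shouldFollow(new URL(s)) + "  " + s);
        }
    }
}
```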