BlueMap

What i did / Steps to reproduce

set up a ~~socks5~~ or http proxy in your local host
set up bluemap as usual
curl -v -x <your proxy address> <bluemap address>

Expected result

bluemap returns an html file to curl.

Actual result

bluemap returns http 404 to curl.

Context

BlueMap Version:
latest

this is the code that parses the HTTP request path

BlueMap/common/src/main/java/de/bluecolored/bluemap/common/web/FileRequestHandler.java

Lines 66 to 79 in 05f0987

    
           private HttpResponse generateResponse(HttpRequest request) throws IOException { 
        
               String path = request.getPath(); 
        
               // normalize path 
        
               if (path.startsWith("/")) path = path.substring(1); 
        
               if (path.endsWith("/")) path = path.substring(0, path.length() - 1); 
        
               Path filePath; 
        
               try { 
        
                   filePath = webRoot.resolve(path); 
        
               } catch (InvalidPathException e){ 
        
                   return new HttpResponse(HttpStatusCode.NOT_FOUND); 
        
               }

however, it does not account for the absolute form specified in the HTTP RFC https://datatracker.ietf.org/doc/html/rfc9112#name-absolute-form

namely, when a request GET http://www.example.org/pub/WWW/TheProject.html HTTP/1.1 goes to bluemap, bluemap will instantly treat http://www.example.org/pub/WWW/TheProject.html as a file path, instead of extracting /pub/WWW/TheProject.html

for reference, if you dont have a proxy at hand, here are the requests captured by me with/without using a proxy

# using proxy
GET http://www.example.com:12345/ HTTP/1.1
Host: www.example.com:12345
User-Agent: curl/8.15.0
Accept: */*
Proxy-Connection: Keep-Alive

###

# noproxy
GET / HTTP/1.1
Host: www.example.com:12345
User-Agent: curl/8.15.0
Accept: */*

a thought on how to identify the absolute form by either:

use a uri library
check the ":" substring right after the schema (e.g., "http")
ref: https://datatracker.ietf.org/doc/html/rfc3986#appendix-A

While this is a bug in BlueMap (it should be able to handle those as per spec), shouldn't your proxy transform absolute-form to origin-form before forwarding to the target server? Not really a required thing but I imagine that is something desired...?

absolutely true and this is definitely a bug in my craft; i just realized that this is a thing in the http spec lol

correction: using a socks5 proxy, curl won't send in the absolute-form; it happens while using a http proxy instead

Could you explain reproduce-step 1 a bit more for the people who don't know about this stuff?
What software do you use to do something like that? And which configurations?

i use the proxy that i wrote for myself so this is not a popular software by any means. this is the link to the software: https://github.com/Banyc/proxy

this is a better example for a broader audience: https://datatracker.ietf.org/doc/html/rfc1928

in our context, the "server" is the said "proxy software", and the "target host" is the bluemap endpoint that accepts http requests.

	private HttpResponse generateResponse(HttpRequest request) throws IOException {
	String path = request.getPath();

	// normalize path
	if (path.startsWith("/")) path = path.substring(1);
	if (path.endsWith("/")) path = path.substring(0, path.length() - 1);

	Path filePath;
	try {
	filePath = webRoot.resolve(path);
	} catch (InvalidPathException e){
	return new HttpResponse(HttpStatusCode.NOT_FOUND);
	}

Share to

What i did / Steps to reproduce

Expected result

Actual result

Context