restlet / restlet-framework-java

The first REST API framework for Java
https://restlet.talend.com

Receiving X-Forwarded-Port header containing anything other than a number breaks the servlet #1385

Open mormegil-cz opened 3 years ago

mormegil-cz commented 3 years ago

When a request arrives containing an HTTP header X-Forwarded-Port with anything other than a valid int value (e.g. two port numbers separated by a comma, “443,80”), an exception is thrown and the servlet does not work.

See https://github.com/restlet/restlet-framework-java/blob/0af3e483fd4d06cf10b0463a1ecee3e88baefef1/modules/org.restlet/src/main/java/org/restlet/engine/util/ReferenceUtils.java#L114 where the header value is unconditionally parsed using Integer.parseInt which throws on any non-int input, with the exception not being caught.

This is wrong: 1. The header is nonstandard; you cannot assume its format in such a strict way. 2. Our infrastructure/microservice architecture causes the requests to pass through multiple layers of proxies/LBs, with the final request containing a list of forwarding agents in the X-Forwarded-* headers (cf. MDN’s description of X-Forwarded-For). And… restlet crashes when multiple port numbers are received in the X-Forwarded-Port header.

You might want to extract a single (well… the first one? the last one?) value from the list? But anyway, never crash on receiving an invalid non-standard header (not even for X-Forwarded-Port: foo,bar,?).
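An added example (not Restlet's code, not from the reporter) showing the behaviour described above side by side: a strict parse that throws on a comma-separated or non-numeric value, beside a tolerant parse that never throws. Picking the first list entry is an assumption made here; the issue leaves open which entry to use.

```java
import java.util.OptionalInt;

public final class ForwardedPortParser {

    /** Mirrors the fragile pattern: Integer.parseInt throws on "443,80" or "foo". */
    static int parsePortStrict(String headerValue) {
        return Integer.parseInt(headerValue);
    }

    /**
     * Tolerant variant: takes the first comma-separated entry (assumption: the value
     * set by the proxy nearest the client, as with X-Forwarded-For ordering), trims it,
     * and accepts only ASCII digits in the TCP port range. Never throws; an empty
     * result means "ignore the header and fall back to the request's own port".
     */
    static OptionalInt parsePortLenient(String headerValue) {
        if (headerValue == null) return OptionalInt.empty();
        String first = headerValue.split(",", -1)[0].trim();
        // Reject empty strings and anything too long to be a port, before parsing.
        if (first.isEmpty() || first.length() > 5) return OptionalInt.empty();
        for (int i = 0; i < first.length(); i++) {
            char c = first.charAt(i);
            if (c < '0' || c > '9') return OptionalInt.empty();
        }
        int port = Integer.parseInt(first); // cannot throw: at most 5 ASCII digits
        return (port >= 1 && port <= 65535) ? OptionalInt.of(port) : OptionalInt.empty();
    }

    public static void main(String[] args) {
        // Constructed sample header values, including the ones quoted in the issue.
        String[] samples = { "443", "443,80", " 8080 , 443", "foo,bar,?", "", "70000" };
        for (String s : samples) {
            String strict;
            try {
                strict = String.valueOf(parsePortStrict(s));
            } catch (NumberFormatException e) {
                strict = "NumberFormatException";
            }
            System.out.printf("%-14s strict=%-22s lenient=%s%n",
                    "\"" + s + "\"", strict, parsePortLenient(s));
        }
    }
}
```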

thboileau commented 3 years ago

Hi @mormegil-cz, can you tell us which version of the framework you are using?

mormegil-cz commented 3 years ago

2.3.12