  1. Dev - Nexus Repo
  2. NEXUS-22313

Invalid content-range header returned from Nexus Repo 2.x.


    Details

    • Notability:
      3

      Description

      Nexus Repo 2.x returns the "Content-Range" header in an invalid format. This can cause requesting clients to drop the connection. To reproduce:

      curl -vH "Range: bytes=10-20" http://localhost:8081/nexus/content/repositories/central/commons-lang/commons-lang/2.6/commons-lang-2.6.jar -o /dev/null
      

      Observe that this returns:

      Content-Range: 10-20/284220
      

      Note that it is missing the range unit, as in:

      Content-Range: bytes 10-20/284220
      

      The range unit is not optional:

      https://tools.ietf.org/html/rfc7233#section-4.2

      The problematic code is here:

      https://github.com/sonatype/nexus-public/blob/release-2.14.15-01/plugins/basic/nexus-content-plugin/src/main/java/org/sonatype/nexus/content/internal/ContentServlet.java#L541

      This can be trivially fixed with:

      --- a/plugins/basic/nexus-content-plugin/src/main/java/org/sonatype/nexus/content/internal/ContentServlet.java
      +++ b/plugins/basic/nexus-content-plugin/src/main/java/org/sonatype/nexus/content/internal/ContentServlet.java
      @@ -538,7 +538,7 @@ public class ContentServlet
             response.setStatus(SC_PARTIAL_CONTENT);
             response.setHeader("Content-Length", String.valueOf(bodySize));
             response.setHeader("Content-Range",
      -          range.lowerEndpoint() + "-" + range.upperEndpoint() + "/" + file.getLength());
      +          "bytes " + range.lowerEndpoint() + "-" + range.upperEndpoint() + "/" + file.getLength());
             if (contentNeeded) {
               try (final InputStream in = file.getInputStream()) {
                 in.skip(range.lowerEndpoint());
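
      Review bot: The corrected `Content-Range` line ships without a regression test, since this patch touches only ContentServlet.java. Add one that issues the reproduction request (`Range: bytes=10-20`) and asserts the header equals `bytes 10-20/284220`, so the unit cannot be dropped again. Consider pulling the `"bytes "` literal into a named constant. Separately, the unchanged context line `in.skip(range.lowerEndpoint());` ignores the return value; `InputStream.skip` may skip fewer bytes than requested, so the body could start at the wrong offset while the header claims otherwise. Loop until the full offset has been skipped.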
      
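The Content-Range format this issue turns on can be checked on the client side with a strict parser. The following is an added example, not code from Nexus or from the reporter: the function names are hypothetical, the grammar is the byte-content-range rule from RFC 7233 section 4.2, and the two sample header values are the ones quoted in the description.

```python
import re
from typing import NamedTuple, Optional

# byte-content-range (RFC 7233 section 4.2): the unit and a single SP are mandatory.
_BYTE_RANGE = re.compile(r"bytes (?:([0-9]+)-([0-9]+)/([0-9]+|\*)|\*/([0-9]+))")
_UNITLESS = re.compile(r"[0-9]+-[0-9]+/([0-9]+|\*)")

HEADER_NEXUS_2X = "10-20/284220"        # value reported in this issue
HEADER_FIXED = "bytes 10-20/284220"     # value after the proposed fix


class ContentRange(NamedTuple):
    first: Optional[int]      # None for the unsatisfied form "bytes */N"
    last: Optional[int]
    complete: Optional[int]   # None when the complete length is "*"


def parse_content_range(value: str) -> ContentRange:
    """Parse a Content-Range value strictly; raise ValueError if malformed."""
    m = _BYTE_RANGE.fullmatch(value)
    if m is None:
        if _UNITLESS.fullmatch(value):
            raise ValueError("missing range unit: %r" % value)
        raise ValueError("not a byte-content-range: %r" % value)
    if m.group(4) is not None:
        return ContentRange(None, None, int(m.group(4)))
    first, last = int(m.group(1)), int(m.group(2))
    complete = None if m.group(3) == "*" else int(m.group(3))
    # The RFC calls the value invalid if last < first or complete-length <= last.
    if last < first or (complete is not None and complete <= last):
        raise ValueError("inconsistent byte range: %r" % value)
    return ContentRange(first, last, complete)


def check_206(req_first: int, req_last: int, header: str, body_len: int) -> ContentRange:
    """Check a 206 reply to 'Range: bytes=req_first-req_last' (strict client policy)."""
    cr = parse_content_range(header)
    if cr.first is None:
        raise ValueError("unsatisfied-range form is not valid on a 206")
    if cr.first != req_first or cr.last > req_last:
        raise ValueError("returned range does not match the request")
    if body_len != cr.last - cr.first + 1:
        raise ValueError("body length does not match Content-Range")
    return cr
```
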

       


              People

              Assignee:
              dbradicich Damian Bradicich
              Reporter:
              rseddon Rich Seddon
              Last Updated By:
              Michael Prescott Michael Prescott
              Team:
              NXRM - Neo