[GH-ISSUE #433] HTTP requests may be made to wrong URL #304

New issue

Open

opened 2026-02-28 01:24:04 +03:00 by kerem · 3 comments

kerem commented 2026-02-28 01:24:04 +03:00

Owner

Copy link

Originally created by @alxndrsn on GitHub (Apr 8, 2016).
Original GitHub issue: https://github.com/ushahidi/SMSSync/issues/433

Both HTTP client implementations in the codebase, AppHttpClient and MessageHttpClient, depend on the same base class, BaseHttpClient.

Usage

MessageHttpClient

MessageHttpClient is mostly used in PostMessage. PostMessage is a singleton, and maintains a single reference to MessageHttpClient.

AppHttpClient

This class is mostly used by ProcessMessageResult, which is also a singleton and maintains a single reference to AppHttpClient.

The Problem

BaseHttpClient stores the URL to be contacted in a class property, which is done at various places:

• https://github.com/ushahidi/SMSSync/blob/master/smssync/src/main/java/org/addhen/smssync/data/net/MessageHttpClient.java#L113
• https://github.com/ushahidi/SMSSync/blob/master/smssync/src/main/java/org/addhen/smssync/data/net/AppHttpClient.java#L70
• https://github.com/ushahidi/SMSSync/blob/master/smssync/src/main/java/org/addhen/smssync/data/net/BaseHttpClient.java#L70

This value is then read later in BaseHttpClient.execute() (in prepareRequest()).

In the intervening time between BaseHttpClient.mUrl being set in setUrl(), and being read in execute(), its value may have changed on another thread.

---

I had initially missed that both HTTP client classes are declared as singletons:

• https://github.com/ushahidi/SMSSync/blob/master/smssync/src/main/java/org/addhen/smssync/data/net/AppHttpClient.java#L50
• https://github.com/ushahidi/SMSSync/blob/master/smssync/src/main/java/org/addhen/smssync/data/net/MessageHttpClient.java#L53

This presumably means that a single instance is shared wherever DI is used (which seems currently to cover all uses of these classes).

Originally created by @alxndrsn on GitHub (Apr 8, 2016). Original GitHub issue: https://github.com/ushahidi/SMSSync/issues/433 Both HTTP client implementations in the codebase, [`AppHttpClient`](https://github.com/ushahidi/SMSSync/blob/master/smssync/src/main/java/org/addhen/smssync/data/net/AppHttpClient.java) and [`MessageHttpClient`](https://github.com/ushahidi/SMSSync/blob/master/smssync/src/main/java/org/addhen/smssync/data/net/MessageHttpClient.java), depend on the same base class, [`BaseHttpClient`](https://github.com/ushahidi/SMSSync/blob/master/smssync/src/main/java/org/addhen/smssync/data/net/BaseHttpClient.java). # Usage ## `MessageHttpClient` `MessageHttpClient` is mostly used in `PostMessage`. [`PostMessage` is a singleton](https://github.com/ushahidi/SMSSync/blob/master/smssync/src/main/java/org/addhen/smssync/data/message/PostMessage.java#L56), and [maintains a single reference to `MessageHttpClient`](https://github.com/ushahidi/SMSSync/blob/master/smssync/src/main/java/org/addhen/smssync/data/message/PostMessage.java#L59). ## `AppHttpClient` This class is mostly used by [`ProcessMessageResult`](https://github.com/ushahidi/SMSSync/blob/master/smssync/src/main/java/org/addhen/smssync/data/message/ProcessMessageResult.java), which [is also a singleton](https://github.com/ushahidi/SMSSync/blob/master/smssync/src/main/java/org/addhen/smssync/data/message/ProcessMessageResult.java#L59) and maintains a single reference to `AppHttpClient`. # The Problem `BaseHttpClient` stores the URL to be contacted [in a class property](https://github.com/ushahidi/SMSSync/blob/master/smssync/src/main/java/org/addhen/smssync/data/net/BaseHttpClient.java#L70), which is done at various places: - https://github.com/ushahidi/SMSSync/blob/master/smssync/src/main/java/org/addhen/smssync/data/net/MessageHttpClient.java#L113 - https://github.com/ushahidi/SMSSync/blob/master/smssync/src/main/java/org/addhen/smssync/data/net/AppHttpClient.java#L70 - https://github.com/ushahidi/SMSSync/blob/master/smssync/src/main/java/org/addhen/smssync/data/net/BaseHttpClient.java#L70 This value is then read later in [`BaseHttpClient.execute()`](https://github.com/ushahidi/SMSSync/blob/master/smssync/src/main/java/org/addhen/smssync/data/net/BaseHttpClient.java#L70) (in `prepareRequest()`). In the intervening time between `BaseHttpClient.mUrl` being set in `setUrl()`, and being read in `execute()`, its value may have changed on another thread. --- I had initially missed that both HTTP client classes are declared as singletons: - https://github.com/ushahidi/SMSSync/blob/master/smssync/src/main/java/org/addhen/smssync/data/net/AppHttpClient.java#L50 - https://github.com/ushahidi/SMSSync/blob/master/smssync/src/main/java/org/addhen/smssync/data/net/MessageHttpClient.java#L53 This presumably means that a single instance is shared wherever DI is used (which seems currently to cover all uses of these classes).

kerem commented 2026-02-28 01:24:05 +03:00

Author

Owner

Copy link

@eyedol commented on GitHub (Apr 22, 2016):

@alxndrsn I really don't understand this. Could you be clear on what needs changing or fixing? I need coffee :-)

<!-- gh-comment-id:213274682 --> @eyedol commented on GitHub (Apr 22, 2016): @alxndrsn I really don't understand this. Could you be clear on what needs changing or fixing? I need coffee :-)

kerem commented 2026-02-28 01:24:05 +03:00

Author

Owner

Copy link

@alxndrsn commented on GitHub (Apr 22, 2016):

I think the simplest fix would be to use a fresh instance of MessageHttpClient/AppHttpClient for each request.

<!-- gh-comment-id:213340615 --> @alxndrsn commented on GitHub (Apr 22, 2016): I think the simplest fix would be to use a fresh instance of `MessageHttpClient`/`AppHttpClient` for each request.

kerem commented 2026-02-28 01:24:05 +03:00

Author

Owner

Copy link

@eyedol commented on GitHub (Apr 27, 2016):

Got it

<!-- gh-comment-id:214925603 --> @eyedol commented on GitHub (Apr 27, 2016): Got it

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

fix-local-web-client-ssl-error

473-add-firebase-crash-reporting-support

fix-duplicate-messages

fix-app-crashes

466-add-link-to-privacy-policy

461-fix-multiple-sync-of-a-message

447-upgrade-raiburari

415-remove-read-phone-state-permission

420-dont-log-misleading-mesgs

414-whitelist-causes-dup-sync

410-remove-unused-fields

440-add-support-for-github-templates

364-secret-key-getting-duplicated

gh-pages

legacy-2.x.x

v3.1.1

v3.1.0

v3.0.5

v3.0.4

v3.0.3

v3.0.2

v3.0.1

v3.0.0

v2.8.3

v2.8.2

v2.8.1

v2.8.0

v2.8.0-rc.1

v2.8.0-beta.1

v2.8.0-alpha.3

v2.8.0-alpha.2

v2.8.0-alpha.1

v2.7.3

v2.7.2

v2.7.1

v2.7

v2.6.1

v2.6

v2.5.1

v2.5

v2.4

v2.4-alpha-3

v2.4-alpha-2

v2.4-alpha-1

v2.3

v2.0.2

v2.0.1

v2.0.0

v1.1.9

v1.0.9

v1.0.8

v1.0.7

v1.0.6

v1.0.5

v1.0.4

v1.0.3

v1.0.2

v1.0.1

v1.0

Labels

Clear labels   

Bug report

  

Code improvement

  

Concern

  

Feature request

  

Feature request

  

Good first issue to work on

  

In progress

  

Needs info

  

Question

  

Ready

  

Translation

  

User Experience

  

User Experience

  

Website

  

pull-request

Mirrored from GitHub Pull Request

No labels

Bug report

Code improvement

Concern

Feature request

Feature request

Good first issue to work on

In progress

Needs info

Question

Ready

Translation

User Experience

User Experience

Website

pull-request

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/SMSSync#304

No description provided.