Merge branch `jetty-9.4.x` into `jetty-10.0.x`

Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>

# Conflicts:
#	Jenkinsfile
#	jetty-server/src/test/java/org/eclipse/jetty/server/ForwardedRequestCustomizerTest.java
#	jetty-websocket/websocket-common/src/main/java/org/eclipse/jetty/websocket/common/io/AbstractWebSocketConnection.java
#	jetty-websocket/websocket-common/src/main/java/org/eclipse/jetty/websocket/common/io/ReadState.java
#	jetty-websocket/websocket-common/src/test/java/org/eclipse/jetty/websocket/common/io/ReadStateTest.java
#	tests/test-distribution/src/test/java/org/eclipse/jetty/tests/distribution/CDITests.java
Joakim Erdfelt 2019-08-14 09:39:06 -05:00
commit 3544283865
10 changed files with 692 additions and 663 deletions

Jenkinsfile vendored

@ -42,34 +42,35 @@ pipeline {
stage("Build / Test - JDK12") { stage("Build / Test - JDK12") {
agent { node { label 'linux' } } agent { node { label 'linux' } }
options { timeout(time: 120, unit: 'MINUTES') }
steps { steps {
timeout(time: 120, unit: 'MINUTES') {
mavenBuild("jdk12", "-Pmongodb install", "maven3", true) mavenBuild("jdk12", "-Pmongodb install", "maven3", true)
warnings consoleParsers: [[parserName: 'Maven'], [parserName: 'Java']] warnings consoleParsers: [[parserName: 'Maven'], [parserName: 'Java']]
junit testResults: '**/target/surefire-reports/*.xml,**/target/invoker-reports/TEST*.xml' junit testResults: '**/target/surefire-reports/*.xml,**/target/invoker-reports/TEST*.xml'
} }
} }
}
stage("Build Javadoc") { stage("Build Javadoc") {
agent { node { label 'linux' } } agent { node { label 'linux' } }
options { timeout(time: 30, unit: 'MINUTES') }
steps { steps {
mavenBuild("jdk11", "install javadoc:javadoc -DskipTests", "maven3", true) timeout(time: 30, unit: 'MINUTES') {
mavenBuild("jdk11", "install javadoc:javadoc javadoc:aggregate-jar -DskipTests", "maven3", true)
warnings consoleParsers: [[parserName: 'Maven'], [parserName: 'JavaDoc'], [parserName: 'Java']] warnings consoleParsers: [[parserName: 'Maven'], [parserName: 'JavaDoc'], [parserName: 'Java']]
} }
} }
}
stage("Checkstyle ") { stage("Checkstyle ") {
agent { node { label 'linux' } } agent { node { label 'linux' } }
options { timeout(time: 30, unit: 'MINUTES') }
steps { steps {
mavenBuild("jdk11", "install -DskipTests", "maven3", true) timeout(time: 30, unit: 'MINUTES') {
mavenBuild("jdk11", "install -f build-resources", "maven3", true) mavenBuild("jdk11", "install -f build-resources", "maven3", true)
mavenBuild("jdk11", "install checkstyle:check -DskipTests", "maven3", true) mavenBuild("jdk11", "install checkstyle:check -DskipTests", "maven3", true)
recordIssues( recordIssues(
enabledForFailure: true, aggregatingResults: true, enabledForFailure: true, aggregatingResults: true,
tools: [java(), checkStyle(pattern: '**/target/checkstyle-result.xml', reportEncoding: 'UTF-8')] tools: [java(), checkStyle(pattern: '**/target/checkstyle-result.xml', reportEncoding: 'UTF-8')])
) }
} }
} }
} }
@ -91,10 +92,8 @@ pipeline {
def slackNotif() { def slackNotif() {
script { script {
try try {
{ if (env.BRANCH_NAME == 'jetty-10.0.x' || env.BRANCH_NAME == 'jetty-9.4.x') {
if ( env.BRANCH_NAME == 'jetty-10.0.x' || env.BRANCH_NAME == 'jetty-9.4.x' )
{
//BUILD_USER = currentBuild.rawBuild.getCause(Cause.UserIdCause).getUserId() //BUILD_USER = currentBuild.rawBuild.getCause(Cause.UserIdCause).getUserId()
// by ${BUILD_USER} // by ${BUILD_USER}
COLOR_MAP = ['SUCCESS': 'good', 'FAILURE': 'danger', 'UNSTABLE': 'danger', 'ABORTED': 'danger'] COLOR_MAP = ['SUCCESS': 'good', 'FAILURE': 'danger', 'UNSTABLE': 'danger', 'ABORTED': 'danger']
@ -128,7 +127,7 @@ def mavenBuild(jdk, cmdline, mvnName, junitPublishDisabled) {
maven: mvnName, maven: mvnName,
jdk: "$jdk", jdk: "$jdk",
publisherStrategy: 'EXPLICIT', publisherStrategy: 'EXPLICIT',
options: [junitPublisher(disabled: junitPublishDisabled),mavenLinkerPublisher(disabled: false),pipelineGraphPublisher(disabled: false)], options: [junitPublisher(disabled: junitPublishDisabled), mavenLinkerPublisher(disabled: false), pipelineGraphPublisher(disabled: false)],
mavenOpts: mavenOpts, mavenOpts: mavenOpts,
mavenLocalRepo: localRepo) { mavenLocalRepo: localRepo) {
// Some common Maven command line + provided command line // Some common Maven command line + provided command line


@ -28,6 +28,15 @@ If you would like to report a security issue please follow these link:#security-
|======================================================================= |=======================================================================
|yyyy/mm/dd |ID |Exploitable |Severity |Affects |Fixed Version |Comment |yyyy/mm/dd |ID |Exploitable |Severity |Affects |Fixed Version |Comment
|2019/04/11 |CVE-2019-10247 |Med |Med |< = 9.4.16 |9.2.28, 9.3.27, 9.4.17
|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10247[If no webapp was mounted to the root namespace and a 404 was encountered, an HTML page would be generated displaying the fully qualified base resource location for each context.]
|2019/04/11 |CVE-2019-10246 |High |High |< = 9.4.16 |9.2.28, 9.3.27, 9.4.17
|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10246[Use of `DefaultServlet` or `ResourceHandler` with indexing was vulnerable to XSS behaviors to expose the directory listing on Windows operating systems.]
|2019/04/11 |CVE-2019-10241 |High |High |< = 9.4.15 |9.2.27, 9.3.26, 9.4.16
|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10241[Use of `DefaultServlet` or `ResourceHandler` with indexing was vulnerable to XSS behaviors to expose the directory listing.]
|2018/06/25 |CVE-2018-12538 |High |High |>= 9.4.0, < = 9.4.8 |9.4.9 |2018/06/25 |CVE-2018-12538 |High |High |>= 9.4.0, < = 9.4.8 |9.4.9
|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12538[`HttpSessions` present specifically in the FileSystems storage could be hijacked/accessed by an unauthorized user.] |https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12538[`HttpSessions` present specifically in the FileSystems storage could be hijacked/accessed by an unauthorized user.]


@ -35,8 +35,6 @@ import org.eclipse.jetty.util.ArrayTrie;
import org.eclipse.jetty.util.HostPort; import org.eclipse.jetty.util.HostPort;
import org.eclipse.jetty.util.StringUtil; import org.eclipse.jetty.util.StringUtil;
import org.eclipse.jetty.util.Trie; import org.eclipse.jetty.util.Trie;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.Logger;
import static java.lang.invoke.MethodType.methodType; import static java.lang.invoke.MethodType.methodType;
@ -63,8 +61,6 @@ import static java.lang.invoke.MethodType.methodType;
*/ */
public class ForwardedRequestCustomizer implements Customizer public class ForwardedRequestCustomizer implements Customizer
{ {
private static final Logger LOG = Log.getLogger(ForwardedRequestCustomizer.class);
private HostPortHttpField _forcedHost; private HostPortHttpField _forcedHost;
private boolean _proxyAsAuthority = false; private boolean _proxyAsAuthority = false;
private boolean _forwardedPortAsAuthority = true; private boolean _forwardedPortAsAuthority = true;
@ -236,7 +232,7 @@ public class ForwardedRequestCustomizer implements Customizer
public String getForwardedPortHeader() public String getForwardedPortHeader()
{ {
return _forwardedHostHeader; return _forwardedPortHeader;
} }
/** /**
@ -244,9 +240,9 @@ public class ForwardedRequestCustomizer implements Customizer
*/ */
public void setForwardedPortHeader(String forwardedPortHeader) public void setForwardedPortHeader(String forwardedPortHeader)
{ {
if (_forwardedHostHeader == null || !_forwardedHostHeader.equalsIgnoreCase(forwardedPortHeader)) if (_forwardedPortHeader == null || !_forwardedPortHeader.equalsIgnoreCase(forwardedPortHeader))
{ {
_forwardedHostHeader = forwardedPortHeader; _forwardedPortHeader = forwardedPortHeader;
updateHandles(); updateHandles();
} }
} }
@ -456,32 +452,32 @@ public class ForwardedRequestCustomizer implements Customizer
{ {
int size = 0; int size = 0;
MethodHandles.Lookup lookup = MethodHandles.lookup(); MethodHandles.Lookup lookup = MethodHandles.lookup();
MethodType type = methodType(Void.TYPE, HttpField.class);
// Loop to grow capacity of ArrayTrie for all headers
while (true) while (true)
{ {
try try
{ {
size += 128; size += 128; // experimented good baseline size
_handles = new ArrayTrie<>(size); _handles = new ArrayTrie<>(size);
if (_forwardedCipherSuiteHeader != null && !_handles.put(_forwardedCipherSuiteHeader, lookup.findVirtual(Forwarded.class, "handleCipherSuite", type))) if (updateForwardedHandle(lookup, getForwardedCipherSuiteHeader(), "handleCipherSuite"))
continue; continue;
if (_forwardedSslSessionIdHeader != null && !_handles.put(_forwardedSslSessionIdHeader, lookup.findVirtual(Forwarded.class, "handleSslSessionId", type))) if (updateForwardedHandle(lookup, getForwardedSslSessionIdHeader(), "handleSslSessionId"))
continue; continue;
if (_forwardedHeader != null && !_handles.put(_forwardedHeader, lookup.findVirtual(Forwarded.class, "handleRFC7239", type))) if (updateForwardedHandle(lookup, getForwardedHeader(), "handleRFC7239"))
continue; continue;
if (_forwardedForHeader != null && !_handles.put(_forwardedForHeader, lookup.findVirtual(Forwarded.class, "handleFor", type))) if (updateForwardedHandle(lookup, getForwardedForHeader(), "handleFor"))
continue; continue;
if (_forwardedPortHeader != null && !_handles.put(_forwardedPortHeader, lookup.findVirtual(Forwarded.class, "handlePort", type))) if (updateForwardedHandle(lookup, getForwardedPortHeader(), "handlePort"))
continue; continue;
if (_forwardedHostHeader != null && !_handles.put(_forwardedHostHeader, lookup.findVirtual(Forwarded.class, "handleHost", type))) if (updateForwardedHandle(lookup, getForwardedHostHeader(), "handleHost"))
continue; continue;
if (_forwardedProtoHeader != null && !_handles.put(_forwardedProtoHeader, lookup.findVirtual(Forwarded.class, "handleProto", type))) if (updateForwardedHandle(lookup, getForwardedProtoHeader(), "handleProto"))
continue; continue;
if (_forwardedHttpsHeader != null && !_handles.put(_forwardedHttpsHeader, lookup.findVirtual(Forwarded.class, "handleHttps", type))) if (updateForwardedHandle(lookup, getForwardedHttpsHeader(), "handleHttps"))
continue; continue;
if (_forwardedServerHeader != null && !_handles.put(_forwardedServerHeader, lookup.findVirtual(Forwarded.class, "handleServer", type))) if (updateForwardedHandle(lookup, getForwardedServerHeader(), "handleServer"))
continue; continue;
break; break;
} }
@ -492,6 +488,16 @@ public class ForwardedRequestCustomizer implements Customizer
} }
} }
private boolean updateForwardedHandle(MethodHandles.Lookup lookup, String headerName, String forwardedMethodName) throws NoSuchMethodException, IllegalAccessException
{
final MethodType type = methodType(void.class, HttpField.class);
if (StringUtil.isBlank(headerName))
return false;
return !_handles.put(headerName, lookup.findVirtual(Forwarded.class, forwardedMethodName, type));
}
private static class ForcedHostPort extends HostPort private static class ForcedHostPort extends HostPort
{ {
ForcedHostPort(String authority) ForcedHostPort(String authority)
@ -548,6 +554,7 @@ public class ForwardedRequestCustomizer implements Customizer
_host = _forcedHost.getHostPort(); _host = _forcedHost.getHostPort();
} }
@SuppressWarnings("unused")
public void handleCipherSuite(HttpField field) public void handleCipherSuite(HttpField field)
{ {
_request.setAttribute("javax.servlet.request.cipher_suite", field.getValue()); _request.setAttribute("javax.servlet.request.cipher_suite", field.getValue());
@ -558,6 +565,7 @@ public class ForwardedRequestCustomizer implements Customizer
} }
} }
@SuppressWarnings("unused")
public void handleSslSessionId(HttpField field) public void handleSslSessionId(HttpField field)
{ {
_request.setAttribute("javax.servlet.request.ssl_session_id", field.getValue()); _request.setAttribute("javax.servlet.request.ssl_session_id", field.getValue());
@ -570,7 +578,7 @@ public class ForwardedRequestCustomizer implements Customizer
public void handleHost(HttpField field) public void handleHost(HttpField field)
{ {
if (_forwardedPortAsAuthority && !StringUtil.isEmpty(_forwardedPortHeader)) if (getForwardedPortAsAuthority() && !StringUtil.isEmpty(getForwardedPortHeader()))
{ {
if (_host == null) if (_host == null)
_host = new PossiblyPartialHostPort(getLeftMost(field.getValue())); _host = new PossiblyPartialHostPort(getLeftMost(field.getValue()));
@ -583,22 +591,25 @@ public class ForwardedRequestCustomizer implements Customizer
} }
} }
@SuppressWarnings("unused")
public void handleServer(HttpField field) public void handleServer(HttpField field)
{ {
if (_proxyAsAuthority) if (getProxyAsAuthority())
return; return;
handleHost(field); handleHost(field);
} }
@SuppressWarnings("unused")
public void handleProto(HttpField field) public void handleProto(HttpField field)
{ {
if (_proto == null) if (_proto == null)
_proto = getLeftMost(field.getValue()); _proto = getLeftMost(field.getValue());
} }
@SuppressWarnings("unused")
public void handleFor(HttpField field) public void handleFor(HttpField field)
{ {
if (!_forwardedPortAsAuthority && !StringUtil.isEmpty(_forwardedPortHeader)) if (!getForwardedPortAsAuthority() && !StringUtil.isEmpty(getForwardedPortHeader()))
{ {
if (_for == null) if (_for == null)
_for = new PossiblyPartialHostPort(getLeftMost(field.getValue())); _for = new PossiblyPartialHostPort(getLeftMost(field.getValue()));
@ -611,9 +622,10 @@ public class ForwardedRequestCustomizer implements Customizer
} }
} }
@SuppressWarnings("unused")
public void handlePort(HttpField field) public void handlePort(HttpField field)
{ {
if (!_forwardedPortAsAuthority) if (!getForwardedPortAsAuthority())
{ {
if (_for == null) if (_for == null)
_for = new PortSetHostPort(_request.getRemoteHost(), field.getIntValue()); _for = new PortSetHostPort(_request.getRemoteHost(), field.getIntValue());
@ -629,12 +641,14 @@ public class ForwardedRequestCustomizer implements Customizer
} }
} }
@SuppressWarnings("unused")
public void handleHttps(HttpField field) public void handleHttps(HttpField field)
{ {
if (_proto == null && ("on".equalsIgnoreCase(field.getValue()) || "true".equalsIgnoreCase(field.getValue()))) if (_proto == null && ("on".equalsIgnoreCase(field.getValue()) || "true".equalsIgnoreCase(field.getValue())))
_proto = HttpScheme.HTTPS.asString(); _proto = HttpScheme.HTTPS.asString();
} }
@SuppressWarnings("unused")
public void handleRFC7239(HttpField field) public void handleRFC7239(HttpField field)
{ {
addValue(field.getValue()); addValue(field.getValue());
@ -650,11 +664,11 @@ public class ForwardedRequestCustomizer implements Customizer
switch (name) switch (name)
{ {
case "by": case "by":
if (!_proxyAsAuthority) if (!getProxyAsAuthority())
break; break;
if (value.startsWith("_") || "unknown".equals(value)) if (value.startsWith("_") || "unknown".equals(value))
break; break;
if (_proxyAsAuthority && (_host == null || !(_host instanceof Rfc7239HostPort))) if (_host == null || !(_host instanceof Rfc7239HostPort))
_host = new Rfc7239HostPort(value); _host = new Rfc7239HostPort(value);
break; break;
case "for": case "for":
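Review bot: The boolean returned by the new updateForwardedHandle helper (hunk at @@ -492,6 +488,16) is true when `_handles.put` fails, i.e. the ArrayTrie is full and the caller loop in updateHandles must grow it and retry, so the method name reads as the opposite of what its value means. A Javadoc on the helper would stop the next reader from treating it as a success flag: `/** @return true if the trie had no room for headerName and the caller must grow it and retry; false once the handle is registered or when headerName is blank. */`. Note also that the old inline checks compared each header name against null, while the helper uses `StringUtil.isBlank`, so a whitespace-only header name is now silently skipped instead of registered; that is worth stating in the same Javadoc. The `type` MethodType is identical for every handler and could be a `private static final MethodType HANDLE_TYPE = methodType(void.class, HttpField.class);` instead of being rebuilt on each call, before the blank check. The enclosing class and the updateHandles loop continue outside the hunk.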


@ -304,7 +304,7 @@
<id>attach-sources</id> <id>attach-sources</id>
<phase>process-classes</phase> <phase>process-classes</phase>
<goals> <goals>
<goal>jar-no-fork</goal> <goal>jar</goal>
</goals> </goals>
<configuration> <configuration>
<archive> <archive>
@ -548,11 +548,6 @@
</archive> </archive>
</configuration> </configuration>
</plugin> </plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-gpg-plugin</artifactId>
<version>1.6</version>
</plugin>
<plugin> <plugin>
<groupId>org.apache.maven.plugins</groupId> <groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId> <artifactId>maven-javadoc-plugin</artifactId>
@ -1267,7 +1262,6 @@
</execution> </execution>
</executions> </executions>
</plugin> </plugin>
<!-- already part of the release-jetty.sh script
<plugin> <plugin>
<groupId>org.apache.maven.plugins</groupId> <groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-gpg-plugin</artifactId> <artifactId>maven-gpg-plugin</artifactId>
@ -1282,7 +1276,6 @@
</execution> </execution>
</executions> </executions>
</plugin> </plugin>
-->
</plugins> </plugins>
</build> </build>
</profile> </profile>
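Review bot: Switching the attach-sources execution from `jar-no-fork` to `jar` (hunk at @@ -304,7 +304,7) changes how maven-source-plugin runs: the `jar` goal forks the `generate-sources` lifecycle phase, which is why `jar-no-fork` is the form normally bound to a phase, and a forked phase re-runs whatever plugins are bound to it on every build. If the switch is deliberate so the pom matches the `source:jar` invocation added to the release script in this same commit, a comment next to the execution saying so would keep it from being reverted later, e.g. `<!-- 'jar' rather than 'jar-no-fork': kept in step with the source:jar goal used by release-jetty.sh -->`. The second hunk drops the standalone maven-gpg-plugin declaration while the later hunks uncomment the profile-scoped one, which appears intended. The enclosing plugin and profile blocks start and end outside the hunks.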


@ -167,7 +167,7 @@ if proceedyn "Are you sure you want to release using above? (y/N)" n; then
# This is equivalent to 'mvn release:perform' # This is equivalent to 'mvn release:perform'
if proceedyn "Build/Deploy from tag $TAG_NAME? (Y/n)" y; then if proceedyn "Build/Deploy from tag $TAG_NAME? (Y/n)" y; then
git checkout $TAG_NAME git checkout $TAG_NAME
mvn clean package gpg:sign javadoc:aggregate-jar deploy \ mvn clean package source:jar javadoc:jar gpg:sign javadoc:aggregate-jar deploy \
-Peclipse-release $DEPLOY_OPTS -Peclipse-release $DEPLOY_OPTS
reportMavenTestFailures reportMavenTestFailures
git checkout $GIT_BRANCH_ID git checkout $GIT_BRANCH_ID


@ -42,12 +42,13 @@ public class CDITests extends AbstractDistributionTest
// Tests from here use these parameters // Tests from here use these parameters
public static Stream<Arguments> tests() public static Stream<Arguments> tests()
{ {
Consumer<DistributionTester> removeJettyWebXml = d -> Consumer<DistributionTester> renameJettyWebOwbXml = d ->
{ {
try try
{ {
Path jettyWebOwbXml = d.getJettyBase().resolve("webapps/demo/WEB-INF/jetty-web-owb.xml");
Path jettyWebXml = d.getJettyBase().resolve("webapps/demo/WEB-INF/jetty-web.xml"); Path jettyWebXml = d.getJettyBase().resolve("webapps/demo/WEB-INF/jetty-web.xml");
Files.deleteIfExists(jettyWebXml); Files.move(jettyWebOwbXml, jettyWebXml);
} }
catch(IOException e) catch(IOException e)
{ {
@ -62,7 +63,7 @@ public class CDITests extends AbstractDistributionTest
// TODO Arguments.of("weld", "cdi-decorate", null), // Weld >= 3.1.3 // TODO Arguments.of("weld", "cdi-decorate", null), // Weld >= 3.1.3
// -- Apache OpenWebBeans -- // -- Apache OpenWebBeans --
Arguments.of("owb", "cdi-spi", removeJettyWebXml) Arguments.of("owb", "jsp", renameJettyWebOwbXml)
// Arguments.of("owb", "decorate", null), // Not supported // Arguments.of("owb", "decorate", null), // Not supported
// Arguments.of("owb", "cdi-decorate", null) // Not supported // Arguments.of("owb", "cdi-decorate", null) // Not supported
); );
@ -85,7 +86,7 @@ public class CDITests extends AbstractDistributionTest
String[] args1 = { String[] args1 = {
"--create-startd", "--create-startd",
"--approve-all-licenses", "--approve-all-licenses",
"--add-to-start=http,deploy,annotations,jsp,"+integration "--add-to-start=http,deploy,annotations,jsp" + (integration==null?"":(","+integration))
}; };
try (DistributionTester.Run run1 = distribution.start(args1)) try (DistributionTester.Run run1 = distribution.start(args1))
{ {
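Review bot: `Files.move(jettyWebOwbXml, jettyWebXml)` in the first hunk throws FileAlreadyExistsException if `webapps/demo/WEB-INF/jetty-web.xml` is already present in the demo, whereas the code it replaces deleted that file; if the demo war can ship with one, pass `StandardCopyOption.REPLACE_EXISTING` or keep a `Files.deleteIfExists(jettyWebXml);` before the move. I cannot see from the diff whether the demo contains a jetty-web.xml, so treat this as a check rather than a confirmed failure. In the third hunk the expression `(integration==null?"":(","+integration))` omits the spaces around operators used elsewhere in the file, e.g. `"--add-to-start=http,deploy,annotations,jsp" + (integration == null ? "" : "," + integration)`. The enclosing `tests()` method and the test method in the third hunk start and end outside the hunks.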


@ -1,4 +1,4 @@
<H1>OWB CDI Test Webapp</H1> <H1>CDI Test Webapp</H1>
<H2>CDI Info</H2> <H2>CDI Info</H2>
<iframe src="info" width="100%" height="60%"></iframe> <iframe src="info" width="100%" height="60%"></iframe>


@ -16,7 +16,7 @@
</properties> </properties>
<build> <build>
<finalName>weld-owb-demo</finalName> <finalName>owb-cdi-demo</finalName>
</build> </build>
<dependencies> <dependencies>


@ -1,7 +1,7 @@
<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd"> <!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd">
<Configure id="wac" class="org.eclipse.jetty.webapp.WebAppContext"> <Configure id="wac" class="org.eclipse.jetty.webapp.WebAppContext">
<!-- This file is only needed for cdi2 integration and should be removed if using the cdi module --> <!-- Rename this file to jetty-web.xml if the cdi-spi module is not used-->
<Get id="wal" name="classLoader"/> <Get id="wal" name="classLoader"/>
<Get id="objf" name="objectFactory"> <Get id="objf" name="objectFactory">
<Call name="addDecorator"> <Call name="addDecorator">