Merge branch `jetty-9.4.x` into `jetty-10.0.x`

Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>

# Conflicts:
#	Jenkinsfile
#	jetty-server/src/test/java/org/eclipse/jetty/server/ForwardedRequestCustomizerTest.java
#	jetty-websocket/websocket-common/src/main/java/org/eclipse/jetty/websocket/common/io/AbstractWebSocketConnection.java
#	jetty-websocket/websocket-common/src/main/java/org/eclipse/jetty/websocket/common/io/ReadState.java
#	jetty-websocket/websocket-common/src/test/java/org/eclipse/jetty/websocket/common/io/ReadStateTest.java
#	tests/test-distribution/src/test/java/org/eclipse/jetty/tests/distribution/CDITests.java
Joakim Erdfelt 2019-08-14 09:39:06 -05:00
commit 3544283865
10 changed files with 692 additions and 663 deletions

Jenkinsfile vendored

@ -42,34 +42,35 @@ pipeline {
stage("Build / Test - JDK12") {
agent { node { label 'linux' } }
options { timeout(time: 120, unit: 'MINUTES') }
steps {
timeout(time: 120, unit: 'MINUTES') {
mavenBuild("jdk12", "-Pmongodb install", "maven3", true)
warnings consoleParsers: [[parserName: 'Maven'], [parserName: 'Java']]
junit testResults: '**/target/surefire-reports/*.xml,**/target/invoker-reports/TEST*.xml'
}
}
}
stage("Build Javadoc") {
agent { node { label 'linux' } }
options { timeout(time: 30, unit: 'MINUTES') }
steps {
mavenBuild("jdk11", "install javadoc:javadoc -DskipTests", "maven3", true)
timeout(time: 30, unit: 'MINUTES') {
mavenBuild("jdk11", "install javadoc:javadoc javadoc:aggregate-jar -DskipTests", "maven3", true)
warnings consoleParsers: [[parserName: 'Maven'], [parserName: 'JavaDoc'], [parserName: 'Java']]
}
}
}
stage("Checkstyle ") {
agent { node { label 'linux' } }
options { timeout(time: 30, unit: 'MINUTES') }
steps {
mavenBuild("jdk11", "install -DskipTests", "maven3", true)
timeout(time: 30, unit: 'MINUTES') {
mavenBuild("jdk11", "install -f build-resources", "maven3", true)
mavenBuild("jdk11", "install checkstyle:check -DskipTests", "maven3", true)
recordIssues(
enabledForFailure: true, aggregatingResults: true,
tools: [java(), checkStyle(pattern: '**/target/checkstyle-result.xml', reportEncoding: 'UTF-8')]
)
tools: [java(), checkStyle(pattern: '**/target/checkstyle-result.xml', reportEncoding: 'UTF-8')])
}
}
}
}
@ -91,10 +92,8 @@ pipeline {
def slackNotif() {
script {
try
{
if ( env.BRANCH_NAME == 'jetty-10.0.x' || env.BRANCH_NAME == 'jetty-9.4.x' )
{
try {
if (env.BRANCH_NAME == 'jetty-10.0.x' || env.BRANCH_NAME == 'jetty-9.4.x') {
//BUILD_USER = currentBuild.rawBuild.getCause(Cause.UserIdCause).getUserId()
// by ${BUILD_USER}
COLOR_MAP = ['SUCCESS': 'good', 'FAILURE': 'danger', 'UNSTABLE': 'danger', 'ABORTED': 'danger']
@ -128,7 +127,7 @@ def mavenBuild(jdk, cmdline, mvnName, junitPublishDisabled) {
maven: mvnName,
jdk: "$jdk",
publisherStrategy: 'EXPLICIT',
options: [junitPublisher(disabled: junitPublishDisabled),mavenLinkerPublisher(disabled: false),pipelineGraphPublisher(disabled: false)],
options: [junitPublisher(disabled: junitPublishDisabled), mavenLinkerPublisher(disabled: false), pipelineGraphPublisher(disabled: false)],
mavenOpts: mavenOpts,
mavenLocalRepo: localRepo) {
// Some common Maven command line + provided command line
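Review bot: The `timeout(time: 120, unit: 'MINUTES') {` step added at the top of the JDK12 stage duplicates the stage-level `options { timeout(time: 120, unit: 'MINUTES') }` two lines above it, and the Javadoc and Checkstyle stages repeat the same pattern with 30 minutes. One of the two is redundant and the pair of values can drift apart; if the step-level wrapper is deliberate, a one-line comment above it explaining why both exist would save the next reader the same question. The `pipeline` block starts and ends outside this hunk.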


@ -28,6 +28,15 @@ If you would like to report a security issue please follow these link:#security-
|=======================================================================
|yyyy/mm/dd |ID |Exploitable |Severity |Affects |Fixed Version |Comment
|2019/04/11 |CVE-2019-10247 |Med |Med |< = 9.4.16 |9.2.28, 9.3.27, 9.4.17
|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10247[If no webapp was mounted to the root namespace and a 404 was encountered, an HTML page would be generated displaying the fully qualified base resource location for each context.]
|2019/04/11 |CVE-2019-10246 |High |High |< = 9.4.16 |9.2.28, 9.3.27, 9.4.17
|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10246[Use of `DefaultServlet` or `ResourceHandler` with indexing was vulnerable to XSS behaviors to expose the directory listing on Windows operating systems.]
|2019/04/11 |CVE-2019-10241 |High |High |< = 9.4.15 |9.2.27, 9.3.26, 9.4.16
|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10241[Use of `DefaultServlet` or `ResourceHandler` with indexing was vulnerable to XSS behaviors to expose the directory listing.]
|2018/06/25 |CVE-2018-12538 |High |High |>= 9.4.0, < = 9.4.8 |9.4.9
|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12538[`HttpSessions` present specifically in the FileSystems storage could be hijacked/accessed by an unauthorized user.]


@ -35,8 +35,6 @@ import org.eclipse.jetty.util.ArrayTrie;
import org.eclipse.jetty.util.HostPort;
import org.eclipse.jetty.util.StringUtil;
import org.eclipse.jetty.util.Trie;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.Logger;
import static java.lang.invoke.MethodType.methodType;
@ -63,8 +61,6 @@ import static java.lang.invoke.MethodType.methodType;
*/
public class ForwardedRequestCustomizer implements Customizer
{
private static final Logger LOG = Log.getLogger(ForwardedRequestCustomizer.class);
private HostPortHttpField _forcedHost;
private boolean _proxyAsAuthority = false;
private boolean _forwardedPortAsAuthority = true;
@ -236,7 +232,7 @@ public class ForwardedRequestCustomizer implements Customizer
public String getForwardedPortHeader()
{
return _forwardedHostHeader;
return _forwardedPortHeader;
}
/**
@ -244,9 +240,9 @@ public class ForwardedRequestCustomizer implements Customizer
*/
public void setForwardedPortHeader(String forwardedPortHeader)
{
if (_forwardedHostHeader == null || !_forwardedHostHeader.equalsIgnoreCase(forwardedPortHeader))
if (_forwardedPortHeader == null || !_forwardedPortHeader.equalsIgnoreCase(forwardedPortHeader))
{
_forwardedHostHeader = forwardedPortHeader;
_forwardedPortHeader = forwardedPortHeader;
updateHandles();
}
}
@ -456,32 +452,32 @@ public class ForwardedRequestCustomizer implements Customizer
{
int size = 0;
MethodHandles.Lookup lookup = MethodHandles.lookup();
MethodType type = methodType(Void.TYPE, HttpField.class);
// Loop to grow capacity of ArrayTrie for all headers
while (true)
{
try
{
size += 128;
size += 128; // experimented good baseline size
_handles = new ArrayTrie<>(size);
if (_forwardedCipherSuiteHeader != null && !_handles.put(_forwardedCipherSuiteHeader, lookup.findVirtual(Forwarded.class, "handleCipherSuite", type)))
if (updateForwardedHandle(lookup, getForwardedCipherSuiteHeader(), "handleCipherSuite"))
continue;
if (_forwardedSslSessionIdHeader != null && !_handles.put(_forwardedSslSessionIdHeader, lookup.findVirtual(Forwarded.class, "handleSslSessionId", type)))
if (updateForwardedHandle(lookup, getForwardedSslSessionIdHeader(), "handleSslSessionId"))
continue;
if (_forwardedHeader != null && !_handles.put(_forwardedHeader, lookup.findVirtual(Forwarded.class, "handleRFC7239", type)))
if (updateForwardedHandle(lookup, getForwardedHeader(), "handleRFC7239"))
continue;
if (_forwardedForHeader != null && !_handles.put(_forwardedForHeader, lookup.findVirtual(Forwarded.class, "handleFor", type)))
if (updateForwardedHandle(lookup, getForwardedForHeader(), "handleFor"))
continue;
if (_forwardedPortHeader != null && !_handles.put(_forwardedPortHeader, lookup.findVirtual(Forwarded.class, "handlePort", type)))
if (updateForwardedHandle(lookup, getForwardedPortHeader(), "handlePort"))
continue;
if (_forwardedHostHeader != null && !_handles.put(_forwardedHostHeader, lookup.findVirtual(Forwarded.class, "handleHost", type)))
if (updateForwardedHandle(lookup, getForwardedHostHeader(), "handleHost"))
continue;
if (_forwardedProtoHeader != null && !_handles.put(_forwardedProtoHeader, lookup.findVirtual(Forwarded.class, "handleProto", type)))
if (updateForwardedHandle(lookup, getForwardedProtoHeader(), "handleProto"))
continue;
if (_forwardedHttpsHeader != null && !_handles.put(_forwardedHttpsHeader, lookup.findVirtual(Forwarded.class, "handleHttps", type)))
if (updateForwardedHandle(lookup, getForwardedHttpsHeader(), "handleHttps"))
continue;
if (_forwardedServerHeader != null && !_handles.put(_forwardedServerHeader, lookup.findVirtual(Forwarded.class, "handleServer", type)))
if (updateForwardedHandle(lookup, getForwardedServerHeader(), "handleServer"))
continue;
break;
}
@ -492,6 +488,16 @@ public class ForwardedRequestCustomizer implements Customizer
}
}
private boolean updateForwardedHandle(MethodHandles.Lookup lookup, String headerName, String forwardedMethodName) throws NoSuchMethodException, IllegalAccessException
{
final MethodType type = methodType(void.class, HttpField.class);
if (StringUtil.isBlank(headerName))
return false;
return !_handles.put(headerName, lookup.findVirtual(Forwarded.class, forwardedMethodName, type));
}
private static class ForcedHostPort extends HostPort
{
ForcedHostPort(String authority)
@ -548,6 +554,7 @@ public class ForwardedRequestCustomizer implements Customizer
_host = _forcedHost.getHostPort();
}
@SuppressWarnings("unused")
public void handleCipherSuite(HttpField field)
{
_request.setAttribute("javax.servlet.request.cipher_suite", field.getValue());
@ -558,6 +565,7 @@ public class ForwardedRequestCustomizer implements Customizer
}
}
@SuppressWarnings("unused")
public void handleSslSessionId(HttpField field)
{
_request.setAttribute("javax.servlet.request.ssl_session_id", field.getValue());
@ -570,7 +578,7 @@ public class ForwardedRequestCustomizer implements Customizer
public void handleHost(HttpField field)
{
if (_forwardedPortAsAuthority && !StringUtil.isEmpty(_forwardedPortHeader))
if (getForwardedPortAsAuthority() && !StringUtil.isEmpty(getForwardedPortHeader()))
{
if (_host == null)
_host = new PossiblyPartialHostPort(getLeftMost(field.getValue()));
@ -583,22 +591,25 @@ public class ForwardedRequestCustomizer implements Customizer
}
}
@SuppressWarnings("unused")
public void handleServer(HttpField field)
{
if (_proxyAsAuthority)
if (getProxyAsAuthority())
return;
handleHost(field);
}
@SuppressWarnings("unused")
public void handleProto(HttpField field)
{
if (_proto == null)
_proto = getLeftMost(field.getValue());
}
@SuppressWarnings("unused")
public void handleFor(HttpField field)
{
if (!_forwardedPortAsAuthority && !StringUtil.isEmpty(_forwardedPortHeader))
if (!getForwardedPortAsAuthority() && !StringUtil.isEmpty(getForwardedPortHeader()))
{
if (_for == null)
_for = new PossiblyPartialHostPort(getLeftMost(field.getValue()));
@ -611,9 +622,10 @@ public class ForwardedRequestCustomizer implements Customizer
}
}
@SuppressWarnings("unused")
public void handlePort(HttpField field)
{
if (!_forwardedPortAsAuthority)
if (!getForwardedPortAsAuthority())
{
if (_for == null)
_for = new PortSetHostPort(_request.getRemoteHost(), field.getIntValue());
@ -629,12 +641,14 @@ public class ForwardedRequestCustomizer implements Customizer
}
}
@SuppressWarnings("unused")
public void handleHttps(HttpField field)
{
if (_proto == null && ("on".equalsIgnoreCase(field.getValue()) || "true".equalsIgnoreCase(field.getValue())))
_proto = HttpScheme.HTTPS.asString();
}
@SuppressWarnings("unused")
public void handleRFC7239(HttpField field)
{
addValue(field.getValue());
@ -650,11 +664,11 @@ public class ForwardedRequestCustomizer implements Customizer
switch (name)
{
case "by":
if (!_proxyAsAuthority)
if (!getProxyAsAuthority())
break;
if (value.startsWith("_") || "unknown".equals(value))
break;
if (_proxyAsAuthority && (_host == null || !(_host instanceof Rfc7239HostPort)))
if (_host == null || !(_host instanceof Rfc7239HostPort))
_host = new Rfc7239HostPort(value);
break;
case "for":
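Review bot: After the refactor in the hunk at @ -456, the local `MethodType type = methodType(Void.TYPE, HttpField.class);` left as context in `updateHandles()` appears to have no remaining use, since every `lookup.findVirtual` call moved into `updateForwardedHandle`, which builds its own `type`; it should be removed, or passed in so the helper does not rebuild the same `MethodType` on each of its nine calls per growth iteration. The new helper returns `true` when `ArrayTrie.put` fails, which reads as success at the call sites (`if (updateForwardedHandle(...)) continue;`); a Javadoc such as `/** Registers the Forwarded handler for headerName; returns true when the trie has no capacity left and the caller must grow it and retry, false when the handler was registered or headerName is blank. */` would make that contract explicit. Note also that the helper skips names via `StringUtil.isBlank` where the old inline checks only tested for null, so an empty-string header name now silently disables that handler instead of being registered; that is probably intended but is a behaviour change worth a line in the Javadoc. `updateHandles()` begins and ends outside the hunk.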


@ -304,7 +304,7 @@
<id>attach-sources</id>
<phase>process-classes</phase>
<goals>
<goal>jar-no-fork</goal>
<goal>jar</goal>
</goals>
<configuration>
<archive>
@ -548,11 +548,6 @@
</archive>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-gpg-plugin</artifactId>
<version>1.6</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
@ -1267,7 +1262,6 @@
</execution>
</executions>
</plugin>
<!-- already part of the release-jetty.sh script
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-gpg-plugin</artifactId>
@ -1282,7 +1276,6 @@
</execution>
</executions>
</plugin>
-->
</plugins>
</build>
</profile>
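Review bot: Removing the pinned `maven-gpg-plugin` `1.6` declaration in the hunk at @ -548 leaves the `gpg:sign` goal that the release script invokes on the command line without a version from this part of the pom, so it resolves to whatever the repository metadata or another plugin declaration supplies; the plugin block that this commit uncomments in the release profile (mostly outside this section) should be checked to carry an explicit `<version>`, otherwise a signing step that silently floats to a new plugin release is a supply-chain and reproducibility concern. Separately, switching the `attach-sources` execution from `jar-no-fork` to `jar` while it stays bound to `process-classes` forks the lifecycle up to `generate-sources` on every build, which is exactly what `jar-no-fork` exists to avoid; if the intent was only to align with the explicit `source:jar` in the release script, keeping `jar-no-fork` here is the safer choice.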


@ -167,7 +167,7 @@ if proceedyn "Are you sure you want to release using above? (y/N)" n; then
# This is equivalent to 'mvn release:perform'
if proceedyn "Build/Deploy from tag $TAG_NAME? (Y/n)" y; then
git checkout $TAG_NAME
mvn clean package gpg:sign javadoc:aggregate-jar deploy \
mvn clean package source:jar javadoc:jar gpg:sign javadoc:aggregate-jar deploy \
-Peclipse-release $DEPLOY_OPTS
reportMavenTestFailures
git checkout $GIT_BRANCH_ID
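Review bot: `source:jar` and `javadoc:jar` added to `mvn clean package source:jar javadoc:jar gpg:sign javadoc:aggregate-jar deploy \` run as direct goal invocations, which do not pick up configuration declared inside a named `<execution>` of the pom (such as the `attach-sources` execution's `<configuration>`/`<archive>` block visible in the pom section of this commit) unless that execution id is `default-cli`; if the release sources and javadoc jars need that archive configuration, it belongs at plugin level or the goals should be left to their lifecycle bindings. Also worth a comment on this line why both `source:jar` and the pom-bound `attach-sources` execution run in the same invocation. The enclosing `if` block continues outside the hunk.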


@ -42,12 +42,13 @@ public class CDITests extends AbstractDistributionTest
// Tests from here use these parameters
public static Stream<Arguments> tests()
{
Consumer<DistributionTester> removeJettyWebXml = d ->
Consumer<DistributionTester> renameJettyWebOwbXml = d ->
{
try
{
Path jettyWebOwbXml = d.getJettyBase().resolve("webapps/demo/WEB-INF/jetty-web-owb.xml");
Path jettyWebXml = d.getJettyBase().resolve("webapps/demo/WEB-INF/jetty-web.xml");
Files.deleteIfExists(jettyWebXml);
Files.move(jettyWebOwbXml, jettyWebXml);
}
catch(IOException e)
{
@ -62,7 +63,7 @@ public class CDITests extends AbstractDistributionTest
// TODO Arguments.of("weld", "cdi-decorate", null), // Weld >= 3.1.3
// -- Apache OpenWebBeans --
Arguments.of("owb", "cdi-spi", removeJettyWebXml)
Arguments.of("owb", "jsp", renameJettyWebOwbXml)
// Arguments.of("owb", "decorate", null), // Not supported
// Arguments.of("owb", "cdi-decorate", null) // Not supported
);
@ -85,7 +86,7 @@ public class CDITests extends AbstractDistributionTest
String[] args1 = {
"--create-startd",
"--approve-all-licenses",
"--add-to-start=http,deploy,annotations,jsp,"+integration
"--add-to-start=http,deploy,annotations,jsp" + (integration==null?"":(","+integration))
};
try (DistributionTester.Run run1 = distribution.start(args1))
{
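Review bot: In `renameJettyWebOwbXml` the two-step `Files.deleteIfExists(jettyWebXml); Files.move(jettyWebOwbXml, jettyWebXml);` can be collapsed to `Files.move(jettyWebOwbXml, jettyWebXml, StandardCopyOption.REPLACE_EXISTING);` (with the `java.nio.file.StandardCopyOption` import), which removes the window where neither file exists if the move fails after the delete. Replacing `Arguments.of("owb", "cdi-spi", removeJettyWebXml)` with `Arguments.of("owb", "jsp", renameJettyWebOwbXml)` also means OpenWebBeans is no longer exercised together with the `cdi-spi` module in this parameter set; if that combination is still supported it deserves its own row rather than being dropped. The `"--add-to-start=http,deploy,annotations,jsp" + (integration==null?"":(","+integration))` expression would read better with spaces around `==` and the `?:` operands, matching the formatting the rest of this commit applies. The `tests()` method and the `try` block continue outside their hunks.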


@ -1,4 +1,4 @@
<H1>OWB CDI Test Webapp</H1>
<H1>CDI Test Webapp</H1>
<H2>CDI Info</H2>
<iframe src="info" width="100%" height="60%"></iframe>


@ -16,7 +16,7 @@
</properties>
<build>
<finalName>weld-owb-demo</finalName>
<finalName>owb-cdi-demo</finalName>
</build>
<dependencies>


@ -1,7 +1,7 @@
<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd">
<Configure id="wac" class="org.eclipse.jetty.webapp.WebAppContext">
<!-- This file is only needed for cdi2 integration and should be removed if using the cdi module -->
<!-- Rename this file to jetty-web.xml if the cdi-spi module is not used-->
<Get id="wal" name="classLoader"/>
<Get id="objf" name="objectFactory">
<Call name="addDecorator">