From ce7ef4396f3ca8edca2ae3cf6bdf6e8578a1aed0 Mon Sep 17 00:00:00 2001
From: Lachlan Roberts
Date: Wed, 27 May 2020 14:05:36 +1000
Subject: [PATCH 1/2] Issue #4913 - jetty-maven-plugin recursively delete target jetty-base
Signed-off-by: Lachlan Roberts
---
 .../java/org/eclipse/jetty/maven/plugin/JettyRunDistro.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/jetty-maven-plugin/src/main/java/org/eclipse/jetty/maven/plugin/JettyRunDistro.java b/jetty-maven-plugin/src/main/java/org/eclipse/jetty/maven/plugin/JettyRunDistro.java
index a166ff38636..59d682ec931 100644
--- a/jetty-maven-plugin/src/main/java/org/eclipse/jetty/maven/plugin/JettyRunDistro.java
+++ b/jetty-maven-plugin/src/main/java/org/eclipse/jetty/maven/plugin/JettyRunDistro.java
@@ -341,7 +341,8 @@ public class JettyRunDistro extends JettyRunMojo
 targetBase = new File(target, "jetty-base");
 Path targetBasePath = targetBase.toPath();
- Files.deleteIfExists(targetBase.toPath());
+ if (Files.exists(targetBasePath))
+ IO.delete(targetBase);
 targetBase.mkdirs();
From 84cb97e6bda1ae300a43a6138a096d9e4e979266 Mon Sep 17 00:00:00 2001
From: Jan Bartel
Date: Thu, 28 May 2020 10:51:40 +0200
Subject: [PATCH 2/2] Issue #4885 do not allow cookies to be set from an include (#4915)
Signed-off-by: Jan Bartel
---
 .../org/eclipse/jetty/server/Response.java | 42 ++++++++++---------
 .../eclipse/jetty/server/ResponseTest.java | 18 ++++++++
 2 files changed, 41 insertions(+), 19 deletions(-)
diff --git a/jetty-server/src/main/java/org/eclipse/jetty/server/Response.java b/jetty-server/src/main/java/org/eclipse/jetty/server/Response.java
index 86dcc473e67..94148f3b5b5 100644
--- a/jetty-server/src/main/java/org/eclipse/jetty/server/Response.java
+++ b/jetty-server/src/main/java/org/eclipse/jetty/server/Response.java
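Review bot: In JettyRunDistro the result of the added `IO.delete(targetBase)` is discarded, so a failed or partial recursive delete goes unnoticed and `targetBase.mkdirs()` then reuses a jetty-base that may still hold stale files, whereas the replaced `Files.deleteIfExists` signalled failure by throwing. Assuming `IO.delete` returns a boolean as in jetty-util, I would fail the build instead: `if (Files.exists(targetBasePath) && !IO.delete(targetBase)) throw new IOException("Unable to delete " + targetBase);`. The helper's implementation is not shown on this page; if it descends through symbolic links, a link placed inside target/jetty-base could cause files outside the build directory to be removed, which is worth confirming. The enclosing method begins and ends outside the hunk.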
@@ -280,27 +280,31 @@ public class Response implements HttpServletResponse
 @Override
 public void addCookie(Cookie cookie)
- {
- if (StringUtil.isBlank(cookie.getName()))
- throw new IllegalArgumentException("Cookie.name cannot be blank/null");
+ {
+ //Servlet Spec 9.3 Include method: cannot set a cookie if handling an include
+ if (isMutable())
+ {
+ if (StringUtil.isBlank(cookie.getName()))
+ throw new IllegalArgumentException("Cookie.name cannot be blank/null");
- String comment = cookie.getComment();
- // HttpOnly was supported as a comment in cookie flags before the java.net.HttpCookie implementation so need to check that
- boolean httpOnly = cookie.isHttpOnly() || HttpCookie.isHttpOnlyInComment(comment);
- SameSite sameSite = HttpCookie.getSameSiteFromComment(comment);
- comment = HttpCookie.getCommentWithoutAttributes(comment);
+ String comment = cookie.getComment();
+ // HttpOnly was supported as a comment in cookie flags before the java.net.HttpCookie implementation so need to check that
+ boolean httpOnly = cookie.isHttpOnly() || HttpCookie.isHttpOnlyInComment(comment);
+ SameSite sameSite = HttpCookie.getSameSiteFromComment(comment);
+ comment = HttpCookie.getCommentWithoutAttributes(comment);
- addCookie(new HttpCookie(
- cookie.getName(),
- cookie.getValue(),
- cookie.getDomain(),
- cookie.getPath(),
- (long)cookie.getMaxAge(),
- httpOnly,
- cookie.getSecure(),
- comment,
- cookie.getVersion(),
- sameSite));
+ addCookie(new HttpCookie(
+ cookie.getName(),
+ cookie.getValue(),
+ cookie.getDomain(),
+ cookie.getPath(),
+ (long)cookie.getMaxAge(),
+ httpOnly,
+ cookie.getSecure(),
+ comment,
+ cookie.getVersion(),
+ sameSite));
+ }
 }
 @Override
diff --git a/jetty-server/src/test/java/org/eclipse/jetty/server/ResponseTest.java b/jetty-server/src/test/java/org/eclipse/jetty/server/ResponseTest.java
index 490c15f783f..08e48bac746 100644
--- a/jetty-server/src/test/java/org/eclipse/jetty/server/ResponseTest.java
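Review bot: The include check in `Response.addCookie(Cookie)` guards only this overload; the `addCookie(HttpCookie)` overload it delegates to lies outside the hunk, and if other callers can reach that overload directly they can still emit Set-Cookie while an include is being handled. If it is not already guarded, the same check belongs there, for example `if (!isMutable()) return;` as its first statement. Using that guard-clause form in this method as well would avoid re-indenting the whole body and keep the diff and blame history small. The cookie is also dropped without any trace, so a debug-level log line on the ignored path would help when an included resource's cookie goes missing.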
+++ b/jetty-server/src/test/java/org/eclipse/jetty/server/ResponseTest.java
@@ -89,6 +89,7 @@ import static org.hamcrest.Matchers.startsWith;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertNull;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
@@ -967,6 +968,23 @@ public class ResponseTest
 assertEquals("name=value; Path=/path; Domain=domain; Secure; HttpOnly", set);
 }
+ @Test
+ public void testAddCookieInInclude() throws Exception
+ {
+ Response response = getResponse();
+ response.include();
+
+ Cookie cookie = new Cookie("naughty", "value");
+ cookie.setDomain("domain");
+ cookie.setPath("/path");
+ cookie.setSecure(true);
+ cookie.setComment("comment__HTTP_ONLY__");
+
+ response.addCookie(cookie);
+
+ assertNull(response.getHttpFields().get("Set-Cookie"));
+ }
+
 @Test
 public void testAddCookieSameSiteDefault() throws Exception
 {
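Review bot: `testAddCookieInInclude` in the second ResponseTest hunk checks only that the cookie is suppressed during the include; it does not show that the response accepts cookies again once the include has finished, so a guard that stayed closed permanently would still pass. Assuming `Response.included()` is the counterpart of `include()`, I would extend the test with `response.included();`, `response.addCookie(cookie);` and `assertNotNull(response.getHttpFields().get("Set-Cookie"));`. A short comment above the `assertNull`, such as `// Servlet Spec 9.3: header changes made by an included resource must be ignored`, would also make the intent of the assertion clear.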