Merge branch `jetty-9.2.x` into `jetty-9.3.x`

Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>

# Conflicts:
#	jetty-http-spi/src/main/java/org/eclipse/jetty/http/spi/HttpSpiContextHandler.java
#	jetty-http-spi/src/main/java/org/eclipse/jetty/http/spi/JettyHttpServerProvider.java
#	jetty-maven-plugin/src/main/java/org/eclipse/jetty/maven/plugin/JettyDeployWar.java
#	jetty-security/src/test/java/org/eclipse/jetty/security/AliasedConstraintTest.java
#	jetty-server/src/main/java/org/eclipse/jetty/server/handler/ResourceHandler.java
#	jetty-servlet/src/test/java/org/eclipse/jetty/servlet/DefaultServletTest.java
#	jetty-start/src/test/java/org/eclipse/jetty/start/BaseHomeTest.java
#	jetty-start/src/test/java/org/eclipse/jetty/start/ConfigurationAssert.java
#	jetty-util/src/main/java/org/eclipse/jetty/util/resource/Resource.java

examples/embedded/src/main/java/org/eclipse/jetty/embedded/FastFileServer.java

@@ -25,7 +25,6 @@ import java.nio.ByteBuffer;
 import java.nio.channels.FileChannel;
 import java.nio.channels.FileChannel.MapMode;
 import java.nio.file.StandardOpenOption;
-
 import javax.servlet.AsyncContext;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
@@ -116,7 +115,8 @@ public class FastFileServer
                 }
                 String listing = Resource.newResource(file).getListHTML(
                         request.getRequestURI(),
-                        request.getPathInfo().lastIndexOf("/") > 0);
+                        request.getPathInfo().lastIndexOf("/") > 0,
+                        request.getQueryString());
                 response.setContentType("text/html; charset=utf-8");
                 response.getWriter().println(listing);
                 return;

jetty-server/src/main/java/org/eclipse/jetty/server/handler/ResourceHandler.java

@@ -23,7 +23,6 @@ import java.io.OutputStream;
 import java.net.MalformedURLException;
 import java.nio.ByteBuffer;
 import java.nio.channels.ReadableByteChannel;
-
 import javax.servlet.AsyncContext;
 import javax.servlet.RequestDispatcher;
 import javax.servlet.ServletException;
@@ -592,7 +591,7 @@ public class ResourceHandler extends HandlerWrapper implements ResourceFactory
     {
         if (_directory)
         {
-            String listing = resource.getListHTML(request.getRequestURI(),request.getPathInfo().lastIndexOf("/") > 0);
+            String listing = resource.getListHTML(request.getRequestURI(),request.getPathInfo().lastIndexOf("/") > 0, request.getQueryString());
             response.setContentType("text/html;charset=utf-8");
             response.getWriter().println(listing);
         }

jetty-servlet/src/main/java/org/eclipse/jetty/servlet/DefaultServlet.java

@@ -18,9 +18,6 @@
 
 package org.eclipse.jetty.servlet;
 
-import static org.eclipse.jetty.http.GzipHttpContent.ETAG_GZIP_QUOTE;
-import static org.eclipse.jetty.http.GzipHttpContent.removeGzipFromETag;
-
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.io.InputStream;
@@ -33,7 +30,6 @@ import java.util.ArrayList;
 import java.util.Enumeration;
 import java.util.List;
 import java.util.StringTokenizer;
-
 import javax.servlet.AsyncContext;
 import javax.servlet.RequestDispatcher;
 import javax.servlet.ServletContext;
@@ -72,6 +68,9 @@ import org.eclipse.jetty.util.resource.Resource;
 import org.eclipse.jetty.util.resource.ResourceCollection;
 import org.eclipse.jetty.util.resource.ResourceFactory;
 
+import static org.eclipse.jetty.http.GzipHttpContent.ETAG_GZIP_QUOTE;
+import static org.eclipse.jetty.http.GzipHttpContent.removeGzipFromETag;
+
 
 /** 
  * The default servlet.
@@ -869,7 +868,7 @@ public class DefaultServlet extends HttpServlet implements ResourceFactory
         else if (_contextHandler.getBaseResource() instanceof ResourceCollection)
             resource=_contextHandler.getBaseResource().addPath(pathInContext);
 
-        String dir = resource.getListHTML(base,pathInContext.length()>1);
+        String dir = resource.getListHTML(base,pathInContext.length()>1, request.getQueryString());
         if (dir==null)
         {
             response.sendError(HttpServletResponse.SC_FORBIDDEN,

jetty-servlet/src/test/java/org/eclipse/jetty/servlet/DefaultServletTest.java

@@ -18,13 +18,6 @@
 
 package org.eclipse.jetty.servlet;
 
-import static org.hamcrest.CoreMatchers.anyOf;
-import static org.hamcrest.CoreMatchers.containsString;
-import static org.hamcrest.CoreMatchers.is;
-import static org.hamcrest.CoreMatchers.not;
-import static org.junit.Assert.assertThat;
-import static org.junit.Assert.assertTrue;
-
 import java.io.File;
 import java.io.FileOutputStream;
 import java.io.IOException;
@@ -34,7 +27,6 @@ import java.nio.file.Files;
 import java.util.EnumSet;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
-
 import javax.servlet.DispatcherType;
 import javax.servlet.Filter;
 import javax.servlet.FilterChain;
@@ -65,6 +57,13 @@ import org.junit.Before;
 import org.junit.Rule;
 import org.junit.Test;
 
+import static org.hamcrest.CoreMatchers.anyOf;
+import static org.hamcrest.CoreMatchers.containsString;
+import static org.hamcrest.CoreMatchers.is;
+import static org.hamcrest.CoreMatchers.not;
+import static org.junit.Assert.assertThat;
+import static org.junit.Assert.assertTrue;
+
 public class DefaultServletTest
 {
     @Rule
@@ -144,9 +143,14 @@ public class DefaultServletTest
         /* create some content in the docroot */
         File resBase = testdir.getPathFile("docroot").toFile();
         FS.ensureDirExists(resBase);
-        assertTrue(new File(resBase, "one").mkdir());
+        File one = new File(resBase, "one");
+        assertTrue(one.mkdir());
         assertTrue(new File(resBase, "two").mkdir());
         assertTrue(new File(resBase, "three").mkdir());
+
+        File alert = new File(one, "onmouseclick='alert(oops)'");
+        FS.touch(alert);
+
         if (!OS.IS_WINDOWS)
         {
             assertTrue("Creating dir 'f??r' (Might not work in Windows)", new File(resBase, "f??r").mkdir());
@@ -166,6 +170,15 @@ public class DefaultServletTest
         String response = connector.getResponses(req1.toString());
 
         assertResponseNotContains("<script>", response);
+
+
+        req1 = new StringBuffer();
+        req1.append("GET /context/one/;\"onmouseover='alert(document.location)' HTTP/1.0\n");
+        req1.append("\n");
+
+        response = connector.getResponses(req1.toString());
+
+        assertResponseNotContains("\"onmouseover", response);
     }
 
     @Test

jetty-util/src/main/java/org/eclipse/jetty/util/resource/Resource.java

@@ -30,19 +30,23 @@ import java.net.URL;
 import java.nio.channels.ReadableByteChannel;
 import java.text.DateFormat;
 import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.Collection;
+import java.util.Collections;
 import java.util.Date;
+import java.util.List;
 
 import org.eclipse.jetty.util.B64Code;
 import org.eclipse.jetty.util.IO;
 import org.eclipse.jetty.util.Loader;
+import org.eclipse.jetty.util.MultiMap;
 import org.eclipse.jetty.util.StringUtil;
 import org.eclipse.jetty.util.URIUtil;
 import org.eclipse.jetty.util.UrlEncoded;
 import org.eclipse.jetty.util.log.Log;
 import org.eclipse.jetty.util.log.Logger;
 
+import static java.nio.charset.StandardCharsets.UTF_8;
+
 
 /* ------------------------------------------------------------ */
 /** 
@@ -540,64 +544,228 @@ public abstract class Resource implements ResourceFactory, Closeable
      * @return String of HTML
      * @throws IOException if unable to get the list of resources as HTML
      */
-    public String getListHTML(String base,boolean parent)
+    public String getListHTML(String base, boolean parent) throws IOException
-        throws IOException
+    {
+        return getListHTML(base, parent, null);
+    }
+
+    /** Get the resource list as a HTML directory listing.
+     * @param base The base URL
+     * @param parent True if the parent directory should be included
+     * @param query query params
+     * @return String of HTML
+     */
+    public String getListHTML(String base, boolean parent, String query) throws IOException
     {
         base=URIUtil.canonicalPath(base);
         if (base==null || !isDirectory())
             return null;
 
-        String[] ls = list();
+        String[] rawListing = list();
-        if (ls==null)
+        if (rawListing == null)
+        {
             return null;
-        Arrays.sort(ls);
+        }
+
+        boolean sortOrderAscending = true;
+        String sortColumn = "N"; // name (or "M" for Last Modified, or "S" for Size)
+
+        // check for query
+        if (query != null)
+        {
+            MultiMap<String> params = new MultiMap<>();
+            byte[] rawQuery = query.getBytes(UTF_8);
+            UrlEncoded.decodeUtf8To(rawQuery, 0, query.length(), params);
+
+            String paramO = params.getString("O");
+            String paramC = params.getString("C");
+            if (StringUtil.isNotBlank(paramO))
+            {
+                if (paramO.equals("A"))
+                {
+                    sortOrderAscending = true;
+                }
+                else if (paramO.equals("D"))
+                {
+                    sortOrderAscending = false;
+                }
+            }
+            if (StringUtil.isNotBlank(paramC))
+            {
+                if (paramC.equals("N") || paramC.equals("M") || paramC.equals("S"))
+                {
+                    sortColumn = paramC;
+                }
+            }
+        }
+
+        // Gather up entries
+        List<Resource> items = new ArrayList<>();
+        for (String l : rawListing)
+        {
+            Resource item = addPath(l);
+            items.add(item);
+        }
+
+        // Perform sort
+        if (sortColumn.equals("M"))
+        {
+            Collections.sort(items, ResourceCollators.byLastModified(sortOrderAscending));
+        }
+        else if (sortColumn.equals("S"))
+        {
+            Collections.sort(items, ResourceCollators.bySize(sortOrderAscending));
+        }
+        else
+        {
+            Collections.sort(items, ResourceCollators.byName(sortOrderAscending));
+        }
 
         String decodedBase = URIUtil.decodePath(base);
         String title = "Directory: " + deTag(decodedBase);
 
         StringBuilder buf = new StringBuilder(4096);
-        buf.append("<HTML><HEAD>");
-        buf.append("<LINK HREF=\"").append("jetty-dir.css").append("\" REL=\"stylesheet\" TYPE=\"text/css\"/><TITLE>");
-        buf.append(title);
-        buf.append("</TITLE></HEAD><BODY>\n<H1>");
-        buf.append(title);
-        buf.append("</H1>\n<TABLE BORDER=0>\n");
 
-        if (parent)
+        // Doctype Declaration (HTML5)
+        buf.append("<!DOCTYPE html>\n");
+        buf.append("<html lang=\"en\">\n");
+
+        // HTML Header
+        buf.append("<head>\n");
+        buf.append("<meta charset=\"utf-8\">\n");
+        buf.append("<link href=\"jetty-dir.css\" rel=\"stylesheet\" />\n");
+        buf.append("<title>");
+        buf.append(title);
+        buf.append("</title>\n");
+        buf.append("</head>\n");
+
+        // HTML Body
+        buf.append("<body>\n");
+        buf.append("<h1 class=\"title\">").append(title).append("</h1>\n");
+
+        // HTML Table
+        final String ARROW_DOWN = "&nbsp; &#8681;";
+        final String ARROW_UP = "&nbsp; &#8679;";
+        String arrow;
+        String order;
+
+        buf.append("<table class=\"listing\">\n");
+        buf.append("<thead>\n");
+
+        arrow = "";
+        order = "A";
+        if (sortColumn.equals("N"))
         {
-            buf.append("<TR><TD><A HREF=\"");
+            if(sortOrderAscending)
-            buf.append(URIUtil.addEncodedPaths(base,"../"));
+            {
-            buf.append("\">Parent Directory</A></TD><TD></TD><TD></TD></TR>\n");
+                order = "D";
+                arrow = ARROW_UP;
             }
+            else
+            {
+                order = "A";
+                arrow = ARROW_DOWN;
+            }
+        }
+
+        buf.append("<tr><th class=\"name\"><a href=\"?C=N&O=").append(order).append("\">");
+        buf.append("Name").append(arrow);
+        buf.append("</a></th>");
+
+        arrow = "";
+        order = "A";
+        if (sortColumn.equals("M"))
+        {
+            if(sortOrderAscending)
+            {
+                order = "D";
+                arrow = ARROW_UP;
+            }
+            else
+            {
+                order = "A";
+                arrow = ARROW_DOWN;
+            }
+        }
+
+        buf.append("<th class=\"lastmodified\"><a href=\"?C=M&O=").append(order).append("\">");
+        buf.append("Last Modified").append(arrow);
+        buf.append("</a></th>");
+
+        arrow = "";
+        order = "A";
+        if (sortColumn.equals("S"))
+        {
+            if(sortOrderAscending)
+            {
+                order = "D";
+                arrow = ARROW_UP;
+            }
+            else
+            {
+                order = "A";
+                arrow = ARROW_DOWN;
+            }
+        }
+        buf.append("<th class=\"size\"><a href=\"?C=S&O=").append(order).append("\">");
+        buf.append("Size").append(arrow);
+        buf.append("</a></th></tr>\n");
+        buf.append("</thead>\n");
+
+        buf.append("<tbody>\n");
 
         String encodedBase = hrefEncodeURI(base);
         
+        if (parent)
+        {
+            // Name
+            buf.append("<tr><td class=\"name\"><a href=\"");
+            buf.append(URIUtil.addPaths(encodedBase,"../"));
+            buf.append("\">Parent Directory</a></td>");
+            // Last Modified
+            buf.append("<td class=\"lastmodified\">-</td>");
+            // Size
+            buf.append("<td>-</td>");
+            buf.append("</tr>\n");
+        }
+
         DateFormat dfmt=DateFormat.getDateTimeInstance(DateFormat.MEDIUM,
                                                        DateFormat.MEDIUM);
-        for (int i=0 ; i< ls.length ; i++)
+        for (Resource item: items)
         {
-            Resource item = addPath(ls[i]);
+            String name = item.getName();
-            
+            int slashIdx = name.lastIndexOf('/');
-            buf.append("\n<TR><TD><A HREF=\"");
+            if (slashIdx != -1)
-            String path=URIUtil.addEncodedPaths(encodedBase,URIUtil.encodePath(ls[i]));
+            {
-            
+                name = name.substring(slashIdx + 1);
-            buf.append(path);
-            
-            if (item.isDirectory() && !path.endsWith("/"))
-                buf.append(URIUtil.SLASH);
-            
-            // URIUtil.encodePath(buf,path);
-            buf.append("\">");
-            buf.append(deTag(ls[i]));
-            buf.append("&nbsp;");
-            buf.append("</A></TD><TD ALIGN=right>");
-            buf.append(item.length());
-            buf.append(" bytes&nbsp;</TD><TD>");
-            buf.append(dfmt.format(new Date(item.lastModified())));
-            buf.append("</TD></TR>");
             }
-        buf.append("</TABLE>\n");
+            if (item.isDirectory() && !name.endsWith("/"))
-        buf.append("</BODY></HTML>\n");
+            {
+                name += URIUtil.SLASH;
+            }
+
+            // Name
+            buf.append("<tr><td class=\"name\"><a href=\"");
+            String path=URIUtil.addPaths(encodedBase,URIUtil.encodePath(name));
+            buf.append(path);
+            buf.append("\">");
+            buf.append(deTag(name));
+            buf.append("&nbsp;");
+            buf.append("</a></td>");
+
+            // Last Modified
+            buf.append("<td class=\"lastmodified\">");
+            buf.append(dfmt.format(new Date(item.lastModified())));
+            buf.append("</td>");
+
+            // Size
+            buf.append("<td class=\"size\">");
+            buf.append(String.format("%,d", item.length()));
+            buf.append(" bytes&nbsp;</td></tr>\n");
+        }
+        buf.append("</tbody>\n");
+        buf.append("</table>\n");
+        buf.append("</body></html>\n");
 
         return buf.toString();
     }

jetty-util/src/main/java/org/eclipse/jetty/util/resource/ResourceCollators.java

@@ -0,0 +1,105 @@
+//
+//  ========================================================================
+//  Copyright (c) 1995-2018 Mort Bay Consulting Pty. Ltd.
+//  ------------------------------------------------------------------------
+//  All rights reserved. This program and the accompanying materials
+//  are made available under the terms of the Eclipse Public License v1.0
+//  and Apache License v2.0 which accompanies this distribution.
+//
+//      The Eclipse Public License is available at
+//      http://www.eclipse.org/legal/epl-v10.html
+//
+//      The Apache License v2.0 is available at
+//      http://www.opensource.org/licenses/apache2.0.php
+//
+//  You may elect to redistribute this code under either of these licenses.
+//  ========================================================================
+//
+
+package org.eclipse.jetty.util.resource;
+
+import java.text.Collator;
+import java.util.Collections;
+import java.util.Comparator;
+import java.util.Locale;
+
+public class ResourceCollators
+{
+    private static Comparator<? super Resource> BY_NAME_ASCENDING =
+            new Comparator<Resource>()
+            {
+                private final Collator collator = Collator.getInstance(Locale.ENGLISH);
+
+                @Override
+                public int compare(Resource o1, Resource o2)
+                {
+                    return collator.compare(o1.getName(), o2.getName());
+                }
+            };
+
+    private static Comparator<? super Resource> BY_NAME_DESCENDING =
+            Collections.reverseOrder(BY_NAME_ASCENDING);
+
+    private static Comparator<? super Resource> BY_LAST_MODIFIED_ASCENDING =
+            new Comparator<Resource>()
+            {
+                @Override
+                public int compare(Resource o1, Resource o2)
+                {
+                    return Long.compare(o1.lastModified(), o2.lastModified());
+                }
+            };
+
+    private static Comparator<? super Resource> BY_LAST_MODIFIED_DESCENDING =
+            Collections.reverseOrder(BY_LAST_MODIFIED_ASCENDING);
+
+    private static Comparator<? super Resource> BY_SIZE_ASCENDING =
+            new Comparator<Resource>()
+            {
+                @Override
+                public int compare(Resource o1, Resource o2)
+                {
+                    return Long.compare(o1.length(), o2.length());
+                }
+            };
+
+    private static Comparator<? super Resource> BY_SIZE_DESCENDING =
+            Collections.reverseOrder(BY_SIZE_ASCENDING);
+
+
+    public static Comparator<? super Resource> byLastModified(boolean sortOrderAscending)
+    {
+        if (sortOrderAscending)
+        {
+            return BY_LAST_MODIFIED_ASCENDING;
+        }
+        else
+        {
+            return BY_LAST_MODIFIED_DESCENDING;
+        }
+    }
+
+    public static Comparator<? super Resource> byName(boolean sortOrderAscending)
+    {
+        if (sortOrderAscending)
+        {
+            return BY_NAME_ASCENDING;
+        }
+        else
+        {
+            return BY_NAME_DESCENDING;
+        }
+    }
+
+    public static Comparator<? super Resource> bySize(boolean sortOrderAscending)
+    {
+        if (sortOrderAscending)
+        {
+            return BY_SIZE_ASCENDING;
+        }
+        else
+        {
+            return BY_SIZE_DESCENDING;
+        }
+    }
+}

jetty-util/src/main/resources/jetty-dir.css

@@ -1,19 +1,38 @@
-body 
+body {
-{
 	background-color: #FFFFFF;
 	margin: 10px;
 	padding: 5px;
+	font-family: sans-serif;
 }
 
-h1
+h1.title {
-{
 	text-shadow: #000000 -1px -1px 1px;
 	color: #FC390E;
 	font-weight: bold;
 }
 
-a
+table.listing {
-{
+	border: 0px;
+}
+
+thead a {
+	color: blue;
+}
+
+thead th {
+	border-bottom: black 1px solid;
+}
+
+.name, .lastmodified {
+	text-align: left;
+	padding-right: 15px;
+}
+
+.size {
+	text-align: right;
+}
+
+a {
 	color: #7036be;
 	font-weight: bold;
 	font-style: normal;
@@ -21,10 +40,9 @@ a
 	font-size:inherit;
 }
 
-td
+td {
-{
 	font-style: italic;
-	padding: 2px 15px 2px 0px;
+	padding: 2px;
 }