From 976d6e2203d10c38a50fba8eb6ae5dde2476da35 Mon Sep 17 00:00:00 2001 From: Jan Bartel Date: Fri, 23 Nov 2012 10:46:17 +1100 Subject: [PATCH 1/4] 394870 Make enablement of remote access to test webapp configurable in override-web.xml --- .../config/contexts/test.d/override-web.xml | 17 +++++++++++++++++ .../src/main/java/com/acme/TestListener.java | 9 ++++++--- test-jetty-webapp/src/main/webapp/remote.html | 15 +++++++-------- 3 files changed, 30 insertions(+), 11 deletions(-) diff --git a/test-jetty-webapp/src/main/config/contexts/test.d/override-web.xml b/test-jetty-webapp/src/main/config/contexts/test.d/override-web.xml index 7b7f9e43126..512ce2b0c2e 100644 --- a/test-jetty-webapp/src/main/config/contexts/test.d/override-web.xml +++ b/test-jetty-webapp/src/main/config/contexts/test.d/override-web.xml @@ -37,6 +37,23 @@ com.acme.SessionDump 5 + + + diff --git a/test-jetty-webapp/src/main/java/com/acme/TestListener.java b/test-jetty-webapp/src/main/java/com/acme/TestListener.java index 02674b48820..27505cd9ad2 100644 --- a/test-jetty-webapp/src/main/java/com/acme/TestListener.java +++ b/test-jetty-webapp/src/main/java/com/acme/TestListener.java @@ -90,12 +90,15 @@ public class TestListener implements HttpSessionListener, HttpSessionAttributeL /* For servlet 3.0 */ FilterRegistration.Dynamic registration = sce.getServletContext().addFilter("TestFilter",TestFilter.class.getName()); - registration.setInitParameter("remote", "false"); - registration.setAsyncSupported(true); - registration.addMappingForUrlPatterns( + if (registration != null) //otherwise it was configured in web.xml + { + registration.setInitParameter("remote", "false"); + registration.setAsyncSupported(true); + registration.addMappingForUrlPatterns( EnumSet.of(DispatcherType.ERROR,DispatcherType.ASYNC,DispatcherType.FORWARD,DispatcherType.INCLUDE,DispatcherType.REQUEST), true, new String[]{"/*"}); + } } public void contextDestroyed(ServletContextEvent sce) 
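Review bot: In the TestListener.java hunk, the new `if (registration != null)` guard skips `setInitParameter("remote", "false")` and the `/*` mapping whenever a TestFilter is already declared, so the remote-access restriction is then whatever the descriptor says, and nothing records which path won. Under the Servlet 3.0 contract `addFilter` returns null when a complete registration with that name already exists, so I would add an `else` branch such as `else sce.getServletContext().log("TestFilter declared in descriptor; programmatic remote=false default not applied");` to make an opened-up deployment visible in the log. The trailing comment would also read better as `// null: TestFilter already declared in web.xml/override-web.xml; its init-params and mappings apply instead`. The enclosing method starts above the hunk, so whether the descriptor's mapping covers the same dispatcher types cannot be checked from here.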
diff --git a/test-jetty-webapp/src/main/webapp/remote.html b/test-jetty-webapp/src/main/webapp/remote.html index d54c44f5e25..760f1aed4ad 100644 --- a/test-jetty-webapp/src/main/webapp/remote.html +++ b/test-jetty-webapp/src/main/webapp/remote.html @@ -6,12 +6,12 @@ -

Welcome to Jetty 7 - REMOTE ACCESS!!

+

Welcome to Jetty 8 - REMOTE ACCESS!!

-This is the Test webapp for the Jetty 7 HTTP Server and Servlet Container. +This is the Test webapp for the Jetty 8 HTTP Server and Servlet Container. For more information about Jetty, please visit our -website -or wiki. +website +or documentation. Commercial support for Jetty is available via webtide.

@@ -21,12 +21,11 @@ cross domain scripting vulnerabilities and reveal private information. This pag is displayed because you have accessed this context from a non local IP address.

-You can disable the remote address checking by editing contexts/test.d/override-web.xml and changing the -"remote" init parameter to true for the TestFilter. +You can disable the remote address checking by editing contexts/test.d/override-web.xml, uncommenting the definition of the TestFilter, and changing the +"remote" init parameter to "true".

-This webapp is deployed in $JETTY_HOME/webapp/test and configured by $JETTY_HOME/contexts/test.xml -and $JETTY_HOME/contexts/test.d/override-web.xml +This webapp is deployed in $JETTY_HOME/webapp/test and configured by $JETTY_HOME/contexts/test.xml and $JETTY_HOME/contexts/test.d/override-web.xml

From 358735044772f4c99fc273e177bcdeb4d42aab36 Mon Sep 17 00:00:00 2001 From: Jan Bartel Date: Fri, 23 Nov 2012 10:51:47 +1100 Subject: [PATCH 2/4] Fix link to jetty @ eclipse in remote.html --- test-jetty-webapp/src/main/webapp/remote.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test-jetty-webapp/src/main/webapp/remote.html b/test-jetty-webapp/src/main/webapp/remote.html index 760f1aed4ad..5ccc6361323 100644 --- a/test-jetty-webapp/src/main/webapp/remote.html +++ b/test-jetty-webapp/src/main/webapp/remote.html @@ -5,7 +5,7 @@ - +

Welcome to Jetty 8 - REMOTE ACCESS!!

This is the Test webapp for the Jetty 8 HTTP Server and Servlet Container. From 94547fb4ea4e3d33645c9d23afc2280c77c030f1 Mon Sep 17 00:00:00 2001 From: Jan Bartel Date: Fri, 23 Nov 2012 10:54:47 +1100 Subject: [PATCH 3/4] Fix link to jetty @ eclipse for test webapp --- test-jetty-webapp/src/main/webapp/remote.html | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/test-jetty-webapp/src/main/webapp/remote.html b/test-jetty-webapp/src/main/webapp/remote.html index d54c44f5e25..b759568f4cb 100644 --- a/test-jetty-webapp/src/main/webapp/remote.html +++ b/test-jetty-webapp/src/main/webapp/remote.html @@ -5,13 +5,13 @@ - +

Welcome to Jetty 7 - REMOTE ACCESS!!

This is the Test webapp for the Jetty 7 HTTP Server and Servlet Container. For more information about Jetty, please visit our -website -or wiki. +website +or documentation. Commercial support for Jetty is available via webtide.

From 769260f2519a831694b267615af75c69f8f69cc4 Mon Sep 17 00:00:00 2001 From: Jan Bartel Date: Fri, 23 Nov 2012 12:29:53 +1100 Subject: [PATCH 4/4] 392417 Prevent Cookie parsing interpreting unicode chars --- .../eclipse/jetty/server/CookieCutter.java | 4 +- .../jetty/util/QuotedStringTokenizer.java | 41 +++++++++++++++++++ .../jetty/util/QuotedStringTokenizerTest.java | 11 +++++ 3 files changed, 54 insertions(+), 2 deletions(-) diff --git a/jetty-server/src/main/java/org/eclipse/jetty/server/CookieCutter.java b/jetty-server/src/main/java/org/eclipse/jetty/server/CookieCutter.java index 65c93517404..a154bb72085 100644 --- a/jetty-server/src/main/java/org/eclipse/jetty/server/CookieCutter.java +++ b/jetty-server/src/main/java/org/eclipse/jetty/server/CookieCutter.java @@ -281,8 +281,8 @@ public class CookieCutter if (value!=null && name!=null) { // TODO handle unquoting during parsing! But quoting is uncommon - name=QuotedStringTokenizer.unquote(name); - value=QuotedStringTokenizer.unquote(value); + name=QuotedStringTokenizer.unquoteOnly(name); + value=QuotedStringTokenizer.unquoteOnly(value); try { diff --git a/jetty-util/src/main/java/org/eclipse/jetty/util/QuotedStringTokenizer.java b/jetty-util/src/main/java/org/eclipse/jetty/util/QuotedStringTokenizer.java index b2ce0fa1a69..8dc0a816f8f 100644 --- a/jetty-util/src/main/java/org/eclipse/jetty/util/QuotedStringTokenizer.java +++ b/jetty-util/src/main/java/org/eclipse/jetty/util/QuotedStringTokenizer.java 
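Review bot: The switch to `unquoteOnly` in the CookieCutter.java hunk has no cookie-level regression test: the diffstat for this patch lists only QuotedStringTokenizerTest.java on the test side, so nothing pins that a `\uXXXX` sequence in a client-supplied Cookie header is not decoded into the corresponding character by the cookie parser itself. I would add a case to the CookieCutter tests that parses a quoted name and value containing such a sequence and asserts that no decoding took place. The call site would also benefit from a comment, e.g. `// unquoteOnly: strip quotes without decoding \uXXXX escapes in request-supplied cookie data (392417)`, so a later cleanup does not revert to `unquote`. The surrounding method begins and ends outside the hunk.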
@@ -408,6 +408,47 @@ public class QuotedStringTokenizer throw new RuntimeException(e); } } + + /* ------------------------------------------------------------ */ + /** Unquote a string, NOT converting unicode sequences + * @param s The string to unquote. + * @return quoted string + */ + public static String unquoteOnly(String s) + { + if (s==null) + return null; + if (s.length()<2) + return s; + + char first=s.charAt(0); + char last=s.charAt(s.length()-1); + if (first!=last || (first!='"' && first!='\'')) + return s; + + StringBuilder b = new StringBuilder(s.length() - 2); + boolean escape=false; + for (int i=1;i