Commit Graph

2091 Commits

Author SHA1 Message Date
Lachlan Roberts 7abb1e62f2 Issue #7160- Add AMBIGUOUS_PATH_ENCODING to default UriCompliance mode.
Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
2021-11-30 16:51:58 +11:00
Lachlan ec221865b6
Merge pull request #6978 from eclipse/jetty-10.0.x-4275-ambiguousparam
Improve #4275 ambiguous URIs (#6939)
2021-10-21 17:48:33 +11:00
Lachlan Roberts 866f4517db Improve #4275 ambiguous URIs (#6939)
* Improve #4275 ambiguous URIs

A URI like `/foo/%2e%2e;/bar` should be ambiguous both because of the encoded dots and because of the parameters.  This means that the default setting of jetty-9 is a bit more secure as this path is considered ambiguous if either Violation.SEGMENT or Violation.PARAM is set.

Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
2021-10-12 18:22:12 +11:00
Joakim Erdfelt cfc67f86d2 Updating to version 10.0.8-SNAPSHOT 2021-10-06 14:51:32 -05:00
Joakim Erdfelt da8a4553af Updating to version 10.0.7 2021-10-06 14:32:37 -05:00
Simone Bordet 0412bdc3d9 Fixes #6938 - module-info.java file do not use the canonical order for the elements
Changed order of entries in module-info.java to be canonical

(cherry picked from commit 02691171d5)
Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
2021-10-01 09:25:55 +02:00
Olivier Lamy 51d44a3401
use dependencyManagement for internal dependencies (#6940)
Signed-off-by: Olivier Lamy <oliver.lamy@gmail.com>
2021-09-30 16:57:19 +10:00
dependabot[bot] b44dde6098
Bump maven-enforcer-plugin from 3.0.0-M3 to 3.0.0 (#6755)
* Bump maven-enforcer-plugin from 3.0.0-M3 to 3.0.0

Bumps [maven-enforcer-plugin](https://github.com/apache/maven-enforcer) from 3.0.0-M3 to 3.0.0.
- [Release notes](https://github.com/apache/maven-enforcer/releases)
- [Commits](https://github.com/apache/maven-enforcer/compare/enforcer-3.0.0-M3...enforcer-3.0.0)

---
updated-dependencies:
- dependency-name: org.apache.maven.plugins:maven-enforcer-plugin
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* fix some upper bound issues and exclude more javax

Signed-off-by: Olivier Lamy <oliver.lamy@gmail.com>

* fix upperbound dependencies issue with enforcer plugin upgrade

Signed-off-by: Olivier Lamy <oliver.lamy@gmail.com>

* exclude this wrong which makes enforcer plugin fail and btw it's not used

Signed-off-by: Olivier Lamy <oliver.lamy@gmail.com>

* fix last enforcer upperbound issues

Signed-off-by: Olivier Lamy <oliver.lamy@gmail.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Olivier Lamy <oliver.lamy@gmail.com>
2021-09-14 06:10:48 +10:00
Lachlan 0a78b9845d
Merge pull request #6657 from eclipse/jetty-10.0.x-6642-WebSocketConnectionHeaders
Issue #6642 - WebSocket handling of Connection: upgrade,close.
2021-08-31 14:25:47 +10:00
Lachlan Roberts 949aa6c342 Issue #6642 - move shutdown logic into HttpChannelOverHTTP and HttpConnection
Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
2021-08-27 11:53:54 +10:00
Lachlan Roberts fa316fc20d Issue #6642 - never shutdown output after generating a request.
Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
2021-08-26 13:09:36 +10:00
Lachlan Roberts cb9a8d4060 Issue #6642 - change HttpGenerator state to END before returning
Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
2021-08-25 11:27:56 +10:00
Lachlan Roberts f7d9d8fcf8 Issue #6642 - prevent connection close after websocket upgrade
Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
2021-08-24 19:39:34 +10:00
Joakim Erdfelt 5dcc14b114
Merge pull request #6551 from eclipse/jetty-10.0.x-6545-refresh-mimetypes
Issue #6545 - Add more mime-types
2021-07-28 05:47:36 -05:00
Ludovic Orban bd11d6f682 #6491 add defensive check and introduce HttpParser.isTerminated()
Signed-off-by: Ludovic Orban <lorban@bitronix.be>
2021-07-28 10:14:19 +02:00
Joakim Erdfelt 8971ea991f
Issue #6545 - Add more mime-types
+ Adding webp + avif + apng based on current
  `Accept` header offerings from current browsers.

Firefox 90.0
`Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8`

Chrome 92.0.4515.107
`Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9`

Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>
2021-07-27 11:48:39 -05:00
Joakim Erdfelt 92b6f336b6
Merge pull request #6503 from eclipse/release-10.0.6
Merge Release 10.0.6
2021-07-07 08:21:20 -05:00
Greg Wilkins 8945a58ffc
Reduce header cache memory usage on non persistent requests (#6494)
Delay creating a header cache until a second request on a parser.
Refactored cache code into subclass

Signed-off-by: Greg Wilkins <gregw@webtide.com>
2021-07-07 12:51:06 +10:00
Lachlan 259f9af9c9
Merge pull request #6490 from eclipse/jetty-10.0.x-6489-UriCompliance
Issue #6489 - fix RFC3986_UNAMBIGUOUS and UNSAFE UriCompliance modes.
2021-07-06 15:58:51 +10:00
Lachlan Roberts 76ab749aca Issue #6489 - fix RFC3986_UNAMBIGUOUS and UNSAFE UriCompliance modes.
Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
2021-07-01 17:52:07 +10:00
Lachlan Roberts b82b46243d Issue #6489 - fix RFC3986_UNAMBIGUOUS and UNSAFE UriCompliance modes.
Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
2021-07-01 17:27:17 +10:00
Joakim Erdfelt c245a70893 Updating to version 10.0.7-SNAPSHOT 2021-06-29 10:51:22 -05:00
Joakim Erdfelt 37e7731b4b Updating to version 10.0.6 2021-06-29 10:27:56 -05:00
Lachlan 3c32afa05c
Issue #6473 - canonicalPath refactor & fix alias check in PathResource (Jetty-10) (#6478)
Issue #6473 - canonicalPath refactor & fix alias check in PathResource

* Reverted %-escape handling for URI query parts.
* Performing canonicalization in ServletContext.getResource(),
  and improving alias checking in ContextHandler.getResource().
* Performing canonicalization checks in Resource.addPath() to avoid
  navigation above of the root.
* Test added and fixed.
* Various cleanups.
* Improved javadoc and comments
* Compliance mode HttpURI uses UriCompliance.Violation

Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
Co-authored-by: Greg Wilkins <gregw@webtide.com>
2021-06-29 15:42:39 +02:00
Lachlan bc0fbbb5c1
Revert logic in Request.setMetaData, clear emptySegment on HttpUri.clear() (#6468)
Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
Manually merged as ECA checks are broken
2021-06-24 17:18:49 +10:00
Greg Wilkins 4673846635
Compliance modes documentation (#6312)
Added doco on compliance modes

Signed-off-by: Greg Wilkins <gregw@webtide.com>
Co-authored-by: Simone Bordet <simone.bordet@gmail.com>
2021-06-24 15:20:05 +10:00
Lachlan d233f3be02
Issue #6447 - Deprecate support for UTF16 encoding in URIs (#6457)
Deprecate support for UTF16 encoding in URIs.
Add compliance mode to allow UTF16 encodings.
Improve testing.
2021-06-23 22:58:49 +10:00
Joakim Erdfelt 9d2d1e29b7 Updating to version 10.0.6-SNAPSHOT 2021-06-11 09:42:42 -05:00
Joakim Erdfelt dc21b2d73c Updating to version 10.0.5 2021-06-11 09:18:00 -05:00
Lachlan b4d7e5117d
Issue #6302 - Treat empty path segments as ambiguous. (#6304)
Issue #6302 - Treat empty path segments are ambiguous.

* Fix false empty segments being reported.
* Add HttpUriTests for the empty segment as ambiguous

Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
Co-authored-by: Greg Wilkins <gregw@webtide.com>
2021-06-10 15:12:59 +02:00
Joakim Erdfelt 987066aac1 Updating to version 10.0.5-SNAPSHOT 2021-06-04 13:28:47 -05:00
Joakim Erdfelt 5523480c54 Updating to version 10.0.4 2021-06-04 13:09:44 -05:00
Simone Bordet 9ace21992e Updated POM versions to 10.0.4-SNAPSHOT.
Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
2021-05-21 17:07:46 +02:00
Lachlan f58dbedcd0
Fixes #6263 - Review URI encoding in ConcatServlet & WelcomeFilter.
Review URI encoding in ConcatServlet & WelcomeFilter and improve testing.

Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
Co-authored-by: Simone Bordet <simone.bordet@gmail.com>
2021-05-12 17:14:43 +02:00
Lachlan 4c98990cd9
Create FileBufferedResponseHandler to buffer responses into a file. (#6010)
FileBufferedResponseHandler adds an HttpOutput.Interceptor to buffer all responses into a file until the output is closed. This allows the commit to be delayed until the response is complete and thus headers and response status can be changed while writing the body.

Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
2021-04-19 11:02:44 +10:00
Greg Wilkins b56edf511a
UriCompliance mode improvements #6132 (#6137)
Resolve #6132

Improve configuration of ambiguous URI handling.
Added NON_CANONICAL_AMBIGUOUS_PATHS
2021-04-08 12:03:30 +10:00
Guilherme Amaral e3c87fc2af
Changed exception check by JUnit API usage (#6133) 2021-04-06 08:51:50 +10:00
Olivier Lamy a0796d1055 Updating to version 10.0.3-SNAPSHOT 2021-03-26 06:31:31 +00:00
Olivier Lamy 7bd207b309 Updating to version 10.0.2 2021-03-26 06:13:42 +00:00
Olivier Lamy d27363fa55 back to 10.0.2-SNAPSHOT
Signed-off-by: Olivier Lamy <oliver.lamy@gmail.com>
2021-03-26 06:10:47 +00:00
Jesse McConnell 7a9e01ac56
Updating to version 10.0.3-SNAPSHOT 2021-03-25 10:38:15 -05:00
Jesse McConnell aac6bfbd48
Updating to version 10.0.2 2021-03-25 10:21:44 -05:00
Simone Bordet 6fca106160 Reverted version to 10.0.2-SNAPSHOT.
Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
2021-03-25 16:02:45 +01:00
Olivier Lamy 3d0574d64c Updating to version 10.0.3-SNAPSHOT 2021-03-25 04:10:39 +00:00
Olivier Lamy ab235ad687 Updating to version 10.0.2 2021-03-25 03:57:25 +00:00
Greg Wilkins 06e1a7e88d
URI compliance modes for #6001 (#6006)
* Fix #4275 separate compliance modes for ambiguous URI segments and separators

default modes allows both ambiguous separators and segments, but still forbids ambiguous parameters

Co-authored-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>
2021-03-02 11:59:16 +01:00
gregw c4dbf9748e Merge remote-tracking branch 'origin/jetty-9.4.x' into jetty-10.0.x
Signed-off-by: gregw <gregw@webtide.com>
2021-02-24 11:58:55 +01:00
Greg Wilkins 49e73dfb75
Fix #4275 #6001 separate compliance modes for ambiguous URI segments and se… (#6003)
Fix #4275 separate compliance modes for ambiguous URI segments and separators
2021-02-24 10:05:05 +01:00
Joakim Erdfelt fa6c617069
Fixing checkstyle warning
Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>
2021-02-23 16:28:09 -06:00
gregw bc3e1dc94e Merge remote-tracking branch 'origin/jetty-9.4.x' into jetty-10.0.x
Signed-off-by: gregw <gregw@webtide.com>
2021-02-23 20:06:30 +01:00