* Cherry-pick of Improvements to PathSpec.
* From commit: 5b4d1dd1c6
* Fixing ConstraintSecurityHandler usage of PathMappings
* Fixing bad INCLUDE logic from cherry-pick in ServletHandler.doScope()
* Cleanup of non ServletPathSpec behaviors in ServletPathMapping class
* Skip optional group name/info lookup if regex fails.
* Prevent NPE on static servletPathMappings
* Update WebSocketMappings to use new PathMappings.getMatched(String)
Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>
Fixes#8014 - Review HttpRequest URI construction.
Now always adding a "/" before the path, if not already present.
Disabled flakey HTTP/3 test.
Parse CONNECT URIs as Authority
Co-authored-by: Greg Wilkins <gregw@webtide.com>
* Clarify that requestHeaderSize is a cumulative limit
HttpConfiguration documents the requestHeaderSize configuration option
as being a limit on the size of a single request header, but it is in
fact a limit on the cumulative size of all request headers as well as
the request URI. This patch updates the documentation accordingly, and
adds test cases for the HTTP/1.x and HTTP/2 parsers to verify the
behavior.
NB.: the HTTP/3 parser and configuration seem to correctly document this
option as being a global limit on header size.
* Improve requestHeaderSize tests and documentation per review
Signed-off-by: Máté Szabó <mszabo@wikia-inc.com>
* Fixes#7348 - Slow CONNECT request causes NPE (#7349)
Added NPE guard in `HttpReceiverOverHTTP.onUpgradeFrom()`.
Expanded logic in `HttpReceiverOverHTTP.parse()` to return true in case of CONNECT + 200.
Fixed `ProxyConnection.toConnectionString()` to avoid NPEs.
Fixed `HttpClientTest.testCONNECTWithHTTP10()` logic
after changes to fix this issue.
Now a tunneled connection is not put back into the connection pool,
and if applications explicitly want to use it, they must re-enable
fill interest, similarly to what should be done after upgrade+101.
Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
(cherry picked from commit 5eb7b70df7)
Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
Added http3 Jetty module and distribution test.
Implemented simple logic to send the Alt-Svc header in HTTP/2 responses.
Updated JNA dependency to use jna-jpms.
Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
* Improve #4275 ambiguous URIs
A URI like `/foo/%2e%2e;/bar` should be ambiguous both because of the encoded dots and because of the parameters. This means that the default setting of jetty-9 is a bit more secure as this path is considered ambiguous if either Violation.SEGMENT or Violation.PARAM is set.
Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
Changed order of entries in module-info.java to be canonical
(cherry picked from commit 02691171d5)
Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
Issue #6473 - canonicalPath refactor & fix alias check in PathResource
* Reverted %-escape handling for URI query parts.
* Performing canonicalization in ServletContext.getResource(),
and improving alias checking in ContextHandler.getResource().
* Performing canonicalization checks in Resource.addPath() to avoid
navigation above of the root.
* Test added and fixed.
* Various cleanups.
* Improved javadoc and comments
* Compliance mode HttpURI uses UriCompliance.Violation
Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
Co-authored-by: Greg Wilkins <gregw@webtide.com>
Joakim Erdfelt
Greg Wilkins
Simone Bordet
Jaroslaw Rzeszotko
mszabo-wikia
Lachlan Roberts
Olivier Lamy
dependabot[bot]
Ludovic Orban