Merge remote-tracking branch 'origin/jetty-12.0.x' into jetty-12.0.x-…

…10582-servlethttpwrapper
jetty · Oct 12, 2023 · 1ba9e1e · 1ba9e1e
2 parents 1dd8dfd + fcc8827
commit 1ba9e1e
Show file tree

Hide file tree

Showing 373 changed files with 14,285 additions and 13,674 deletions.
diff --git a/.github/ISSUE_TEMPLATE/release-template.md b/.github/ISSUE_TEMPLATE/release-template.md
@@ -25,6 +25,7 @@ This release process will produce releases:
   + [ ] Freeze the target [GitHub Project(s)](https://github.com/eclipse/jetty.project/projects) by editing their names to "Jetty X.Y.Z FROZEN"
   + [ ] Review the issues/PRs assigned to the target [GitHub Project(s)](https://github.com/eclipse/jetty.project/projects).  Any tasks that are not-yet-started are moved to next releases.
 - [ ] Review dependabot status. [Manually](https://github.com/eclipse/jetty.project/network/updates) run dependabot if needed and review resulting PRs for inclusion.
+      Such updates should only be included in the week before a release if there is a compelling security or stability reason to do so.
 - [ ] Wait 24 hours from last change to the issues/PRs included in FROZEN GitHub Project(s).
 - [ ] Verify target [project(s)](https://github.com/eclipse/jetty.project/projects) are complete.
 - [ ] Verify that branch `jetty-10.0.x` is merged to branch `jetty-11.0.x`.

diff --git a/.mvn/maven-build-cache-config.xml b/.mvn/maven-build-cache-config.xml
@@ -22,7 +22,11 @@
   </configuration>
   <input>
     <global>
-      <glob>*.{java,xml,properties,mod,adoc}</glob>
+      <glob>{*.java,*.xml,*.properties,*.mod,*.adoc}</glob>
+      <excludes>
+        <exclude>*Jenkinsfile*</exclude>
+        <exclude>./idea/*</exclude>
+      </excludes>
     </global>
     <plugins>
       <plugin groupId="org.apache.maven.plugins" artifactId="maven-invoker-plugin">

diff --git a/KEYS.txt b/KEYS.txt
@@ -6,4 +6,4 @@ Joakim Erdfelt  <[email protected]>        B59B 67FD 7904 9843 67F9  3180 0818
 Joakim Erdfelt  <[email protected]>        BFBB 21C2 46D7 7768 3628  7A48 A04E 0C74 ABB3 5FEA
 Simone Bordet   <[email protected]>   8B09 6546 B1A8 F026 56B1  5D3B 1677 D141 BCF3 584D
 Olivier Lamy    <[email protected]>          F254 B356 17DC 255D 9344  BCFA 873A 8E86 B437 2146
-Ludovic Orban   <[email protected]>        E224 88CC 94F6 3E3F C928  536C 4241 C082 70D9 99C3
+Ludovic Orban   <[email protected]>        CD38 A1DA DA34 13BE 96DF  547F 3D14 6A4A 1C58 367E
diff --git a/VERSION.txt b/VERSION.txt
@@ -1,12 +1,52 @@
-jetty-12.0.2-SNAPSHOT
+jetty-12.0.3-SNAPSHOT
+
+jetty-12.0.2 - 09 October 2023
+ + 7408 Change scope of maven plugin dependencies
+ + 9665 `HttpCookieStore` incorrectly rejects cookies for domains that are an
+   IPv6 address
+ + 9777 CrossOriginFilter does not return Vary header on no-cors mode
+ + 9928 Backport `Request.getBeginNanoTime()`
+ + 10219 Review HTTP Cookie parsing
+ + 10271 jetty.sh does not stop jetty anymore
+ + 10328 Review `ResourceFactory.newSystemResource(String)` behavior & javadoc
+ + 10361 Introduce QoSHandler
+ + 10382 NPE thrown during HttpClient tests
+ + 10388 Jetty10 inetaccess mod started error
+ + 10440 ClassCastException with `<jettyEnvXml>` use in
+   `jetty-ee10-maven-plugin`
+ + 10441 Jetty 12 ee8 jaspi is missing
+ + 10442 Reduce verbosity when JMX finds overloaded setter
+ + 10463 Jetty 12 throws Exception handling static files when using response
+   wrapper
+ + 10466 Review HTTP session documentation
+ + 10473 Startup Script reports `ok` too fast, and doesn't wait for actual
+   start of Jetty
+ + 10474 Jetty 12 default error handler throws IllegalStateException for
+   application/json
+ + 10475 Update Jetty 12 MANIFEST's Bundle-Copyright
+ + 10482 RewriteHandler with multiple HeaderPatternRules
+ + 10490 Jetty 12 Jakarta Websockets user principal is always null
+ + 10498 NullPointerException from call to UpgradeRequest#getUserPrincipal with
+   Jetty 12
+ + 10500 Jetty 12 HTTP SPI does not preserve double-quotes on valid request
+   headers
+ + 10508 Jetty 12 IllegalArgumentExeption when setting a HTTP header to null
+ + 10513 Lockup processing POST request body with Jetty 12.0.1 using http/2
+ + 10543 Review HttpStream.consumeAvailable() implementations
+ + 10547 Cannot customize Executor on WebSocketClient
+ + 10557 Update quiche to 0.18.0
+ + 10558 NPE when forwarding a request to default servlet which should redirect
+   to a subdirectory with trailing slash
+ + 10665 Wrong BREE in Jetty jars
+ + 10679 Review HTTP/2 rate control (CVE-2023-44487)
 
 jetty-12.0.1 - 29 August 2023
  + 8926 HttpClient GZIPContentDecoder should remove Content-Length and
    Content-Encoding: gzip
  + 9169 Idle timeout is ignored if callback is not completed
  + 9900 Improve `Request.getBeginNanoTime()` accuracy
- + 10158 Deploying on Jetty 12 using context XML files will only work
-   when a .properties file with the EE details is also present
+ + 10158 Deploying on Jetty 12 using context XML files will only work when a
+   .properties file with the EE details is also present
  + 10207 Update failed JSP deployment message
  + 10213 UnknownFormatConversionException in `start.jar --debug` if path has
    `%` sign
@@ -15,8 +55,7 @@ jetty-12.0.1 - 29 August 2023
  + 10274 java.nio.file.FileSystemNotFoundException when creating a resource
    from a JAR URL
  + 10294 Request.getContext().getContextPath()
- + 10295 FormAuthenticator does not dispatch to an error page but
-   redirect
+ + 10295 FormAuthenticator does not dispatch to an error page but redirect
  + 10306 Jetty 12 generates wrong Host header
  + 10309 Jetty 12: X-Powered-By header is added 2 times (if enabled)
  + 10312 Remove jetty-home-with-docs to eliminate build time cyclic
@@ -40,6 +79,23 @@ jetty-12.0.1 - 29 August 2023
  + 10411 Review deployment of Jetty Context XML files
  + 10416 EE9 Copies HttpFields in response
 
+jetty-11.0.17 - 09 October 2023
+ + 9777 CrossOriginFilter does not return Vary header on no-cors mode
+ + 9928 Backport `Request.getBeginNanoTime()`
+ + 10271 jetty.sh does not stop jetty anymore
+ + 10473 Startup Script reports `ok` too fast, and doesn't wait for actual
+   start of Jetty
+ + 10547 Cannot customize Executor on WebSocketClient
+ + 10679 Review HTTP/2 rate control (CVE-2023-44487)
+
+jetty-10.0.17 - 09 October 2023
+ + 9777 CrossOriginFilter does not return Vary header on no-cors mode
+ + 9928 Backport `Request.getBeginNanoTime()`
+ + 10473 Startup Script reports `ok` too fast, and doesn't wait for actual
+   start of Jetty
+ + 10547 Cannot customize Executor on WebSocketClient
+ + 10679 Review HTTP/2 rate control (CVE-2023-44487)
+
 jetty-11.0.16 - 25 August 2023
  + 6140 Report total number of keys in SelectorManager
  + 7091 Add SOCKS5 support
@@ -63,6 +119,7 @@ jetty-11.0.16 - 25 August 2023
  + 9685 Jetty doesn't set the date header on error responses
  + 9720 Http2Session.streamIdleTimeout should permit being disabled from
    AbstractHTTP2ServerConnectionFactory
+ + 9749 Correct HPACK Integer Overflow (CVE-2023-36478)
  + 9772 Improve Quiche certificates deployment
  + 9777 CrossOriginFilter does not return Vary header on no-cors mode
  + 9795 http3-server is leaking the Jetty logging service to web applications
@@ -239,7 +296,8 @@ jetty-12.0.0.beta1 - 02 May 2023
  + 9444 Unexpected encoding in request.getPathInfo() with Jetty 12 beta 0
  + 9459 Path is missing from JSESSIONID cookie in 12 beta 0
  + 9463 NPE when starting jetty-ee10-maven-plugin
- + 9464 Add optional configuration to log user out after OpenID idToken expires (CVE-2023-41900)
+ + 9464 Add optional configuration to log user out after OpenID idToken expires
+   (CVE-2023-41900)
  + 9466 WebSocket `DeploymentException` is not thrown by client nor server
  + 9467 Jetty 12 - Review BOMs
  + 9468 Jetty 11.0.14 is less tolerant of non-compliant cookies than 11.0.13
@@ -400,6 +458,7 @@ jetty-10.0.16 - 25 August 2023
    common location
  + 9682 RetainableByteBuffer buffer release bug in WebSocket
  + 9685 Jetty doesn't set the date header on error responses
+ + 9749 Correct HPACK Integer Overflow (CVE-2023-36478)
  + 9720 Http2Session.streamIdleTimeout should permit being disabled from
    AbstractHTTP2ServerConnectionFactory
  + 9772 Improve Quiche certificates deployment
@@ -449,7 +508,8 @@ jetty-11.0.15 - 11 April 2023
  + 9309 `jetty.sh` cannot handle complex Jetty properties from `start.d/*.ini`
  + 9400 Jetty logs warning with stacktrace when annotation parser encounters
    module-info.class file inside elasticsearch-x-content jar
- + 9464 Add optional configuration to log user out after OpenID idToken expires (CVE-2023-41900)
+ + 9464 Add optional configuration to log user out after OpenID idToken expires
+   (CVE-2023-41900)
  + 9468 Jetty 11.0.14 is less tolerant of non-compliant cookies than 11.0.13
  + 9497 Maven plugin effective web xml: add support for jar projects
  + 9501 jetty client with proxy - ssl traffic between both proxy and servers
@@ -463,7 +523,8 @@ jetty-10.0.15 - 11 April 2023
  + 9309 `jetty.sh` cannot handle complex Jetty properties from `start.d/*.ini`
  + 9400 Jetty logs warning with stacktrace when annotation parser encounters
    module-info.class file inside elasticsearch-x-content jar
- + 9464 Add optional configuration to log user out after OpenID idToken expires (CVE-2023-41900)
+ + 9464 Add optional configuration to log user out after OpenID idToken expires
+   (CVE-2023-41900)
  + 9468 Jetty 11.0.14 is less tolerant of non-compliant cookies than 11.0.13
  + 9497 Maven plugin effective web xml: add support for jar projects
  + 9501 jetty client with proxy - ssl traffic between both proxy and servers
@@ -1378,7 +1439,8 @@ jetty-10.0.3 - 20 May 2021
  + 6254 Total timeout not enforced for queued requests
  + 6263 Review URI encoding in ConcatServlet & WelcomeFilter (CVE-2021-28169)
  + 6272 Reduce allocation in HttpClient when notifying content listeners
- + 6277 Better handle exceptions thrown from session destroy listener (CVE-2021-34428)
+ + 6277 Better handle exceptions thrown from session destroy listener
+   (CVE-2021-34428)
  + 6280 Copy ServletHolder class/instance properly during startWebapp
  + 6287 Class loading broken for WebSocketClient used inside webapp
 
@@ -1682,7 +1744,8 @@ jetty-10.0.2 - 26 March 2021
  + 6037 Review logging modules for j.u.l
  + 6050 Websocket: NotUtf8Exception after upgrade 9.4.35 -> 9.4.36 or newer
  + 6063 Allow override of hazelcast version when using module
- + 6072 jetty server high CPU when client send data length > 17408 (CVE-2021-28165)
+ + 6072 jetty server high CPU when client send data length > 17408
+   (CVE-2021-28165)
  + 6076 Embedded Jetty throws null pointer exception
  + 6082 SslConnection compacting
  + 6085 Jetty keeps Sessions in use after "Duplicate valid session cookies"
@@ -1758,7 +1821,8 @@ jetty-10.0.0 - 02 December 2020
  + 5555 NPE for servlet with no mapping
  + 5562 ArrayTernaryTrie consumes too much memory
  + 5575 Add SEARCH as a known HttpMethod
- + 5605 java.io.IOException: unconsumed input during http request parsing (CVE-2020-27218)
+ + 5605 java.io.IOException: unconsumed input during http request parsing
+   (CVE-2020-27218)
  + 5633 Allow to configure HttpClient request authority
  + 5679 Distro argument --list-all-modules does not work
  + 5680 No way to see which modules are enabled for the distro
@@ -2045,7 +2109,8 @@ jetty-9.4.41.v20210516 - 16 May 2021
    `AsyncContext.dispatch`
  + 6254 Total timeout not enforced for queued requests
  + 6263 Review URI encoding in ConcatServlet & WelcomeFilter (CVE-2021-28169)
- + 6277 Better handle exceptions thrown from session destroy listener (CVE-2021-34428)
+ + 6277 Better handle exceptions thrown from session destroy listener
+   (CVE-2021-34428)
  + 6280 Copy ServletHolder class/instance properly during startWebapp
 
 jetty-9.4.40.v20210413 - 13 April 2021
@@ -2061,7 +2126,8 @@ jetty-9.4.39.v20210325 - 25 March 2021
  + 6052 Cleanup TypeUtil and ModuleLocation to allow jetty-client/hybrid to
    work on Android
  + 6063 Allow override of hazelcast version when using module
- + 6072 jetty server high CPU when client send data length > 17408 (CVE-2021-28165)
+ + 6072 jetty server high CPU when client send data length > 17408
+   (CVE-2021-28165)
  + 6085 Jetty keeps Sessions in use after "Duplicate valid session cookies"
    Message
  + 6101 Normalize ambiguous URIs (CVE-2021-28164)
@@ -2117,7 +2183,8 @@ jetty-9.4.35.v20201120 - 20 November 2020
  + 5539 StatisticsServlet output is not valid
  + 5562 ArrayTernaryTrie consumes too much memory
  + 5575 Add SEARCH as a known HttpMethod
- + 5605 java.io.IOException: unconsumed input during http request parsing (CVE-2020-27218)
+ + 5605 java.io.IOException: unconsumed input during http request parsing
+   (CVE-2020-27218)
  + 5633 Allow to configure HttpClient request authority
 
 jetty-9.4.34.v20201102 - 02 November 2020
@@ -2611,8 +2678,10 @@ jetty-9.4.18.v20190429 - 29 April 2019
 jetty-9.4.17.v20190418 - 18 April 2019
  + 2140 Infinispan and hazelcast changes to scavenge zombie expired sessions
  + 3464 Split SslContextFactory into Client and Server
- + 3549 Directory Listing on Windows reveals Resource Base path (CVE-2019-10246)
- + 3555 DefaultHandler Reveals Base Resource Path of each Context (CVE-2019-10247)
+ + 3549 Directory Listing on Windows reveals Resource Base path
+   (CVE-2019-10246)
+ + 3555 DefaultHandler Reveals Base Resource Path of each Context
+   (CVE-2019-10247)
 
 jetty-9.4.16.v20190411 - 11 April 2019
  + 1861 Limit total bytes pooled by ByteBufferPools
@@ -2693,8 +2762,10 @@ jetty-9.3.28.v20191105 - 05 November 2019
  + 4217 SslConnection.DecryptedEnpoint.flush eternal busy loop
 
 jetty-9.3.27.v20190418 - 18 April 2019
- + 3549 Directory Listing on Windows reveals Resource Base path (CVE-2019-10246)
- + 3555 DefaultHandler Reveals Base Resource Path of each Context (CVE-2019-10247)
+ + 3549 Directory Listing on Windows reveals Resource Base path
+   (CVE-2019-10246)
+ + 3555 DefaultHandler Reveals Base Resource Path of each Context
+   (CVE-2019-10247)
 
 jetty-9.3.26.v20190403 - 03 April 2019
  + 2954 Improve cause reporting for HttpClient failures
@@ -2708,11 +2779,14 @@ jetty-9.2.29.v20191105 - 05 November 2019
  + 4217 SslConnection.DecryptedEnpoint.flush eternal busy loop
 
 jetty-9.2.28.v20190418 - 18 April 2019
- + 3549 Directory Listing on Windows reveals Resource Base path (CVE-2019-10246)
- + 3555 DefaultHandler Reveals Base Resource Path of each Context (CVE-2019-10247)
+ + 3549 Directory Listing on Windows reveals Resource Base path
+   (CVE-2019-10246)
+ + 3555 DefaultHandler Reveals Base Resource Path of each Context
+   (CVE-2019-10247)
 
 jetty-9.2.27.v20190403 - 03 April 2019
- + 3319 Refactored Directory Listing to modernize and avoid XSS (CVE-2019-10241)
+ + 3319 Refactored Directory Listing to modernize and avoid XSS
+   (CVE-2019-10241)
 
 jetty-9.4.14.v20181114 - 14 November 2018
  + 3097 Duplicated programmatic Servlet Listeners causing duplicate calls

diff --git a/build/build-resources/pom.xml b/build/build-resources/pom.xml
@@ -1,3 +1,4 @@
+<?xml version="1.0" encoding="UTF-8"?>
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
   <modelVersion>4.0.0</modelVersion>
   <!--
@@ -7,17 +8,17 @@
     -->
   <groupId>org.eclipse.jetty</groupId>
   <artifactId>build-resources</artifactId>
-  <version>12.0.2-SNAPSHOT</version>
-  <name>Build :: Resources</name>
+  <version>12.0.3-SNAPSHOT</version>
   <packaging>jar</packaging>
+  <name>Build :: Resources</name>
 
   <properties>
-    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    <maven.deploy.skip>true</maven.deploy.skip>
+    <maven.javadoc.skip>true</maven.javadoc.skip>
     <!-- versions for these plugins are not based on parent pom -->
     <maven.remote-resources.plugin.version>3.1.0</maven.remote-resources.plugin.version>
     <maven.surefire.plugin.version>3.1.2</maven.surefire.plugin.version>
-    <maven.deploy.skip>true</maven.deploy.skip>
-    <maven.javadoc.skip>true</maven.javadoc.skip>
+    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     <skipTests>true</skipTests>
   </properties>
 
@@ -27,26 +28,66 @@
         <directory>${project.basedir}/src/main/resources</directory>
       </resource>
       <resource>
+        <targetPath>META-INF</targetPath>
         <directory>${project.basedir}/../</directory>
         <includes>
           <include>LICENSE</include>
           <include>NOTICE.txt</include>
         </includes>
-        <targetPath>META-INF</targetPath>
       </resource>
     </resources>
     <plugins>
+      <plugin>
+        <groupId>com.diffplug.spotless</groupId>
+        <artifactId>spotless-maven-plugin</artifactId>
+        <version>2.39.0</version>
+        <configuration>
+          <pom>
+            <includes>
+              <include>pom.xml</include>
+            </includes>
+            <sortPom>
+              <nrOfIndentSpace>2</nrOfIndentSpace>
+              <!-- default see https://github.com/Ekryd/sortpom/wiki/PredefinedSortOrderProfiles -->
+              <predefinedSortOrder>recommended_2008_06</predefinedSortOrder>
+              <!-- Sort properties -->
+              <sortProperties>true</sortProperties>
+              <!-- Sort modules -->
+              <sortModules>true</sortModules>
+              <!-- Sort plugin executions -->
+              <sortExecutions>true</sortExecutions>
+              <!-- Sort dependencies see https://github.com/Ekryd/sortpom/wiki/SortDependencies -->
+              <sortDependencies>scope,groupId,artifactId</sortDependencies>
+              <!-- Sort dependency exclusions -->
+              <sortDependencyExclusions>groupId,artifactId</sortDependencyExclusions>
+              <!-- Sort plugins: https://github.com/Ekryd/sortpom/wiki/SortPlugins -->
+              <sortPlugins>groupId,artifactId</sortPlugins>
+            </sortPom>
+          </pom>
+          <upToDateChecking>
+            <enabled>true</enabled>
+          </upToDateChecking>
+        </configuration>
+        <executions>
+          <execution>
+            <goals>
+              <goal>check</goal>
+            </goals>
+            <phase>validate</phase>
+          </execution>
+        </executions>
+      </plugin>
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-remote-resources-plugin</artifactId>
         <version>${maven.remote-resources.plugin.version}</version>
         <executions>
           <execution>
             <id>create-shared-resources</id>
-            <phase>process-resources</phase>
             <goals>
               <goal>bundle</goal>
             </goals>
+            <phase>process-resources</phase>
             <configuration>
               <resourcesDirectory>${project.build.outputDirectory}</resourcesDirectory>
               <includes>

diff --git a/build/pom.xml b/build/pom.xml
@@ -1,22 +1,22 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+
+  <modelVersion>4.0.0</modelVersion>
   <parent>
     <groupId>org.eclipse.jetty</groupId>
     <artifactId>jetty-project</artifactId>
-    <version>12.0.2-SNAPSHOT</version>
+    <version>12.0.3-SNAPSHOT</version>
   </parent>
-
-  <modelVersion>4.0.0</modelVersion>
   <groupId>org.eclipse.jetty.build</groupId>
   <artifactId>build</artifactId>
-  <name>Build</name>
   <packaging>pom</packaging>
-
-  <properties>
-    <sonar.skip>true</sonar.skip>
-  </properties>
+  <name>Build</name>
 
   <modules>
     <module>build-resources</module>
   </modules>
+
+  <properties>
+    <sonar.skip>true</sonar.skip>
+  </properties>
 </project>