Merged branch 'jetty-10.0.x' into 'jetty-11.0.x'.

Signed-off-by: Simone Bordet <simone.bordet@gmail.com>

Author: sbordet

VERSION.txt

@@ -241,10 +241,10 @@ jetty-10.0.1 - 19 February 2021
  + 4275 Path Normalization/Traversal - Context Matching
  + 4515 Validation extension should not downcast CoreSession
  + 5492 Add ability to manage start modules by java feature
- + 5499 Improve temporary buffer usage for WebSocket PerMessageDeflate.
+ + 5499 Improve temporary buffer usage for WebSocket PerMessageDeflate
  + 5605 Blocked IO Thread not woken
  + 5689 Jetty ssl keystorePath doesn't work with absolute path
- + 5706 The WebSocket ServerUpgradeResponse can produce NPE in jetty 10.
+ + 5706 The WebSocket ServerUpgradeResponse can produce NPE in jetty 10
  + 5725 Review Preventers
  + 5755 Cannot configure maxDynamicTableSize on HTTP2Client
  + 5757 Review Inferred vs Assumed charsets
@@ -258,7 +258,7 @@ jetty-10.0.1 - 19 February 2021
  + 5799 Allow specifying the duration an object can stay in a pool
  + 5824 Build up of ConstraintMappings when stopping and starting WebAppContext
  + 5830 Jetty-util contains wrong Import-Package
- + 5844 --download flag to jetty-start causes NullPointerException
+ + 5844 download flag to jetty-start causes NullPointerException
  + 5845 Use UTF-8 encoding for client basic auth if requested
  + 5850 NPE at Principal WebSocketSession.getUserPrincipal()
  + 5851 org.eclipse.jetty.websocket.servlet.WebSocketServlet cleanup
@@ -304,7 +304,8 @@ jetty-10.0.0 - 02 December 2020
  + 5555 NPE for servlet with no mapping
  + 5562 ArrayTernaryTrie consumes too much memory
  + 5575 Add SEARCH as a known HttpMethod
- + 5605 java.io.IOException: unconsumed input during http request parsing - Resolves CVE-2020-27218
+ + 5605 java.io.IOException: unconsumed input during http request parsing -
+   Resolves CVE-2020-27218
  + 5633 Allow to configure HttpClient request authority
  + 5679 Distro argument --list-all-modules does not work
  + 5680 No way to see which modules are enabled for the distro
@@ -382,8 +383,8 @@ jetty-9.4.35.v20201120 - 20 November 2020
  + 5539 StatisticsServlet output is not valid
  + 5562 ArrayTernaryTrie consumes too much memory
  + 5575 Add SEARCH as a known HttpMethod
- + 5605 java.io.IOException: unconsumed input during http
-   request parsing - Resolves CVE-2020-27218
+ + 5605 java.io.IOException: unconsumed input during http request parsing -
+   Resolves CVE-2020-27218
  + 5633 Allow to configure HttpClient request authority
 
 jetty-9.4.34.v20201102 - 02 November 2020
@@ -640,7 +641,8 @@ jetty-9.4.30.v20200611 - 11 June 2020
  + 4923 SecureRequestCustomizer.SslAttributes does not cache cert chain like
    before
  + 4929 HttpClient: HttpCookieStore.Empty prevents sending cookies
- + 4936 Response header overflow leads to buffer corruptions - Resolves CVE-2019-17638
+ + 4936 Response header overflow leads to buffer corruptions - Resolves
+   CVE-2019-17638
 
 jetty-9.4.29.v20200521 - 21 May 2020
  + 2188 Lock contention creating HTTP/2 streams
@@ -867,7 +869,8 @@ jetty-9.4.22.v20191022 - 22 October 2019
    inclusion of sessionid
 
 jetty-9.4.21.v20190926 - 26 September 2019
- + Includes fixes for CVE-2019-9511, CVE-2019-9512, CVE-2019-9514, CVE-2019-9515, CVE-2019-9516, and CVE-2019-9518
+ + Includes fixes for CVE-2019-9511, CVE-2019-9512, CVE-2019-9514,
+   CVE-2019-9515, CVE-2019-9516, and CVE-2019-9518
  + 97 Permanent UnavailableException thrown during servlet request handling
    should cause servlet destroy
  + 137 Support OAuth
@@ -1013,16 +1016,19 @@ jetty-9.4.18.v20190429 - 29 April 2019
 jetty-9.4.17.v20190418 - 18 April 2019
  + 2140 Infinispan and hazelcast changes to scavenge zombie expired sessions
  + 3464 Split SslContextFactory into Client and Server
- + 3549 Directory Listing on Windows reveals Resource Base path - Resolves CVE-2019-10246
- + 3555 DefaultHandler Reveals Base Resource Path of each Context - Resolves CVE-2019-10247
+ + 3549 Directory Listing on Windows reveals Resource Base path - Resolves
+   CVE-2019-10246
+ + 3555 DefaultHandler Reveals Base Resource Path of each Context - Resolves
+   CVE-2019-10247
 
 jetty-9.4.16.v20190411 - 11 April 2019
  + 1861 Limit total bytes pooled by ByteBufferPools
  + 3133 Logging of `key.readyOps()` can throw unchecked `CancelledKeyException`
  + 3159 WebSocket permessage-deflate RSV1 validity check
  + 3274 OSGi versions of java.base classes in
    org.apache.felix:org.osgi.foundation:jar conflicts with new rules on Java 9+
- + 3319 Modernize Directory Listing: HTML5 and Sorting - Resolves CVE-2019-10241
+ + 3319 Modernize Directory Listing: HTML5 and Sorting - Resolves
+   CVE-2019-10241
  + 3361 HandlerCollection.addHandler is lacking synchronization
  + 3373 OutOfMemoryError: Java heap space in GZIPContentDecoder
  + 3389 Websockets jsr356 willDecode not invoked during decoding
@@ -1095,8 +1101,10 @@ jetty-9.3.28.v20191105 - 05 November 2019
  + 4217 SslConnection.DecryptedEnpoint.flush eternal busy loop
 
 jetty-9.3.27.v20190418 - 18 April 2019
- + 3549 Directory Listing on Windows reveals Resource Base path - Resolves CVE-2019-10246
- + 3555 DefaultHandler Reveals Base Resource Path of each Context - Resolves CVE-2019-10247
+ + 3549 Directory Listing on Windows reveals Resource Base path - Resolves
+   CVE-2019-10246
+ + 3555 DefaultHandler Reveals Base Resource Path of each Context - Resolves
+   CVE-2019-10247
 
 jetty-9.3.26.v20190403 - 03 April 2019
  + 2954 Improve cause reporting for HttpClient failures
@@ -1110,11 +1118,14 @@ jetty-9.2.29.v20191105 - 05 November 2019
  + 4217 SslConnection.DecryptedEnpoint.flush eternal busy loop
 
 jetty-9.2.28.v20190418 - 18 April 2019
- + 3549 Directory Listing on Windows reveals Resource Base path - Resolves CVE-2019-10246
- + 3555 DefaultHandler Reveals Base Resource Path of each Context - Resolves CVE-2019-10247
+ + 3549 Directory Listing on Windows reveals Resource Base path - Resolves
+   CVE-2019-10246
+ + 3555 DefaultHandler Reveals Base Resource Path of each Context - Resolves
+   CVE-2019-10247
 
 jetty-9.2.27.v20190403 - 03 April 2019
- + 3319 Refactored Directory Listing to modernize and avoid XSS - Resolves CVE-2019-10241
+ + 3319 Refactored Directory Listing to modernize and avoid XSS - Resolves
+   CVE-2019-10241
 
 jetty-9.4.14.v20181114 - 14 November 2018
  + 3097 Duplicated programmatic Servlet Listeners causing duplicate calls
@@ -11824,31 +11835,24 @@ jetty-1.1
 jetty-1.0.1
  + Bug fixes
 
-jetty-1.0 - Jan 1998
+jetty-1.0 - 01 January 1998
  + MBServlerV5 renamed to Jetty
  + First release in com.mortbay package structure
- + Included Util, JDBC, HTML, HTTP, Jetty
-
-MBServler-V4.5Beta
-  + Using It JSDK1.0Beta API
-  + Improved HTML package.
-  + Filter mechanism inspired by JigSaw
-
-MBServler-V4
+ + Included Util, JDBC, HTML, HTTP, Jetty MBServler-V4.5Beta + Using It
+   JSDK1.0Beta API + Improved HTML package. + Filter mechanism inspired by
+   JigSaw MBServler-V4
  + JeevesA1.2 servlet API
  + Better configuration and setup for embedding in other Java applications.
- + Util classes from Intelligent Switched Systems.
-
-MBServler-V1 / IssueTracker 3.1
- + The IssueTracker HTTP server has been separated from the Issue Tracker application and updated to the java.servlet interface. It is now called MBServler
- + JDBC module
-
-IssueTracker-2.0
+ + Util classes from Intelligent Switched Systems. MBServler-V1 / IssueTracker
+   3.1
+ + The IssueTracker HTTP server has been separated from the Issue Tracker
+   application and updated to the java.servlet interface. It is now called
+   MBServler
+ + JDBC module IssueTracker-2.0
  + Faster HTTP server
  + Basic authentication
- + User management
-
-IssueTracker-1.0 - Jan 1995
+ + User management IssueTracker-1.0 - Jan 1995
  + Won the Australian Java Programming Contest!
  + HTTP Server
  + Issue tracking application
+

jetty-server/src/main/java/org/eclipse/jetty/server/session/SessionHandler.java

@@ -1614,41 +1614,59 @@ else if (!DispatcherType.REQUEST.equals(baseRequest.getDispatcherType()))
                         if (LOG.isDebugEnabled())
                             LOG.debug("Got Session ID {} from cookie {}", id, sessionCookie);
 
-                        //retrieve the session, which increments the reference count
-                        HttpSession s = getHttpSession(id);
-                        //associate it with the request so its reference count
-                        //will be decremented as the request completes
-                        if (s != null && isValid(s))
-                            baseRequest.enterSession(s);
-
-                        if (requestedSessionId == null)
+                        if (session == null)
                         {
-                            //no previous id, always accept this one
-                            requestedSessionId = id;
-                            session = s;
-                        }
-                        else if (requestedSessionId.equals(id))
-                        {
-                            //really a bad request, but will forgive the duplication
-                        }
-                        else if (session == null || !isValid(session))
-                        {
-                            //no previous session or invalid, accept this one
-                            requestedSessionId = id;
-                            session = s;
+                            //we currently do not have a session selected, use this one if it is valid
+                            HttpSession s = getHttpSession(id);
+                            if (s != null && isValid(s))
+                            {
+                                //associate it with the request so its reference count is decremented as the
+                                //request exits
+                                requestedSessionId = id;
+                                session = s;
+                                baseRequest.enterSession(session);
+                                baseRequest.setSession(session);
+
+                                if (LOG.isDebugEnabled())
+                                    LOG.debug("Selected session {}", session);
+                            }
+                            else
+                            {
+                                if (LOG.isDebugEnabled())
+                                    LOG.debug("No session found for session cookie id {}", id);
+
+                                //if we don't have a valid session id yet, just choose the current id
+                                if (requestedSessionId == null)
+                                    requestedSessionId = id;
+                            }
                         }
                         else
                         {
-                            //previous session is valid, use it unless both valid
-                            if (s != null && isValid(s))
-                                throw new BadMessageException("Duplicate valid session cookies: " + requestedSessionId + "," + id);
+                            //we currently have a valid session selected. We will throw an error
+                            //if there is a _different_ valid session id cookie. Duplicate ids, or
+                            //invalid session ids are ignored
+                            if (!session.getId().equals(getSessionIdManager().getId(id)))
+                            {
+                                //load the session to see if it is valid or not
+                                HttpSession s = getHttpSession(id);
+                                if (s != null && isValid(s))
+                                {
+                                    //associate it with the request so its reference count is decremented as the
+                                    //request exits
+                                    baseRequest.enterSession(s);
+                                    if (LOG.isDebugEnabled())
+                                        LOG.debug("Multiple different valid session ids: {}, {}", requestedSessionId, id);
+                                    throw new BadMessageException("Duplicate valid session cookies: " + requestedSessionId + " ," + id);
+                                }
+                            }
+                            else
+                            {
+                                if (LOG.isDebugEnabled())
+                                    LOG.debug("Duplicate valid session cookie id: {}", id);
+                            }
                         }
                     }
                 }
-
-                //if we wound up with a single valid session
-                if (session != null && isValid(session))
-                    baseRequest.setSession(session);  //associate the session with the request
             }
         }
 

scripts/release-jetty.sh

@@ -18,6 +18,7 @@ requiredExecutable "sed"
 requiredExecutable "gpg"
 requiredExecutable "egrep"
 requiredExecutable "mvn"
+requiredExecutable "dot"
 
 proceedyn() {
     while true; do