From 57eb04182bad8529dea9586c4e1738aca8211610 Mon Sep 17 00:00:00 2001
From: Lachlan Roberts
Date: Mon, 16 Dec 2024 10:50:12 +1100
Subject: [PATCH 1/2] Issue #12609 - better validation for response codes in setStatus

Signed-off-by: Lachlan Roberts
---
 .../org/eclipse/jetty/ee10/servlet/ServletApiResponse.java | 2 ++
 .../src/main/java/org/eclipse/jetty/ee9/nested/Response.java | 4 ++--
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/jetty-ee10/jetty-ee10-servlet/src/main/java/org/eclipse/jetty/ee10/servlet/ServletApiResponse.java b/jetty-ee10/jetty-ee10-servlet/src/main/java/org/eclipse/jetty/ee10/servlet/ServletApiResponse.java
index 45bf9b1252c4..ee03bed31a91 100644
--- a/jetty-ee10/jetty-ee10-servlet/src/main/java/org/eclipse/jetty/ee10/servlet/ServletApiResponse.java
+++ b/jetty-ee10/jetty-ee10-servlet/src/main/java/org/eclipse/jetty/ee10/servlet/ServletApiResponse.java
@@ -250,6 +250,8 @@ public void addIntHeader(String name, int value)
 @Override
 public void setStatus(int sc)
 {
+ if (sc < 100 || sc > 999)
+ throw new IllegalArgumentException();
 getResponse().setStatus(sc);
 }
diff --git a/jetty-ee9/jetty-ee9-nested/src/main/java/org/eclipse/jetty/ee9/nested/Response.java b/jetty-ee9/jetty-ee9-nested/src/main/java/org/eclipse/jetty/ee9/nested/Response.java
index 1d9777389986..66354b80a077 100644
--- a/jetty-ee9/jetty-ee9-nested/src/main/java/org/eclipse/jetty/ee9/nested/Response.java
+++ b/jetty-ee9/jetty-ee9-nested/src/main/java/org/eclipse/jetty/ee9/nested/Response.java
@@ -754,7 +754,7 @@ public void addIntHeader(String name, int value)
 @Override
 public void setStatus(int sc)
 {
- if (sc <= 0)
+ if (sc < 100 || sc > 999)
 throw new IllegalArgumentException();
 if (isMutable())
 {
@@ -775,7 +775,7 @@ public void setStatus(int sc, String message)
 public void setStatusWithReason(int sc, String message)
 {
- if (sc <= 0)
+ if (sc < 100 || sc > 999)
 throw new IllegalArgumentException();
 if (isMutable())
 {
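Review bot: In the jetty-ee10 `ServletApiResponse.setStatus(int)` hunk the new `IllegalArgumentException` is thrown without a message, so an application that passes 0, 99 or 1000 gets a bare stack trace with no indication of which value was rejected; `throw new IllegalArgumentException("Invalid status code: " + sc);` fixes that at no cost, and the value is an application-chosen int so nothing sensitive is disclosed. PATCH 2/2 of this series deletes this same check from `ServletApiResponse` and relies on the core `HttpChannelState` check instead, so if the two commits are squashed this hunk vanishes; if they are kept separate, the message point carries over to the core check. The enclosing class continues outside the hunk.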
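Review bot: In the jetty-ee9-nested `Response.setStatus(int)` hunk the tightened bound turns previously accepted values such as 1 or 1000 into an `IllegalArgumentException`, but nothing in the hunk documents that contract and the method Javadoc is outside it; add `@throws IllegalArgumentException if {@code sc} is not a three-digit HTTP status code (100-999)` to the method, and give the exception a message, `throw new IllegalArgumentException("Invalid status code: " + sc);`. The range itself is the right one: RFC 9110 defines status-code as exactly 3DIGIT, so any value outside 100-999 cannot be serialised into a well-formed status line, and rejecting it at `setStatus` rather than at write time keeps a malformed response from ever reaching the wire; if this is meant to track the Servlet 6.1 `setStatus` contract (which I believe specifies the same bounds), cite that in the Javadoc too. The check runs before `isMutable()`, so it applies even to a committed response whose status would otherwise be ignored, the same ordering the old `sc <= 0` check had; that fail-fast behaviour is fine but deserves a one-line comment. The method continues past the hunk.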
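Review bot: In the `setStatusWithReason(int, String)` hunk of jetty-ee9-nested `Response` the range check is a verbatim copy of the one added to `setStatus(int)` two hunks earlier, so the 100-999 bound now lives in two places in the same class and can drift if one is later adjusted; extract it into a private helper, `private static void checkStatus(int sc) { if (sc < 100 || sc > 999) throw new IllegalArgumentException("Invalid status code: " + sc); }`, and call `checkStatus(sc);` from both methods. The helper also gives the exception a message, which neither copy currently has. The method body continues past the end of the hunk.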
From 92d5b92833036c5650d661099de5d828ab9bb02e Mon Sep 17 00:00:00 2001
From: Lachlan Roberts
Date: Mon, 16 Dec 2024 16:01:22 +1100
Subject: [PATCH 2/2] PR #12643 - move validation to core response

Signed-off-by: Lachlan Roberts
---
 .../org/eclipse/jetty/server/internal/HttpChannelState.java | 2 ++
 .../java/org/eclipse/jetty/ee10/servlet/ServletApiResponse.java | 2 --
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/jetty-core/jetty-server/src/main/java/org/eclipse/jetty/server/internal/HttpChannelState.java b/jetty-core/jetty-server/src/main/java/org/eclipse/jetty/server/internal/HttpChannelState.java
index b315e9353806..bf484685594e 100644
--- a/jetty-core/jetty-server/src/main/java/org/eclipse/jetty/server/internal/HttpChannelState.java
+++ b/jetty-core/jetty-server/src/main/java/org/eclipse/jetty/server/internal/HttpChannelState.java
@@ -1190,6 +1190,8 @@ public int getStatus()
 @Override
 public void setStatus(int code)
 {
+ if (code < 100 || code > 999)
+ throw new IllegalArgumentException();
 if (!isCommitted())
 _status = code;
 }
diff --git a/jetty-ee10/jetty-ee10-servlet/src/main/java/org/eclipse/jetty/ee10/servlet/ServletApiResponse.java b/jetty-ee10/jetty-ee10-servlet/src/main/java/org/eclipse/jetty/ee10/servlet/ServletApiResponse.java
index ee03bed31a91..45bf9b1252c4 100644
--- a/jetty-ee10/jetty-ee10-servlet/src/main/java/org/eclipse/jetty/ee10/servlet/ServletApiResponse.java
+++ b/jetty-ee10/jetty-ee10-servlet/src/main/java/org/eclipse/jetty/ee10/servlet/ServletApiResponse.java
@@ -250,8 +250,6 @@ public void addIntHeader(String name, int value)
 @Override
 public void setStatus(int sc)
 {
- if (sc < 100 || sc > 999)
- throw new IllegalArgumentException();
 getResponse().setStatus(sc);
 }
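Review bot: The validation now lives only in `setStatus(int)` of `HttpChannelState`, which the ee10 path reaches via `getResponse().setStatus(sc)` only if every response wrapper between the servlet API and the channel delegates `setStatus` down unchanged; the hunk cannot show that chain, so a test that calls `HttpServletResponse.setStatus(1000)` through the ee10 stack and asserts `IllegalArgumentException` would pin the behaviour the ee10 deletion in this patch now depends on. The exception again has no message; use `throw new IllegalArgumentException("Invalid status code: " + code);` so the rejected value is visible in logs (it is an application-chosen int, so nothing sensitive is exposed). Because the check precedes `isCommitted()`, an out-of-range code on a committed response now throws where it was previously silently ignored, which is the right fail-fast choice for a value that could not be serialised as RFC 9110's 3DIGIT status-code anyway, but it is a behaviour change for core callers and the core `Response.setStatus` interface Javadoc (outside the hunk) should gain `@throws IllegalArgumentException if {@code code} is outside 100-999`. The enclosing class continues outside the hunk.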