Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Review HttpRequest URI construction (CVE-2022-2047) #8014

Closed
sbordet opened this issue May 17, 2022 · 0 comments
Closed

Review HttpRequest URI construction (CVE-2022-2047) #8014

sbordet opened this issue May 17, 2022 · 0 comments
Labels
Bug For general bugs on Jetty side Security

Comments

@sbordet
Copy link
Contributor

sbordet commented May 17, 2022
edited by joakime
Loading

Jetty version(s)
10.0.x

Description
Certain URIs may be misconstructed by HttpRequest, possibly resulting in a wrong Host header.

Fixes Security Advisory
GHSA-cj7v-27pg-wf7q
CVE-2022-2047
@sbordet sbordet added the Bug For general bugs on Jetty side label May 17, 2022
sbordet added a commit that referenced this issue May 17, 2022
@sbordet
Fixes #8014 - Review HttpRequest URI construction.
c1cb2dc 
Now always adding a "/" before the path, if not already present.
Disabled flakey HTTP/3 test.

Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
sbordet added a commit that referenced this issue May 23, 2022
@sbordet
Fixes #8014 - Review HttpRequest URI construction.
2cd7c30 
Fixes after review in HttpURI.

Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
sbordet added a commit that referenced this issue May 23, 2022
@sbordet
Fixes #8014 - Review HttpRequest URI construction.
9b4f40d 
More fixes after review in HttpURI.

Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
gregw added a commit that referenced this issue May 24, 2022
@gregw
Update #8014
78298f5 
Parse CONNECT URIs as Authority
@gregw gregw closed this as completed in d1e64f4 May 26, 2022
sbordet added a commit that referenced this issue Jun 8, 2022
@sbordet
Fixes #8014 - Review HttpRequest URI construction.
878ff23 
Now always adding a "/" before the path, if not already present.
Parse CONNECT URIs as Authority

Co-authored-by: Greg Wilkins <gregw@webtide.com>
(cherry picked from commit d1e64f4)
sbordet added a commit that referenced this issue Jun 8, 2022
@sbordet
Fixes #8014 - Review HttpRequest URI construction. (#8146)
4ca8afb 
Now always adding a "/" before the path, if not already present.
Parse CONNECT URIs as Authority

Co-authored-by: Greg Wilkins <gregw@webtide.com>
(cherry picked from commit d1e64f4)
@joakime joakime changed the title Review HttpRequest URI construction Review HttpRequest URI construction (CVE-2022-2047) Jul 7, 2022
This was referenced Sep 9, 2022
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Bug For general bugs on Jetty side Security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@joakime @sbordet