DB-4068 cherry-pick upstream HttpRequest/ObjectDecoder fixes (4.0.54/bdp 5.1)#22

Merged
jtgrabowski merged 3 commits into riptano:dse-netty-4.0.54.Final from dalaro:dse-netty-4.0.54.Final-with-DB-4068 on Apr 8, 2020

@jtgrabowski jtgrabowski commented Apr 3, 2020

https://datastax.jira.com/browse/DB-4068

@dalaro I have netty write permissions so I created 4.0.54 branch and this PR

Motivation:

Technically speaking it's valid to have http headers with no values so we should support it. That said we need to detect if these are "generated" because of an "invalid" fold.

Modifications:

- Detect if a colon is missing when parsing headers.
- Add unit test

Result:

Fixes netty#9866

(cherry picked from commit a7c18d4)

(After the default cherry-pick algorithm finished, I hand-resolved some
compile errors related to refactoring between the 4.0 and 4.1 branches)

@jtgrabowski jtgrabowski left a comment

Backport looks good but I see some unchanged 4.0.54.Final in pom files

This version is equivalent to upstream's 4.0.54.Final, but with one
upstream commit (for CVE-2019-20444) cherry-picked backwards from 4.1.

Detect missing colon when parsing http headers with no value (netty#9871)
	GHSA-cqqj-4p63-rrmm
	netty#9866
	netty#9871

	a7c18d4

dalaro commented Apr 7, 2020

Thanks for creating an appropriate base branch.

I found four overlooked 4.0.54.Final usages:

  • <scm><tag> in three poms (top-level, dev-tools, bom)
  • <version> in bom/pom.xml

I updated the stale <version> in bom/pom.xml.

I've also deleted all <tag> elements from the <scm> elements. I haven't created or pushed tags for these new versions yet. If the release job for this project runs mvn release:prepare (or mvn scm:tag directly for some reason), then I think it should repopulate the <scm><tag> as it executes. I'm not sure the release job cares, though, because I see values for <scm><tag> that don't have corresponding tags on the riptano/netty repo.

Here's the diff reflecting what I just listed above, right before force-pushing:

$  git diff dalaro/`git rev-parse --symbolic-full-name --abbrev-ref HEAD`..HEAD
diff --git a/bom/pom.xml b/bom/pom.xml
index 7cd0c4a827..5259e3215d 100644
--- a/bom/pom.xml
+++ b/bom/pom.xml
@@ -25,7 +25,7 @@
 
   <groupId>io.netty</groupId>
   <artifactId>netty-bom</artifactId>
-  <version>4.0.54.Final</version>
+  <version>4.0.54.1.dse</version>
   <packaging>pom</packaging>
 
   <name>Netty/BOM</name>
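Review bot: the `<version>` change at line 28 covers only the BOM's own coordinates, and this hunk does not show whether any versions the BOM manages for the individual netty artifacts further down the file were moved to `4.0.54.1.dse` as well. If any still read `4.0.54.Final`, consumers importing this BOM would resolve to the upstream artifacts without the cherry-picked header-parsing fix, so please confirm with a search for `4.0.54.Final` across the tree before merging.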
@@ -49,7 +49,6 @@
     <url>https://github.com/netty/netty</url>
     <connection>scm:git:git://github.com/netty/netty.git</connection>
     <developerConnection>scm:git:ssh://git@github.com/netty/netty.git</developerConnection>
-    <tag>netty-4.0.54.Final</tag>
   </scm>
 
   <developers>
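Review bot: with `<tag>` gone, the `<scm>` entries left in this hunk still point at github.com/netty/netty, including `<developerConnection>`. If the release job does run mvn release:prepare as discussed above, the tag it creates would be pushed to that developerConnection rather than to riptano/netty; consider pointing it at the fork, or confirm that the job overrides it.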
diff --git a/dev-tools/pom.xml b/dev-tools/pom.xml
index 33eba560f9..e672c70215 100644
--- a/dev-tools/pom.xml
+++ b/dev-tools/pom.xml
@@ -52,6 +52,5 @@
   </build>
 
   <scm>
-    <tag>netty-4.0.54.Final</tag>
   </scm>
 </project>
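Review bot: removing the only child leaves an empty `<scm>` element at the end of dev-tools/pom.xml. Either drop the element as well or keep it with a short XML comment saying the tag is filled in at release time, so the empty block does not read as an accident.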
diff --git a/pom.xml b/pom.xml
index 2d4a2d4bab..1ac923f4c1 100644
--- a/pom.xml
+++ b/pom.xml
@@ -53,7 +53,6 @@
     <url>https://github.com/netty/netty</url>
     <connection>scm:git:git://github.com/netty/netty.git</connection>
     <developerConnection>scm:git:ssh://git@github.com/netty/netty.git</developerConnection>
-    <tag>netty-4.0.54.Final</tag>
   </scm>
 
   <developers>
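Review bot: in the top-level pom, dropping `<tag>` means Maven falls back to its default of HEAD for the SCM tag, so the published pom no longer names the source revision it was built from. For a release that exists to carry a CVE backport, that link is worth keeping: create the tag as part of the release and let it be written back here, or record the merge commit in the release notes.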

I'm force-pushing similar changes on the other two PRs.

This build.yaml is copied from dse-netty-4.1.13.Final.  I just modified the repo
URL to point to https://repo.sjc.dsinternal.org/artifactory/datastax-releases-local
instead of the old artifactory URL.
@jtgrabowski jtgrabowski merged commit 0a9e4f3 into riptano:dse-netty-4.0.54.Final Apr 8, 2020