Indexing/Listing Vulnerability in Jetty

If you are using DefaultServlet or ResourceHandler with indexing/listing, then you are vulnerable to a variant of XSS behaviors surrounding the use of injected HTML element attributes on the parent directory link. We recommend disabling indexing/listing or upgrading to a non-vulnerable version. To disable indexing/listing: If using the DefaultServlet (provided …

Eat What You Kill without Starvation!

Jetty 9 introduced the Eat-What-You-Kill execution strategy (the EatWhatYouKill strategy is named after a hunting proverb, in the sense that one should only kill to eat; the use of this phrase is not an endorsement of hunting or of killing wildlife for food or sport) to apply mechanically sympathetic techniques to the …

CometD 4.0.0 Released

The CometD Project is happy to announce the availability of CometD 4.0.0. CometD 4.0.0 builds on top of the CometD 3.1.x series, bringing improvements and new features. You can find a migration guide at the official CometD documentation site. What’s new in CometD 4.0.0: The main theme behind CometD 4.0.x …

Fast MultiPart FormData

Jetty’s venerable MultiPartInputStreamParser for parsing MultiPart form-data has been deprecated and replaced by the much more efficient MultiPartFormInputStream, based on a new MultiPartParser. This is much faster, but less forgiving of non-compliant formats. So we have implemented a legacy mode to access the old parser, but with enhancements to make …

Conscrypting native SSL for Jetty

By default, Jetty uses the JSSE provider from the JVM for SSL, which has three significant problems: it’s slow; it doesn’t support ALPN in Java 8, which is needed for HTTP/2; and it’s REALLY slow! There are workarounds for both problems: using SSL offloading and/or using our boot path patched JSSE for …

HTTP Trailers in Jetty

HTTP/1.1 and HTTP/2 have the concept of trailers, that is, HTTP headers that can be sent after the message body, in both requests and responses. In HTTP/1.1 trailers can be sent using the chunked transfer coding, for example in requests (but the same is valid in responses): POST / HTTP/1.1\r\n …