[UNDERTOW-2605 / 2609 / 2377 / 2582 / 2656 / 2674] CVE-2024-3884 CVE-2024-4027 CVE-2025-12543 Backport fixes to 2.4.x#1894
Merged
Conversation
…fter exact read of content length
…on decoded query string, and replace all internal usage of this method by the new method, getDecodedQueryString() Signed-off-by: Flavia Rainone <frainone@redhat.com>
… more sense in the nomenclature of query strings: * the method getQueryString() is the new standard for getting the original, unencoded, query string. * the method getNonDecodedQueryString is marked for removal in future release * the method setNonDecodedQueryStirng is replaced by setUnencodedQueryString and marked for removal as well * ProxyHandler uses getQueryString instead of getNonDecodedQueryString Signed-off-by: Flavia Rainone <frainone@redhat.com>
… HttpServerExchange. The nomenclature queryString refers always to unencoded query, whereas decodedQueryString is the decoded counterpart. Notice that this makes the invocation of setQueryString mandatory while parsing requests, while setDecodedQueryString is optional and can be used only when decoding of the query is performed. Signed-off-by: Flavia Rainone <frainone@redhat.com>
…ery string in its entire form instead of the beginning, apply this to AjpParsingUnitTestCase (although the original form of the query string in this case is unreadable) Signed-off-by: Flavia Rainone <frainone@redhat.com>
…/entity size Signed-off-by: Flavia Rainone <frainone@redhat.com>
…TIPART_MAX_ENTITY_SIZE to -1 Signed-off-by: Flavia Rainone <frainone@redhat.com>
…tCase and ReceiverTestCase Signed-off-by: Flavia Rainone <frainone@redhat.com>
Signed-off-by: Flavia Rainone <frainone@redhat.com>
…in request. Fix NetworkUtils regex patterns to have proper range and include embedded adr Signed-off-by: Flavia Rainone <frainone@redhat.com>
…PROTOCOL_ERRORS in WebSocketChannel instead of WRONG_CODE Signed-off-by: Flavia Rainone <frainone@redhat.com>
fl4via
added
waiting CI check
This was referenced Feb 15, 2026
Merged
fl4via
changed the title
This was referenced Feb 15, 2026
fl4via
changed the title
Signed-off-by: Flavia Rainone <frainone@redhat.com>
This was referenced Feb 15, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Jiras:
Jiras:
https://issues.redhat.com/browse/UNDERTOW-2605 main PR: #1792
https://issues.redhat.com/browse/UNDERTOW-2582 main PR: #1850
https://issues.redhat.com/browse/UNDERTOW-2609 main PR: #1855
https://issues.redhat.com/browse/UNDERTOW-2377 main PR: #1856
https://issues.redhat.com/browse/UNDERTOW-2656 main PR: #1857
https://issues.redhat.com/browse/UNDERTOW-2674 main PR: #1859
2.2.x PR: #1882
2.3.x PR: #1860
Undertow EE:
main PR: undertow-io/undertow-ee#52
1.0.x PR: undertow-io/undertow-ee#53