Artem Smotrakov 26976310d2
Enable header validation in HttpServerUpgradeHandler (#10643)
Motivation:

HttpServerUpgradeHandler takes a list of protocols from an incoming
request and uses them for building a response.
Although the class does some validation while parsing the list,
it then disables HTTP header validation when it builds a response.
The disabled validation may potentially allow
HTTP response splitting attacks.

Modifications:

- Enabled HTTP header validation in HttpServerUpgradeHandler
  as a defense-in-depth measure to prevent possible
  HTTP response splitting attacks.
- Added a new constructor that allows disabling the validation.

Result:

HttpServerUpgradeHandler validates incoming protocols
before including them into a response.
That should prevent possible HTTP response splitting attacks.
2020-10-30 11:23:42 +01:00
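
The effect of the header-validation flag described in the commit message above, as an added example that is not code from the Netty repository. It assumes Netty 4.1 on the classpath; the class name, helper methods and sample values are hypothetical. With validation enabled, a header value carrying a bare line break is rejected with IllegalArgumentException instead of being written into the response.

```java
import io.netty.buffer.Unpooled;
import io.netty.handler.codec.http.DefaultFullHttpResponse;
import io.netty.handler.codec.http.FullHttpResponse;
import io.netty.handler.codec.http.HttpHeaderNames;
import io.netty.handler.codec.http.HttpHeaderValues;
import io.netty.handler.codec.http.HttpResponseStatus;
import io.netty.handler.codec.http.HttpVersion;

public class UpgradeHeaderValidationDemo {

    // Hypothetical helper: builds a 101 response that echoes a protocol name
    // taken from the client's Upgrade header, as an upgrade handler would.
    static FullHttpResponse upgradeResponse(String protocol, boolean validateHeaders) {
        // EMPTY_BUFFER holds no pooled memory, so nothing needs releasing here.
        FullHttpResponse res = new DefaultFullHttpResponse(
                HttpVersion.HTTP_1_1, HttpResponseStatus.SWITCHING_PROTOCOLS,
                Unpooled.EMPTY_BUFFER, validateHeaders);
        res.headers().set(HttpHeaderNames.CONNECTION, HttpHeaderValues.UPGRADE);
        // When validateHeaders is true, set() checks the value and throws
        // IllegalArgumentException on a CR/LF that is not a header continuation.
        res.headers().set(HttpHeaderNames.UPGRADE, protocol);
        return res;
    }

    // True if the response was built, false if header validation rejected the value.
    static boolean accepted(String protocol, boolean validateHeaders) {
        try {
            upgradeResponse(protocol, validateHeaders);
            return true;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        String benign = "h2c";
        String withLineBreak = "h2c\r\nX-Constructed: 1"; // constructed test value

        for (boolean validate : new boolean[] {false, true}) {
            System.out.println("validateHeaders=" + validate
                    + " benign accepted=" + accepted(benign, validate)
                    + " line-break value accepted=" + accepted(withLineBreak, validate));
        }
    }
}
```
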
.github Create codeql-analysis.yml (#10696) 2020-10-18 14:25:48 +02:00
.mvn Use latest maven release (#9820) 2019-11-27 14:45:28 +01:00
all Enable nohttp check during the build (#10708) 2020-10-23 14:44:18 +02:00
bom Enable nohttp check during the build (#10708) 2020-10-23 14:44:18 +02:00
buffer Fix explicitly little-endian accessors in SwappedByteBuf (#10747) 2020-10-29 10:35:47 +01:00
codec Enable nohttp check during the build (#10708) 2020-10-23 14:44:18 +02:00
codec-dns Enable nohttp check during the build (#10708) 2020-10-23 14:44:18 +02:00
codec-haproxy Enable nohttp check during the build (#10708) 2020-10-23 14:44:18 +02:00
codec-http Enable header validation in HttpServerUpgradeHandler (#10643) 2020-10-30 11:23:42 +01:00
codec-http2 Change variable name of Http2Headers (#10743) 2020-10-29 10:40:49 +01:00
codec-memcache Enable nohttp check during the build (#10708) 2020-10-23 14:44:18 +02:00
codec-mqtt MQTT5: support multiple Subscription ID properties (#10734) 2020-10-30 11:17:46 +01:00
codec-redis Enable nohttp check during the build (#10708) 2020-10-23 14:44:18 +02:00
codec-smtp Enable nohttp check during the build (#10708) 2020-10-23 14:44:18 +02:00
codec-socks Enable nohttp check during the build (#10708) 2020-10-23 14:44:18 +02:00
codec-stomp Enable nohttp check during the build (#10708) 2020-10-23 14:44:18 +02:00
codec-xml Enable nohttp check during the build (#10708) 2020-10-23 14:44:18 +02:00
common Rethrow NoSuchMethodError with more hints about incompatible native library versions (#10740) 2020-10-28 19:22:08 +01:00
dev-tools Enable nohttp check during the build (#10708) 2020-10-23 14:44:18 +02:00
docker Update java patch versions (#10703) 2020-10-17 20:24:18 +02:00
example Enable nohttp check during the build (#10708) 2020-10-23 14:44:18 +02:00
handler Better hash algorithm in FingerprintTrustManagerFactory (#10683) 2020-10-26 14:29:26 +01:00
handler-proxy Enable nohttp check during the build (#10708) 2020-10-23 14:44:18 +02:00
license Enable nohttp check during the build (#10708) 2020-10-23 14:44:18 +02:00
microbench Enable nohttp check during the build (#10708) 2020-10-23 14:44:18 +02:00
resolver Enable nohttp check during the build (#10708) 2020-10-23 14:44:18 +02:00
resolver-dns Fix native image build on modern GraalVM versions for the cases when the program uses netty-dns (#10630) 2020-10-26 08:34:31 +01:00
resolver-dns-native-macos Fix compile error introduced by a63faa4fa1 (#10750) 2020-10-30 11:07:38 +01:00
tarball Enable nohttp check during the build (#10708) 2020-10-23 14:44:18 +02:00
testsuite Enable nohttp check during the build (#10708) 2020-10-23 14:44:18 +02:00
testsuite-autobahn Enable nohttp check during the build (#10708) 2020-10-23 14:44:18 +02:00
testsuite-http2 Enable nohttp check during the build (#10708) 2020-10-23 14:44:18 +02:00
testsuite-native-image Enable nohttp check during the build (#10708) 2020-10-23 14:44:18 +02:00
testsuite-native-image-client Fix native image build on modern GraalVM versions for the cases when the program uses netty-dns (#10630) 2020-10-26 08:34:31 +01:00
testsuite-osgi Enable nohttp check during the build (#10708) 2020-10-23 14:44:18 +02:00
testsuite-shading Enable nohttp check during the build (#10708) 2020-10-23 14:44:18 +02:00
transport Make changes to prepare for io_uring incubator repository (#10741) 2020-10-28 15:31:02 +01:00
transport-blockhound-tests Enable nohttp check during the build (#10708) 2020-10-23 14:44:18 +02:00
transport-native-epoll Use netty-jni-util and so remove a lot of duplication (#10735) 2020-10-29 16:36:07 +01:00
transport-native-kqueue Use netty-jni-util and so remove a lot of duplication (#10735) 2020-10-29 16:36:07 +01:00
transport-native-unix-common Use netty-jni-util and so remove a lot of duplication (#10735) 2020-10-29 16:36:07 +01:00
transport-native-unix-common-tests Enable nohttp check during the build (#10708) 2020-10-23 14:44:18 +02:00
transport-rxtx Enable nohttp check during the build (#10708) 2020-10-23 14:44:18 +02:00
transport-sctp Enable nohttp check during the build (#10708) 2020-10-23 14:44:18 +02:00
transport-udt Enable nohttp check during the build (#10708) 2020-10-23 14:44:18 +02:00
.fbprefs Updated Find Bugs configuration 2009-03-04 10:33:09 +00:00
.gitattributes Include mvn wrapper to make setup of development env easier 2018-01-26 08:13:17 +01:00
.gitignore Ignore .shelf/ folder generated by IntelliJ IDEA (#10445) 2020-08-03 07:51:53 +02:00
.lgtm.yml Enables lgtm.com to process this project and create a CodeQL database 2020-01-17 11:05:53 +01:00
CONTRIBUTING.md Change the netty.io homepage scheme(http -> https) (#9344) 2019-07-09 21:09:42 +02:00
LICENSE.txt Enable nohttp check during the build (#10708) 2020-10-23 14:44:18 +02:00
mvnw Enable nohttp check during the build (#10708) 2020-10-23 14:44:18 +02:00
mvnw.cmd Enable nohttp check during the build (#10708) 2020-10-23 14:44:18 +02:00
nohttp-checkstyle-suppressions.xml Enable nohttp check during the build (#10708) 2020-10-23 14:44:18 +02:00
nohttp-checkstyle.xml Enable nohttp check during the build (#10708) 2020-10-23 14:44:18 +02:00
NOTICE.txt Enable nohttp check during the build (#10708) 2020-10-23 14:44:18 +02:00
pom.xml Upgrade Conscrypt to 2.5.1 (#10732) 2020-10-26 19:40:39 +01:00
README.md Enable nohttp check during the build (#10708) 2020-10-23 14:44:18 +02:00
run-example.sh Add DNS client examples for run-example.sh (#10283) 2020-05-14 12:10:32 +02:00
SECURITY.md Added a security policy (#10692) 2020-10-15 20:39:37 +02:00

Netty Project

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients.

How to build

For detailed information about building and developing Netty, please visit the developer guide. This page only gives very basic information.

You require the following to build Netty:

Note that this is a build-time requirement. JDK 5 (for 3.x) or 6 (for 4.0+) is enough to run your Netty-based application.

Branches to look at

Development of all versions takes place in each branch whose name is identical to <majorVersion>.<minorVersion>. For example, the development of 3.9 and 4.0 resides in the branch '3.9' and the branch '4.0' respectively.

Usage with JDK 9

Netty can be used in modular JDK9 applications as a collection of automatic modules. The module names follow the reverse-DNS style, and are derived from subproject names rather than root packages due to historical reasons. They are listed below:

  • io.netty.all
  • io.netty.buffer
  • io.netty.codec
  • io.netty.codec.dns
  • io.netty.codec.haproxy
  • io.netty.codec.http
  • io.netty.codec.http2
  • io.netty.codec.memcache
  • io.netty.codec.mqtt
  • io.netty.codec.redis
  • io.netty.codec.smtp
  • io.netty.codec.socks
  • io.netty.codec.stomp
  • io.netty.codec.xml
  • io.netty.common
  • io.netty.handler
  • io.netty.handler.proxy
  • io.netty.resolver
  • io.netty.resolver.dns
  • io.netty.transport
  • io.netty.transport.epoll (native omitted - reserved keyword in Java)
  • io.netty.transport.kqueue (native omitted - reserved keyword in Java)
  • io.netty.transport.unix.common (native omitted - reserved keyword in Java)
  • io.netty.transport.rxtx
  • io.netty.transport.sctp
  • io.netty.transport.udt

Automatic modules do not provide any means to declare dependencies, so you need to list each used module separately in your module-info file.