
[CookieStore] Only set Cookies if they are not already set #2033

Merged

Conversation

pickypg (Contributor) commented Nov 14, 2024

This changes the behavior of the automatic usage of the CookieStore to avoid overwriting already-set Cookies and instead only sets them if they do not exist yet.

Closes #1964

This changes the behavior of the automatic usage of the
`CookieStore` to avoid overwriting already-set `Cookie`s and
instead only sets them if they do not exist yet.
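The before/after behaviour described in the PR description, as an added, stand-alone example that is not AsyncHttpClient's own code. The `Cookie`, `CookieJar` and map-based request cookie types below are simplified stand-ins for the library's real classes and are assumptions of this example, as is the sample cookie data, which is constructed for the demonstration:

```java
import java.net.URI;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/**
 * Illustration of the CookieStore vs. explicit-Cookie precedence problem
 * that this pull request fixes. Added example code, not AsyncHttpClient's
 * implementation: Cookie, CookieJar and the request's cookie map are
 * simplified stand-ins (assumptions of this example).
 */
public class CookiePrecedenceExample {

    /** Minimal cookie: name/value only (real cookies also carry domain, path, flags). */
    static final class Cookie {
        final String name;
        final String value;
        Cookie(String name, String value) { this.name = name; this.value = value; }
        @Override public String toString() { return name + "=" + value; }
    }

    /** Stand-in for a cookie store that returns the cookies applicable to a request URI. */
    interface CookieJar {
        List<Cookie> get(URI uri);
    }

    /**
     * Old behaviour: every cookie from the jar is (re)set on the request, so a
     * cookie the caller set explicitly under the same name is silently replaced.
     */
    static Map<String, String> applyJarOverwriting(Map<String, String> explicit, CookieJar jar, URI uri) {
        Map<String, String> result = new LinkedHashMap<>(explicit);
        for (Cookie c : jar.get(uri)) {
            result.put(c.name, c.value);   // clobbers the explicitly set value
        }
        return result;
    }

    /**
     * Fixed behaviour: a jar cookie is added only when no cookie of that name
     * is already set on the request, so the caller's explicit cookie wins.
     */
    static Map<String, String> applyJarOnlyIfUnset(Map<String, String> explicit, CookieJar jar, URI uri) {
        Map<String, String> result = new LinkedHashMap<>(explicit);
        for (Cookie c : jar.get(uri)) {
            result.putIfAbsent(c.name, c.value);
        }
        return result;
    }

    /** Renders the merged cookies as a Cookie request-header value. */
    static String toCookieHeader(Map<String, String> cookies) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : cookies.entrySet()) {
            if (sb.length() > 0) sb.append("; ");
            sb.append(e.getKey()).append('=').append(e.getValue());
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        URI uri = URI.create("https://example.test/admin");

        // Constructed sample data: the jar still holds a session cookie captured from
        // an earlier response, while the caller explicitly sets a fresh one for this request.
        CookieJar jar = u -> {
            List<Cookie> stored = new ArrayList<>();
            stored.add(new Cookie("session", "stale-from-jar"));
            stored.add(new Cookie("theme", "dark"));
            return stored;
        };
        Map<String, String> explicit = new LinkedHashMap<>();
        explicit.put("session", "fresh-explicit");

        System.out.println("before fix: " + toCookieHeader(applyJarOverwriting(explicit, jar, uri)));
        System.out.println("after fix:  " + toCookieHeader(applyJarOnlyIfUnset(explicit, jar, uri)));
    }
}
```

Run it with `javac CookiePrecedenceExample.java && java CookiePrecedenceExample`. The first line shows the explicit `session` cookie replaced by the jar's copy; the second shows the explicit value preserved and only the `theme` cookie filled in from the jar. The security-relevant point is the first case: a stale or previously captured cookie in the jar silently overrides a credential the caller deliberately set on the request, which is the behaviour the thread below ties to CVE-2024-53990.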
@hyperxpro (Member)

I'll take a look this weekend.

@hyperxpro (Member)

Sadly this is a breaking change. RequestBuilderBase is an abstract class and adding anything will break compatibility. Perhaps, you might want to take a different approach.

pickypg (Contributor, Author) commented Nov 16, 2024

I'm happy to, if you have a suggestion. The current functionality is buggy given that it overrides explicitly provided cookies.

@hyperxpro (Member)

Let me try something

@hyperxpro hyperxpro requested a review from Copilot November 23, 2024 16:51
@hyperxpro (Member)

I'd say change this directly in RequestBuilder. People extending RequestBuilderBase will be safe from this breaking change.


Copilot reviewed 4 out of 4 changed files in this pull request and generated no suggestions.

pickypg (Contributor, Author) commented Nov 23, 2024

That's doable, but this breaking change is clearly necessary.

@hyperxpro (Member)

Yup, I do feel this, but as a library maintainer, I cannot. I am at fault; I should have made that an interface. But doing it by changing RequestBuilder directly should be best, because people extending RequestBuilderBase should always take extra care with their custom implementations.

@hyperxpro (Member)

Fire this up so I can merge and cut a release.

@hyperxpro hyperxpro merged commit d5a8336 into AsyncHttpClient:main Dec 1, 2024
3 checks passed
@pickypg pickypg deleted the cookie-store-only-add-unset-cookies branch December 2, 2024 15:08
lhotari commented Dec 13, 2024

Is there any way to backport this to 2.12.x to maintain Java 8 support?

We use AsyncHttpClient 2.12.x in the Apache Pulsar Admin client. Our challenge in Apache Pulsar is that the minimum Java requirement for clients is Java 8. Since AsyncHttpClient 3.0.x requires Java 11, we don't have a way to eliminate CVE-2024-53990 from our dependencies. While it's possible to set the CookieStore to null in AHC 2.12.x (as we're doing in apache/pulsar#23725), the main issue for Apache Pulsar is that many users have security policies requiring the elimination of dependencies with high or critical vulnerabilities. Therefore, configuring the CookieStore isn't a sufficient mitigation for many of our users.

Any suggestions and recommendations for solving our use case in Apache Pulsar would be much appreciated.

@hyperxpro (Member)

@lhotari Sure, yes. I will push the emergency release for 2.12.x.

lhotari commented Dec 15, 2024

> @lhotari Sure, yes. I will push the emergency release for 2.12.x.

Thank you, @hyperxpro. After the release, it would be great to have CVE-2024-53990 updated so that it lists the new release as clear of the vulnerability, so that vulnerability scanners would have the information too.

@hyperxpro (Member)

Released 2.12.4; it will sync to Maven Central in some time :)

@pickypg Can you do PR in the advisory database to exclude 2.12.4?

pickypg (Contributor, Author) commented Dec 15, 2024

Can do!

xuwei-k commented Dec 16, 2024

missing 2.12.4 tag on GitHub? 👀

@aidandempsey
@hyperxpro Thanks for the fix, is there any chance this will be back ported to 2.12.3? Thanks!

@hyperxpro (Member)

> @hyperxpro Thanks for the fix, is there any chance this will be back ported to 2.12.3? Thanks!

2.12.4 is out

@hyperxpro (Member)

> missing 2.12.4 tag on GitHub? 👀

Added async-http-client-project-2.12.4

xuwei-k commented Dec 16, 2024

thanks!

pickypg (Contributor, Author) commented Dec 16, 2024

Updated the GitHub Advisory: GHSA-mfj5-cf8g-g2fv

Linked issue closed by this pull request (#1964): Cookie explicitly set on the request is getting discarded in favor of the one from the cookie jar
5 participants