Release 2.12.4 with CVE Fix: 2024-53990

Author: hyperxpro

bom/pom.xml

@@ -5,7 +5,7 @@
     <parent>
         <groupId>org.asynchttpclient</groupId>
         <artifactId>async-http-client-project</artifactId>
-        <version>2.12.3</version>
+        <version>2.12.4</version>
     </parent>
 
     <artifactId>async-http-client-bom</artifactId>

client/pom.xml

@@ -2,7 +2,7 @@
   <parent>
     <groupId>org.asynchttpclient</groupId>
     <artifactId>async-http-client-project</artifactId>
-    <version>2.12.3</version>
+    <version>2.12.4</version>
   </parent>
   <modelVersion>4.0.0</modelVersion>
   <artifactId>async-http-client</artifactId>

client/src/main/java/org/asynchttpclient/DefaultAsyncHttpClient.java

@@ -214,7 +214,7 @@ public <T> ListenableFuture<T> executeRequest(Request request, AsyncHandler<T> h
         if (!cookies.isEmpty()) {
           RequestBuilder requestBuilder = request.toBuilder();
           for (Cookie cookie : cookies) {
-            requestBuilder.addOrReplaceCookie(cookie);
+            requestBuilder.addCookieIfUnset(cookie);
           }
           request = requestBuilder.build();
         }

client/src/main/java/org/asynchttpclient/RequestBuilderBase.java

@@ -308,26 +308,43 @@ public T addCookie(Cookie cookie) {
 
   /**
    * Add/replace a cookie based on its name
+   *
    * @param cookie the new cookie
    * @return this
    */
   public T addOrReplaceCookie(Cookie cookie) {
+    return maybeAddOrReplaceCookie(cookie, true);
+  }
+
+  /**
+   * Add a cookie based on its name, if it does not exist yet. Cookies that
+   * are already set will be ignored.
+   *
+   * @param cookie the new cookie
+   * @return this
+   */
+  public T addCookieIfUnset(Cookie cookie) {
+    return maybeAddOrReplaceCookie(cookie, false);
+  }
+
+  private T maybeAddOrReplaceCookie(Cookie cookie, boolean allowReplace) {
     String cookieKey = cookie.name();
     boolean replace = false;
     int index = 0;
     lazyInitCookies();
-    for (Cookie c : this.cookies) {
+    for (Cookie c : cookies) {
       if (c.name().equals(cookieKey)) {
         replace = true;
         break;
       }
 
       index++;
     }
-    if (replace)
-      this.cookies.set(index, cookie);
-    else
-      this.cookies.add(cookie);
+    if (!replace) {
+      cookies.add(cookie);
+    } else if (allowReplace) {
+      cookies.set(index, cookie);
+    }
     return asDerivedType();
   }
 

client/src/main/java/org/asynchttpclient/netty/handler/intercept/Redirect30xInterceptor.java

@@ -135,8 +135,9 @@ else if (isNonEmpty(request.getBodyParts())) {
           // Update request's cookies assuming that cookie store is already updated by Interceptors
           List<Cookie> cookies = cookieStore.get(newUri);
           if (!cookies.isEmpty())
-            for (Cookie cookie : cookies)
-              requestBuilder.addOrReplaceCookie(cookie);
+            for (Cookie cookie : cookieStore.get(newUri)) {
+              requestBuilder.addCookieIfUnset(cookie);
+            }
         }
 
         boolean sameBase = request.getUri().isSameBase(newUri);

example/pom.xml

@@ -2,7 +2,7 @@
   <parent>
     <groupId>org.asynchttpclient</groupId>
     <artifactId>async-http-client-project</artifactId>
-    <version>2.12.3</version>
+    <version>2.12.4</version>
   </parent>
   <modelVersion>4.0.0</modelVersion>
   <artifactId>async-http-client-example</artifactId>

extras/guava/pom.xml

@@ -2,7 +2,7 @@
   <parent>
     <groupId>org.asynchttpclient</groupId>
     <artifactId>async-http-client-extras-parent</artifactId>
-    <version>2.12.3</version>
+    <version>2.12.4</version>
   </parent>
   <modelVersion>4.0.0</modelVersion>
   <artifactId>async-http-client-extras-guava</artifactId>

extras/jdeferred/pom.xml

@@ -18,7 +18,7 @@
   <parent>
     <artifactId>async-http-client-extras-parent</artifactId>
     <groupId>org.asynchttpclient</groupId>
-    <version>2.12.3</version>
+    <version>2.12.4</version>
   </parent>
   <artifactId>async-http-client-extras-jdeferred</artifactId>
   <name>Asynchronous Http Client JDeferred Extras</name>

extras/pom.xml

@@ -2,7 +2,7 @@
   <parent>
     <groupId>org.asynchttpclient</groupId>
     <artifactId>async-http-client-project</artifactId>
-    <version>2.12.3</version>
+    <version>2.12.4</version>
   </parent>
   <modelVersion>4.0.0</modelVersion>
   <artifactId>async-http-client-extras-parent</artifactId>

extras/registry/pom.xml

@@ -2,7 +2,7 @@
   <parent>
     <groupId>org.asynchttpclient</groupId>
     <artifactId>async-http-client-extras-parent</artifactId>
-    <version>2.12.3</version>
+    <version>2.12.4</version>
   </parent>
   <modelVersion>4.0.0</modelVersion>
   <artifactId>async-http-client-extras-registry</artifactId>