From 6afba08b39a10c2a85bb1b38e14ada224cd40705 Mon Sep 17 00:00:00 2001
From: Aayush Atharva <aayush@shieldblaze.com>
Date: Mon, 16 Dec 2024 00:41:59 +0530
Subject: [PATCH] Release 2.12.4 with CVE Fix: 2024-53990

---
 bom/pom.xml                                   |  2 +-
 client/pom.xml                                |  2 +-
 .../DefaultAsyncHttpClient.java               |  2 +-
 .../asynchttpclient/RequestBuilderBase.java   | 27 +++++--
 .../intercept/Redirect30xInterceptor.java     |  5 +-
 example/pom.xml                               |  2 +-
 extras/guava/pom.xml                          |  2 +-
 extras/jdeferred/pom.xml                      |  2 +-
 extras/pom.xml                                |  2 +-
 extras/registry/pom.xml                       |  2 +-
 extras/retrofit2/pom.xml                      |  2 +-
 extras/rxjava/pom.xml                         |  2 +-
 extras/rxjava2/pom.xml                        |  2 +-
 extras/simple/pom.xml                         |  2 +-
 extras/typesafeconfig/pom.xml                 |  2 +-
 netty-utils/pom.xml                           |  2 +-
 pom.xml                                       | 77 +++++++++----------
 17 files changed, 77 insertions(+), 60 deletions(-)

diff --git a/bom/pom.xml b/bom/pom.xml
index 867f23157e..a7c98bc484 100644
--- a/bom/pom.xml
+++ b/bom/pom.xml
@@ -5,7 +5,7 @@
     <parent>
         <groupId>org.asynchttpclient</groupId>
         <artifactId>async-http-client-project</artifactId>
-        <version>2.12.3</version>
+        <version>2.12.4</version>
     </parent>
 
     <artifactId>async-http-client-bom</artifactId>
diff --git a/client/pom.xml b/client/pom.xml
index 59b67c17d1..cc856aaaf1 100644
--- a/client/pom.xml
+++ b/client/pom.xml
@@ -2,7 +2,7 @@
   <parent>
     <groupId>org.asynchttpclient</groupId>
     <artifactId>async-http-client-project</artifactId>
-    <version>2.12.3</version>
+    <version>2.12.4</version>
   </parent>
   <modelVersion>4.0.0</modelVersion>
   <artifactId>async-http-client</artifactId>
diff --git a/client/src/main/java/org/asynchttpclient/DefaultAsyncHttpClient.java b/client/src/main/java/org/asynchttpclient/DefaultAsyncHttpClient.java
index 7cc3e6e341..45094ed7e6 100644
--- a/client/src/main/java/org/asynchttpclient/DefaultAsyncHttpClient.java
+++ b/client/src/main/java/org/asynchttpclient/DefaultAsyncHttpClient.java
@@ -214,7 +214,7 @@ public <T> ListenableFuture<T> executeRequest(Request request, AsyncHandler<T> h
         if (!cookies.isEmpty()) {
           RequestBuilder requestBuilder = request.toBuilder();
           for (Cookie cookie : cookies) {
-            requestBuilder.addOrReplaceCookie(cookie);
+            requestBuilder.addCookieIfUnset(cookie);
           }
           request = requestBuilder.build();
         }
diff --git a/client/src/main/java/org/asynchttpclient/RequestBuilderBase.java b/client/src/main/java/org/asynchttpclient/RequestBuilderBase.java
index 35c8145776..a7fae7f430 100644
--- a/client/src/main/java/org/asynchttpclient/RequestBuilderBase.java
+++ b/client/src/main/java/org/asynchttpclient/RequestBuilderBase.java
@@ -308,15 +308,31 @@ public T addCookie(Cookie cookie) {
 
   /**
    * Add/replace a cookie based on its name
+   *
    * @param cookie the new cookie
    * @return this
    */
   public T addOrReplaceCookie(Cookie cookie) {
+    return maybeAddOrReplaceCookie(cookie, true);
+  }
+
+  /**
+   * Add a cookie based on its name, if it does not exist yet. Cookies that
+   * are already set will be ignored.
+   *
+   * @param cookie the new cookie
+   * @return this
+   */
+  public T addCookieIfUnset(Cookie cookie) {
+    return maybeAddOrReplaceCookie(cookie, false);
+  }
+
+  private T maybeAddOrReplaceCookie(Cookie cookie, boolean allowReplace) {
     String cookieKey = cookie.name();
     boolean replace = false;
     int index = 0;
     lazyInitCookies();
-    for (Cookie c : this.cookies) {
+    for (Cookie c : cookies) {
       if (c.name().equals(cookieKey)) {
         replace = true;
         break;
@@ -324,10 +340,11 @@ public T addOrReplaceCookie(Cookie cookie) {
 
       index++;
     }
-    if (replace)
-      this.cookies.set(index, cookie);
-    else
-      this.cookies.add(cookie);
+    if (!replace) {
+      cookies.add(cookie);
+    } else if (allowReplace) {
+      cookies.set(index, cookie);
+    }
     return asDerivedType();
   }
 
diff --git a/client/src/main/java/org/asynchttpclient/netty/handler/intercept/Redirect30xInterceptor.java b/client/src/main/java/org/asynchttpclient/netty/handler/intercept/Redirect30xInterceptor.java
index a2ddbd9467..e0d89bd7a1 100644
--- a/client/src/main/java/org/asynchttpclient/netty/handler/intercept/Redirect30xInterceptor.java
+++ b/client/src/main/java/org/asynchttpclient/netty/handler/intercept/Redirect30xInterceptor.java
@@ -135,8 +135,9 @@ else if (isNonEmpty(request.getBodyParts())) {
           // Update request's cookies assuming that cookie store is already updated by Interceptors
           List<Cookie> cookies = cookieStore.get(newUri);
           if (!cookies.isEmpty())
-            for (Cookie cookie : cookies)
-              requestBuilder.addOrReplaceCookie(cookie);
+            for (Cookie cookie : cookieStore.get(newUri)) {
+              requestBuilder.addCookieIfUnset(cookie);
+            }
         }
 
         boolean sameBase = request.getUri().isSameBase(newUri);
diff --git a/example/pom.xml b/example/pom.xml
index 5643feaab9..5157f050cd 100644
--- a/example/pom.xml
+++ b/example/pom.xml
@@ -2,7 +2,7 @@
   <parent>
     <groupId>org.asynchttpclient</groupId>
     <artifactId>async-http-client-project</artifactId>
-    <version>2.12.3</version>
+    <version>2.12.4</version>
   </parent>
   <modelVersion>4.0.0</modelVersion>
   <artifactId>async-http-client-example</artifactId>
diff --git a/extras/guava/pom.xml b/extras/guava/pom.xml
index 39fd913a5f..4b176b29a5 100644
--- a/extras/guava/pom.xml
+++ b/extras/guava/pom.xml
@@ -2,7 +2,7 @@
   <parent>
     <groupId>org.asynchttpclient</groupId>
     <artifactId>async-http-client-extras-parent</artifactId>
-    <version>2.12.3</version>
+    <version>2.12.4</version>
   </parent>
   <modelVersion>4.0.0</modelVersion>
   <artifactId>async-http-client-extras-guava</artifactId>
diff --git a/extras/jdeferred/pom.xml b/extras/jdeferred/pom.xml
index d3c7d6a9e4..c3fdf0e25b 100644
--- a/extras/jdeferred/pom.xml
+++ b/extras/jdeferred/pom.xml
@@ -18,7 +18,7 @@
   <parent>
     <artifactId>async-http-client-extras-parent</artifactId>
     <groupId>org.asynchttpclient</groupId>
-    <version>2.12.3</version>
+    <version>2.12.4</version>
   </parent>
   <artifactId>async-http-client-extras-jdeferred</artifactId>
   <name>Asynchronous Http Client JDeferred Extras</name>
diff --git a/extras/pom.xml b/extras/pom.xml
index 5fccc3bce6..94ce18c116 100644
--- a/extras/pom.xml
+++ b/extras/pom.xml
@@ -2,7 +2,7 @@
   <parent>
     <groupId>org.asynchttpclient</groupId>
     <artifactId>async-http-client-project</artifactId>
-    <version>2.12.3</version>
+    <version>2.12.4</version>
   </parent>
   <modelVersion>4.0.0</modelVersion>
   <artifactId>async-http-client-extras-parent</artifactId>
diff --git a/extras/registry/pom.xml b/extras/registry/pom.xml
index 492ef41f65..58f10157eb 100644
--- a/extras/registry/pom.xml
+++ b/extras/registry/pom.xml
@@ -2,7 +2,7 @@
   <parent>
     <groupId>org.asynchttpclient</groupId>
     <artifactId>async-http-client-extras-parent</artifactId>
-    <version>2.12.3</version>
+    <version>2.12.4</version>
   </parent>
   <modelVersion>4.0.0</modelVersion>
   <artifactId>async-http-client-extras-registry</artifactId>
diff --git a/extras/retrofit2/pom.xml b/extras/retrofit2/pom.xml
index f95bd3a092..66c1ba1433 100644
--- a/extras/retrofit2/pom.xml
+++ b/extras/retrofit2/pom.xml
@@ -4,7 +4,7 @@
   <parent>
     <artifactId>async-http-client-extras-parent</artifactId>
     <groupId>org.asynchttpclient</groupId>
-    <version>2.12.3</version>
+    <version>2.12.4</version>
   </parent>
 
   <artifactId>async-http-client-extras-retrofit2</artifactId>
diff --git a/extras/rxjava/pom.xml b/extras/rxjava/pom.xml
index 06680338a4..780e794132 100644
--- a/extras/rxjava/pom.xml
+++ b/extras/rxjava/pom.xml
@@ -3,7 +3,7 @@
   <parent>
     <artifactId>async-http-client-extras-parent</artifactId>
     <groupId>org.asynchttpclient</groupId>
-    <version>2.12.3</version>
+    <version>2.12.4</version>
   </parent>
   <artifactId>async-http-client-extras-rxjava</artifactId>
   <name>Asynchronous Http Client RxJava Extras</name>
diff --git a/extras/rxjava2/pom.xml b/extras/rxjava2/pom.xml
index e1c7af8f3d..ccbcfabd30 100644
--- a/extras/rxjava2/pom.xml
+++ b/extras/rxjava2/pom.xml
@@ -3,7 +3,7 @@
   <parent>
     <artifactId>async-http-client-extras-parent</artifactId>
     <groupId>org.asynchttpclient</groupId>
-    <version>2.12.3</version>
+    <version>2.12.4</version>
   </parent>
   <artifactId>async-http-client-extras-rxjava2</artifactId>
   <name>Asynchronous Http Client RxJava2 Extras</name>
diff --git a/extras/simple/pom.xml b/extras/simple/pom.xml
index 92ee8730e3..24c2df5dd4 100644
--- a/extras/simple/pom.xml
+++ b/extras/simple/pom.xml
@@ -3,7 +3,7 @@
   <parent>
     <artifactId>async-http-client-extras-parent</artifactId>
     <groupId>org.asynchttpclient</groupId>
-    <version>2.12.3</version>
+    <version>2.12.4</version>
   </parent>
   <artifactId>async-http-client-extras-simple</artifactId>
   <name>Asynchronous Http Simple Client</name>
diff --git a/extras/typesafeconfig/pom.xml b/extras/typesafeconfig/pom.xml
index 437b657438..0d4070b12c 100644
--- a/extras/typesafeconfig/pom.xml
+++ b/extras/typesafeconfig/pom.xml
@@ -4,7 +4,7 @@
   <parent>
     <artifactId>async-http-client-extras-parent</artifactId>
     <groupId>org.asynchttpclient</groupId>
-    <version>2.12.3</version>
+    <version>2.12.4</version>
   </parent>
 
   <artifactId>async-http-client-extras-typesafe-config</artifactId>
diff --git a/netty-utils/pom.xml b/netty-utils/pom.xml
index d2be381f14..87ac1ccd6a 100644
--- a/netty-utils/pom.xml
+++ b/netty-utils/pom.xml
@@ -2,7 +2,7 @@
   <parent>
     <groupId>org.asynchttpclient</groupId>
     <artifactId>async-http-client-project</artifactId>
-    <version>2.12.3</version>
+    <version>2.12.4</version>
   </parent>
   <modelVersion>4.0.0</modelVersion>
   <artifactId>async-http-client-netty-utils</artifactId>
diff --git a/pom.xml b/pom.xml
index 0ab1e952ec..be09cd5957 100644
--- a/pom.xml
+++ b/pom.xml
@@ -4,7 +4,7 @@
 
   <groupId>org.asynchttpclient</groupId>
   <artifactId>async-http-client-project</artifactId>
-  <version>2.12.3</version>
+  <version>2.12.4</version>
   <packaging>pom</packaging>
 
   <name>Asynchronous Http Client Project</name>
@@ -24,9 +24,9 @@
 
   <developers>
     <developer>
-      <id>slandelle</id>
-      <name>Stephane Landelle</name>
-      <email>slandelle@gatling.io</email>
+      <id>hyperxpro</id>
+      <name>Aayush Atharva</name>
+      <email>aayush@shieldblaze.com</email>
     </developer>
   </developers>
 
@@ -34,7 +34,7 @@
     <connection>scm:git:git@github.com:AsyncHttpClient/async-http-client.git</connection>
     <developerConnection>scm:git:git@github.com:AsyncHttpClient/async-http-client.git</developerConnection>
     <url>https://github.com/AsyncHttpClient/async-http-client/tree/master</url>
-    <tag>async-http-client-project-2.12.3</tag>
+    <tag>async-http-client-project-2.12.4</tag>
   </scm>
 
   <distributionManagement>
@@ -220,42 +220,41 @@
           </execution>
         </executions>
       </plugin>
+      <plugin>
+        <groupId>org.sonatype.plugins</groupId>
+        <artifactId>nexus-staging-maven-plugin</artifactId>
+        <version>1.7.0</version>
+        <extensions>true</extensions>
+        <configuration>
+          <serverId>ossrh</serverId>
+          <nexusUrl>https://oss.sonatype.org/</nexusUrl>
+          <autoReleaseAfterClose>false</autoReleaseAfterClose>
+          <skipRemoteStaging>false</skipRemoteStaging>
+        </configuration>
+      </plugin>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-gpg-plugin</artifactId>
+        <version>3.2.7</version>
+        <executions>
+          <execution>
+            <id>sign-artifacts</id>
+            <phase>verify</phase>
+            <goals>
+              <goal>sign</goal>
+            </goals>
+            <configuration>
+              <!-- Prevent gpg from using pinentry programs -->
+              <gpgArguments>
+                <arg>--pinentry-mode</arg>
+                <arg>loopback</arg>
+              </gpgArguments>
+            </configuration>
+          </execution>
+        </executions>
+      </plugin>
     </plugins>
   </build>
-  <profiles>
-    <profile>
-      <id>release-sign-artifacts</id>
-      <activation>
-        <property>
-          <name>performRelease</name>
-          <value>true</value>
-        </property>
-      </activation>
-      <build>
-        <plugins>
-          <plugin>
-            <artifactId>maven-gpg-plugin</artifactId>
-            <version>1.6</version>
-            <executions>
-              <execution>
-                <id>sign-artifacts</id>
-                <phase>verify</phase>
-                <goals>
-                  <goal>sign</goal>
-                </goals>
-              </execution>
-            </executions>
-          </plugin>
-        </plugins>
-      </build>
-    </profile>
-    <profile>
-      <id>test-output</id>
-      <properties>
-        <surefire.redirectTestOutputToFile>false</surefire.redirectTestOutputToFile>
-      </properties>
-    </profile>
-  </profiles>
 
   <modules>
     <module>bom</module>