Merge pull request #12643 from jetty/jetty-12.0.x-12609-setStatusCodes

Issue #12609 - better validation for response codes in setStatus

Author: lachlan-roberts

jetty-core/jetty-server/src/main/java/org/eclipse/jetty/server/internal/HttpChannelState.java

@@ -1190,6 +1190,8 @@ public int getStatus()
         @Override
         public void setStatus(int code)
         {
+            if (code < 100 || code > 999)
+                throw new IllegalArgumentException();
             if (!isCommitted())
                 _status = code;
         }

jetty-ee9/jetty-ee9-nested/src/main/java/org/eclipse/jetty/ee9/nested/Response.java

@@ -754,7 +754,7 @@ public void addIntHeader(String name, int value)
     @Override
     public void setStatus(int sc)
     {
-        if (sc <= 0)
+        if (sc < 100 || sc > 999)
             throw new IllegalArgumentException();
         if (isMutable())
         {
@@ -775,7 +775,7 @@ public void setStatus(int sc, String message)
 
     public void setStatusWithReason(int sc, String message)
     {
-        if (sc <= 0)
+        if (sc < 100 || sc > 999)
             throw new IllegalArgumentException();
         if (isMutable())
         {