DO NOT REPLY [Bug 43622] New: - compression / minCompressionSize attribute not properly implemented

2007-10-15 Thread bugzilla
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=43622

   Summary: compression / minCompressionSize attribute not properly implemented
   Product: Tomcat 5
   Version: 5.5.12
  Platform: All
OS/Version: All
Status: NEW
  Severity: minor
  Priority: P3
 Component: Connector:HTTP
AssignedTo: [EMAIL PROTECTED]
ReportedBy: [EMAIL PROTECTED]


Two of the compression-related attributes for the HTTP connector are:

compression = on | off | force | 
The documentation states that an integer value will be implemented as:
compression="on" and minCompressionSize = 

minCompressionSize = 
(The documentation for 5.5.12 doesn't mention this at all, but I read this in the
server.xml.)

The problem is that the documentation gives the impression that setting only
compression="some integer val" is sufficient; however, the way the code is
written, the value of "minCompressionSize" always overrides the value specified
in the "compression" field. Even if minCompressionSize isn't set, it will still
get the default value of 2048 and override whatever value was there in the
"compression" field.

I looked at the implementation of the http11 connector and found the following
code that might be the culprit:

In org.apache.coyote.http11.Http11BaseProtocol.Http11ConnectionHandler.init
processor.setCompression( proto.compression );
processor.setCompressionMinSize( proto.compressionMinSize);

Since "setCompressionMinSize" is called after compressionMinSize, its value
will override the value read from the compression attribute.


I have looked at the code for Tomcat 6.0 also, and the problem appears to still
be present.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are the assignee for the bug, or are watching the assignee.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
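The ordering described in this report, as an added illustration that is not Tomcat's own code: a hypothetical CompressionSettings class stands in for the processor's two setters, reportedOrder applies them in the order the report quotes from Http11ConnectionHandler.init, and guardedOrder shows one possible fix, applying minCompressionSize only when it was configured explicitly. Names and the 2048 default are taken from the report; everything else is assumed.

```java
// Added example, not Tomcat code: models the setter ordering described in
// bug 43622 so the override can be observed, and shows one possible guard.
public class CompressionOrderDemo {

    /** Hypothetical stand-in for the per-connection processor's compression state. */
    static class CompressionSettings {
        int compressionLevel = 0;       // 0 = off, 1 = on, 2 = force
        int compressionMinSize = 2048;  // default value quoted in the report

        /** Mirrors the documented "on | off | force | <integer>" grammar. */
        void setCompression(String value) {
            if (value.equalsIgnoreCase("on")) {
                compressionLevel = 1;
            } else if (value.equalsIgnoreCase("force")) {
                compressionLevel = 2;
            } else if (value.equalsIgnoreCase("off")) {
                compressionLevel = 0;
            } else {
                // Integer form: documented as compression="on" plus a minimum size.
                compressionLevel = 1;
                compressionMinSize = Integer.parseInt(value.trim());
            }
        }

        void setCompressionMinSize(int size) {
            compressionMinSize = size;
        }
    }

    /** Order quoted in the report: setCompression first, then setCompressionMinSize. */
    static int reportedOrder(String compression, int minSizeFromProtocol) {
        CompressionSettings s = new CompressionSettings();
        s.setCompression(compression);
        // The protocol object always carries a minCompressionSize (default 2048),
        // so this call clobbers whatever integer setCompression just parsed.
        s.setCompressionMinSize(minSizeFromProtocol);
        return s.compressionMinSize;
    }

    /**
     * One possible guard (assumption, not the project's fix): pass null when
     * minCompressionSize was not set in server.xml, and only then keep the
     * integer taken from the compression attribute.
     */
    static int guardedOrder(String compression, Integer explicitMinSize) {
        CompressionSettings s = new CompressionSettings();
        s.setCompression(compression);
        if (explicitMinSize != null) {
            s.setCompressionMinSize(explicitMinSize);
        }
        return s.compressionMinSize;
    }

    public static void main(String[] args) {
        // compression="512" with minCompressionSize left at its default:
        // the reported order discards the 512, the guarded order keeps it.
        System.out.println("reported order, compression=\"512\": "
                + reportedOrder("512", 2048));
        System.out.println("guarded order, compression=\"512\":  "
                + guardedOrder("512", null));
        // Explicit minCompressionSize still wins when it is actually configured.
        System.out.println("guarded order, compression=\"on\", minCompressionSize=4096: "
                + guardedOrder("on", 4096));
    }
}
```

Run it with `javac CompressionOrderDemo.java && java CompressionOrderDemo`; the first line shows the integer form of compression being lost, which is the behaviour the report's attached test cases exercise.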



DO NOT REPLY [Bug 43622] - compression / minCompressionSize attribute not properly implemented

2007-10-15 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=43622





--- Additional Comments From [EMAIL PROTECTED]  2007-10-15 03:55 ---
Created an attachment (id=20977)
 --> (http://issues.apache.org/bugzilla/attachment.cgi?id=20977&action=view)
Test cases with different connector settings

These test cases can prove that either the documentation or the code needs to
be changed regarding the compression size settings.




Denis LULLIER/Paris is out of the office.

2007-10-15 Thread dlullier


I will be out of the office from 15/10/2007 to 18/10/2007.

I will reply to your message on my return. In case of emergency, you can
contact Marc-Olivier JOUAN

[Security] - Important vulnerability disclosed in Apache Tomcat webdav servlet

2007-10-15 Thread Mark Thomas
A vulnerability in the Apache Tomcat webdav servlet was publicly
disclosed on full-disclosure yesterday, 14-Oct-2007.[1]

The Tomcat security team has evaluated this vulnerability and
determined that default installations of Tomcat 6.0.x, 5.5.x and 4.1.x
are not affected.

In order to be affected, systems must have:
- one or more contexts configured for webdav using Tomcat's built-in
webdav implementation
- enabled write capability via webdav

Note:
- Tomcat 6.0.x has no webdav enabled contexts by default
- Tomcat 5.5.x and 4.1.x have a read-only webdav enabled context
(/webdav) by default

Systems with write-enabled webdav contexts that use Tomcat's built-in
webdav servlet are exposed to this vulnerability which, for such
systems, is important.

The mitigations available are:
- Disable write access until a fixed version is released
- Limit write access to trusted users
- Apply the following patch which will be included in the next
releases of 6.0.x, 5.5.x and 4.1.x

Index: src/share/org/apache/catalina/servlets/WebdavServlet.java
===
--- src/share/org/apache/catalina/servlets/WebdavServlet.java
(revision 584648)
+++ src/share/org/apache/catalina/servlets/WebdavServlet.java   (working
copy)
@@ -252,6 +252,7 @@
 try {
 documentBuilderFactory =
DocumentBuilderFactory.newInstance();
 documentBuilderFactory.setNamespaceAware(true);
+documentBuilderFactory.setExpandEntityReferences(false);
 documentBuilder =
documentBuilderFactory.newDocumentBuilder();
 } catch(ParserConfigurationException e) {
 throw new ServletException
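Review bot: the single added line `documentBuilderFactory.setExpandEntityReferences(false);` is not a reliable defence on its own: that setting governs whether entity references are expanded into the resulting DOM, not whether the parser reads the DTD and resolves the entity declarations it contains, so a request body carrying a DOCTYPE is still processed. Since a WebDAV method body has no legitimate need for a DTD, suggest also refusing the DOCTYPE outright at the same place, e.g. `documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);`, and disabling external general and parameter entities. The hunk is also cut off mid-statement at `throw new ServletException`, so the catch block cannot be reviewed from what is quoted.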

[1]
http://archives.neohapsis.com/archives/fulldisclosure/2007-10/0371.html

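As an added example that is neither the patch above nor Tomcat's own code, the following compares a default DocumentBuilderFactory with one hardened beyond the patch: it keeps the patch's setExpandEntityReferences(false) and adds the Xerces feature flags that refuse a DOCTYPE and external entities altogether. The feature URIs are the standard Xerces/JAXP names supported by the JDK's built-in parser; the PROPFIND-style body with an internal entity is constructed for the demonstration and the class and method names are assumptions.

```java
// Added example, not the Tomcat patch: a DocumentBuilderFactory hardened so
// that a DOCTYPE-bearing WebDAV body is rejected before any entity is looked at.
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class HardenedDomParser {

    // Constructed sample: a PROPFIND-style body that declares an internal entity.
    static final String BODY_WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE propfind [ <!ENTITY greeting \"hello\"> ]>\n"
      + "<D:propfind xmlns:D=\"DAV:\"><D:prop>&greeting;</D:prop></D:propfind>";

    /** The patch's setting plus the features it does not set. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setExpandEntityReferences(false);
        // Reject any DOCTYPE: no inline or external entity declarations at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces for parsers that still honour declarations.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        return f;
    }

    /** Parses the body; returns the D:prop text, or null if the parser refused the document. */
    static String parseProp(DocumentBuilderFactory f, String body) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        try {
            Document d = b.parse(new ByteArrayInputStream(body.getBytes(StandardCharsets.UTF_8)));
            return d.getDocumentElement()
                    .getElementsByTagNameNS("DAV:", "prop").item(0).getTextContent();
        } catch (SAXParseException e) {
            // disallow-doctype-decl raises a fatal error as soon as the DOCTYPE is seen
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory plain = DocumentBuilderFactory.newInstance();
        plain.setNamespaceAware(true);
        // The default factory happily expands the declared entity into the prop text.
        System.out.println("default factory:  " + parseProp(plain, BODY_WITH_DOCTYPE));
        // The hardened factory never gets as far as the entity: the DOCTYPE itself is refused.
        System.out.println("hardened factory: " + parseProp(hardenedFactory(), BODY_WITH_DOCTYPE));
    }
}
```

The design point is to fail closed on the DOCTYPE rather than to reason about which entities are safe to resolve: a servlet that only ever expects DAV: property elements loses nothing by refusing every DTD, and the refusal happens before any external resource could be fetched. The JDK parser also logs the fatal error to stderr before the exception is thrown, which is a useful signal to forward to request logging.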



svn commit: r584771 - /tomcat/tc6.0.x/trunk/STATUS

2007-10-15 Thread markt
Author: markt
Date: Mon Oct 15 05:32:41 2007
New Revision: 584771

URL: http://svn.apache.org/viewvc?rev=584771&view=rev
Log:
Propose fix for webdav vulnerability
Vote on the patches I could review quickly

Modified:
tomcat/tc6.0.x/trunk/STATUS

Modified: tomcat/tc6.0.x/trunk/STATUS
URL: 
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS?rev=584771&r1=584770&r2=584771&view=diff
==
--- tomcat/tc6.0.x/trunk/STATUS (original)
+++ tomcat/tc6.0.x/trunk/STATUS Mon Oct 15 05:32:41 2007
@@ -66,7 +66,7 @@
   
 * Arrange doc of connectors.
   http://people.apache.org/~jfclere/patches/tc.docs.patch
-  +1: jfclere, remm
+  +1: jfclere, remm, markt
   -1:
 
 * Make server.xml parsing warnings more generic, add support for the NIO 
connector
@@ -86,4 +86,7 @@
   +1: 
   -1: 
   
-  
\ No newline at end of file
+* Fix important vulnerability when webdav is enabled for write
+  Patch: http://marc.info/?l=tomcat-dev&m=119245116910632&w=2
+  +1: markt
+  -1:






svn commit: r584774 - /tomcat/tc6.0.x/trunk/STATUS

2007-10-15 Thread funkman
Author: funkman
Date: Mon Oct 15 05:41:09 2007
New Revision: 584774

URL: http://svn.apache.org/viewvc?rev=584774&view=rev
Log:
webdav vote

Modified:
tomcat/tc6.0.x/trunk/STATUS

Modified: tomcat/tc6.0.x/trunk/STATUS
URL: 
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS?rev=584774&r1=584773&r2=584774&view=diff
==
--- tomcat/tc6.0.x/trunk/STATUS (original)
+++ tomcat/tc6.0.x/trunk/STATUS Mon Oct 15 05:41:09 2007
@@ -88,5 +88,5 @@
   
 * Fix important vulnerability when webdav is enabled for write
   Patch: http://marc.info/?l=tomcat-dev&m=119245116910632&w=2
-  +1: markt
+  +1: markt,funkman
   -1:






DO NOT REPLY [Bug 43627] New: - ClassNotFoundException for JSP with long path

2007-10-15 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=43627

   Summary: ClassNotFoundException for JSP with long path
   Product: Tomcat 6
   Version: 6.0.14
  Platform: PC
OS/Version: Windows XP
Status: NEW
  Severity: blocker
  Priority: P2
 Component: Jasper
AssignedTo: [EMAIL PROTECTED]
ReportedBy: [EMAIL PROTECTED]


JSPs with long path names generate a ClassNotFoundException. For example, a JSP with the path

\schema-compiled\ab-products\solutions\assemblies\find-manage\ab-ex-rm-find-manage-2panels.jsp

generates the following exception:

java.lang.ClassNotFoundException:
org.apache.jsp.schema_002dcompiled.ab_002dproducts.solutions.assemblies.find_002dmanage.ab_002dex_002drm_002dfind_002dmanage_002d2panels_jsp
at java.net.URLClassLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(Unknown Source)
at org.apache.jasper.servlet.JasperLoader.loadClass(JasperLoader.java:134)
at org.apache.jasper.servlet.JasperLoader.loadClass(JasperLoader.java:66)
at org.apache.jasper.JspCompilationContext.load(JspCompilationContext.java:598)
at org.apache.jasper.servlet.JspServletWrapper.getServlet(JspServletWrapper.java:144)
at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:329)
at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:320)
at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:266)




DO NOT REPLY [Bug 43396] - Tomcat src requires ant 1.7.0 to build

2007-10-15 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=43396


[EMAIL PROTECTED] changed:

   What|Removed |Added

 Status|NEW |ASSIGNED







DO NOT REPLY [Bug 43396] - Tomcat src requires ant 1.7.0 to build

2007-10-15 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=43396


[EMAIL PROTECTED] changed:

   What|Removed |Added

 AssignedTo|tomcat- |[EMAIL PROTECTED]
   |[EMAIL PROTECTED]  |




--- Additional Comments From [EMAIL PROTECTED]  2007-10-15 11:11 ---
Created an attachment (id=20983)
 --> (http://issues.apache.org/bugzilla/attachment.cgi?id=20983&action=view)
Changed BUILDING.txt to refer to Ant 1.7.0.

In certain versions of ant 1.6, the build fails.  Changed BUILDING.txt to refer
to Ant 1.7.0.




DO NOT REPLY [Bug 43396] - Tomcat src requires ant 1.7.0 to build

2007-10-15 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=43396


[EMAIL PROTECTED] changed:

   What|Removed |Added

 AssignedTo|[EMAIL PROTECTED]|tomcat-
   ||[EMAIL PROTECTED]
 Status|ASSIGNED|NEW







Re: svn commit: r584774 - /tomcat/tc6.0.x/trunk/STATUS

2007-10-15 Thread jkew
For what it is worth, I've replicated the issue and verified that the 
patch below fixes it.


-John

[EMAIL PROTECTED] wrote:

Author: funkman
Date: Mon Oct 15 05:41:09 2007
New Revision: 584774

URL: http://svn.apache.org/viewvc?rev=584774&view=rev
Log:
webdav vote

Modified:
tomcat/tc6.0.x/trunk/STATUS

Modified: tomcat/tc6.0.x/trunk/STATUS
URL: 
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS?rev=584774&r1=584773&r2=584774&view=diff
==
--- tomcat/tc6.0.x/trunk/STATUS (original)
+++ tomcat/tc6.0.x/trunk/STATUS Mon Oct 15 05:41:09 2007
@@ -88,5 +88,5 @@
   
 * Fix important vulnerability when webdav is enabled for write

   Patch: http://marc.info/?l=tomcat-dev&m=119245116910632&w=2
-  +1: markt
+  +1: markt,funkman
   -1:









DO NOT REPLY [Bug 43629] New: - not compiling with jdk1.6.0_02

2007-10-15 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=43629

   Summary: not compiling with jdk1.6.0_02
   Product: Tomcat 6
   Version: 6.0.14
  Platform: Other
OS/Version: other
Status: NEW
  Severity: normal
  Priority: P2
 Component: Catalina
AssignedTo: [EMAIL PROTECTED]
ReportedBy: [EMAIL PROTECTED]


log file from ant download:

Buildfile: build.xml

download:

proxyflags:

setproxy:

testexist:
 [echo] Testing  for 
/usr/share/java/tomcat-native-1.1.10/tomcat-native.tar.gz

downloadfile:

proxyflags:

setproxy:

testexist:
 [echo] Testing  for /usr/share/java/commons-daemon-1.0.1/commons-daemon.jar

downloadgz:

proxyflags:

setproxy:

testexist:
 [echo] Testing  for /usr/share/java/tomcat6-deps/dbcp/tomcat-dbcp.jar

downloadgz:
  [get] Getting:
http://archive.apache.org/dist/jakarta/commons/collections/source/commons-collections-3.2-src.tar.gz
  [get] To: C:\usr\share\java\file.tar.gz
   [gunzip] Expanding C:\usr\share\java\file.tar.gz to 
C:\usr\share\java\file.tar
[untar] Expanding: C:\usr\share\java\file.tar into C:\usr\share\java
   [delete] Deleting: C:\usr\share\java\file.tar
   [delete] Deleting: C:\usr\share\java\file.tar.gz

proxyflags:

setproxy:

testexist:
 [echo] Testing  for /usr/share/java/tomcat6-deps/dbcp/tomcat-dbcp.jar

downloadgz:
  [get] Getting:
http://archive.apache.org/dist/jakarta/commons/pool/source/commons-pool-1.3-src.tar.gz
  [get] To: C:\usr\share\java\file.tar.gz
   [gunzip] Expanding C:\usr\share\java\file.tar.gz to 
C:\usr\share\java\file.tar
[untar] Expanding: C:\usr\share\java\file.tar into C:\usr\share\java
   [delete] Deleting: C:\usr\share\java\file.tar
   [delete] Deleting: C:\usr\share\java\file.tar.gz

proxyflags:

setproxy:

testexist:
 [echo] Testing  for /usr/share/java/tomcat6-deps/dbcp/tomcat-dbcp.jar

downloadgz:
  [get] Getting:
http://archive.apache.org/dist/jakarta/commons/dbcp/source/commons-dbcp-1.2.2-src.tar.gz
  [get] To: C:\usr\share\java\file.tar.gz
   [gunzip] Expanding C:\usr\share\java\file.tar.gz to 
C:\usr\share\java\file.tar
[untar] Expanding: C:\usr\share\java\file.tar into C:\usr\share\java
   [delete] Deleting: C:\usr\share\java\file.tar
   [delete] Deleting: C:\usr\share\java\file.tar.gz

build-tomcat-dbcp:
 [copy] Copying 61 files to C:\usr\share\java\tomcat6-deps\dbcp
 [move] Moving 61 files to
C:\usr\share\java\tomcat6-deps\dbcp\src\java\org\apache\tomcat\dbcp
[javac] Compiling 61 source files to 
C:\usr\share\java\tomcat6-deps\dbcp\classes
[javac]
C:\usr\share\java\tomcat6-deps\dbcp\src\java\org\apache\tomcat\dbcp\dbcp\BasicDataSource.java:44:
org.apache.tomcat.dbcp.dbcp.BasicDataSource is not abstract and does not
override abstract method isWrapperFor(java.lang.Class) in java.sql.Wrapper
[javac] public class BasicDataSource implements DataSource {
[javac]^
[javac]
C:\usr\share\java\tomcat6-deps\dbcp\src\java\org\apache\tomcat\dbcp\dbcp\DelegatingStatement.java:46:
org.apache.tomcat.dbcp.dbcp.DelegatingStatement is not abstract and does not
override abstract method isPoolable() in java.sql.Statement
[javac] public class DelegatingStatement extends AbandonedTrace implements
Statement {
[javac]^
[javac]
C:\usr\share\java\tomcat6-deps\dbcp\src\java\org\apache\tomcat\dbcp\dbcp\DelegatingStatement.java:131:
isClosed() in org.apache.tomcat.dbcp.dbcp.DelegatingStatement cannot implement
isClosed() in java.sql.Statement; attempting to assign weaker access privileges;
was public
[javac] protected boolean isClosed() {
[javac]   ^
[javac]
C:\usr\share\java\tomcat6-deps\dbcp\src\java\org\apache\tomcat\dbcp\dbcp\DelegatingPreparedStatement.java:50:
org.apache.tomcat.dbcp.dbcp.DelegatingPreparedStatement is not abstract and does
not override abstract method setNClob(int,java.io.Reader) in
java.sql.PreparedStatement
[javac] public class DelegatingPreparedStatement extends DelegatingStatement
[javac]^
[javac]
C:\usr\share\java\tomcat6-deps\dbcp\src\java\org\apache\tomcat\dbcp\dbcp\DelegatingCallableStatement.java:53:
org.apache.tomcat.dbcp.dbcp.DelegatingCallableStatement is not abstract and does
not override abstract method setNClob(java.lang.String,java.io.Reader) in
java.sql.CallableStatement
[javac] public class DelegatingCallableStatement extends
DelegatingPreparedStatement
[javac]^
[javac]
C:\usr\share\java\tomcat6-deps\dbcp\src\java\org\apache\tomcat\dbcp\dbcp\DelegatingConnection.java:51:
org.apache.tomcat.dbcp.dbcp.DelegatingConnection is not abstract and does not
override abstract method createStruct(java.lang.

DO NOT REPLY [Bug 43629] - not compiling with jdk1.6.0_02

2007-10-15 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=43629


[EMAIL PROTECTED] changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution||INVALID




--- Additional Comments From [EMAIL PROTECTED]  2007-10-15 18:52 ---
This isn't a Tomcat bug, it is a commons-dbcp bug
(https://issues.apache.org/jira/browse/DBCP-191, to be exact).

The only work-around I can offer is to build the "build-tomcat-dbcp" target 
using a 1.5.x JVM, and then build the rest with a 1.6.x JVM.  

There is also a patch on the DBCP-191 bug report, but I don't know how cleanly 
it will apply to the version Tomcat is using.
