Re: Adding HTTPOnly support to Tomcat
Jim Manico wrote:
> Any thoughts would be greatly appreciated.

If you add your patch (in diff -u format) to the bugzilla enhancement request you created then there is a much better chance it won't get forgotten.

Mark

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: Adding HTTPOnly support to Tomcat
On Sun, 2008-03-09 at 19:56 -0700, Filip Hanik - Dev Lists wrote:
> haven't forgotten about you, it's still on the todo list.

I am against adding support for IE only hacks ?

Rémy
RE: Re:Reorder the http header generated by tomcat
Hi Filip & all,

Thanks for your reply. I'm trying to reorder the header to make another Network management SW handle http response easier. Now I use another way to resolve the problem (change some code in the NMS) since I don't know how to reorder it yet..

B.R
Han

Filip Hanik - Dev Lists wrote:
> George Sexton wrote:
>> I agree. I just said that if HIS app requires a specific order, HE should write code to do it.
>
> that won't help you IF there is a proxy between server and user agent that reorders it. the user-agent is what needs to be fixed
>
> Filip

I was working on the assumption that he's writing his own user agent and for whatever reason it simplifies his code if the headers are in a specific order.

As I wrote in my original message, sometimes if you can get things in a specific order it makes things easier. The example I gave was an iCal parser. It turns out to be 10 times easier to write an iCal parser if you can get the fields in a specific order, i.e. have the DTSTART come before the RRULE every time. So, my iCal parser has a sort routine that puts the various parts of an iCal entry in a specific order BEFORE I try to use them.

So, there are valid cases where when parsing data (e.g. header data) getting things in a specific order is desirable. I wholly agree that anyone that expects headers coming from a server to be in a specific order needs their head examined.

--
George Sexton
MH Software, Inc.
Voice: +1 303 438 9585
URL: http://www.mhsoftware.com/

B.R
Hanks
svn commit: r635539 - /tomcat/tc6.0.x/trunk/STATUS.txt
Author: remm Date: Mon Mar 10 05:11:58 2008 New Revision: 635539 URL: http://svn.apache.org/viewvc?rev=635539&view=rev Log: - Votes. Modified: tomcat/tc6.0.x/trunk/STATUS.txt Modified: tomcat/tc6.0.x/trunk/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=635539&r1=635538&r2=635539&view=diff == --- tomcat/tc6.0.x/trunk/STATUS.txt (original) +++ tomcat/tc6.0.x/trunk/STATUS.txt Mon Mar 10 05:11:58 2008 @@ -63,7 +63,7 @@ * Allow to specify the random device to use. (/dev/urandom is faster). http://svn.apache.org/viewvc?view=rev&revision=602114 http://svn.apache.org/viewvc?view=rev&revision=601795 - +1: jfclere, fhanik + +1: jfclere, fhanik, remm +0: markt, jim - should really be added to the docs as well -1: @@ -83,9 +83,11 @@ -1: markt This patch removes a method from a public API. With that issue fixed I would vote -0 until I can look at this further as explained in http://marc.info/?l=tomcat-dev&m=120457882215329&w=2 - -0: remm The newer code looks cleaner to me, so I propose this patch (bb.getLength() is equal to the - value used as the result of available in the other proposed patch, and thez are thus using - the same limit for reading data): + -0: remm The newer code looks cleaner to me + +* As an alternate fix to 44494, I propose this patch (bb.getLength() is equal to the + value used as the result of available in the other proposed patch, and both + patches are thus using the same limit for reading data): Index: java/org/apache/catalina/connector/InputBuffer.java === --- java/org/apache/catalina/connector/InputBuffer.java(revision 633279) 
@@ -99,11 +101,14 @@ bb.setOffset(bb.getEnd()); return cb.getLength(); - + + +1 : remm + * Cookie addition - due to how inconsistent browsers are we will only quote the value for v0 cookies. http://svn.apache.org/viewvc?view=rev&revision=634513 +1: fhanik + +0: remm -0: markt If the current code thinks the path needs quoting then you are in very uncertain territory for v0 cookies anyway and the chances are that something is going to break. I would @@ -115,15 +120,15 @@ * Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=44562 http://svn.apache.org/viewvc?rev=635294&view=rev (prior code clean up) http://svn.apache.org/viewvc?rev=635297&view=rev (the actual fix) - +1: markt + +1: markt, remm -1: * Fix minor HttpServlet bug. Use localised error message. http://svn.apache.org/viewvc?rev=635298&view=rev - +1: markt + +1: markt, remm -1: * Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=44558 http://svn.apache.org/viewvc?rev=635304&view=rev - +1: markt + +1: markt, remm -1: - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
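Review bot: the alternate fix for 44494 is pasted into STATUS.txt as a bare `Index: java/org/apache/catalina/connector/InputBuffer.java` fragment of which only `bb.setOffset(bb.getEnd()); return cb.getLength();` is visible, whereas every other entry in the file points at an svn revision or a patch URL. Please link the full patch (or attach it to the bugzilla entry for 44494 and link that) so voters can see the surrounding read loop and verify the claim that bb.getLength() is the same limit as the value used as the result of available() in the other proposed patch; as quoted, the proposal cannot be applied or reviewed from STATUS.txt alone.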
Re: Adding HTTPOnly support to Tomcat
Remy,

This is not a ms hack, but a security enhancement supported by all browsers. Do some research and get back to us.

Jim

On Mar 10, 2008, at 5:33 AM, Remy Maucherat <[EMAIL PROTECTED]> wrote:
> On Sun, 2008-03-09 at 19:56 -0700, Filip Hanik - Dev Lists wrote:
>> haven't forgotten about you, it's still on the todo list.
>
> I am against adding support for IE only hacks ?
>
> Rémy
Re: Adding HTTPOnly support to Tomcat
On Mon, 2008-03-10 at 08:16 -0400, Jim Manico wrote:
> Remy,
>
> This is not a ms hack, but a security enhancement supported by all
> browsers. Do some research and get back to us.

This feature does not have good browser support, and I think it's a hack. Well, at least you know how I will vote if your patch is proposed [of course, it could still go in if many people support it] :)

Rémy
DO NOT REPLY [Bug 41912] JSF datatable does not work on tomcat 6.0.9
https://issues.apache.org/bugzilla/show_bug.cgi?id=41912

Rangel Preis <[EMAIL PROTECTED]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[EMAIL PROTECTED]

--- Comment #5 from Rangel Preis <[EMAIL PROTECTED]> 2008-03-10 06:00:12 PST ---
Using tomcat 6.0.16 and JSF 1.2-b20-FCS I get the same error:

  The method setVar(String) in the type DataTableTag is not applicable for the arguments (JspValueExpression)

When I change to jsf 1.1 it works fine. Does Tomcat 6.0.16 have a bug too?

--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are the assignee for the bug.
DO NOT REPLY [Bug 44571] New: Limits busy per worker to a threshold
https://issues.apache.org/bugzilla/show_bug.cgi?id=44571

           Summary: Limits busy per worker to a threshold
           Product: Tomcat 6
           Version: unspecified
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: Connectors
        AssignedTo: [EMAIL PROTECTED]
        ReportedBy: [EMAIL PROTECTED]


On a high load tomcat server, if a lot of requests are received suddenly, it will take a lot of time to serve the requests, but apache still sends more requests to the tomcat, so tomcat becomes slower and slower. Since the server gives no response, some web clients may send the request again, making the tomcat server even slower. It is something like congestion.

I wrote a patch to limit busy per worker to a threshold. Define the threshold in worker.properties. If all workers reach the threshold, further requests will get a 503 response. And the sticky session parameter is ignored if the worker reaches the threshold.

It is very simple to configure, just add the busylimit to the worker. Default is 0, which means no limit. e.g.

  worker.test-1.port = 8009
  worker.test-1.host = localhost
  worker.test-1.type = ajp13
  worker.test-1.busylimit = 10
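The behaviour the report describes (a per-worker busylimit read from worker.properties, sticky sessions ignored once that worker is at its limit, 503 once every worker is) is modelled below in Python as an added example. It is not the mod_jk patch attached to the bug, and the worker names, ports and limits in the sample configuration are constructed for the illustration.

```python
"""Model of the per-worker 'busylimit' threshold described in bug 44571.

Illustrative Python model of the proposed semantics, not the mod_jk (C)
patch attached to the bug. Worker names and limits below are constructed.
"""


def parse_worker_properties(text):
    """Parse 'worker.<name>.<key> = <value>' lines into {name: {key: value}}.

    Lines without exactly three dotted components (comments, blank lines,
    worker.list) are skipped. busylimit defaults to 0, meaning no limit,
    as the report specifies.
    """
    workers = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        parts = key.strip().split(".")
        if not sep or len(parts) != 3 or parts[0] != "worker":
            continue
        workers.setdefault(parts[1], {})[parts[2]] = value.strip()
    for settings in workers.values():
        settings["busylimit"] = int(settings.get("busylimit", "0"))
    return workers


class Balancer:
    """Dispatches requests to workers while honouring each worker's busylimit."""

    def __init__(self, workers):
        self.workers = workers
        self.busy = {name: 0 for name in workers}  # in-flight requests per worker

    def has_capacity(self, name):
        limit = self.workers[name]["busylimit"]
        return limit == 0 or self.busy[name] < limit

    def dispatch(self, session_route=None):
        """Pick a worker for one request.

        Returns the worker name, or None when every worker has reached its
        busylimit (the case the proxy answers with a 503). The sticky-session
        route is ignored once that worker is at its limit.
        """
        if session_route in self.workers and self.has_capacity(session_route):
            chosen = session_route
        else:
            candidates = [n for n in self.workers if self.has_capacity(n)]
            if not candidates:
                return None
            chosen = min(candidates, key=lambda n: self.busy[n])
        self.busy[chosen] += 1
        return chosen

    def release(self, name):
        """Mark one request on `name` as finished."""
        self.busy[name] -= 1


# Constructed sample configuration (not from any real deployment).
SAMPLE_CONFIG = """
worker.test-1.port = 8009
worker.test-1.host = localhost
worker.test-1.type = ajp13
worker.test-1.busylimit = 2
worker.test-2.port = 8010
worker.test-2.host = localhost
worker.test-2.type = ajp13
worker.test-2.busylimit = 1
"""


def simulate(routes):
    """Dispatch one request per route (None = no sticky session) and return
    the chosen workers in order, with None standing for a 503."""
    lb = Balancer(parse_worker_properties(SAMPLE_CONFIG))
    return [lb.dispatch(r) for r in routes]


if __name__ == "__main__":
    # Four requests all stuck to test-1 (limit 2): the third spills to
    # test-2, the fourth finds no capacity anywhere.
    print(simulate(["test-1", "test-1", "test-1", "test-1"]))
```

The model only counts in-flight requests; whether 503 is really the right answer for a client that will retry on error (the report's congestion concern) depends on the proxy also sending Retry-After or the client backing off, which the patch as described does not address.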
DO NOT REPLY [Bug 44571] Limits busy per worker to a threshold
https://issues.apache.org/bugzilla/show_bug.cgi?id=44571

--- Comment #1 from Zealot <[EMAIL PROTECTED]> 2008-03-10 06:28:02 PST ---
Created an attachment (id=21648)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=21648)
busy limit patch
DO NOT REPLY [Bug 44502] NIO connector under heavy load drops incoming requests
https://issues.apache.org/bugzilla/show_bug.cgi?id=44502

Filip Hanik <[EMAIL PROTECTED]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |RESOLVED
         Resolution|                            |FIXED

--- Comment #6 from Filip Hanik <[EMAIL PROTECTED]> 2008-03-10 09:03:43 PST ---
Yes it does make sense, that is how the regular connector works. When it hits max threads, it shuts down its connections to be able to handle other incoming connections. I suspect that something else is simply dropping connections, and when we close old connections you leave room to handle new ones.
Re: Adding HTTPOnly support to Tomcat
Remy,

I recommend more careful research on this topic.

IE 6+ supports HttpOnly
FireFox 2.0.0.6+ support HttpOnly
Opera 9.5+ has promised HttpOnly support
Safari is still considering

On Mon, 2008-03-10 at 08:16 -0400, Jim Manico wrote:
>> Remy,
>>
>> This is not a ms hack, but a security enhancement supported by all
>> browsers. Do some research and get back to us.
>
> This feature does not have good browser support, and I think it's a hack. Well, at least you know how I will vote if your patch is proposed [of course, it could still go in if many people support it] :)
>
> Rémy
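The thread argues about browser support for HttpOnly; the check a deployer actually wants is whether the cookies a server sets carry the attribute at all. The Python below is an added example, not Tomcat code and not from anyone in the thread: it parses Set-Cookie header values and reports cookies that lack HttpOnly and, for responses served over https, Secure (the attribute that CVE-2008-0128, listed further down this page, found missing on JSESSIONIDSSO). The header values it runs on are constructed samples.

```python
"""Audit Set-Cookie response headers for the HttpOnly and Secure attributes.

Added example: parses each Set-Cookie value the way a browser does
(attribute names compared case-insensitively) and lists what is missing.
"""
from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # lower-cased attribute -> value or None


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into name, value and attributes.

    The cookie value is everything after the first '=', so values that
    themselves contain '=' survive. Flag attributes (HttpOnly, Secure)
    are stored with a None value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep:
        raise ValueError(f"malformed Set-Cookie (no '='): {header!r}")
    cookie = Cookie(name.strip(), value.strip())
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        cookie.attrs[key.strip().lower()] = val.strip() if val else None
    return cookie


def audit_set_cookie(headers, over_https: bool):
    """Return (cookie name, missing attribute) findings for a response.

    HttpOnly is expected on every cookie that page scripts do not need to
    read (session ids in particular); Secure is expected on every cookie
    issued over https so it is never replayed over plain http.
    """
    findings = []
    for header in headers:
        c = parse_set_cookie(header)
        if "httponly" not in c.attrs:
            findings.append((c.name, "HttpOnly"))
        if over_https and "secure" not in c.attrs:
            findings.append((c.name, "Secure"))
    return findings


# Constructed sample response headers, not captured from any real server.
SAMPLE_HEADERS = [
    "JSESSIONID=ABC123; Path=/app; HttpOnly",
    "JSESSIONIDSSO=DEF456; Path=/",
    "theme=dark; Path=/; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Secure; HttpOnly",
]

if __name__ == "__main__":
    for name, missing in audit_set_cookie(SAMPLE_HEADERS, over_https=True):
        print(f"{name}: missing {missing}")
```

One header value per list element is deliberate: folding several Set-Cookie headers into one comma-separated string is unsafe because Expires dates contain commas, which is why the parser never splits on ','.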
svn commit: r635680 - /tomcat/tc6.0.x/trunk/STATUS.txt
Author: markt Date: Mon Mar 10 13:28:32 2008 New Revision: 635680 URL: http://svn.apache.org/viewvc?rev=635680&view=rev Log: Propose adding systemprops doc Modified: tomcat/tc6.0.x/trunk/STATUS.txt Modified: tomcat/tc6.0.x/trunk/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=635680&r1=635679&r2=635680&view=diff == --- tomcat/tc6.0.x/trunk/STATUS.txt (original) +++ tomcat/tc6.0.x/trunk/STATUS.txt Mon Mar 10 13:28:32 2008 @@ -132,3 +132,9 @@ http://svn.apache.org/viewvc?rev=635304&view=rev +1: markt, remm -1: + +* Add system property docs + http://svn.apache.org/viewvc?rev=620335&view=rev + http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/systemprops.xml?r1=627743&r2=627742&pathrev=627743 + +1: markt + -1: - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
svn commit: r635704 - /tomcat/current/tc5.5.x/STATUS.txt
Author: markt Date: Mon Mar 10 14:34:56 2008 New Revision: 635704 URL: http://svn.apache.org/viewvc?rev=635704&view=rev Log: Add a couple of proposals. Modified: tomcat/current/tc5.5.x/STATUS.txt Modified: tomcat/current/tc5.5.x/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/current/tc5.5.x/STATUS.txt?rev=635704&r1=635703&r2=635704&view=diff == --- tomcat/current/tc5.5.x/STATUS.txt (original) +++ tomcat/current/tc5.5.x/STATUS.txt Mon Mar 10 14:34:56 2008 @@ -69,3 +69,13 @@ http://svn.apache.org/viewvc?rev=635298&view=rev +1: markt -1: + +* Add system properties docs + http://people.apache.org/~markt/patches/2008-03-10-sys-props.patch + +1: markt + -1: + +* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=44556 + http://people.apache.org/~markt/patches/2008-03-10-bug44556.patch + +1: markt + -1: - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
DO NOT REPLY [Bug 44556] Filename for commons-logging-api changed, but config files doesn't changed.
https://issues.apache.org/bugzilla/show_bug.cgi?id=44556

Mark Thomas <[EMAIL PROTECTED]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|blocker                     |normal

--- Comment #1 from Mark Thomas <[EMAIL PROTECTED]> 2008-03-10 14:34:29 PST ---
A patch has been proposed for the next release.
svn commit: r635718 - /tomcat/current/tc4.1.x/STATUS.txt
Author: markt Date: Mon Mar 10 15:04:05 2008 New Revision: 635718 URL: http://svn.apache.org/viewvc?rev=635718&view=rev Log: Propose back port of security related fix. CVE-2008-0128. Modified: tomcat/current/tc4.1.x/STATUS.txt Modified: tomcat/current/tc4.1.x/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/current/tc4.1.x/STATUS.txt?rev=635718&r1=635717&r2=635718&view=diff == --- tomcat/current/tc4.1.x/STATUS.txt (original) +++ tomcat/current/tc4.1.x/STATUS.txt Mon Mar 10 15:04:05 2008 @@ -30,4 +30,9 @@ http://svn.apache.org/viewvc?rev=635297&view=rev (the actual fix) +1: markt -1: - \ No newline at end of file + +* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=41217 + This is CVE-2008-0128. + http://people.apache.org/~markt/patches/2008-03-10-bug41217-tc4.patch + +1: markt + -1: - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
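Review bot: the new entry for bug 41217 gives the CVE id and a patch URL but no description of the change, unlike the entries above it that label their revisions "(the actual fix)". Since the site commit in this same batch describes CVE-2008-0128 as the SingleSignOn Valve setting JSESSIONIDSSO over https without the "secure" attribute, a one-line summary next to the link would let voters confirm the 4.1.x back port is limited to the SSO cookie code. Folding the repair of the trailing "\ No newline at end of file" into this hunk is fine.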
svn commit: r635720 - in /tomcat/site/trunk: docs/security-4.html docs/security-5.html docs/security-6.html xdocs/security-4.xml xdocs/security-5.xml xdocs/security-6.xml
Author: markt Date: Mon Mar 10 15:05:18 2008 New Revision: 635720 URL: http://svn.apache.org/viewvc?rev=635720&view=rev Log: Add CVE-2008-0128 which was missing. Modified: tomcat/site/trunk/docs/security-4.html tomcat/site/trunk/docs/security-5.html tomcat/site/trunk/docs/security-6.html tomcat/site/trunk/xdocs/security-4.xml tomcat/site/trunk/xdocs/security-5.xml tomcat/site/trunk/xdocs/security-6.xml Modified: tomcat/site/trunk/docs/security-4.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-4.html?rev=635720&r1=635719&r2=635720&view=diff == --- tomcat/site/trunk/docs/security-4.html (original) +++ tomcat/site/trunk/docs/security-4.html Mon Mar 10 15:05:18 2008 @@ -3,19 +3,19 @@ Apache Tomcat - Apache Tomcat 4.x vulnerabilities - - - - + + + + - - + + http://tomcat.apache.org/";> - + @@ -26,28 +26,28 @@ http://www.apache.org/";> -http://www.apache.org/images/asf-logo.gif"; /> +http://www.apache.org/images/asf-logo.gif"; align="right" alt="Apache Logo" border="0"/> -http://www.google.com/search";> - - - +http://www.google.com/search"; method="get"> + + + - + - + - + Apache Tomcat @@ -182,11 +182,11 @@ - - + + - + Apache Tomcat 4.x vulnerabilities @@ -219,14 +219,14 @@ - + - + - + Will not be fixed in Apache Tomcat 4.1.x @@ -259,14 +259,51 @@ - + - + - + + +Not fixed in Apache Tomcat 4.1.x + + + + + + + + + +moderate: Session hi-jacking + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0128";> + CVE-2008-0128 + + +When using the SingleSignOn Valve via https the Cookie JSESSIONIDSSO is + transmitted without the "secure" attribute, resulting in it being + transmitted to any content that is - by purpose or error - requested via + http from the same server. + +Affects: 4.1.0-4.1.37 + + + + + + + + + + + + + + + Fixed in Apache Tomcat 4.1.37 @@ -406,14 +443,14 @@ - + - + - + Fixed in Apache Tomcat 4.1.36 @@ -503,14 +540,14 @@ - + - + - + Fixed in Apache Tomcat 4.1.32 @@ -595,14 +632,14 @@ - + - + - + Fixed in Apache Tomcat 4.1.29 
@@ -633,14 +670,14 @@ - + - + - + Fixed in Apache Tomcat 4.1.13, 4.0.6 @@ -685,14 +722,14 @@ - + - + - + Fixed in Apache Tomcat 4.1.12, 4.0.5 @@ -719,14 +756,14 @@ - + - + - + Fixed in Apache Tomcat 4.1.3 @@ -755,14 +792,14 @@ - + - + - + Fixed in Apache Tomcat 4.1.0 @@ -802,14 +839,14 @@ - + - + - + Fixed in Apache Tomcat 4.0.2 @@ -840,14 +877,14 @@ - + - + - + Fixed in Apache Tomcat 4.0.0 @@ -875,14 +912,14 @@ - + - + - + Unverified @@ -899,7 +936,7 @@ CVE-2005-4703, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2008";> CVE-2002-2008 - + This issue only affects Windows operating systems. It can not be @@ -915,7 +952,7 @@ important: Denial of service http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1895";> CVE-2002-1895 - + This issue only affects configurations that use IIS in conjunction with @@ -931,14 +968,14 @@ - + - + - + Not a vulnerability in Tomcat @@ -967,7 +1004,7 @@ - + @@ -976,14 +1013,14 @@ - + - + Copyright © 1999-2007, The Apache Software Foundation Modified: tomcat/site/trunk/docs/security-5.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-5.html?rev=635720&r1=635719&r2=635720&view=diff == --- tomcat/site/trunk/docs/security-5.html (original) +++ tomcat/site/trunk/docs/security-5.html Mon Mar 10 15:05:18 2008 @@ -3,19 +3,19 @@ Apache Tomcat - Apache Tomcat 5.x vulnerabilities - - - - + + + + - - + + http://tomcat.apache.org/";> - + @@ -26,28 +26,28 @@ http://www.apache.org/";> -http://www.apache.org/images/asf-logo.gif"; /> +http://www.apache.org/images/asf-logo.gif"; align="right" alt="Apache Logo" border="0"/> -http://www.google.com/search";> - - - +http://www.google.com/search"; method="get"> + + + - + - + - + Apache Tomcat @@ -182,11 +182,11 @@ - - + + - + Apache Tomcat 5.x vulnerabilities @@ -220,14 +220,14 @@ - + - + - + Fixed in Apache Tomcat 5.5.26 @@ -295,14 +295,14 @@ - + - + - + Fixed in Apache Tomcat 5.5.25, 5.0.SVN @@ -384,14 +384,14 @@ - + - + - + Fixed in Apache Tomcat 5.5.24, 5.0.SVN 
@@ -421,14 +421,14 @@ - + - + - + Fixed in Apache Tomcat 5.5.23, 5.0.SVN @@ -463,14 +463,14 @@ - + - + - + Fixed in Apache Tomcat 5.5.22, 5.0.SVN @@ -524,1
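Review bot: the substantive change, the new security-4.html section headed "Not fixed in Apache Tomcat 4.1.x" with "Affects: 4.1.0-4.1.37" for CVE-2008-0128, is buried under regenerated-site churn (the asf-logo img gaining align="right" alt="Apache Logo" border="0", the search form gaining method="get", and the long runs of whitespace-only "- +" pairs); committing the generator output separately from the vulnerability entry would make this reviewable. Note also that r635718 in this batch proposes a 4.1.x back port of the same fix, so the "Not fixed" heading and the affects range will need revising if that vote passes, and the message is cut off at "@@ -524,1" inside security-5.html, so the 5.x and 6.x entries for the CVE cannot be checked here.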
DO NOT REPLY [Bug 44554] Null Pointer exception deploying WAR
https://issues.apache.org/bugzilla/show_bug.cgi?id=44554

Mark Thomas <[EMAIL PROTECTED]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

--- Comment #1 from Mark Thomas <[EMAIL PROTECTED]> 2008-03-10 16:52:25 PST ---
Your war file is malformed. I get this error if I use 7zip to create the war but if I use the jar command line tool and set URIEncoding="UTF-8" in the connector then it works correctly.
DO NOT REPLY [Bug 44571] Limits busy per worker to a threshold
https://issues.apache.org/bugzilla/show_bug.cgi?id=44571

Zealot <[EMAIL PROTECTED]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|Connectors                  |Native:JK
DO NOT REPLY [Bug 44047] Provide a way for Tomcat to serve up error pages when too busy
https://issues.apache.org/bugzilla/show_bug.cgi?id=44047

Zealot <[EMAIL PROTECTED]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|Catalina                    |Native:JK