DO NOT REPLY [Bug 44679] Cookies are treated differently between 6.0.16 and 6.0.14
https://issues.apache.org/bugzilla/show_bug.cgi?id=44679

Mark Thomas changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |FIXED

--- Comment #30 from Mark Thomas 2009-01-25 01:32:37 PST ---
(In reply to comment #29)
> 1.) HTTP/1.1 allows the usage of separator chars in cookie values
>
> It is not true, that the RFC2616 definition for the term "token" is
> restricting the allowed characters for cookies following the Netscape Cookie
> Definition (cookie 0; see
> http://web.archive.org/web/20070805052634/http://wp.netscape.com/newsref/std/cookie_spec.html)

The cookie 0 spec has a number of ambiguities (eg %XX encoding is suggested but not supported by many (all?) browsers, the '=' character is not listed as one that must be quoted if used in a name or value despite the obvious issues this would cause, etc). The Tomcat treatment of v0 cookies is consistent with the v0 spec and takes a practical view of the various ambiguities that is consistent with the operation of major browsers.

The v1 spec (RFC2109) does restrict cookie values to token or quoted string.

> 2.) Servlet Spec does not allow separator chars as value for a cookie
> =
>
> The Servlet Specification is indifferent.

The servlet spec defers to the v0 and v1 specs with the additional statement that:

> With Version 0 cookies, values should not contain white space, brackets,
> parentheses, equals signs, commas, double quotes, slashes, question marks,
> at signs, colons, and semicolons. Empty values may not behave the same way
> on all browsers.

The should is enforced as it enables parsing to be unambiguous (see the = comment above).

> 3.) Your Work Around: Migrating cookies to version 1 Cookies, when they are
> containing special characters
> ==
>
> This is one of the most horrible ways imaginable to handle this problem...

I, and I suspect a number of other committers, strongly disagree.

> There is written "DO NOT USE IT YET (Version 1 Cookies) ON PRODUCTION
> SITES"
>
> From my point of view the justification ("is still somewhat new") is a little
> bit silly (RFC 2109 has been released Feb. 1997) but the conclusion is right
> in every case. ("DO NOT USE ON PRODUCTION SITES")

That statement should have been updated several spec versions ago. v1 cookies are widely supported and are a lot better than v0 in terms of a well defined spec.

> If you look outside the servlet spec, you will find there is already a new RFC
> (Cookie 2, RFC 2965). READ the chapter "ABSTRACT" on page 1...

If you read the Tomcat source you will see that the Tomcat developers are well aware of the various cookie specs.

> Abstract
> ...
> The method described here differs from Netscape's Cookie
> proposal [Netscape], but it can interoperate with HTTP/1.0 user
> agents that use Netscape's method. (See the HISTORICAL section.)
>
> This document reflects implementation experience with RFC 2109 and
> obsoletes it.
>
> In plain text RFC 2109 is incompatible with the Netscape cookie spec. It
> is not possible to support both in one system... So RFC 2109 is not
> experimental...

RFC 2109 was an experiment which failed.

Last time I checked browser support for RFC 2965 was patchy. It would also help if the servlet spec referenced v2 cookies.

> 4.) Conclusion
>
> * The Migration to version 1 is definitely a bug.

We know the auto conversion isn't spec compliant. That is why if you use strict servlet compliance, the automatic conversion doesn't happen.

The fundamental problem with cookies is a lack of a well defined specification that is correctly implemented by browsers. This situation is made worse by ambiguities in the v0 spec. The changes made to Tomcat's cookie parsing were made to address a number of security concerns. These changes had to be made. These changes highlighted a number of browser issues and further changes were made to provide a solution that is secure and compatible with major browsers. All the known issues are addressed in 6.0.18.

There may be interoperability issues with some systems as a result of Tomcat's stricter parsing. These will almost certainly need to be addressed on a case by case basis but where there is a case for adding functionality or a configuration option to Tomcat it will be considered (please create a separate bugzilla entry for any such proposed patches).

As has already been noted earlier in this bug, not all of the cookie changes have been ported to 5.5.x. I will create a new Bugzilla entry for 5.5.x to track that to make sure all the changes are ported, hopefully in time for the next 5.5.x release.

-- 
Configure bugmail: https://issues.apache.org/bugz
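An added illustration (my own simplified code, not Tomcat's cookie handling) of the v0 separator rule quoted in the comment above and of the v0-to-v1 conversion it discusses. The naive v0 parse at the end shows why the "should" has to be enforced: a value containing an unquoted '=' or ';' cannot be told apart from the delimiters. The `strict_compliance` flag is an assumed simplification of the strict servlet compliance switch the comment mentions.

```python
import re

# Characters the Servlet spec says a Version 0 cookie value "should not
# contain" (the list quoted in the comment above): white space, brackets,
# parentheses, '=', ',', '"', '/', '?', '@', ':' and ';'.
V0_SEPARATORS = frozenset(' \t\r\n[]{}()=,"/?@:;')

# RFC 2109 "token" (printable US-ASCII minus the RFC 2616 separators); used
# for the cookie name, which no cookie version allows to be quoted.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def is_v0_safe(value: str) -> bool:
    """True when the value can be emitted unquoted in a v0 (Netscape) cookie."""
    return not any(ch in V0_SEPARATORS for ch in value)


def v1_quote(value: str) -> str:
    """Wrap the value in an RFC 2109 quoted-string, escaping backslash and quote."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def set_cookie_value(name: str, value: str, strict_compliance: bool = False) -> str:
    """Build a Set-Cookie header value for a cookie the application created as
    version 0. Assumed, simplified model of the behaviour discussed in the bug
    (not Tomcat's code): a value containing a v0 separator is upgraded to a v1
    quoted-string; with strict compliance the upgrade is skipped and the value
    goes out exactly as the application gave it."""
    if not _TOKEN_RE.match(name):
        raise ValueError(f"cookie name is not a token: {name!r}")
    if strict_compliance or is_v0_safe(value):
        return f"{name}={value}"
    return f"{name}={v1_quote(value)}; Version=1"


def parse_v0_cookie_header(header: str) -> dict:
    """The naive v0 parse of a Cookie request header: split pairs on ';' and
    each pair on its first '='. Run over an unconverted value this shows the
    ambiguity the separator rule exists to prevent."""
    pairs = {}
    for part in header.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            pairs[name.strip()] = value.strip()
    return pairs
```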
DO NOT REPLY [Bug 46597] New: Not all cookie changes in 6.0.x branch have been ported to 5.5.x
https://issues.apache.org/bugzilla/show_bug.cgi?id=46597

Summary: Not all cookie changes in 6.0.x branch have been ported to 5.5.x
Product: Tomcat 5
Version: Nightly Build
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
AssignedTo: dev@tomcat.apache.org
ReportedBy: ma...@apache.org

Need to check the STATUS file and generate a proposal for the cookie patches applied to 6.0.x that have not yet been proposed for 5.5.x

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
DO NOT REPLY [Bug 46591] Revision 678137 is unnecessary
https://issues.apache.org/bugzilla/show_bug.cgi?id=46591

Mark Thomas changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

--- Comment #1 from Mark Thomas 2009-01-25 01:50:44 PST ---
Character decoding should not result in a URI that is not normalized. If it does, it is indicative of a bug in the character decoding that has possible security implications. Therefore, the code has been written to detect this situation and report it. The approach proposed above would hide any character decoding bugs.
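An added illustration of the check the comment describes (my own simplified code, not Tomcat's URI processing): normalize the still-encoded path, percent-decode it, and then require that the decoded path is itself normalized. A path that only becomes un-normalized after decoding is rejected and reported rather than quietly re-normalized, which is the behaviour the proposed change would have hidden. Sample paths in the test are constructed.

```python
import posixpath
from urllib.parse import unquote


def normalize_path(path: str) -> str:
    """Collapse '.' and '..' segments and repeated slashes (posixpath.normpath),
    keeping a trailing slash because '/dir/' and '/dir' name different resources."""
    if not path.startswith("/"):
        raise ValueError(f"request path must be absolute: {path!r}")
    normalized = posixpath.normpath(path)
    if path.endswith("/") and not normalized.endswith("/"):
        normalized += "/"
    return normalized


def decode_request_path(raw_path: str) -> str:
    """Normalize first, then %-decode, then require the decoded form to be
    normalized already. If decoding produced a '..', '.' or empty segment that
    normalization would remove, raise ValueError (a caller would answer 400)
    instead of normalizing again, which would mask the decoding problem."""
    normalized = normalize_path(raw_path)
    decoded = unquote(normalized)
    if normalize_path(decoded) != decoded:
        raise ValueError(f"decoding un-normalized the path: {raw_path!r} -> {decoded!r}")
    return decoded


def accepts(raw_path: str) -> bool:
    """True when the path passes the check, False when it is rejected."""
    try:
        decode_request_path(raw_path)
        return True
    except ValueError:
        return False
```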
DO NOT REPLY [Bug 46599] New: Tomcat doc. should acknowledge longstanding Daemon bug
https://issues.apache.org/bugzilla/show_bug.cgi?id=46599

Summary: Tomcat doc. should acknowledge longstanding Daemon bug
Product: Tomcat 6
Version: 6.0.18
Platform: PC
URL: http://tomcat.apache.org/tomcat-6.0-doc/windows-service-howto.html
OS/Version: Windows XP
Status: NEW
Severity: normal
Priority: P2
Component: Documentation
AssignedTo: dev@tomcat.apache.org
ReportedBy: 4...@safe-mail.net

Please add this text:

"Do not use PR_DEPENDSON, PR_ENVIRONMENT, PR_JVMOPTIONS, PR_JVMMS, PR_JVMMX, PR_JVMSS, PR_STARTPARAMS, PR_STOPPARAMS or PR_STOPTIMEOUT, until this bug is fixed: http://issues.apache.org/jira/browse/DAEMON-49"

(or similar text) to this page: http://tomcat.apache.org/tomcat-6.0-doc/windows-service-howto.html

The "Windows service HOW-TO" indicates that those nine environment variables will take effect, if they are defined when tomcat6.exe is invoked. But they don't work, and apparently they never worked. The person who reported the Daemon bug submitted a patch, but that was almost 5 years ago, and no one has done anything with the patch.

The tomcat6.exe documentation should acknowledge the existence of this longstanding Daemon bug, so people who read the HOW-TO will not waste numerous hours on it.
DO NOT REPLY [Bug 46599] Tomcat doc. should acknowledge longstanding Daemon bug
https://issues.apache.org/bugzilla/show_bug.cgi?id=46599

Trev <4...@safe-mail.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |4...@safe-mail.net
Bug report for Tomcat 3 [2009/01/25]
Status: UNC=Unconfirmed NEW=New ASS=Assigned OPN=Reopened VER=Verified (Skipped Closed/Resolved)
Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major MIN=Minor NOR=Normal ENH=Enhancement TRV=Trivial

|Bug ID|Sta|Sev|Date Posted|Description                                       |
|   412|Ver|Nor|2001-01-08 |JspC on Windows fails to handle includes in subdir|
|  2350|Ver|Nor|2001-06-27 |ServletConfig.getInitParameter() requires url-patt|
|  6488|Ver|Maj|2002-02-15 |Error: 304. Apparent bug in default ErrorHandler c|
|  9737|Ver|Nor|2002-06-10 |ArrayIndexOutOfBoundsException when sending just p|

Total 4 bugs
Bug report for Watchdog [2009/01/25]
|Bug ID|Sta|Sev|Date Posted|Description                                       |
|   278|Unc|Nor|2000-12-04 |Bug in GetParameterValuesTestServlet.java file Bug|
|   279|Unc|Nor|2000-12-04 |Logical Error in GetParameterValuesTestServlet Bug|
|   469|Unc|Nor|2001-01-17 |in example-taglib.tld "urn" should be "uri" BugRat|
|   470|Unc|Nor|2001-01-17 |FAIL positiveForward.jsp and positiveInclude.jsp B|
|  9634|New|Enh|2002-06-05 |No tests exist for ServletContext.getResourcePaths|
| 10703|New|Enh|2002-07-11 |Need to test getRequestURI after RequestDispatcher|
| 11336|New|Enh|2002-07-31 |Test wrapped path methods with RD.foward()        |
| 11663|New|Maj|2002-08-13 |JSP precompile tests rely on Jasper specific behav|
| 11664|New|Maj|2002-08-13 |A sweep is needed of all Watchdog 4.0 tag librarie|
| 11665|New|Maj|2002-08-13 |ServletToJSPErrorPageTest and ServletToServletErro|
| 11666|New|Maj|2002-08-13 |SetBufferSize_1TestServlet is invalid.            |
| 14004|New|Maj|2002-10-28 |Incorrent behaviour of all attribute-related lifec|
| 15504|New|Nor|2002-12-18 |JSP positiveGetValues test relies on order preserv|
| 24649|New|Nor|2003-11-12 |getRemoteHost fails when agent has uppercase chara|
| 29398|New|Nor|2004-06-04 |Update site and note current status               |

Total 15 bugs
Bug report for Tomcat 4 [2009/01/25]
|Bug ID|Sta|Sev|Date Posted|Description                                       |
|  3839|Opn|Enh|2001-09-26 |Problem bookmarking login page                    |
|  4227|Opn|Enh|2001-10-17 |Invalid CGI path                                  |
|  5329|New|Enh|2001-12-08 |NT Service exits startup before Tomcat is finished|
|  5795|New|Enh|2002-01-10 |Catalina Shutdown relies on localhost causing prob|
|  5829|New|Enh|2002-01-13 |StandardManager needs to cope with sessions throwi|
|  5985|New|Enh|2002-01-23 |Tomcat should perform a more restrictive validatio|
|  6600|Opn|Enh|2002-02-20 |enodeURL adds 'jsession' when 'isRequestedSessionI|
|  6614|New|Enh|2002-02-21 |Have Bootstrap and StandardClassLoader use the sam|
|  6671|New|Enh|2002-02-25 |Simple custom tag example uses old declaration sty|
|  7043|New|Enh|2002-03-12 |database user and password for JDBC Based Store   |
|  7374|New|Enh|2002-03-22 |Apache Tomcat/4.0.1 message on standard output    |
|  7676|New|Enh|2002-04-02 |Allow name property to use match experssions in without className in server.xml produces N|
| 11129|New|Enh|2002-07-24 |New valve for putting the sessionIDs in the reques|
| 11248|New|Enh|2002-07-29 |DefaultServlet doesn't send expires header        |
| 11754|Opn|Enh|2002-08-15 |Synchronous shutdown script - shutdown.sh should w|
| 12069|New|Enh|2002-08-27 |Creation of more HttpSession objects for one previ|
| 12428|Opn|Enh|2002-09-09 |request.getUserPrincipal(): Misinterpretation of s|
| 12658|New|Enh|2002-09-15 |a proxy host and port at the element level        |
| 12766|New|Enh|2002-09-18 |Tomcat should use tld files in /WEB-INF/ over vers|
| 13309|Opn|Enh|2002-10-04 |Catalina calls System.exit()                      |
| 13634|New|Enh|2002-10-15 |Allowing system properties to be substituted in co|
| 13689|Opn|Enh|2002-10-16 |Classloader paths for 'Common' classes and librari|
| 13731|New|Enh|2002-10-17 |Final request, response, session and other variabl|
| 13941|New|Enh|2002-10-24 |reload is VERY slow                               |
| 13965|New|Enh|2002-10-25 |Catalina.sh correction request for Tru64 Unix     |
| 14097|New|Enh|2002-10-30 |hardcoded registry value for vm lets tomcat servic|
| 14416|New|Enh|2002-11-10 |blank tag name in TLD cause NullPointerException  |
| 14635|New|Enh|2002-11-18 |Should be possible not to have -MM-DD in log f    |
| 14766|New|Enh|2002-11-22 |Redirect Vavle                                    |
| 14993|New|Enh|2002-12-02 |Possible obselete synchronized declaration        |
| 15115|New|Enh|2002-12-05 |correct docs... XML parser *cannot* be overridden |
| 15417|Opn|Enh|2002-12-16 |Add port for forced compilation of JSP pages      |
| 15688|New|Enh|2002-12-27 |full-qualified names instead of imports           |
| 15941|New|Enh|2003-01-10 |Expose rootCause exceptions at deeper levels      |
| 16294|New|Enh|2003-01-21 |Configurable URL Decoding.                        |
| 16357|New|Enh|2003-01-23 |"connection timeout reached"                      |
| 16531|New|Enh|2003-01-29 |Updating already deployed ".war" files in a single|
| 16579|New|Enh|2003-01-30 |documentation page layout/style breaks wrapping to|
| 16596|New|Enh|2003-01-30 |option for disabling log rotation                 |
| 17070|New|Enh|2003-02-14 |The Catalina Ant tasks do not allow for 'reusable'|
| 17146|New|Enh|2003-02-18 |Simplify build.xml using
Bug report for Tomcat 5 [2009/01/25]
|Bug ID|Sta|Sev|Date Posted|Description                                       |
| 27122|Opn|Enh|2004-02-20 |IE plugins cannot access components through Tomcat|
| 28039|Opn|Enh|2004-03-30 |Cluster Support for SingleSignOn                  |
| 29160|Ver|Enh|2004-05-23 |precompile problem: _jspx_meth_* (javax.servlet.js|
| 29494|Inf|Enh|2004-06-10 |No way to set PATH when running as a service on Wi|
| 30241|Ver|Enh|2004-07-21 |Enhance build script to use branch argument when c|
| 33262|Inf|Enh|2005-01-27 |Service Manager autostart should check for adminis|
| 33453|Opn|Enh|2005-02-08 |Jasper should recompile JSP files whose datestamps|
| 33671|Opn|Enh|2005-02-21 |Manual Windows service installation with custom na|
| 34801|New|Enh|2005-05-08 |PATCH: CGIServlet does not terminate child after a|
| 34805|Ass|Enh|2005-05-08 |warn about invalid security constraint url pattern|
| 34868|Ass|Enh|2005-05-11 |allow to register a trust store for a session that|
| 35054|Inf|Enh|2005-05-25 |warn if appBase is not existing as a File or direc|
| 36133|Inf|Enh|2005-08-10 |Support JSS SSL implementation                    |
| 36362|New|Enh|2005-08-25 |missing check for Java reserved keywords in tag fi|
| 36569|Inf|Enh|2005-09-09 |Redirects produce illegal URL's                   |
| 36837|Inf|Enh|2005-09-28 |Looking for ProxyHandler implementation of Http re|
| 36922|Inf|Enh|2005-10-04 |setup.sh file mis-advertised and missing          |
| 36923|New|Nor|2005-10-05 |Deactivated EL expressions are not parsed for jsp |
| 37018|Ass|Enh|2005-10-11 |Document how to use tomcat-SSL with a pkcs11 token|
| 37084|Ass|Nor|2005-10-14 |JspC from ant fails on JSPs that use custom taglib|
| 37334|Inf|Enh|2005-11-02 |Realm digest property not aligned with the adminis|
| 37449|Opn|Enh|2005-11-10 |Two UserDatabaseRealm break manager user          |
| 37458|Ass|Nor|2005-11-10 |Datarace on org.apache.catalina.loader.WebappClass|
| 37485|Inf|Enh|2005-11-14 |I'd like to run init SQL after JDBC Connection cre|
| 37498|New|Nor|2005-11-14 |[PATCH] NPE in org.apache.catalina.core.ContainerB|
| 37515|Opn|Nor|2005-11-15 |smap not generated by JspC when used from Ant for |
| 37627|Inf|Nor|2005-11-24 |Slow and incomplete dynamic content generation aft|
| 37785|Inf|Nor|2005-12-05 |Changing startup type via Tomcat Monitor does not |
| 37794|Opn|Nor|2005-12-05 |getParameter() fails on POST with transfer-encodin|
| 37797|Inf|Maj|2005-12-05 |Configure Tomcat utility truncates classpath to 96|
| 37847|Ass|Enh|2005-12-09 |Allow User To Optionally Specify Catalina Output F|
| 37869|Opn|Nor|2005-12-12 |Cannot obtain client certificate with SSL / client|
| 37918|Inf|Nor|2005-12-15 |EL cannot find valid getter from object when using|
| 37984|New|Nor|2005-12-21 |JNDIRealm.java not able to handle MD5 password    |
| 38046|Ass|Reg|2005-12-27 |apache-tomcat-5.5.14-deployer doesn't work (Illega|
| 38197|Opn|Maj|2006-01-09 |taglib pool bug when tag is used with jsp:attribut|
| 38216|Inf|Enh|2006-01-10 |Extend Jmxproxy to allow call of MBean Operations |
| 38217|Ver|Enh|2006-01-10 |mention that private key password and keystore pas|
| 38268|Inf|Enh|2006-01-13 |User friendly: Need submit button on adding/deleti|
| 38352|Inf|Nor|2006-01-22 |Additional Entries for Default catalina.policy fil|
| 38360|Inf|Enh|2006-01-24 |Domain for session cookies                        |
| 38427|Inf|Nor|2006-01-27 |ServletContextListener Notified Multiple Times Whe|
| 38483|New|Nor|2006-02-01 |access log valve uses simpledateformat in tread-un|
| 38484|New|Min|2006-02-01 |webapps Admin: Invalid path /login was requested  |
| 38516|Inf|Nor|2006-02-05 |Configuration Manager loses "Log On" settings     |
| 38546|Inf|Enh|2006-02-07 |Google bot sends invalid If-Modifed-Since Header, |
| 38553|Inf|Nor|2006-02-07 |Wrong HTTP code for failed CLIENT-CERT authenticat|
| 38570|Inf|Nor|2006-02-08 |if docBase path contains "webapps", a backslash is|
| 38577|Inf|Enh|2006-02-08 |Enhance logging of security failures              |
| 38630|Inf|Maj|2006-02-13 |Environment (java:comp/env/) sometimes not availab|
| 38713|Ass|Nor|2006-02-20 |java.io.IOException: tmpFile.renameTo(classFile) f|
| 38726|
DO NOT REPLY [Bug 46600] New: maxKeepAliveRequests description in wrong section of documentation
https://issues.apache.org/bugzilla/show_bug.cgi?id=46600

Summary: maxKeepAliveRequests description in wrong section of documentation
Product: Tomcat 6
Version: 6.0.18
Platform: PC
OS/Version: Linux
Status: NEW
Severity: trivial
Priority: P2
Component: Documentation
AssignedTo: dev@tomcat.apache.org
ReportedBy: k...@mustardgrain.com

On the page...

http://tomcat.apache.org/tomcat-6.0-doc/config/http.html

...the maxKeepAliveRequests description is only in the "Standard Implementation" section. However, since it's applicable for the NIO implementation, it would appear that it properly belongs in the "Common Attributes" section.
View towards refactoring changes?
Hi all,

There are a number of places in NioEndpoint and JIoEndpoint that share a good portion of common code. The accessors for common properties take up a good chunk, but there's also some boilerplate code for checking if we're paused, running, etc. There are a lot of places where variable and method scope could be cleaned up too.

Obviously I can't commit this code myself, but if I submitted patches for it, would they be looked upon favorably or ignored as noise? :)

Thanks,
Kirk