DO NOT REPLY [Bug 44679] Cookies are treated differently between 6.0.16 and 6.0.14
https://issues.apache.org/bugzilla/show_bug.cgi?id=44679

--- Comment #34 from Peter Pichler 2009-01-28 05:29:45 PST ---
I asked the JSR315(Servlet 3.0)-team for a clarification in the next servlet spec...

>>> Peter Pichler 28.01.09 14.14 Uhr -> jsr-315-comme...@jcp.org >>>

Hello!

I want to inform you about ambiguousness in the current Servlet-Spec, which was not corrected in the published draft java-doc for Servlet 3.0. My mail is motivated by a discussion with the tomcat developers (https://issues.apache.org/bugzilla/show_bug.cgi?id=44679#c29).

!!! Maybe you find some time to post your point of view to this bug_report, which apache currently denies acceptance. Unofficially tomcat still has the status of a “reference implementation” of the Servlet spec… so I think it makes sense to help them improve their quality!!!

Cookie-API and Cookie0 Spec / Discussion about changes made in tomcat 6.0.16-6.0.18:

Currently there is a great discussion in the tomcat-bugzilla... (https://issues.apache.org/bugzilla/show_bug.cgi?id=44679#c29)
There are different points of view, but most parties agree that the problems are provoked by inconsistencies in the Servlet-Spec.

Problematic part of the servlet-spec:

> public Cookie(java.lang.String name, java.lang.String value)
> Constructs a cookie with a specified name and value.
> The name must conform to RFC 2109. That means it can contain only ASCII
> alphanumeric characters and cannot contain commas, semicolons, or white
> space or begin with a $ character. The cookie's name cannot be changed
> after creation.
> The value can be anything the server chooses to send. Its value is probably
> of interest only to the server.
> The cookie's value can be changed after creation with the setValue method.
>
> public void setValue(java.lang.String newValue)
> Assigns a new value to a cookie after the cookie is created.
> With Version 0 cookies, values should not contain white space, brackets,
> parentheses, equals signs, commas, double quotes, slashes, question marks,
> at signs, colons, and semicolons. Empty values may not behave the same way
> on all browsers.

Constructor: The sentence in the constructor "The value can be anything the server chooses to send" is definitely too much...

setValue: The BASE64 charset contains the slash and the equal mark... So the spec recommends base64 for binary information in the first sentence... and says it is not recommended in the second sentence...

Proposal:

(REM You will have to translate following text from Austrian-English to real English... )

Constructor:
Replace the text:
"The value can be anything the server chooses to send. Its value is probably of interest only to the server.”
by
"The allowed character set for cookie values depends on the cookie version used. (see setValue(...) for details)"

Use following text to explain Cookie.setValue(...) for Version 0:
"Following characters may not be used for a cookie0 value:
* RFC2616-CTL characters (ASCII 0-31 and 127; forbidden characters for extension HTTP headers)
* Semi-colon, comma and white space (explicitly forbidden by the cookie0 draft)
If you use a binary value, you may want to use BASE64 encoding."

Two further proposals for the next versions of the servlet-spec

Cookie1:

Fact: Cookie1-RFC (Released: 1997) has been invalidated by Cookie2 (released 2000). So the comment for Cookie.setVersion(...) is obsolete too and should be changed.
Replace
“Since RFC 2109 is still somewhat new, consider version 1 as experimental; do not use it yet on production sites."
by
"RFC 2109 (Cookie-1) has been obsoleted by RFC 2965 (Cookie-2); do not use it on production sites".

Cookie2:

From my point of view the cookie2-Spec looks suitable. Of course browser support is weak until now, but that can change quickly. The servlet spec should definitely support RFC2965 cookies.

Cookies and HttpOnly

Microsoft defined this cookie feature outside any RFC. (See http://msdn.microsoft.com/en-us/library/ms533046.aspx). It is a useful additional security feature for cookies also supported by Mozilla and Opera. Currently it is not possible to create HttpOnly Cookies using the servlet API.
The HttpOnly feature complicates the usage of malicious Client-Side-Cross-Site-Scripting within HTML application. Security Reviews of applications may claim to use this feature… and it is more work to argue against it, than to implement the cookie handling…

Yours sincerely
Peter Pichler

--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
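The two character rules discussed in the comment above (the quoted setValue javadoc list and the proposed Version 0 rule), compared on a BASE64-encoded value. This is an added JavaScript example, not part of the original mail or of the Servlet API; the function names are hypothetical and "brackets" is assumed to mean [ and ].

```javascript
// Added illustration; names below are hypothetical, not part of the Servlet API.

// Characters the quoted setValue() javadoc says Version 0 values should not
// contain ("brackets" is taken here to mean [ and ], an assumption).
const JAVADOC_DISCOURAGED = new Set(
  [' ', '\t', '[', ']', '(', ')', '=', ',', '"', '/', '?', '@', ':', ';']);

// Distinct characters of the value that appear on the javadoc list.
function discouragedByJavadoc(value) {
  return [...new Set([...value].filter((ch) => JAVADOC_DISCOURAGED.has(ch)))];
}

// Rule proposed in the mail: forbid only RFC 2616 CTLs (ASCII 0-31 and 127),
// semicolon, comma and white space.
function forbiddenByProposal(value) {
  const hits = [];
  for (const ch of value) {
    const code = ch.codePointAt(0);
    if (code <= 31 || code === 127 || ch === ';' || ch === ',' || ch === ' ') {
      hits.push(ch);
    }
  }
  return hits;
}

// Evaluate one value under both rules.
function checkCookie0Value(value) {
  return {
    value,
    javadoc: discouragedByJavadoc(value),
    proposal: forbiddenByProposal(value),
  };
}

// Constructed sample: four binary bytes, BASE64-encoded as the mail suggests.
const base64Sample = Buffer.from([0xfb, 0xff, 0xfe, 0x01]).toString('base64');

console.log(checkCookie0Value(base64Sample));    // slash and equals sign flagged by the javadoc list only
console.log(checkCookie0Value('a b;c'));         // space and semicolon flagged by both
console.log(checkCookie0Value('line1\r\nline2')); // CR and LF are CTLs, flagged by the proposal
```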
DO NOT REPLY [Bug 44679] Cookies are treated differently between 6.0.16 and 6.0.14
https://issues.apache.org/bugzilla/show_bug.cgi?id=44679

--- Comment #35 from Remy Maucherat 2009-01-28 06:34:35 PST ---
No matter what happens, the behavior of cookie processing will not change again in the 5.5 and 6.0 branches, I would veto that. Feel free to pursue that little crusade of yours for future releases.

BTW: Tomcat is not the reference implementation of anything.
DO NOT REPLY [Bug 46562] Reader not closed
https://issues.apache.org/bugzilla/show_bug.cgi?id=46562

--- Comment #5 from Flavio Crispim 2009-01-28 06:52:56 PST ---
Created an attachment (id=23187)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=23187)
Test application

Test application, needs a SSI enabled TC.
DO NOT REPLY [Bug 46562] Reader not closed
https://issues.apache.org/bugzilla/show_bug.cgi?id=46562

--- Comment #6 from Flavio Crispim 2009-01-28 06:54:29 PST ---
Created an attachment (id=23188)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=23188)
Process Monitor logs.
DO NOT REPLY [Bug 46562] Reader not closed
https://issues.apache.org/bugzilla/show_bug.cgi?id=46562

--- Comment #7 from Flavio Crispim 2009-01-28 07:06:14 PST ---
Hi

I don't have permission to install Dreamweaver and I was unable to reproduce this issue.

I've attached Process Monitor logs (http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx) and seems ok to me (here in my environment)

Environment
XP.sp3
SUN 1.6.0_11
TC 5.5.27

Let me know if you can reproduce with the Test-app (attached).

Flavio
DO NOT REPLY [Bug 46621] New: Does not handle unicode characters in the Get request
https://issues.apache.org/bugzilla/show_bug.cgi?id=46621

Summary: Does not handle unicode characters in the Get request
Product: Tomcat 6
Version: 6.0.18
Platform: PC
URL: http://localhost:8080/examples/test.jsp?classIEligible=false&name=ZZz%u2122aaa%20bbb&notoken=yes
OS/Version: Windows XP
Status: NEW
Severity: normal
Priority: P2
Component: Servlet & JSP API
AssignedTo: dev@tomcat.apache.org
ReportedBy: aizmay...@advisorsoftware.com

I have the following URL:
http://localhost:8080/examples/test.jsp?classIEligible=false&name=ZZz%u2122aaa%20bbb&notoken=yes

As you can see it contains escaped version of trademark character u2122 - that is what javascript does by escaping TM character.

Jan 28, 2009 3:51:29 PM org.apache.tomcat.util.http.Parameters processParameters
WARNING: Parameters: Character decoding failed. Parameter skipped.
java.io.CharConversionException: isHexDigit

and the parameter name is not part of HTTPRequest

just in case I was testing against following JSP:

<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<%
request.setCharacterEncoding("UTF-8");
response.setHeader("Pragma", "No-cache");
response.setHeader("Cache-Control", "no-cache");
response.setContentType("text/plain");
%>
Parameters
KeyValue
<% for(Object key:request.getParameterMap().keySet()){ %><%=key %><%=request.getParameter(key.toString()) %>
<% } %>
DO NOT REPLY [Bug 38726] GlobalRequestProcessor attributes are always 0
https://issues.apache.org/bugzilla/show_bug.cgi?id=38726

Kirk True changed:

           What    |Removed                     |Added
             Status|REOPENED                    |RESOLVED
         Resolution|                            |WORKSFORME

--- Comment #9 from Kirk True 2009-01-28 21:57:49 PST ---
Please reopen if you still see this and include the secret sauce I'm missing.

Thanks.
Question about Bugzilla etiquette
Hi guys,

If I want to work on a bug that's in Bugzilla, should I assign it to myself or keep it assigned to the dev@tomcat.apache.org user?

Thanks,
Kirk
Re: Question about Bugzilla etiquette
2009/1/29 Kirk True :
> Hi guys,
>
> If I want to work on a bug that's in Bugzilla, should I assign it to myself
> or keep it assigned to the dev@tomcat.apache.org user?
>

If you change the assignee, the bug change notifications will stop coming to the dev@ list.

For example, your comment #2 at
https://issues.apache.org/bugzilla/show_bug.cgi?id=39013
was not sent to the list:
http://marc.info/?t=12287871656&r=1&w=2

Thus it would be better not to do that.

Best regards,
Konstantin Kolinko
DO NOT REPLY [Bug 46621] Does not handle unicode characters in the Get request
https://issues.apache.org/bugzilla/show_bug.cgi?id=46621

Tim Whittington changed:

           What    |Removed                     |Added
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

--- Comment #1 from Tim Whittington 2009-01-28 23:13:44 PST ---
The URL is not encoded correctly.
Have a read of http://en.wikipedia.org/wiki/Percent-encoding (specifically the section on application/x-www-form-urlencoded) for how it should be done.

Any further questions about how to encode URLs should be directed to the users group.
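Why the decoder rejects the URL from this report, as an added JavaScript example (not Tomcat code and not from either poster; function names are hypothetical): a strict percent-decoder requires two hex digits after every %, which the legacy escape() form %u2122 does not satisfy, while encodeURIComponent() emits the UTF-8 bytes.

```javascript
// Added illustration, not Tomcat code; function names are hypothetical.

// Report every '%' that is not followed by two hex digits. A strict
// percent-decoder rejects a component containing any of these.
function findMalformedEscapes(component) {
  const bad = [];
  for (let i = 0; i < component.length; i++) {
    if (component[i] !== '%') continue;
    if (/^[0-9A-Fa-f]{2}$/.test(component.slice(i + 1, i + 3))) {
      i += 2; // well-formed %XX, skip its two digits
    } else {
      bad.push({ index: i, text: component.slice(i, i + 6) });
    }
  }
  return bad;
}

// Decode a single query component, or return null when it is malformed.
function strictDecode(component) {
  if (findMalformedEscapes(component).length > 0) return null;
  try {
    return decodeURIComponent(component);
  } catch (e) {
    return null; // well-formed %XX escapes that are not valid UTF-8
  }
}

// Parameter value from the report: "ZZz", U+2122 (trademark sign), "aaa bbb".
const nameValue = 'ZZz\u2122aaa bbb';

// Legacy escape() produces the non-standard %uXXXX form seen in the URL.
const legacyForm = escape(nameValue);
// encodeURIComponent() percent-encodes the UTF-8 bytes E2 84 A2 instead.
const standardForm = encodeURIComponent(nameValue);

console.log(legacyForm, findMalformedEscapes(legacyForm), strictDecode(legacyForm));
console.log(standardForm, findMalformedEscapes(standardForm), strictDecode(standardForm));
```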
Re: DO NOT REPLY [Bug 46416] New: Include order in jk_global.h breaks mod_jk build on Windows + Visual Studio 2005
Any chance of anyone fixing this?
I'd submit a patch myself, but it's trivial, and some more tidying than a quick fix might be in order.

cheers
tim

From:
Reply-To: Tomcat Developers List
Date: Thu, 18 Dec 2008 14:04:22 -0800 (PST)
To:
Subject: DO NOT REPLY [Bug 46416] New: Include order in jk_global.h breaks mod_jk build on Windows + Visual Studio 2005

https://issues.apache.org/bugzilla/show_bug.cgi?id=46416

Summary: Include order in jk_global.h breaks mod_jk build on Windows + Visual Studio 2005
Product: Tomcat Connectors
Version: 1.2.27
Platform: PC
OS/Version: Windows XP
Status: NEW
Severity: blocker
Priority: P1
Component: mod_jk
AssignedTo: dev@tomcat.apache.org
ReportedBy: tim.whitting...@orionhealth.com

Building against the 1.2.27 tag, I've come across an issue with the order of includes in jk_global.h that breaks the build using Visual Studio 2005.

Some recent changes to keepalive code started using the tcp_keepalive struct in , which is only included in jk_global.h if _WINDOWS_ is not already defined - i.e. if has not already been included.

Unfortunately is included by APR (at least in the Apache 2.0 build I have), and the APR headers are included before the #ifndef _WINDOWS_ block.

Switching the APR includes to below the #ifdef WIN32 block fixes the build.

It appears there's some fragility in the includes - it seems a bit odd that mod_jk is sensitive to being the first to import - but I didn't look hard enough at all the other defines/includes in there to say it could be separated out entirely.
(On a side note, is included in jk_mt.h, which may not be necessary).
[Fwd: [ANN-pmcs] Registration for ApacheCon Europe 2009 is now open!]
ApacheCon EU 2009 registration is now open!
23-27 March -- Mövenpick Hotel, Amsterdam, Netherlands
http://www.eu.apachecon.com/

Registration for ApacheCon Europe 2009 is now open - act before early bird prices expire 6 February. Remember to book a room at the Mövenpick and use the Registration Code: Special package attendees for the conference registration, and get 150 Euros off your full conference registration.

Lower Costs - Thanks to new VAT tax laws, our prices this year are 19% lower than last year in Europe! We've also negotiated a Mövenpick rate of a maximum of 155 Euros per night for attendees in our room block.

Quick Links:

http://xrl.us/aceu09sp See the schedule
http://xrl.us/aceu09hp Get your hotel room
http://xrl.us/aceu09rp Register for the conference

Other important notes:

- Geeks for Geeks is a new mini-track where we can feature advanced technical content from project committers. And our Hackathon on Monday and Tuesday is open to all attendees - be sure to check it off in your registration.

- The Call for Papers for ApacheCon US 2009, held 2-6 November 2009 in Oakland, CA, is open through 28 February, so get your submissions in now. This ApacheCon will feature special events with some of the ASF's original founders in celebration of the 10th anniversary of The Apache Software Foundation.
http://www.us.apachecon.com/c/acus2009/

- Interested in sponsoring the ApacheCon conferences? There are plenty of sponsor packages available - please contact Delia Frees at de...@apachecon.com for further information.

ApacheCon EU 2008: A week of Open Source at its best!

Hackathon - open to all! | Geeks for Geeks | Lunchtime Sessions
In-Depth Trainings | Multi-Track Sessions | BOFs | Business Panel
Lightning Talks | Receptions | Fast Feather Track | Expo... and more!

- Shane Curcuru, on behalf of Noirin Shirley, Conference Lead, and the whole ApacheCon Europe 2009 Team
http://www.eu.apachecon.com/ 23-27 March -- Amsterdam, Netherlands