DO NOT REPLY [Bug 45015] Quoting in attributes
https://issues.apache.org/bugzilla/show_bug.cgi?id=45015 --- Comment #13 from youweiwang 2009-11-12 00:05:07 UTC --- You can add this config option to the file "catalina.properties" which is in the directory of "%tomcat_home%/conf",as follows: org.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPING=false And the problem will be resolved (In reply to comment #3) > A quick note to anyone being bitten by this bug fix: you can easily search > which of your JSPs (*.jsp*) need to be updated with the following regular > expression (take a deep breath): > > <\w+:[^>]+="[^<"]*<%=[^%]*"|<\w+:[^>]+='[^<']*<%=[^%]*' > > Unfortunately, I haven't found a way to automatically fix JSPs, but at least > you (hopefully) won't forget any! -- Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r835322 - in /tomcat/native/trunk/native: include/ssl_private.h src/sslcontext.c src/sslnetwork.c src/sslutils.c
Author: mturk
Date: Thu Nov 12 10:29:34 2009
New Revision: 835322
URL: http://svn.apache.org/viewvc?rev=835322&view=rev
Log:
Port mod_ssl fix for CVE-2009-3555
Modified:
tomcat/native/trunk/native/include/ssl_private.h
tomcat/native/trunk/native/src/sslcontext.c
tomcat/native/trunk/native/src/sslnetwork.c
tomcat/native/trunk/native/src/sslutils.c
Modified: tomcat/native/trunk/native/include/ssl_private.h
URL:
http://svn.apache.org/viewvc/tomcat/native/trunk/native/include/ssl_private.h?rev=835322&r1=835321&r2=835322&view=diff
==
--- tomcat/native/trunk/native/include/ssl_private.h (original)
+++ tomcat/native/trunk/native/include/ssl_private.h Thu Nov 12 10:29:34 2009
@@ -256,12 +256,29 @@
tcn_pass_cb_t *cb_data;
};
+
typedef struct {
apr_pool_t *pool;
tcn_ssl_ctxt_t *ctx;
SSL*ssl;
X509 *peer;
int shutdown_type;
+/* Track the handshake/renegotiation state for the connection so
+ * that all client-initiated renegotiations can be rejected, as a
+ * partial fix for CVE-2009-3555.
+ */
+enum {
+RENEG_INIT = 0, /* Before initial handshake */
+RENEG_REJECT, /* After initial handshake; any client-initiated
+ * renegotiation should be rejected
+ */
+RENEG_ALLOW,/* A server-initated renegotiation is taking
+ * place (as dictated by configuration)
+ */
+RENEG_ABORT /* Renegotiation initiated by client, abort the
+ * connection
+ */
+} reneg_state;
apr_socket_t *sock;
apr_pollset_t *pollset;
} tcn_ssl_conn_t;
@@ -287,6 +304,7 @@
DH *SSL_dh_get_param_from_file(const char *);
RSA*SSL_callback_tmp_RSA(SSL *, int, int);
DH *SSL_callback_tmp_DH(SSL *, int, int);
+voidSSL_callback_handshake(const SSL *, int, int);
voidSSL_vhost_algo_id(const unsigned char *, unsigned char *, int);
int SSL_CTX_use_certificate_chain(SSL_CTX *, const char *, int);
int SSL_callback_SSL_verify(int, X509_STORE_CTX *);
Modified: tomcat/native/trunk/native/src/sslcontext.c
URL:
http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslcontext.c?rev=835322&r1=835321&r2=835322&view=diff
==
--- tomcat/native/trunk/native/src/sslcontext.c (original)
+++ tomcat/native/trunk/native/src/sslcontext.c Thu Nov 12 10:29:34 2009
@@ -162,6 +162,7 @@
/* Set default password callback */
SSL_CTX_set_default_passwd_cb(c->ctx, (pem_password_cb
*)SSL_password_callback);
SSL_CTX_set_default_passwd_cb_userdata(c->ctx, (void
*)(&tcn_password_callback));
+SSL_CTX_set_info_callback(c->ctx, SSL_callback_handshake);
/*
* Let us cleanup the ssl context when the pool is destroyed
*/
Modified: tomcat/native/trunk/native/src/sslnetwork.c
URL:
http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslnetwork.c?rev=835322&r1=835321&r2=835322&view=diff
==
--- tomcat/native/trunk/native/src/sslnetwork.c (original)
+++ tomcat/native/trunk/native/src/sslnetwork.c Thu Nov 12 10:29:34 2009
@@ -575,6 +575,11 @@
* ssl->state = SSL_ST_ACCEPT
* SSL_do_handshake()
*/
+
+/* Toggle the renegotiation state to allow the new
+ * handshake to proceed.
+ */
+con->reneg_state = RENEG_ALLOW;
retVal = SSL_renegotiate(con->ssl);
if (retVal <= 0)
return APR_EGENERAL;
@@ -603,6 +608,7 @@
} else
break;
}
+con->reneg_state = RENEG_REJECT;
if (SSL_get_state(con->ssl) != SSL_ST_OK) {
return APR_EGENERAL;
Modified: tomcat/native/trunk/native/src/sslutils.c
URL:
http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslutils.c?rev=835322&r1=835321&r2=835322&view=diff
==
--- tomcat/native/trunk/native/src/sslutils.c (original)
+++ tomcat/native/trunk/native/src/sslutils.c Thu Nov 12 10:29:34 2009
@@ -672,4 +672,41 @@
return ok;
}
+/*
+ * This callback function is executed while OpenSSL processes the SSL
+ * handshake and does SSL record layer stuff. It's used to trap
+ * client-initiated renegotiations, and for dumping everything to the
+ * log.
+ */
+void SSL_callback_handshake(const SSL *ssl, int where, int rc)
+{
+tcn_ssl_conn_t *con = (tcn_ssl_conn_t *)SSL_get_app_data(ssl);
+
+/* Retrieve the conn_rec and the associated SSLConnRec. */
+if (con == NULL) {
+return;
+}
+
+
+/* If the reneg state is to reject renegotiations, check the SSL
+ * state machine and move to ABORT if a Client Hello is being
+ * read. */
+i
svn commit: r835335 - /tomcat/native/trunk/native/src/sslnetwork.c
Author: mturk
Date: Thu Nov 12 11:17:44 2009
New Revision: 835335
URL: http://svn.apache.org/viewvc?rev=835335&view=rev
Log:
Actually abort the connection in case of RENEG_ABORT.
Modified:
tomcat/native/trunk/native/src/sslnetwork.c
Modified: tomcat/native/trunk/native/src/sslnetwork.c
URL:
http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslnetwork.c?rev=835335&r1=835334&r2=835335&view=diff
==
--- tomcat/native/trunk/native/src/sslnetwork.c (original)
+++ tomcat/native/trunk/native/src/sslnetwork.c Thu Nov 12 11:17:44 2009
@@ -181,6 +181,10 @@
return APR_ENOPOLL;
if (!con->sock)
return APR_ENOTSOCK;
+if (con->reneg_state == RENEG_ABORT) {
+con->shutdown_type = SSL_SHUTDOWN_TYPE_UNCLEAN;
+return APR_ECONNABORTED;
+}
/* Check if the socket was already closed
*/
@@ -384,6 +388,11 @@
int s, i, wr = (int)(*len);
apr_status_t rv = APR_SUCCESS;
+if (con->reneg_state == RENEG_ABORT) {
+*len = 0;
+con->shutdown_type = SSL_SHUTDOWN_TYPE_UNCLEAN;
+return APR_ECONNABORTED;
+}
for (;;) {
if ((s = SSL_read(con->ssl, buf, wr)) <= 0) {
apr_status_t os = apr_get_netos_error();
@@ -440,6 +449,11 @@
int s, i, wr = (int)(*len);
apr_status_t rv = APR_SUCCESS;
+if (con->reneg_state == RENEG_ABORT) {
+*len = 0;
+con->shutdown_type = SSL_SHUTDOWN_TYPE_UNCLEAN;
+return APR_ECONNABORTED;
+}
for (;;) {
if ((s = SSL_write(con->ssl, buf, wr)) <= 0) {
apr_status_t os = apr_get_netos_error();
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r835336 - /tomcat/trunk/dist.xml
Author: kkolinko Date: Thu Nov 12 11:20:43 2009 New Revision: 835336 URL: http://svn.apache.org/viewvc?rev=835336&view=rev Log: Followup to r.817822 and r.833545 You have to specify explicit encoding in a fixcrlf task Modified: tomcat/trunk/dist.xml Modified: tomcat/trunk/dist.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/dist.xml?rev=835336&r1=835335&r2=835336&view=diff == --- tomcat/trunk/dist.xml (original) +++ tomcat/trunk/dist.xml Thu Nov 12 11:20:43 2009 @@ -278,7 +278,7 @@ +includes="RELEASE-NOTES.txt" eol="crlf" encoding="ISO-8859-1" fixlast="false" /> @@ -294,7 +294,7 @@ +includes="RELEASE-NOTES.txt" encoding="ISO-8859-1" fixlast="false" /> - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r835337 - /tomcat/tc6.0.x/trunk/STATUS.txt
Author: kkolinko Date: Thu Nov 12 11:25:02 2009 New Revision: 835337 URL: http://svn.apache.org/viewvc?rev=835337&view=rev Log: votes Modified: tomcat/tc6.0.x/trunk/STATUS.txt Modified: tomcat/tc6.0.x/trunk/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=835337&r1=835336&r2=835337&view=diff == --- tomcat/tc6.0.x/trunk/STATUS.txt (original) +++ tomcat/tc6.0.x/trunk/STATUS.txt Thu Nov 12 11:25:02 2009 @@ -170,7 +170,14 @@ http://svn.apache.org/viewvc?rev=817822&view=rev http://svn.apache.org/viewvc?rev=833545&view=rev (to address rjung's comment) +1: markt, funkman + +1: kkolinko: only if applied together with r.835336 -1: + + Additional patch: + http://svn.apache.org/viewvc?rev=835336&view=rev + +1: kkolinko + -1: + rjung: Our dreaded multi platform build system is a bit fragile w.r.t. fixcrlf. If you change the file to crlf in the installer target, then all unix packages (which are build after installer) @@ -382,7 +389,7 @@ * Make location and filename of catalina.out configurable in catalina.sh http://svn.apache.org/viewvc?rev=835036&view=rev - +1: fhanik, mturk + +1: fhanik, mturk, kkolinko -1: - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r835340 - /tomcat/native/branches/1.1.x/STATUS.txt
Author: mturk Date: Thu Nov 12 11:27:50 2009 New Revision: 835340 URL: http://svn.apache.org/viewvc?rev=835340&view=rev Log: Propose renegotiation fix backport Modified: tomcat/native/branches/1.1.x/STATUS.txt Modified: tomcat/native/branches/1.1.x/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/STATUS.txt?rev=835340&r1=835339&r2=835340&view=diff == --- tomcat/native/branches/1.1.x/STATUS.txt (original) +++ tomcat/native/branches/1.1.x/STATUS.txt Thu Nov 12 11:27:50 2009 @@ -34,3 +34,10 @@ * Add detection of the macosx jvm. Backport from trunk http://svn.eu.apache.org/viewvc?view=rev&revision=803803 + +* Fix CVE-2009-3555 by disabling renegotiation + Backport from trunk + https://svn.apache.org/viewvc?view=revision&revision=835322 + https://svn.apache.org/viewvc?view=revision&revision=835335 + +1: mturk + -1: - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Problem with mod_jk 1.2.28 - Can not render up the page on browser after a long wait
I newly installed the mod_jk 1.2.28 and since then got problem (see below). I have a web application which is deployed on Jboss. One of the function of this web-app is: You can click a button (such as 'Generate Report') on client to submit a request for generating a PDF-report. The generation of PDF-report is done on Jboss. The generation will take very long, from 10 to 40 minutes, depends on what kind of report you want. After the PDF-report is generated, it will be sent back to client (browser) My system atlas looks as follow: Client: IE - browser | | Apache Http-Server (mod_jk 1.2.28) on Linux | | Server: JBoss on Linux (Web-App deployed hier) One can access the web-app directly to Jboss. In this case, no matter how big the PDF-report is and how long the generation will take (lets say for 20 min.), I can get the PDF-report shown on the browser. But as I issue a request via Apache-Http-Server and after the PDF-report is generated on Jboss-side (this take about 10 min.), I can not get the PDF-report shown on the browser, even after 30 min. The worse: I see no error message in mod_jk.log. Later I move the same configuration of worders.properties to another Apache Http-Server with mod_jk - 1.2.26. It works fine. Here is my workers.properties: worker.worker_portfolio_son1.connection_pool_timeout=600 worker.worker_portfolio_son1.socket_keepalive=True worker.worker_portfolio_son1.lbfactor=1 worker.worker_portfolio_son1.type=ajp13 worker.worker_portfolio_son1.port=8009 worker.worker_portfolio_son1.host=appl-myweb.mycom.com worker.worker_portfolio_son1.sticky_session=True Maybe someone can help. -- View this message in context: http://old.nabble.com/Problem-with-mod_jk-1.2.28---Can-not-render-up-the-page-on-browser-after-a-long-wait-tp26315338p26315338.html Sent from the Tomcat - Dev mailing list archive at Nabble.com. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
APR Connector renegotiation fix
Hi, Just made the fix by modifying the mod_ssl patch so that connection gets closed on R. Problem with OpenSSL 0.9.8l that it has renegotiation disabled and that it gets blocked in 'R' thus making it a potential DoS (much worse then actual R) so I'd suggest we don't use it and create immediate release of 1.1.18 with the fix. Please test the trunk or apply the patches to 1.1.x (even better vote with +1 :) Note. Don't use 0.9.8l for testing cause that bugger will block on renegotiation until socket timeout. Regards -- ^TM - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r835349 - /tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
Author: kkolinko Date: Thu Nov 12 11:45:10 2009 New Revision: 835349 URL: http://svn.apache.org/viewvc?rev=835349&view=rev Log: Try to correct Peter's changelog entry of r.834790 Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=835349&r1=835348&r2=835349&view=diff == --- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Thu Nov 12 11:45:10 2009 @@ -372,7 +372,7 @@ -DeltaSession needs endAccess that CrossContext replication work. (pero) +DeltaSession needs endAccess so that CrossContext replication works. (pero) DeltaManager needs to replicate changed attributes even if session - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r835351 - /tomcat/tc5.5.x/trunk/STATUS.txt
Author: kkolinko Date: Thu Nov 12 11:51:56 2009 New Revision: 835351 URL: http://svn.apache.org/viewvc?rev=835351&view=rev Log: vote Modified: tomcat/tc5.5.x/trunk/STATUS.txt Modified: tomcat/tc5.5.x/trunk/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/STATUS.txt?rev=835351&r1=835350&r2=835351&view=diff == --- tomcat/tc5.5.x/trunk/STATUS.txt (original) +++ tomcat/tc5.5.x/trunk/STATUS.txt Thu Nov 12 11:51:56 2009 @@ -77,7 +77,7 @@ simple tags and tags and can't find any regression issues. The TCK also passes. http://svn.apache.org/viewvc?rev=804734&view=rev - +1: markt + +1: markt, kkolinko -1: * Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=44041 - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r835381 - /tomcat/native/branches/1.1.x/native/include/tcn_version.h
Author: mturk Date: Thu Nov 12 13:46:19 2009 New Revision: 835381 URL: http://svn.apache.org/viewvc?rev=835381&view=rev Log: Current SVN version is 1.1.18-dev Modified: tomcat/native/branches/1.1.x/native/include/tcn_version.h Modified: tomcat/native/branches/1.1.x/native/include/tcn_version.h URL: http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/native/include/tcn_version.h?rev=835381&r1=835380&r2=835381&view=diff == --- tomcat/native/branches/1.1.x/native/include/tcn_version.h (original) +++ tomcat/native/branches/1.1.x/native/include/tcn_version.h Thu Nov 12 13:46:19 2009 @@ -69,7 +69,7 @@ #define TCN_MINOR_VERSION 1 /** patch level */ -#define TCN_PATCH_VERSION 17 +#define TCN_PATCH_VERSION 18 /** * This symbol is defined for internal, "development" copies of TCN. This - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: APR Connector renegotiation fix
On 12/11/09 12:34, Mladen Turk wrote: I'd suggest we don't use it and create immediate release of 1.1.18 with the fix. BTW, released 1.1.17 reports as 1.1.17-dev ;) RM forgot to update the version before tagging So yet another reason for 1.1.18 Regards -- ^TM - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r835404 - /tomcat/tc6.0.x/trunk/STATUS.txt
Author: kkolinko Date: Thu Nov 12 15:01:56 2009 New Revision: 835404 URL: http://svn.apache.org/viewvc?rev=835404&view=rev Log: vote and proposal Modified: tomcat/tc6.0.x/trunk/STATUS.txt Modified: tomcat/tc6.0.x/trunk/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=835404&r1=835403&r2=835404&view=diff == --- tomcat/tc6.0.x/trunk/STATUS.txt (original) +++ tomcat/tc6.0.x/trunk/STATUS.txt Thu Nov 12 15:01:56 2009 @@ -154,6 +154,23 @@ integration http://people.apache.org/~markt/patches/2009-11-06-log-config-per-instance.patch +1: markt, funkman + +1: kkolinko (good, though I propose a slightly corrected version of it below) + -1: + + kkolinko: + I updated the above Mark's patch with the following changes + (in catalina.bat/sh): +- Added an explicit check that CATALINA_BASE != CATALINA_HOME. + Otherwise the [ -r "$CATALINA_BASE/bin/tomcat-juli.jar" ] check will succeed + when those are equal. +- Moved the code that adds ";" or ":" to non-empty CLASSPATH. That is to avoid + the gap between this preparationary step and the one that actually adds jars + to the CLASSPATH. + Warning: I have not tried to run the patched catalina.sh yet. I hope it works. + http://people.apache.org/~kkolinko/patches/2009-11-12_log-config-per-instance.patch + +1: kkolinko + -1: + * Make FileHandler.java extensible http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/juli/FileHandler.java?r1=666232&r2=709018&pathrev=793882&view=patch - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r835411 - /tomcat/tc6.0.x/trunk/STATUS.txt
Author: kkolinko Date: Thu Nov 12 15:13:30 2009 New Revision: 835411 URL: http://svn.apache.org/viewvc?rev=835411&view=rev Log: vote Modified: tomcat/tc6.0.x/trunk/STATUS.txt Modified: tomcat/tc6.0.x/trunk/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=835411&r1=835410&r2=835411&view=diff == --- tomcat/tc6.0.x/trunk/STATUS.txt (original) +++ tomcat/tc6.0.x/trunk/STATUS.txt Thu Nov 12 15:13:30 2009 @@ -146,7 +146,7 @@ Threading issue in classloading. Adds a sync so please check performance Updated to use Filip's suggestion http://people.apache.org/~markt/patches/2009-11-05-bug44041.patch - +1: markt, fhanik + +1: markt, fhanik, kkolinko -1: * Allow per instance configuration of JULI or log4j for core Tomcat logging - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: APR Connector renegotiation fix
On 12/11/09 17:25, Filip Hanik - Dev Lists wrote: Note. Don't use 0.9.8l for testing cause that bugger will block on renegotiation until socket timeout. This is actually not so bad. Since it's so easy to achieve the same DoS by simply sending a partial POST body, or partial GET request, and you have the same exposure to socket timeout. Right, but this is different thing cause you don't have any control over it because it's executed below layer 7 (sort of). Given the blocking nature of the servlet specification, DoS is always there, and it's very easy to simulate. Timeouts is the only protection. Well even OpenSSL folks admitted that 0.9.8l wrongly approached dealing to that issue. They even removed the SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION flag from the 0.9.8 branch and now they use SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION using different tricks. So IMHO 0.9.8l is simply dead end and shouldn't be used. Regards -- ^TM - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: APR Connector renegotiation fix
On 11/12/2009 04:34 AM, Mladen Turk wrote: Hi, Just made the fix by modifying the mod_ssl patch so that connection gets closed on R. Problem with OpenSSL 0.9.8l that it has renegotiation disabled and that it gets blocked in 'R' thus making it a potential DoS (much worse then actual R) so I'd suggest we don't use it and create immediate release of 1.1.18 with the fix. Please test the trunk or apply the patches to 1.1.x (even better vote with +1 :) Note. Don't use 0.9.8l for testing cause that bugger will block on renegotiation until socket timeout. This is actually not so bad. Since it's so easy to achieve the same DoS by simply sending a partial POST body, or partial GET request, and you have the same exposure to socket timeout. Given the blocking nature of the servlet specification, DoS is always there, and it's very easy to simulate. Timeouts is the only protection. filip Regards - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
DO NOT REPLY [Bug 48158] warn that "per directory client certificate authentication" is harmful
https://issues.apache.org/bugzilla/show_bug.cgi?id=48158 --- Comment #4 from Ralf Hauser 2009-11-12 08:59:24 UTC --- see also http://marc.info/?t=12576133601&r=1&w=2 -- Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Tomcat Wiki] Update of "PoweredBy" by ShadiSaba
Dear Wiki user,
You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change
notification.
The "PoweredBy" page has been changed by ShadiSaba.
http://wiki.apache.org/tomcat/PoweredBy?action=diff&rev1=207&rev2=208
--
{{http://www.tehospedo.com.br/img/identidade/marca_tehospedo_hor.gif}}
[[http://www.tehospedo.com.br|hospedagem de sites]] Hospedagem de sites -
TeHospedo.
+ = TheStocksProfit =
+
[[http://www.thestocksprofit.com|{{http://www.thestocksprofit.com/wp-content/themes/talian-10/images/thestockslogo_purple1.jpg}}]]
uses Tomcat for own back bone.
+
+
= TravPro =
{{http://www.thasa.co.za/images/logo_travprobroker.jpg}}
Thasa Technologies', [[http://www.thasa.co.za/products.htm|TravPro]], a web
booking client for tour operators runs on Tomcat.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[Tomcat Wiki] Update of "PoweredBy" by ShadiSaba
Dear Wiki user,
You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change
notification.
The "PoweredBy" page has been changed by ShadiSaba.
http://wiki.apache.org/tomcat/PoweredBy?action=diff&rev1=208&rev2=209
--
[[http://www.tehospedo.com.br|hospedagem de sites]] Hospedagem de sites -
TeHospedo.
= TheStocksProfit =
-
[[http://www.thestocksprofit.com|{{http://www.thestocksprofit.com/wp-content/themes/talian-10/images/thestockslogo_purple1.jpg}}]]
uses Tomcat for own back bone.
+
{{http://www.thestocksprofit.com/wp-content/themes/talian-10/images/thestockslogo_purple1.jpg}}
+ [[http://www.thestocksprofit.com|The Stocks Profit]] uses Tomcat for own back
bone production system.
= TravPro =
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r835460 - in /tomcat/trunk: ./ java/org/apache/catalina/ java/org/apache/catalina/authenticator/ java/org/apache/catalina/connector/ java/org/apache/catalina/core/ java/org/apache/catalina
Author: markt Date: Thu Nov 12 17:29:00 2009 New Revision: 835460 URL: http://svn.apache.org/viewvc?rev=835460&view=rev Log: Servlet 3 implementation. - Add support for relative fragment ordering and some test cases - Re-order fragment and annotation processing to match spec - Implement login/logout - Provide a method to retrieve the Authenticator in use by a Context - Add methods to Authenticator interface to facilitate the new login/login methods - Enable Authenticator.register() to be used for logout as well as login Added: tomcat/trunk/test/org/apache/catalina/startup/TestWebXml.java - copied, changed from r834808, tomcat/trunk/test/org/apache/catalina/startup/TestContextConfig.java Removed: tomcat/trunk/test/org/apache/catalina/startup/TestContextConfig.java Modified: tomcat/trunk/TOMCAT-7-RELEASE-PLAN.txt tomcat/trunk/java/org/apache/catalina/Authenticator.java tomcat/trunk/java/org/apache/catalina/Context.java tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java tomcat/trunk/java/org/apache/catalina/connector/LocalStrings.properties tomcat/trunk/java/org/apache/catalina/connector/Request.java tomcat/trunk/java/org/apache/catalina/connector/RequestFacade.java tomcat/trunk/java/org/apache/catalina/core/StandardContext.java tomcat/trunk/java/org/apache/catalina/startup/ContextConfig.java tomcat/trunk/java/org/apache/catalina/startup/LocalStrings.properties tomcat/trunk/java/org/apache/catalina/startup/WebRuleSet.java tomcat/trunk/java/org/apache/catalina/startup/WebXml.java tomcat/trunk/test/org/apache/catalina/connector/TestKeepAliveCount.java tomcat/trunk/test/org/apache/catalina/connector/TestRequest.java tomcat/trunk/test/org/apache/catalina/startup/TestTomcat.java Modified: tomcat/trunk/TOMCAT-7-RELEASE-PLAN.txt URL: http://svn.apache.org/viewvc/tomcat/trunk/TOMCAT-7-RELEASE-PLAN.txt?rev=835460&r1=835459&r2=835460&view=diff == --- tomcat/trunk/TOMCAT-7-RELEASE-PLAN.txt (original) +++ tomcat/trunk/TOMCAT-7-RELEASE-PLAN.txt Thu Nov 12 17:29:00 2009 @@ -15,13 +15,11 @@ limitations under the License. -$Id: $ - = An outline plan for the first stable Tomcat 7 release = -1. Update trunk with new API from Servlet Spec 3.0 PR +1. Update trunk with new API from Servlet Spec 3.0 Final Draft 2009-11-05 - Done 2. Provide NOOP implementations with TODO SRV3 markers so it will build @@ -36,33 +34,29 @@ 2.3.3.3, 2.3.3.4 - In progress 2.3.4 - Compliant - Sections 3 to 6 - not checked - - Section 7 - in progress - 7.1, 7.2, 7.3, 7.4, 7.5, 7.6 - Compliant - 7.7.1 - Compliant - 7.7.2 - When is IAE thrown? - 7.7.3 - Compliant + - Section 7 - Compliant - Section 8 - in progress 8.1 - not checked - 8.2 - in progress, plan as follows - - modify digester to parse to new classes - - configure Context & Jasper from new classes - - fragment scanning / parsing - - fragment ordering - - web(-fragment).xml merging code - - annotation scanning + 8.2 - in progress, 'just' annotation scanning left 8.3 - not checked - - Sections 9 onwards - not checked + 8.4 - not checked + - Sections 9 to 12 - not checked + - Section 13 - In progess + 13.1 to 13.3 - Compliant + 13.4 - In progress + 13.5 to 13.10 - Compliant + Section 14 to 15 - not checked - Java EE spec requirements - not checked + - JSR 196 - Recommended - Not yet implemented. Copy from Geronimo? 4. Do an alpha release (from trunk) - Create tc7.0.x\tags to hold release tags - - Create Bugzilla project - Add to web site - Update Wiki version status page 5. Fix issues as they get reported -6. Update for next public draft(s) of the spec if any. +6. Update for final release of the spec 7. Aim for first stable TC7 release with final release of Servlet 3 spec - Create tc7.0.x\trunk from trunk at first stable release Modified: tomcat/trunk/java/org/apache/catalina/Authenticator.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/Authenticator.java?rev=835460&r1=835459&r2=835460&view=diff == --- tomcat/trunk/java/org/apache/catalina/Authenticator.java (original) +++ tomcat/trunk/java/org/apache/catalina/Authenticator.java Thu Nov 12 17:29:00 2009 @@ -18,18 +18,55 @@ package org.apache.catalina; +import java.io.IOException; +import java.security.Principal; + +import org.apache.catalina.connector.Request; +import org.apache.catalina.connector.Response; +import org.apache.catalina.deploy.LoginCo
DO NOT REPLY [Bug 48158] warn that "per directory client certificate authentication" is harmful
https://issues.apache.org/bugzilla/show_bug.cgi?id=48158
--- Comment #5 from Ralf Hauser 2009-11-12 09:52:53 UTC ---
(In reply to comment #3)
> > Couldn't you make this an optional server.xml attribute
> See the "clientAuth" connector attribute for options already available for
> limiting server side re-negotiation.
Hmm, the word "re-negotiation" doesn't really appear in
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html#Edit%20the%20Tomcat%20Configuration%20File
for the attribute nor does one know whether it is a mandatory or optional
attribute (same for "truststoreFile" - is there a "*" wildcard option to accept
any issuer?).
> > > We can't do anything to prevent client initiated renegotiation.
> > Sure, but closing 2 out of 3 attack vectors is at least something, isn't it?
> In this case, I don't think it is. However, the options are already in place
> if you wish to use them.
looking at
org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(boolean
force), I see
if(jsseCerts.length <= 0 && force) {
session.invalidate();
handShake();
session = ssl.getSession();
}
isn't that the renegotiation we want to avoid?
Shouldn't this now be commented out for the time being?
(One scenario being that an MITM attacker in the handshake eliminates the
optional "CertificateRequest*" as per section "7.3. Handshake Protocol overview
" http://www.ietf.org/rfc/rfc2246.txt
With that the client might first do a non-client-cert SSL session and the
server might soon notice and trigger a TLS-re-handshake [just speculating...])
At least the javax.net.ssl.SSLSocket.startHandshake() executed inside the above
"handShake()" doesn't dissipate my suspicions that there may be a problem:
/**
* Starts an SSL handshake on this connection.
*/
public void startHandshake() throws IOException {
checkWrite();
try {
if (getConnectionState() == cs_HANDSHAKE) {
// do initial handshake
performInitialHandshake();
} else {
// start renegotiation
kickstartHandshake();
}
} catch (Exception e) {
// shutdown and rethrow (wrapped) exception as appropriate
handleException(e);
}
}
but maybe http://marc.info/?l=tomcat-dev&m=125796482429041&w=2 got there too...
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
DO NOT REPLY [Bug 48097] NoClassDefFoundError on first access of first jsp
https://issues.apache.org/bugzilla/show_bug.cgi?id=48097 Konstantin Kolinko changed: What|Removed |Added Status|RESOLVED|REOPENED Resolution|FIXED | --- Comment #13 from Konstantin Kolinko 2009-11-12 11:13:01 UTC --- Reopening. The WebappClassLoader$PrivilegedFindResourceByName class (added in rev.834814) has to be preloaded in o.a.c.security.SecurityClassLoad#loadLoaderPackage(). That can be demonstrated by the following: 1. Deploy the sample ROOT application, as described in comment #6 2. Copy default conf/web.xml to webapps/ROOT/WEB-INF/ 3. Remove all content from the default conf/web.xml and leave just the root XML tag and its attributes. 4. Start catalina.bat start -security 5. Access http://localhost:8080/ 6. Observe the exception Usually the first calls to WebappClassLoader#findResourceInternal() are to load JspServlet and DefaultServlet. In this configuration those are avoided. This is already fixed in trunk. I will propose a backport soon. -- Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r835516 - in /tomcat/trunk/java/org/apache/catalina: connector/Request.java core/ApplicationContext.java core/AsyncListenerWrapper.java
Author: markt
Date: Thu Nov 12 19:53:49 2009
New Revision: 835516
URL: http://svn.apache.org/viewvc?rev=835516&view=rev
Log:
Make TODO comments consistent to make them easier to find
Modified:
tomcat/trunk/java/org/apache/catalina/connector/Request.java
tomcat/trunk/java/org/apache/catalina/core/ApplicationContext.java
tomcat/trunk/java/org/apache/catalina/core/AsyncListenerWrapper.java
Modified: tomcat/trunk/java/org/apache/catalina/connector/Request.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/connector/Request.java?rev=835516&r1=835515&r2=835516&view=diff
==
--- tomcat/trunk/java/org/apache/catalina/connector/Request.java (original)
+++ tomcat/trunk/java/org/apache/catalina/connector/Request.java Thu Nov 12
19:53:49 2009
@@ -2322,7 +2322,7 @@
sm.getString("coyoteRequest.authenticate.ise"));
}
-// TODO SERVLET 3
+// TODO SERVLET3
return false;
}
@@ -2376,12 +2376,12 @@
}
public Collection getParts() {
-// TODO Servlet 3 - file upload
+// TODO SERVLET3 - file upload
return null;
}
public Part getPart(String name) throws IllegalArgumentException {
-// TODO Servlet 3.0 - file upload
+// TODO SERVLET3 - file upload
return null;
}
Modified: tomcat/trunk/java/org/apache/catalina/core/ApplicationContext.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/ApplicationContext.java?rev=835516&r1=835515&r2=835516&view=diff
==
--- tomcat/trunk/java/org/apache/catalina/core/ApplicationContext.java
(original)
+++ tomcat/trunk/java/org/apache/catalina/core/ApplicationContext.java Thu Nov
12 19:53:49 2009
@@ -829,7 +829,7 @@
return null;
}
-// TODO Servlet 3
+// TODO SERVLET3
return null;
}
@@ -848,7 +848,7 @@
return null;
}
-// TODO Servlet 3
+// TODO SERVLET3
return null;
}
@@ -867,20 +867,20 @@
return null;
}
-// TODO Servlet 3
+// TODO SERVLET3
return null;
}
public T createFilter(Class c)
throws ServletException {
-// TODO Servlet 3
+// TODO SERVLET3
return null;
}
public FilterRegistration getFilterRegistration(String filterName) {
-// TODO Servlet 3.0
+// TODO SERVLET3
return null;
}
@@ -898,7 +898,7 @@
return null;
}
-// TODO Servlet 3
+// TODO SERVLET3
return null;
}
@@ -917,7 +917,7 @@
return null;
}
-// TODO Servlet 3
+// TODO SERVLET3
return null;
}
@@ -937,20 +937,20 @@
return null;
}
-// TODO Servlet 3
+// TODO SERVLET3
return null;
}
public T createServlet(Class c)
throws ServletException {
-// TODO Servlet 3
+// TODO SERVLET3
return null;
}
public ServletRegistration getServletRegistration(String servletName) {
-// TODO Servlet 3.0
+// TODO SERVLET3
return null;
}
@@ -1046,81 +1046,81 @@
@Override
public boolean setInitParameter(String name, String value) {
-// TODO Servlet 3
+// TODO SERVLET3
return false;
}
@Override
public void addListener(Class listenerClass) {
-// TODO Servlet 3
+// TODO SERVLET3
}
@Override
public void addListener(String className) {
-// TODO Servlet 3
+// TODO SERVLET3
}
@Override
public void addListener(T t) {
-// TODO Servlet 3
+// TODO SERVLET3
}
@Override
public T createListener(Class c)
throws ServletException {
-// TODO Servlet 3
+// TODO SERVLET3
return null;
}
@Override
public void declareRoles(String... roleNames) {
-// TODO Servlet 3
+// TODO SERVLET3
}
@Override
public ClassLoader getClassLoader() {
-// TODO Servlet 3
+// TODO SERVLET3
return null;
}
@Override
public int getEffectiveMajorVersion() {
-// TODO Servlet 3
+// TODO SERVLET3
return 0;
}
@Override
public int getEffectiveMinorVersion() {
-// TODO Servlet 3
+// TODO SERVLET3
return 0;
}
@Override
public Map getFilterRegistrations() {
-// TODO Servlet 3
+// TODO SERVLET3
return null;
}
@Override
public JspConfigDescriptor getJspConfigDescriptor() {
-// TODO Servlet 3
+// TODO S
Re: APR Connector renegotiation fix
On 12.11.2009 17:39, Mladen Turk wrote: > Well even OpenSSL folks admitted that 0.9.8l wrongly approached > dealing to that issue. They even removed the > SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION flag from the 0.9.8 branch > and now they use SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION using > different tricks. > > So IMHO 0.9.8l is simply dead end and shouldn't be used. +1, recent discussion on openssl list points pretty well in this direction. 0.9.8 head has the block on renegotiation problem fixed. Regards, Rainer - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: Problem with mod_jk 1.2.28 - Can not render up the page on browser after a long wait
Thomas, please do not cross-post. The discussion is pretty well going on on your post on the users list. See the latest answers you got on your posted test case and logs, which show that for this specific test your request to JBoss didn't return a PDF document, but instead an html snippet. Please switch back to that discussion thread. Thanks and Regards, Rainer On 12.11.2009 12:28, thomas2004 wrote: > > I newly installed the mod_jk 1.2.28 and since then got problem (see below). > > I have a web application which is deployed on Jboss. One of the function of > this web-app is: You can click a button (such as 'Generate Report') on > client to submit a request for generating a PDF-report. The generation of > PDF-report is done on Jboss. The generation will take very long, from 10 to > 40 minutes, depends on what kind of report you want. After the PDF-report is > generated, it will be sent back to client (browser) > > My system atlas looks as follow: > > Client: IE - browser > | > | > Apache Http-Server (mod_jk 1.2.28) on Linux > | > | > Server: JBoss on Linux (Web-App deployed hier) > > > One can access the web-app directly to Jboss. In this case, no matter how > big the PDF-report is and how long the generation will take (lets say for 20 > min.), I can get the PDF-report shown on the browser. > > But as I issue a request via Apache-Http-Server and after the PDF-report is > generated on Jboss-side (this take about 10 min.), I can not get the > PDF-report shown on the browser, even after 30 min. The worse: I see no > error message in mod_jk.log. > > Later I move the same configuration of worders.properties to another Apache > Http-Server with mod_jk - 1.2.26. It works fine. > > Here is my workers.properties: > > worker.worker_portfolio_son1.connection_pool_timeout=600 > worker.worker_portfolio_son1.socket_keepalive=True > worker.worker_portfolio_son1.lbfactor=1 > worker.worker_portfolio_son1.type=ajp13 > worker.worker_portfolio_son1.port=8009 > worker.worker_portfolio_son1.host=appl-myweb.mycom.com > worker.worker_portfolio_son1.sticky_session=True > > > Maybe someone can help. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: Cookie issues
Remy Maucherat wrote: > On Wed, 2009-11-11 at 16:45 -0500, Mark Thomas wrote: >> I really do loath cookies right now. I've pulled the proposed patches for >> 5.5.x >> and 6.0.x until I (or someone else) can take a look at this. > > I do too. v0 cookies is 15 years old stuff that Netscape hacked out of > thin air without thinking at all, and seemingly nobody wants to upgrade > since then :( > > The examples in the v1 spec (even the first one) are nice (everything is > always quoted, it's easy and it avoids problems ...), but the problems > occur if you try to enforce it (because the security folks ask for it) > and have to keep v0 support at the same time. Getting back to your original concerns, what were these based on? You mentioned session cookies breaking because / gets treated as a separator. / only gets treated as a separator if you set org.apache.catalina.STRICT_SERVLET_COMPLIANCE=true (the default is false) or you set org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR=true (again the default is false) My intention with this set of cookie patches was to: - keep the current behaviour by default - make STRICT_SERVLET_COMPLIANCE stricter (knowing this option on it's own may break many browsers) - provide additional options that let you disable those aspects of STRICT_SERVLET_COMPLIANCE that cause compatibility issues - add additional options (like allowing = in cookie values) that allow even less compliant usage The only place where the current behaviour should change is that single quote is no longer treated as a separator. I don't see that creating any issues. I have spotted a few issues in the patch where current behaviour does change. I'll get those fixed and re-propose the patches. Mark - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: APR Connector renegotiation fix
On 12/11/09 21:17, Rainer Jung wrote: On 12.11.2009 17:39, Mladen Turk wrote: Well even OpenSSL folks admitted that 0.9.8l wrongly approached dealing to that issue. They even removed the SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION flag from the 0.9.8 branch and now they use SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION using different tricks. So IMHO 0.9.8l is simply dead end and shouldn't be used. +1, recent discussion on openssl list points pretty well in this direction. 0.9.8 head has the block on renegotiation problem fixed. Agreed, however we cannot just depend 0.9.8something will fix the issue. Majority OS vendors simply won't implement this feature, and think we should just use the proposed patch. Same will probably be the case with JVM. Regards -- ^TM - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: Cookie issues
Mark Thomas wrote: > Remy Maucherat wrote: >> On Wed, 2009-11-11 at 16:45 -0500, Mark Thomas wrote: >>> I really do loath cookies right now. I've pulled the proposed patches for >>> 5.5.x >>> and 6.0.x until I (or someone else) can take a look at this. >> I do too. v0 cookies is 15 years old stuff that Netscape hacked out of >> thin air without thinking at all, and seemingly nobody wants to upgrade >> since then :( >> >> The examples in the v1 spec (even the first one) are nice (everything is >> always quoted, it's easy and it avoids problems ...), but the problems >> occur if you try to enforce it (because the security folks ask for it) >> and have to keep v0 support at the same time. > > Getting back to your original concerns, what were these based on? I've done some more digging and I think I have found what was causing this. I'll have a fix for trunk shortly and (after some testing) I'll re-propose. Mark > > You mentioned session cookies breaking because / gets treated as a separator. > / > only gets treated as a separator if you set > org.apache.catalina.STRICT_SERVLET_COMPLIANCE=true (the default is false) or > you > set org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR=true > (again > the default is false) > > My intention with this set of cookie patches was to: > - keep the current behaviour by default > - make STRICT_SERVLET_COMPLIANCE stricter (knowing this option on it's own may > break many browsers) > - provide additional options that let you disable those aspects of > STRICT_SERVLET_COMPLIANCE that cause compatibility issues > - add additional options (like allowing = in cookie values) that allow even > less > compliant usage > > The only place where the current behaviour should change is that single quote > is > no longer treated as a separator. I don't see that creating any issues. > > I have spotted a few issues in the patch where current behaviour does change. > I'll get those fixed and re-propose the patches. > > Mark > > > - > To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org > For additional commands, e-mail: dev-h...@tomcat.apache.org > - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: APR Connector renegotiation fix
On 12.11.2009 21:31, Mladen Turk wrote: > On 12/11/09 21:17, Rainer Jung wrote: >> On 12.11.2009 17:39, Mladen Turk wrote: >>> Well even OpenSSL folks admitted that 0.9.8l wrongly approached >>> dealing to that issue. They even removed the >>> SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION flag from the 0.9.8 branch >>> and now they use SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION using >>> different tricks. >>> >>> So IMHO 0.9.8l is simply dead end and shouldn't be used. >> >> +1, recent discussion on openssl list points pretty well in this >> direction. 0.9.8 head has the block on renegotiation problem fixed. >> > > Agreed, however we cannot just depend 0.9.8something will > fix the issue. Majority OS vendors simply won't implement > this feature, and think we should just use the proposed patch. > Same will probably be the case with JVM. I didn't want to argue against the patch. That's a good thing! I'm going to test over the WE. Just wanted to shed a little additional light on the recent OpenSSL development. Great that you ported the fix. Regards, Rainer - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r835552 - /tomcat/trunk/java/org/apache/tomcat/util/http/ServerCookie.java
Author: markt
Date: Thu Nov 12 21:19:09 2009
New Revision: 835552
URL: http://svn.apache.org/viewvc?rev=835552&view=rev
Log: (empty)
Modified:
tomcat/trunk/java/org/apache/tomcat/util/http/ServerCookie.java
Modified: tomcat/trunk/java/org/apache/tomcat/util/http/ServerCookie.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/http/ServerCookie.java?rev=835552&r1=835551&r2=835552&view=diff
==
--- tomcat/trunk/java/org/apache/tomcat/util/http/ServerCookie.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/http/ServerCookie.java Thu Nov 12
21:19:09 2009
@@ -115,6 +115,12 @@
FWD_SLASH_IS_SEPARATOR =
Boolean.valueOf(fwdSlashIsSeparator).booleanValue();
}
+
+if (FWD_SLASH_IS_SEPARATOR) {
+tspecials2 = "()<>@,;:\\\"/[]?={} \t";
+} else {
+tspecials2 = "()<>@,;:\\\"[]?={} \t";
+}
}
// Note: Servlet Spec =< 2.5 only refers to Netscape and RFC2109,
@@ -194,8 +200,7 @@
}
private static final String tspecials = ",; ";
-private static final String tspecials2 = "()<>@,;:\\\"/[]?={} \t";
-private static final String tspecials2NoSlash = "()<>@,;:\\\"[]?={} \t";
+private static final String tspecials2;
/*
* Tests a string and returns true if the string counts as a
@@ -243,13 +248,13 @@
}
public static boolean isToken2(String value, String literals) {
-String tspecials2 = (literals==null?ServerCookie.tspecials2:literals);
+String tokens = (literals==null?ServerCookie.tspecials2:literals);
if( value==null) return true;
int len = value.length();
for (int i = 0; i < len; i++) {
char c = value.charAt(i);
-if (tspecials2.indexOf(c) != -1)
+if (tokens.indexOf(c) != -1)
return false;
}
return true;
@@ -303,7 +308,7 @@
buf.append("=");
// Servlet implementation does not check anything else
-version = maybeQuote2(version, buf, value,true);
+version = maybeQuote2(version, buf, value, true);
// Spec team clarified setting comment on a v0 cookie switches it to v1
if (version == 0 && comment != null) {
@@ -354,17 +359,7 @@
// Path=path
if (path!=null) {
buf.append ("; Path=");
-if (version==0) {
-maybeQuote2(version, buf, path);
-} else {
-if (FWD_SLASH_IS_SEPARATOR) {
-maybeQuote2(version, buf, path, ServerCookie.tspecials,
-false);
-} else {
-maybeQuote2(version, buf, path,
-ServerCookie.tspecials2NoSlash, false);
-}
-}
+maybeQuote2(version, buf, path);
}
// Secure
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
svn propchange: r835552 - svn:log
Author: markt Revision: 835552 Modified property: svn:log Modified: svn:log at Thu Nov 12 21:22:42 2009 -- --- svn:log (original) +++ svn:log Thu Nov 12 21:22:42 2009 @@ -0,0 +1,2 @@ +Make handling of / as a separator consistent with the rest of the cookie code. +This actually relaxes treatment of / in cookie generation. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r835567 - /tomcat/trunk/java/org/apache/catalina/startup/ContextConfig.java
Author: markt
Date: Thu Nov 12 21:36:49 2009
New Revision: 835567
URL: http://svn.apache.org/viewvc?rev=835567&view=rev
Log:
Fix NPEs on startup with relative ordering and provide somewhere to store
results of annotation scanning when that is implemented
Modified:
tomcat/trunk/java/org/apache/catalina/startup/ContextConfig.java
Modified: tomcat/trunk/java/org/apache/catalina/startup/ContextConfig.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/startup/ContextConfig.java?rev=835567&r1=835566&r2=835567&view=diff
==
--- tomcat/trunk/java/org/apache/catalina/startup/ContextConfig.java (original)
+++ tomcat/trunk/java/org/apache/catalina/startup/ContextConfig.java Thu Nov 12
21:36:49 2009
@@ -1472,7 +1472,7 @@
JarFile jarFile = null;
InputStream stream = null;
-WebXml fragment = null;
+WebXml fragment = new WebXml();
try {
urlConn.setUseCaches(false);
@@ -1485,7 +1485,6 @@
urlConn.getJarFileURL().toString() +
File.separatorChar + FRAGMENT_LOCATION);
source.setByteStream(stream);
-fragment = new WebXml();
parseWebXml(source, fragment, true);
}
} finally {
@@ -1503,15 +1502,11 @@
// ignore
}
}
-if (fragment == null) {
-fragments.put(urlConn.getURL().toString(), fragment);
-} else {
-fragment.setURL(urlConn.getURL());
-if (fragment.getName() == null) {
-fragment.setName(fragment.getURL().toString());
-}
-fragments.put(fragment.getName(), fragment);
+fragment.setURL(urlConn.getURL());
+if (fragment.getName() == null) {
+fragment.setName(fragment.getURL().toString());
}
+fragments.put(fragment.getName(), fragment);
}
}
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
svn propchange: r833535 - svn:log
Author: kkolinko Revision: 833535 Modified property: svn:log Modified: svn:log at Thu Nov 12 22:57:16 2009 -- --- svn:log (original) +++ svn:log Thu Nov 12 22:57:16 2009 @@ -0,0 +1 @@ +Implement Remote IP Valve - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r835625 - in /tomcat/tc6.0.x/trunk/test/org/apache/catalina/valves: ./ RemoteIpValveTest.java
Author: kkolinko
Date: Thu Nov 12 22:59:52 2009
New Revision: 835625
URL: http://svn.apache.org/viewvc?rev=835625&view=rev
Log:
Remove svn:mergeinfo added in rev.833536
Modified:
tomcat/tc6.0.x/trunk/test/org/apache/catalina/valves/ (props changed)
tomcat/tc6.0.x/trunk/test/org/apache/catalina/valves/RemoteIpValveTest.java
(props changed)
Propchange: tomcat/tc6.0.x/trunk/test/org/apache/catalina/valves/
('svn:mergeinfo' removed)
Propchange:
tomcat/tc6.0.x/trunk/test/org/apache/catalina/valves/RemoteIpValveTest.java
('svn:mergeinfo' removed)
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: Cookie issues
On Thu, 2009-11-12 at 16:03 -0500, Mark Thomas wrote: > I've done some more digging and I think I have found what was causing this. > I'll > have a fix for trunk shortly and (after some testing) I'll re-propose. No, what I meant is that, if you want to go the strict route and use '/' as a separator as well, the behavior is bad. If you create a session cookie, it will be v0 and will have a path like: $Path=/somepath in it. The path value cannot be parsed back (enable debug logging to see it). Rémy - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
resource init upon TC start, not when context lookup
i would like to load a singleton type resource WHEN TOMCAT STARTS. currently, the way i do it, the resource is initialized when it is first looked up from the context by a client. i understand that i can make a bastardized servlet, which does nothing related to http and is in web.xml and it loads that resource but that does not seem like an elegant solution. the reason i wanna do this is because this init process can take some time and i don't want the 1st unlucky user whose thread requests it to wait. so, what i have in context.xml is: in web.xml: Object factory for MyBean instances. rsrc-generic com.selma.resource.Generic com.selma.resource.Generic is constructed only when first looked up from the context. i want it done when the server starts. can it be done ? thanks -- View this message in context: http://old.nabble.com/resource-init-upon-TC-start%2C-not-when-context-lookup-tp26328510p26328510.html Sent from the Tomcat - Dev mailing list archive at Nabble.com. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: resource init upon TC start, not when context lookup
Try asking this on the Tomcat Users List. p On 12/11/2009 23:40, foampile wrote: i would like to load a singleton type resource WHEN TOMCAT STARTS. currently, the way i do it, the resource is initialized when it is first looked up from the context by a client. i understand that i can make a bastardized servlet, which does nothing related to http and is in web.xml and it loads that resource but that does not seem like an elegant solution. the reason i wanna do this is because this init process can take some time and i don't want the 1st unlucky user whose thread requests it to wait. so, what i have in context.xml is: in web.xml: Object factory for MyBean instances. rsrc-generic com.selma.resource.Generic com.selma.resource.Generic is constructed only when first looked up from the context. i want it done when the server starts. can it be done ? thanks - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r835657 - /tomcat/tc6.0.x/trunk/STATUS.txt
Author: kkolinko Date: Fri Nov 13 00:19:07 2009 New Revision: 835657 URL: http://svn.apache.org/viewvc?rev=835657&view=rev Log: proposal Modified: tomcat/tc6.0.x/trunk/STATUS.txt Modified: tomcat/tc6.0.x/trunk/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=835657&r1=835656&r2=835657&view=diff == --- tomcat/tc6.0.x/trunk/STATUS.txt (original) +++ tomcat/tc6.0.x/trunk/STATUS.txt Fri Nov 13 00:19:07 2009 @@ -409,4 +409,13 @@ +1: fhanik, mturk, kkolinko -1: - +* Additional fix for https://issues.apache.org/bugzilla/show_bug.cgi?id=48097 + 1) Code cleanup: Remove use of WebappClassLoader$PrivilegedFindResource, + because all findResourceInternal(String,String) calls are now already + wrapped with AccessController.doPrivileged, so additional wrapping is not + needed. + 2) Add preloading of WebappClassLoader$PrivilegedFindResourceByName, + to fix https://issues.apache.org/bugzilla/show_bug.cgi?id=48097#c13 + http://people.apache.org/~kkolinko/patches/2009-11-12_PrivilegedFindResource_tc6.patch + +1: kkolinko + -1: - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r835681 - /tomcat/tc6.0.x/trunk/STATUS.txt
Author: kkolinko Date: Fri Nov 13 00:50:08 2009 New Revision: 835681 URL: http://svn.apache.org/viewvc?rev=835681&view=rev Log: Propose two additional backports for JULI FileHandler series of patches Modified: tomcat/tc6.0.x/trunk/STATUS.txt Modified: tomcat/tc6.0.x/trunk/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=835681&r1=835680&r2=835681&view=diff == --- tomcat/tc6.0.x/trunk/STATUS.txt (original) +++ tomcat/tc6.0.x/trunk/STATUS.txt Fri Nov 13 00:50:08 2009 @@ -172,6 +172,12 @@ -1: +* Prevent NPE in JULI FileHandler during shutdown where the logger has been + shutdown and delayed resources still trying to log + http://svn.apache.org/viewvc?rev=666232&view=rev + +1: kkolinko + -1: + * Make FileHandler.java extensible http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/juli/FileHandler.java?r1=666232&r2=709018&pathrev=793882&view=patch +1: fhanik, jim, markt, kkolinko @@ -183,6 +189,15 @@ +1: fhanik, jim, markt, kkolinko -1: +* Allow to disable buffering in JULI FileHandler + This allows to configure immediate publishing of log + records, like it was before rev.814876. + It depends on the above FileHandler patches. + http://svn.apache.org/viewvc?rev=816252&view=rev + +1: kkolinko + -1: + + * Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=47267 http://svn.apache.org/viewvc?rev=817822&view=rev http://svn.apache.org/viewvc?rev=833545&view=rev (to address rjung's comment) - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Tomcat Wiki] Update of "PoweredBy" by YoavShapira
Dear Wiki user,
You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change
notification.
The "PoweredBy" page has been changed by YoavShapira.
http://wiki.apache.org/tomcat/PoweredBy?action=diff&rev1=209&rev2=210
--
{{http://dev.mainsoft.com/Portals/0/powered_by_gh.gif}}
[[http://dev.mainsoft.com/default.aspx?tabid=27&forumid=13&postid=100&view=topic|The
Grasshopper Developer Zone]] web site is an ASP.NET application running on
Tomcat using [[http://dev.mainsoft.com/Default.aspx?tabid=130|Grasshopper]]
that ports [[http://www.mono-project.com|Mono]] open source .NET framework to
Tomcat.
-
= Gridsphere =
{{http://www.gridsphere.org/gridsphere/html/gridsphere_logo.png}}
[[http://www.gridsphere.org/gridsphere/gridsphere?cid=projects|Gridsphere]]
is an open grid computing environment.
@@ -274, +273 @@
= HomeHost =
{{http://www.homehost.com.br/images/logo_peq_homehost.gif}}
[[http://www.homehost.com.br/|HomeHost - Hospedagem de Sites]] provides
webhosting with support to JSP/Servlets by using Tomcat.
+
+ = HubSpot =
+ {{http://www.hubspot.com/Portals/53/images/website_logo.gif}}
+ [[http://dev.hubspot.com/|HubSpot]] is an inbound marketing system to help
your small or medium sized business get found on the Internet by the right
prospects and convert more of them into leads and customers for maximum
marketing ROI.
= IMS Neptune =
{{http://www.ims.net/design/ims-logo.gif}}
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
DO NOT REPLY [Bug 45015] Quoting in attributes
https://issues.apache.org/bugzilla/show_bug.cgi?id=45015 youweiwang changed: What|Removed |Added Version|5.5.23 |5.5.27 -- Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
DO NOT REPLY [Bug 45015] Quoting in attributes
https://issues.apache.org/bugzilla/show_bug.cgi?id=45015 youweiwang changed: What|Removed |Added Version|5.5.27 |5.5.28 -- Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
