DO NOT REPLY [Bug 49716] New: HttpOnly flag can't be turned off for JSESSIONID
https://issues.apache.org/bugzilla/show_bug.cgi?id=49716

Summary: HttpOnly flag can't be turned off for JSESSIONID
Product: Tomcat 7
Version: unspecified
Platform: PC
Status: NEW
Severity: normal
Priority: P2
Component: Servlet & JSP API
AssignedTo: dev@tomcat.apache.org
ReportedBy: franky...@gmail.com

Using a simple JSP that contains only text, I verified that the HTTPOnly flag is always set for the JSESSIONID when using either of the following configurations: true false

Specifying false should create a JSESSIONID without the HttpOnly flag.

--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are the assignee for the bug.

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
DO NOT REPLY [Bug 49716] HttpOnly flag can't be turned off for JSESSIONID
https://issues.apache.org/bugzilla/show_bug.cgi?id=49716

Mark Thomas changed:

What       |Removed |Added
-----------+--------+---------
Status     |NEW     |RESOLVED
Resolution |        |INVALID
OS/Version |        |All

--- Comment #1 from Mark Thomas 2010-08-06 03:34:57 EDT ---
The useHttpOnly attribute on the which defaults to true deliberately takes precedence so a) administrators can override application settings and b) session cookies are secure by default even if the application tries to make them less secure.
svn commit: r982924 - /tomcat/tc5.5.x/trunk/container/webapps/docs/setup.xml
Author: markt Date: Fri Aug 6 10:18:28 2010 New Revision: 982924 URL: http://svn.apache.org/viewvc?rev=982924&view=rev Log: No need for autoconf Modified: tomcat/tc5.5.x/trunk/container/webapps/docs/setup.xml Modified: tomcat/tc5.5.x/trunk/container/webapps/docs/setup.xml URL: http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/webapps/docs/setup.xml?rev=982924&r1=982923&r2=982924&view=diff == --- tomcat/tc5.5.x/trunk/container/webapps/docs/setup.xml (original) +++ tomcat/tc5.5.x/trunk/container/webapps/docs/setup.xml Fri Aug 6 10:18:28 2010 @@ -113,7 +113,6 @@ cd $CATALINA_HOME/bin tar xvfz commons-deamon-native.tar.gz cd commons-daemon-1.0.x-native-src/unix -autoconf ./configure make cp jsvc ../..
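Review bot: with `autoconf` dropped, `./configure` becomes the first build command after `cd commons-daemon-1.0.x-native-src/unix`, so the documented steps now depend on the unpacked source already containing a generated configure script. The log message only says "No need for autoconf"; one sentence in setup.xml or in the log stating that the archive ships `configure` would make that assumption explicit.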
svn commit: r982925 - /tomcat/tc6.0.x/trunk/webapps/docs/setup.xml
Author: markt Date: Fri Aug 6 10:19:01 2010 New Revision: 982925 URL: http://svn.apache.org/viewvc?rev=982925&view=rev Log: No need for autoconf Modified: tomcat/tc6.0.x/trunk/webapps/docs/setup.xml Modified: tomcat/tc6.0.x/trunk/webapps/docs/setup.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/setup.xml?rev=982925&r1=982924&r2=982925&view=diff == --- tomcat/tc6.0.x/trunk/webapps/docs/setup.xml (original) +++ tomcat/tc6.0.x/trunk/webapps/docs/setup.xml Fri Aug 6 10:19:01 2010 @@ -109,7 +109,6 @@ cd $CATALINA_HOME/bin tar xvfz commons-deamon-native.tar.gz cd commons-daemon-1.0.x-native-src/unix -autoconf ./configure make cp jsvc ../..
svn commit: r982926 - /tomcat/trunk/webapps/docs/setup.xml
Author: markt Date: Fri Aug 6 10:19:37 2010 New Revision: 982926 URL: http://svn.apache.org/viewvc?rev=982926&view=rev Log: No need for autoconf Modified: tomcat/trunk/webapps/docs/setup.xml Modified: tomcat/trunk/webapps/docs/setup.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/setup.xml?rev=982926&r1=982925&r2=982926&view=diff == --- tomcat/trunk/webapps/docs/setup.xml (original) +++ tomcat/trunk/webapps/docs/setup.xml Fri Aug 6 10:19:37 2010 @@ -109,7 +109,6 @@ cd $CATALINA_HOME/bin tar xvfz commons-deamon-native.tar.gz cd commons-daemon-1.0.x-native-src/unix -autoconf ./configure make cp jsvc ../..
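Review bot: the unchanged context line `tar xvfz commons-deamon-native.tar.gz` spells the archive "deamon" while the next line enters `commons-daemon-1.0.x-native-src/unix`. Since this hunk already touches the block, check the archive name against the file actually present in `$CATALINA_HOME/bin` and correct the spelling here if it is a typo.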
DO NOT REPLY [Bug 49718] New: Fix for bug 46984 breaks HTTP 0.9 requests
https://issues.apache.org/bugzilla/show_bug.cgi?id=49718

Summary: Fix for bug 46984 breaks HTTP 0.9 requests
Product: Tomcat 5
Version: 5.5.29
Platform: Sun
OS/Version: Solaris
Status: NEW
Severity: normal
Priority: P2
Component: Connector:HTTP
AssignedTo: dev@tomcat.apache.org
ReportedBy: ni...@ieee.org

Summary:
* issue found in 5.5.29 and still exists in 5.5.30.
* support for HTTP simple requests is broken as of tomcat 5.5.28.
* root cause: fix added to incorrect block in request line parser.

Details:

We've recently upgraded our product to use Apache Tomcat 5.5.29 from Apache Tomcat 5.5.25. While testing, it was determined that some of our older clients who sent the following HTTP 0.9 request, described as "Simple Requests" in RFC 1945:

GET /login/servlet/myservlet?ReplyType=ACTION&User=blah&Password=blahblah

Would receive the following response:

HTTP/1.1 400 Bad Request
Server: Apache-Coyote/1.1
Transfer-Encoding: chunked
Date: Thu, 29 Jul 2010 19:26:06 GMT
Connection: close

For the same request using Tomcat 5.5.25, we'd get the correct "Simple-Response" as required by RFC 1945.
After turning debugging on, I determined that tomcat was throwing the following exception:

2010-07-29 15:49:22,068 [http-8080-Processor24] DEBUG org.apache.coyote.http11.Http11Processor - Error parsing HTTP request header
java.lang.IllegalArgumentException: Invalid character (CR or LF) found in method name
    at org.apache.coyote.http11.InternalInputBuffer.parseRequestLine(InternalInputBuffer.java:474)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
    at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
    at java.lang.Thread.run(Thread.java:595)

Which doesn't make any sense. After some testing, I found that if an extra space character was added after the URI, I would once again get the correct "Simple-Response" back from tomcat. Based on the error message, I assumed it was likely the following bug fix in tomcat 5.5.28 that likely introduced the issue:

46984: Reject requests with invalid HTTP methods with a 400 rather than a 501.
Looking through the source, I found that this is the code block that is throwing the exception:

$ diff ./apache-tomcat-5.5.27-src/connectors/http11/src/java/org/apache/coyote/http11/InternalInputBuffer.java ./apache-tomcat-5.5.28-src/connectors/http11/src/java/org/apache/coyote/http11/InternalInputBuffer.java 471a472,476 > // Spec says no CR or LF in method name > if (buf[pos] == Constants.CR || buf[pos] == Constants.LF) { > throw new IllegalArgumentException( > sm.getString("iib.invalidmethod")); > } 763c768 < throw new IOException --- > throw new IllegalArgumentException $

And digging through the code repository, this is the subversion revision in which this issue was introduced:

svn diff -c 781763 http://svn.apache.org/repos/asf/tomcat/

Although I've only briefly perused this code, it seems that the likely error is that this code block was added to the "Reading the URI" code block as opposed to the "Reading the method name" code block, as intended.
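The behaviour described in this report (simple request rejected, same request with a trailing space accepted) can be reproduced with a simplified request-line parser. This is an added example, not Tomcat's InternalInputBuffer code and not part of the report; the class, its methods and the `checkInUriBlock` switch are hypothetical, and the request lines are constructed.

```java
import java.nio.charset.StandardCharsets;

// Simplified model of a request-line parser (hypothetical; not Tomcat source).
public class RequestLineCheck {
    static final byte CR = '\r', LF = '\n', SP = ' ';
    static final String MSG = "Invalid character (CR or LF) found in method name";
    // Returns "method|uri|protocol"; protocol is empty for an HTTP/0.9 simple request.
    static String parse(byte[] buf, boolean checkInUriBlock) {
        int pos = 0;
        // Reading the method name: ends at the first space.
        while (pos < buf.length && buf[pos] != SP) {
            if (!checkInUriBlock && (buf[pos] == CR || buf[pos] == LF))
                throw new IllegalArgumentException(MSG); // check in the method block
            pos++;
        }
        if (pos == buf.length) throw new IllegalArgumentException("Truncated request line");
        String method = str(buf, 0, pos);
        int start = ++pos;
        // Reading the URI: ends at a space, or at end of line for a simple request.
        boolean eol = false;
        while (pos < buf.length && buf[pos] != SP && !eol) {
            if (buf[pos] == CR || buf[pos] == LF) {
                if (checkInUriBlock) throw new IllegalArgumentException(MSG); // check in the URI block
                eol = true;
            } else {
                pos++;
            }
        }
        String uri = str(buf, start, pos);
        // Reading the protocol: runs to end of line; absent for a simple request.
        start = Math.min(pos + 1, buf.length);
        for (pos = start; !eol && pos < buf.length && buf[pos] != CR && buf[pos] != LF; pos++) { }
        return method + "|" + uri + "|" + (eol ? "" : str(buf, start, pos));
    }
    static String str(byte[] b, int from, int to) {
        return new String(b, from, to - from, StandardCharsets.ISO_8859_1);
    }
    static String attempt(String line, boolean checkInUriBlock) {
        try { return parse(line.getBytes(StandardCharsets.ISO_8859_1), checkInUriBlock).replace("\r", "\\r"); }
        catch (IllegalArgumentException e) { return "400 (" + e.getMessage() + ")"; }
    }
    public static void main(String[] args) {
        // Constructed request lines: simple request, same with trailing space, CR inside the method.
        String[] lines = { "GET /app?User=blah\r\n", "GET /app?User=blah \r\n", "GE\rT / HTTP/1.1\r\n" };
        for (String l : lines)
            for (boolean inUri : new boolean[] { false, true })
                System.out.println((inUri ? "URI block:    " : "method block: ") + attempt(l, inUri));
    }
}
```

With the check in the URI block, the simple request is rejected and the CR inside the method name passes through; with the check in the method block, the simple request parses with an empty protocol and the malformed method is rejected.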
DO NOT REPLY [Bug 48817] Skip validation query and use JDBC API for validation
https://issues.apache.org/bugzilla/show_bug.cgi?id=48817

--- Comment #13 from Matt Passell 2010-08-06 15:17:58 EDT ---
Created an attachment (id=25858)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=25858)
Add description for validatorClassName attribute to doc

Great! I've attached a patch for the jdbc-pool.xml file, adding a description of the new validatorClassName attribute. I had more trouble creating the patch than usual, so here's the text inline, just in case the patch is broken:

(String) The name of a class which implements the org.apache.tomcat.jdbc.pool.Validator interface and provides a no-arg constructor (may be implicit). If specified, the class will be used to create a Validator instance which is then used instead of any validation query to validate connections. The default value is null. An example value is com.mycompany.project.SimpleValidator.
DO NOT REPLY [Bug 49721] New: Fail to access the resources such as jsp files from a jar file which is supported by servlet 3.0
https://issues.apache.org/bugzilla/show_bug.cgi?id=49721

Summary: Fail to access the resources such as jsp files from a jar file which is supported by servlet 3.0
Product: Tomcat 7
Version: trunk
Platform: PC
OS/Version: Windows XP
Status: NEW
Severity: normal
Priority: P2
Component: Servlet & JSP API
AssignedTo: dev@tomcat.apache.org
ReportedBy: rafaa.w...@gmail.com

I put a jsp file in a jar file and tested whether tomcat 7 supports it by viewing it from the browser, and it failed.