Re: [taglibs] Time to release 1.2.0?
On 23/01/2011 20:41, Jeremy Boynes wrote:
> The only bug remaining that impacts the JSTL libraries is #46052 (locale
> performance on 1.6). Henri suggested releasing in its current form which
> sounds reasonable. Should we release this as 1.2.0? Is this a good version
> number - should we use something like 1.2.0-beta?
>
> This will be the first release in a long time and the first since the switch
> to a Maven based build. The process is described here
> http://www.apache.org/dev/publishing-maven-artifacts.html
>
> I think we need to release the parent POM first to get it in the central
> repo, and then the artifacts that depend on it.
>
> I'd volunteer to RM this but:
> 1) I'm not a PMC member (which I don't think matters if we get enough votes
> from PMC members)
> 2) I'd need to update my PGP key in the WoT (somehow)
> 3) I've not done the above process before so will likely mess things up.
>
> If we're ready to do this I'd suggest going for it this week.
> Thoughts?

+1

Ping. What happened to this?

Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1085303 - /tomcat/trunk/java/org/apache/catalina/startup/ContextConfig.java
Author: markt Date: Fri Mar 25 09:55:29 2011 New Revision: 1085303 URL: http://svn.apache.org/viewvc?rev=1085303&view=rev Log: Fix string comparison - reported by Veracode Modified: tomcat/trunk/java/org/apache/catalina/startup/ContextConfig.java Modified: tomcat/trunk/java/org/apache/catalina/startup/ContextConfig.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/startup/ContextConfig.java?rev=1085303&r1=1085302&r2=1085303&view=diff == --- tomcat/trunk/java/org/apache/catalina/startup/ContextConfig.java (original) +++ tomcat/trunk/java/org/apache/catalina/startup/ContextConfig.java Fri Mar 25 09:55:29 2011 @@ -609,7 +609,7 @@ public class ContextConfig // Add as watched resource so that cascade reload occurs if a default // config file is modified/added/removed -if (contextXml.getProtocol() == "file") { +if ("file".equals(contextXml.getProtocol())) { context.addWatchedResource( (new File(contextXml.toURI())).getAbsolutePath()); } - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
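Review bot: The `if` condition in the ContextConfig.java hunk is the right fix, and it is more than cosmetic: `contextXml.getProtocol() == "file"` compared object identity, so it was only true when the URL's protocol happened to be the interned literal; for any other `String` instance the branch was silently skipped, `context.addWatchedResource(...)` was never called, and edits to a default config file did not trigger the cascade reload promised by the comment two lines above. `"file".equals(...)` is also null-safe where `getProtocol().equals("file")` would not be. Since the effect is user-visible (reloads that previously never fired now will), the commit should carry a changelog.xml entry; the Modified list shows only ContextConfig.java.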
svn commit: r1085304 - /tomcat/taglibs/taglibs-parent/trunk/
Author: markt Date: Fri Mar 25 10:11:06 2011 New Revision: 1085304 URL: http://svn.apache.org/viewvc?rev=1085304&view=rev Log: Update ignores Modified: tomcat/taglibs/taglibs-parent/trunk/ (props changed) Propchange: tomcat/taglibs/taglibs-parent/trunk/ -- --- svn:ignore (original) +++ svn:ignore Fri Mar 25 10:11:06 2011 @@ -1 +1,2 @@ *.iml +target - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1085323 - in /tomcat/trunk/java/org/apache/catalina/mbeans: GroupMBean.java MBeanUtils.java MemoryUserDatabaseMBean.java RoleMBean.java UserMBean.java
Author: markt Date: Fri Mar 25 11:20:50 2011 New Revision: 1085323 URL: http://svn.apache.org/viewvc?rev=1085323&view=rev Log: Remove call to System.exit() reported by Veracode and related code clean-up Modified: tomcat/trunk/java/org/apache/catalina/mbeans/GroupMBean.java tomcat/trunk/java/org/apache/catalina/mbeans/MBeanUtils.java tomcat/trunk/java/org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java tomcat/trunk/java/org/apache/catalina/mbeans/RoleMBean.java tomcat/trunk/java/org/apache/catalina/mbeans/UserMBean.java Modified: tomcat/trunk/java/org/apache/catalina/mbeans/GroupMBean.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/mbeans/GroupMBean.java?rev=1085323&r1=1085322&r2=1085323&view=diff == --- tomcat/trunk/java/org/apache/catalina/mbeans/GroupMBean.java (original) +++ tomcat/trunk/java/org/apache/catalina/mbeans/GroupMBean.java Fri Mar 25 11:20:50 2011 @@ -22,7 +22,6 @@ import java.util.ArrayList; import java.util.Iterator; import javax.management.MBeanException; -import javax.management.MBeanServer; import javax.management.MalformedObjectNameException; import javax.management.ObjectName; import javax.management.RuntimeOperationsException; @@ -75,12 +74,6 @@ public class GroupMBean extends BaseMode /** - * The MBeanServer in which we are registered. - */ -protected MBeanServer mserver = MBeanUtils.createServer(); - - -/** * The ManagedBean information describing this MBean. */ protected ManagedBean managed = Modified: tomcat/trunk/java/org/apache/catalina/mbeans/MBeanUtils.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/mbeans/MBeanUtils.java?rev=1085323&r1=1085322&r2=1085323&view=diff == --- tomcat/trunk/java/org/apache/catalina/mbeans/MBeanUtils.java (original) +++ tomcat/trunk/java/org/apache/catalina/mbeans/MBeanUtils.java Fri Mar 25 11:20:50 2011 
@@ -622,8 +622,7 @@ public class MBeanUtils { * * @exception MalformedObjectNameException if a name cannot be created */ -static ObjectName createObjectName(String domain, -@SuppressWarnings("unused") Engine engine) +static ObjectName createObjectName(String domain, Engine engine) throws MalformedObjectNameException { ObjectName name = null; @@ -785,8 +784,7 @@ public class MBeanUtils { * * @exception MalformedObjectNameException if a name cannot be created */ -static ObjectName createObjectName(String domain, -@SuppressWarnings("unused") MBeanFactory factory) +static ObjectName createObjectName(String domain, MBeanFactory factory) throws MalformedObjectNameException { ObjectName name = new ObjectName(domain + ":type=MBeanFactory"); @@ -861,8 +859,7 @@ public class MBeanUtils { * * @exception MalformedObjectNameException if a name cannot be created */ -static ObjectName createObjectName(String domain, -@SuppressWarnings("unused") Server server) +static ObjectName createObjectName(String domain, Server server) throws MalformedObjectNameException { ObjectName name = null; @@ -1055,13 +1052,7 @@ public class MBeanUtils { public static synchronized MBeanServer createServer() { if (mserver == null) { -try { -mserver = Registry.getRegistry(null, null).getMBeanServer(); -} catch (Throwable t) { -ExceptionUtils.handleThrowable(t); -t.printStackTrace(System.out); -System.exit(1); -} +mserver = Registry.getRegistry(null, null).getMBeanServer(); } return (mserver); Modified: tomcat/trunk/java/org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java?rev=1085323&r1=1085322&r2=1085323&view=diff == --- tomcat/trunk/java/org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java (original) +++ tomcat/trunk/java/org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java Fri Mar 25 11:20:50 2011 
@@ -22,7 +22,6 @@ import java.util.ArrayList; import java.util.Iterator; import javax.management.MBeanException; -import javax.management.MBeanServer; import javax.management.MalformedObjectNameException; import javax.management.ObjectName; import javax.management.RuntimeOperationsException; @@ -76,12 +75,6 @@ public class MemoryUserDatabaseMBean ext /** - * The MBeanServer in which we are registered. - */ -protected MBeanServer mserver = MBeanUtils.createServer(); - - -/** * The ManagedBean information describing this MBean. */ protected ManagedBe
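Review bot: In the `createServer()` hunk of MBeanUtils.java, dropping the `try`/`catch` is the right call: `System.exit(1)` inside a library method let any failure in `Registry.getRegistry(null, null).getMBeanServer()` terminate the whole JVM, and the `printStackTrace(System.out)` before it bypassed the logging framework entirely. The trade-off is that any `Throwable` from `getMBeanServer()` now propagates out of `createServer()` unchanged; none of the callers are in this diff, so confirm they either tolerate the exception or log and rethrow rather than assuming a non-null server.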
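Review bot: The removal of `protected MBeanServer mserver = MBeanUtils.createServer();` from GroupMBean.java and MemoryUserDatabaseMBean.java is a behavioural change as well as clean-up: that field initialiser ran `createServer()` on every MBean instantiation, so each of these classes was a path into the `System.exit(1)` branch removed in MBeanUtils. Because the field was `protected`, check that no subclass outside this diff still reads `mserver`; the dropped `import javax.management.MBeanServer;` lines indicate nothing within these files does. On the `createObjectName` hunks, removing `@SuppressWarnings("unused")` without using the `engine`, `factory` and `server` parameters (the visible bodies still start from `ObjectName name = null;` or a fixed name) will simply bring the unused-parameter warning back.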
svn commit: r1085336 - in /tomcat/trunk: java/org/apache/catalina/util/LocalStrings.properties java/org/apache/catalina/util/SessionIdGenerator.java webapps/docs/changelog.xml
Author: markt Date: Fri Mar 25 11:50:27 2011 New Revision: 1085336 URL: http://svn.apache.org/viewvc?rev=1085336&view=rev Log: Include the seed time when calculating the time taken to create SecureRandom instances for session ID generation, report excessive times (greater than 100ms) at INFO level and provide a value for the message key so a meaningful message appears in the logs. Modified: tomcat/trunk/java/org/apache/catalina/util/LocalStrings.properties tomcat/trunk/java/org/apache/catalina/util/SessionIdGenerator.java tomcat/trunk/webapps/docs/changelog.xml Modified: tomcat/trunk/java/org/apache/catalina/util/LocalStrings.properties URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/util/LocalStrings.properties?rev=1085336&r1=1085335&r2=1085336&view=diff == --- tomcat/trunk/java/org/apache/catalina/util/LocalStrings.properties (original) +++ tomcat/trunk/java/org/apache/catalina/util/LocalStrings.properties Fri Mar 25 11:50:27 2011 
@@ -36,6 +36,7 @@ requestUtil.parseParameters.uee=Unable t requestUtil.urlDecode.missingDigit=The % character must be followed by two hexademical digits requestUtil.urlDecode.uee=Unable to URL decode the specified input since the encoding [{0}] is not supported. SecurityUtil.doAsPrivilege=An exception occurs when running the PrivilegedExceptionAction block. +sessionIdGenerator.createRandom=Creation of SecureRandom instance for session ID generation using [{0}] took [{1}] milliseconds. sessionIdGenerator.random=Exception initializing random number generator of class [{0}]. Falling back to java.secure.SecureRandom sessionIdGenerator.randomAlgorithm=Exception initializing random number generator using algorithm [{0}] sessionIdGenerator.randomProviderException initializing random number generator using provider [{0}] Modified: tomcat/trunk/java/org/apache/catalina/util/SessionIdGenerator.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/util/SessionIdGenerator.java?rev=1085336&r1=1085335&r2=1085336&view=diff == --- tomcat/trunk/java/org/apache/catalina/util/SessionIdGenerator.java (original) +++ tomcat/trunk/java/org/apache/catalina/util/SessionIdGenerator.java Fri Mar 25 11:50:27 2011 
@@ -242,12 +242,13 @@ public class SessionIdGenerator { result = new SecureRandom(); } -if(log.isDebugEnabled()) { -long t2=System.currentTimeMillis(); -if( (t2-t1) > 100 ) -log.debug(sm.getString("sessionIdGenerator.createRandom", -Long.valueOf(t2-t1))); -} +// Force seeding to take place +result.nextInt(); + +long t2=System.currentTimeMillis(); +if( (t2-t1) > 100 ) +log.info(sm.getString("sessionIdGenerator.createRandom", +result.getAlgorithm(), Long.valueOf(t2-t1))); return result; } } Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1085336&r1=1085335&r2=1085336&view=diff == --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Fri Mar 25 11:50:27 2011 @@ -85,6 +85,12 @@ Resolve some refactoring TODOs in the implementation of the new Context attribute "swallowAbortedUploads". (markt) + +Include the seed time when calculating the time taken to create +SecureRandom instances for session ID generation, report excessive times +(greater than 100ms) at INFO level and provide a value for the message +key so a meaningful message appears in the logs. (markt) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
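Review bot: In the SessionIdGenerator.java hunk, `result.nextInt();` is the correct way to force seeding: `SecureRandom` seeds itself lazily on the first request for output, so the old debug-only timing measured just the constructor and missed the part that can block on a slow entropy source. The new `sessionIdGenerator.createRandom` key takes two arguments (`{0}` algorithm, `{1}` milliseconds), which matches the `sm.getString("sessionIdGenerator.createRandom", result.getAlgorithm(), Long.valueOf(t2-t1))` call. Two small points: `t1` is set outside the hunk, so confirm it is captured before the `new SecureRandom()` call rather than after; and the `100` ms threshold is now a magic number that also appears in the UUIDGenerator change, so a named constant would keep the two from drifting.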
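Review bot: Unrelated to this change but visible as context in the LocalStrings.properties hunk: the line `sessionIdGenerator.randomProviderException initializing random number generator using provider [{0}]` appears to have lost the `=` between key and value, so a properties loader would read the key as `sessionIdGenerator.randomProviderException` and a lookup of `sessionIdGenerator.randomProvider` would produce the same bare-key log output this commit just fixed for `createRandom`. The neighbouring `hexademical` typo in `requestUtil.urlDecode.missingDigit` could be fixed in the same follow-up.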
svn commit: r1085338 - /tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
Author: markt Date: Fri Mar 25 11:53:36 2011 New Revision: 1085338 URL: http://svn.apache.org/viewvc?rev=1085338&view=rev Log: No need to specify a default Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=1085338&r1=1085337&r2=1085338&view=diff == --- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java (original) +++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java Fri Mar 25 11:53:36 2011 @@ -29,7 +29,6 @@ import java.net.SocketException; import java.security.KeyManagementException; import java.security.KeyStore; import java.security.NoSuchAlgorithmException; -import java.security.SecureRandom; import java.security.UnrecoverableKeyException; import java.security.cert.CRL; import java.security.cert.CRLException; @@ -103,7 +102,7 @@ public class JSSESocketFactory implement SSLContext context; try { context = SSLContext.getInstance("TLS"); -context.init(null, null, new SecureRandom()); +context.init(null, null, null); SSLServerSocketFactory ssf = context.getServerSocketFactory(); String ciphers[] = ssf.getSupportedCipherSuites(); for (String cipher : ciphers) { - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
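Review bot: `context.init(null, null, null)` in the JSSESocketFactory.java hunk is behaviour-preserving: a `null` third argument tells the JSSE provider to use its own default `SecureRandom`, which is what `new SecureRandom()` produced anyway. In this particular code path the context is only used to reach `getSupportedCipherSuites()`, so no random bytes are consumed and the explicit instance was pure overhead. One consequence worth noting in the log message: after this change there is no longer a single place in the factory where a non-default `SecureRandom` implementation could be substituted, should a deployment ever need that.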
svn commit: r1085340 - in /tomcat/trunk/test/org/apache/tomcat/util/net: TestSsl.java TesterSupport.java
Author: markt Date: Fri Mar 25 11:58:51 2011 New Revision: 1085340 URL: http://svn.apache.org/viewvc?rev=1085340&view=rev Log: No need to specify a default Modified: tomcat/trunk/test/org/apache/tomcat/util/net/TestSsl.java tomcat/trunk/test/org/apache/tomcat/util/net/TesterSupport.java Modified: tomcat/trunk/test/org/apache/tomcat/util/net/TestSsl.java URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/tomcat/util/net/TestSsl.java?rev=1085340&r1=1085339&r2=1085340&view=diff == --- tomcat/trunk/test/org/apache/tomcat/util/net/TestSsl.java (original) +++ tomcat/trunk/test/org/apache/tomcat/util/net/TestSsl.java Fri Mar 25 11:58:51 2011 @@ -97,8 +97,7 @@ public class TestSsl extends TomcatBaseT tomcat.start(); SSLContext sslCtx = SSLContext.getInstance("TLS"); -sslCtx.init(null, TesterSupport.getTrustManagers(), -new java.security.SecureRandom()); +sslCtx.init(null, TesterSupport.getTrustManagers(), null); SSLSocketFactory socketFactory = sslCtx.getSocketFactory(); SSLSocket socket = (SSLSocket) socketFactory.createSocket("localhost", getPort()); @@ -161,8 +160,7 @@ public class TestSsl extends TomcatBaseT tomcat.start(); SSLContext sslCtx = SSLContext.getInstance("TLS"); -sslCtx.init(null, TesterSupport.getTrustManagers(), -new java.security.SecureRandom()); +sslCtx.init(null, TesterSupport.getTrustManagers(), null); SSLSocketFactory socketFactory = sslCtx.getSocketFactory(); SSLSocket socket = (SSLSocket) socketFactory.createSocket("localhost", getPort()); Modified: tomcat/trunk/test/org/apache/tomcat/util/net/TesterSupport.java URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/tomcat/util/net/TesterSupport.java?rev=1085340&r1=1085339&r2=1085340&view=diff == --- tomcat/trunk/test/org/apache/tomcat/util/net/TesterSupport.java (original) +++ tomcat/trunk/test/org/apache/tomcat/util/net/TesterSupport.java Fri Mar 25 11:58:51 2011 
@@ -23,7 +23,6 @@ import java.io.InputStream; import java.security.KeyManagementException; import java.security.KeyStore; import java.security.NoSuchAlgorithmException; -import java.security.SecureRandom; import java.security.cert.X509Certificate; import javax.net.ssl.KeyManager; @@ -56,7 +55,7 @@ public final class TesterSupport { SSLContext context; try { context = SSLContext.getInstance("TLS"); -context.init(null, null, new SecureRandom()); +context.init(null, null, null); SSLServerSocketFactory ssf = context.getServerSocketFactory(); String ciphers[] = ssf.getSupportedCipherSuites(); for (String cipher : ciphers) { @@ -133,7 +132,7 @@ public final class TesterSupport { SSLContext sc = SSLContext.getInstance("SSL"); sc.init(TesterSupport.getUser1KeyManagers(), TesterSupport.getTrustManagers(), -new java.security.SecureRandom()); +null); javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory( sc.getSocketFactory()); } catch (Exception e) { - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
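Review bot: Same reasoning as the main-code change: the `null` passed to `init` is equivalent to the removed `new java.security.SecureRandom()`. A style point from the TesterSupport.java hunk's context lines: the last block uses `SSLContext.getInstance("SSL")` while every other site in this diff uses `"TLS"`; aligning them would avoid any question of whether the two names select different default protocol sets in the test client.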
svn commit: r1085346 - in /tomcat/trunk: java/org/apache/catalina/tribes/util/LocalStrings.properties java/org/apache/catalina/tribes/util/UUIDGenerator.java webapps/docs/changelog.xml
Author: markt Date: Fri Mar 25 12:20:39 2011 New Revision: 1085346 URL: http://svn.apache.org/viewvc?rev=1085346&view=rev Log: Securely seed the SecureRandom instance used for UUID generation and report excessive creation time (greater than 100ms) at INFO level. Added: tomcat/trunk/java/org/apache/catalina/tribes/util/LocalStrings.properties (with props) Modified: tomcat/trunk/java/org/apache/catalina/tribes/util/UUIDGenerator.java tomcat/trunk/webapps/docs/changelog.xml Added: tomcat/trunk/java/org/apache/catalina/tribes/util/LocalStrings.properties URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/tribes/util/LocalStrings.properties?rev=1085346&view=auto == --- tomcat/trunk/java/org/apache/catalina/tribes/util/LocalStrings.properties (added) +++ tomcat/trunk/java/org/apache/catalina/tribes/util/LocalStrings.properties Fri Mar 25 12:20:39 2011 
@@ -0,0 +1,16 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +uuidGenerator.createRandom=Creation of SecureRandom instance for UUID generation using [{0}] took [{1}] milliseconds. Propchange: tomcat/trunk/java/org/apache/catalina/tribes/util/LocalStrings.properties -- svn:eol-style = native Modified: tomcat/trunk/java/org/apache/catalina/tribes/util/UUIDGenerator.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/tribes/util/UUIDGenerator.java?rev=1085346&r1=1085345&r2=1085346&view=diff == --- tomcat/trunk/java/org/apache/catalina/tribes/util/UUIDGenerator.java (original) +++ tomcat/trunk/java/org/apache/catalina/tribes/util/UUIDGenerator.java Fri Mar 25 12:20:39 2011 
@@ -19,12 +19,19 @@ package org.apache.catalina.tribes.util; import java.security.SecureRandom; import java.util.Random; +import org.apache.juli.logging.Log; +import org.apache.juli.logging.LogFactory; + /** * simple generation of a UUID * @author Filip Hanik * @version 1.0 */ public class UUIDGenerator { +private static final Log log = LogFactory.getLog(UUIDGenerator.class); +protected static final StringManager sm = +StringManager.getManager("org.apache.catalina.tribes.util"); + public static final int UUID_LENGTH = 16; public static final int UUID_VERSION = 4; public static final int BYTES_PER_INT = 4; @@ -32,9 +39,17 @@ public class UUIDGenerator { protected static SecureRandom secrand = null; protected static Random rand = new Random(); + static { +long start = System.currentTimeMillis(); secrand = new SecureRandom(); -secrand.setSeed(rand.nextLong()); +// seed the generator +secrand.nextInt(); +long time = System.currentTimeMillis() - start; +if (time > 100) { +log.info(sm.getString("uuidGenerator.createRandom", +secrand.getAlgorithm(), Long.valueOf(time))); +} } public static byte[] randomUUID(boolean secure) { Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1085346&r1=1085345&r2=1085346&view=diff == --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Fri Mar 25 12:20:39 2011 @@ -116,6 +116,15 @@ + + + +Securely seed the SecureRandom instance used for UUID generation and +report excessive creation time (greater than 100ms) at INFO level. +(markt) + + + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
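Review bot: The static-initialiser hunk in UUIDGenerator.java fixes the real entropy weakness: `secrand.setSeed(rand.nextLong())` on a freshly constructed `SecureRandom` fed it 64 bits derived from `java.util.Random`, whose no-argument constructor seeds from a 48-bit clock-derived value, and for providers such as SHA1PRNG a `setSeed` before the first output suppresses self-seeding entirely, leaving every "secure" UUID a deterministic function of that weak seed. Replacing it with `secrand.nextInt()` forces the normal self-seeding and, as a side effect, gives the timing something meaningful to measure. Follow-ups: `rand` is still declared on the context line `protected static Random rand = new Random();`, so its remaining uses (presumably the non-secure path of `randomUUID(boolean secure)`) should be checked so that nothing else mixes it into `secrand`; and because this now runs in a static initialiser, a slow entropy source stalls class loading, which is exactly what the new INFO message is meant to surface.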
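Review bot: In the imports hunk, `StringManager` is referenced by the new `sm` field without an import being added; that only compiles because the class sits in `org.apache.catalina.tribes.util`, which has its own package-local `StringManager`, and the `getManager("org.apache.catalina.tribes.util")` argument matches the newly added `LocalStrings.properties` in that package. A one-line comment saying the Tribes copy is intended (not `org.apache.tomcat.util.res.StringManager`) would save the next reader the same check.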
Veracode scan of 7.0.11
I received notification that Veracode had scanned Tomcat 7.0.11 today. I thought folks would be interested in the results (committers can request an account to get access to the full details).

Of the 33 flaws reported:
- 1 was a coding error (fixed in r1085303)
- 1 unnecessary call to System.exit() (fixed in r1085323)
- 2 were related to Random/SecureRandom entropy in the Tribes UUID generator (fixed in r1085346)
- 7 were triggered by test code shipped in the JSTL 1.1 jar in the examples (will be fixed when 1.2 is released and we update)
- 22 were false positives

Overall, still a lot of false positives but now few enough that things we might actually want to change/find are relatively easy to spot. Of the things I did change, only the first might have caused a problem for users. The rest was more clean-up.

Mark
DO NOT REPLY [Bug 50958] ISAPI HTTP Response Splitting Vulnerability
https://issues.apache.org/bugzilla/show_bug.cgi?id=50958

Volker Leidl changed:

           What    |Removed     |Added
----------------------------------------------------------------------------
             Status|RESOLVED    |REOPENED
         Resolution|INVALID     |

--- Comment #2 from Volker Leidl 2011-03-25 08:34:24 EDT ---
Let me try and make my point again.

> No it isn't. An HTTP response splitting attack is something triggered by
> client input, not by an application.

Fair enough. A response splitting attack is triggered by the client. However, the root of the problem has nothing to do with client input. It's the application that doesn't honour the HTTP protocol. RFC 2616 seems to go through considerable lengths to disallow two or more consecutive CRLF pairs in various locations, including header values (see the TEXT, token, separators, and quoted-string productions in the BNF). I could easily imagine problems (not necessarily exploits) being caused by header values coming from other sources than client input.

The question is: where is the best place to enforce that conformance? In the specific case of IIS + ISAPI + Tomcat + web app, I think it should be the ISAPI filter that enforces the protocol restrictions. I'm aware that this might just be my opinion, but here's why I believe that:

The web application just talks to an abstract interface, which is the Servlet API. Nowhere does the API disallow the provision of header values with two consecutive CRLF pairs. Also, why do I have to litter my web apps with code that strips them out? After all, that's what the API is for; it should abstract from the low-level protocol details. This is quite different to SQL or JS injection attacks, where the low-level details are not abstracted away from the application. Finally, not enforcing this limit in one common place will make that vulnerability crop up again and again. After all, developers are human, so they make mistakes.

> That the HTTP connectors and the newer AJP connectors stop developers shooting
> themselves in the foot (at least in this way) whereas the older BIO AJP does
> not (the filtering is in the Tomcat connector not the ISAPI native code) is a
> benefit of the newer connectors but does not represent a vulnerability in the
> older BIO AJP connector.

I'm not sure why the AJP connector should strip CRLFs at all. AJP is a binary protocol and variable length strings are prefixed with a byte length. They're not delimited by CRLFs, like in HTTP. I've tried Tomcat 5.5, 6, and 7, and only the AJP connector that comes with 7 seems to do the stripping. So if I'm stuck with 5.5 or 6 I can't take advantage of that feature. I don't know why the decision was made to change the newer AJP connector, but I wouldn't blame it for not doing it.

I think the best place to enforce the protocol is where the structured message is serialised into HTTP. I can see the code in front of me where that happens. It's in line 1050 of jk_isapi_plugin.c (rev 1085325). Simply copying the header value into the response is like constructing a URL without encoding URL parameters.

And if you're still not convinced, Apache httpd in combination with mod_proxy_ajp also strips out CRLFs.

Regards,
Volker

--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are the assignee for the bug.
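The check argued for above, placed at the point where a structured header is serialised into an HTTP line, as an added example written for this thread rather than code from the mod_jk ISAPI plugin or Tomcat (all function names are hypothetical): a strict variant that refuses a header whose value carries CR or LF, and a lenient variant that strips them, the behaviour the comment attributes to the newer connectors and mod_proxy_ajp.

```c
#include <stdio.h>
#include <string.h>

/* RFC 2616 "separators": characters that may not appear in a token and
 * therefore not in a header name. */
static const char SEPARATORS[] = "()<>@,;:\\\"/[]?={} \t";

/* A header name must be a non-empty RFC 2616 token: printable US-ASCII with
 * no CTLs and no separators.  Returns 1 if valid, else 0. */
int header_name_is_token(const char *name)
{
    if (name == NULL || *name == '\0')
        return 0;
    for (const unsigned char *p = (const unsigned char *)name; *p != '\0'; p++) {
        if (*p <= 31 || *p >= 127)          /* CTL or non-ASCII */
            return 0;
        if (strchr(SEPARATORS, (int)*p) != NULL)
            return 0;
    }
    return 1;
}

/* A header value may not contain CR or LF: either one ends the header line
 * early and lets the remainder be parsed as further headers or, after an
 * empty line, as the response body.  Returns 1 if clean, else 0. */
int header_value_is_clean(const char *value)
{
    if (value == NULL)
        return 0;
    for (const char *p = value; *p != '\0'; p++) {
        if (*p == '\r' || *p == '\n')
            return 0;
    }
    return 1;
}

/* Lenient policy (what the thread says the newer connectors do): copy value
 * into out with every CR and LF dropped.  Returns the number of characters
 * removed, or -1 if out cannot hold the result. */
long header_value_strip_crlf(const char *value, char *out, size_t out_len)
{
    size_t n = 0;
    long dropped = 0;
    if (value == NULL || out == NULL || out_len == 0)
        return -1;
    for (const char *p = value; *p != '\0'; p++) {
        if (*p == '\r' || *p == '\n') {
            dropped++;
            continue;
        }
        if (n + 1 >= out_len)              /* keep room for the terminator */
            return -1;
        out[n++] = *p;
    }
    out[n] = '\0';
    return dropped;
}

/* Strict policy: serialise one "Name: value\r\n" line into buf, the step at
 * which a plugin turns its structured headers into HTTP.  Refuses (returns
 * -1) instead of emitting anything when the name is not a token, the value
 * contains CR/LF, or buf is too small; otherwise returns the bytes written. */
int emit_header_line(const char *name, const char *value, char *buf, size_t buf_len)
{
    if (!header_name_is_token(name) || !header_value_is_clean(value))
        return -1;
    int n = snprintf(buf, buf_len, "%s: %s\r\n", name, value);
    if (n < 0 || (size_t)n >= buf_len)
        return -1;
    return n;
}

/* Demo helper: strip CR/LF from value and report whether it equals expected. */
int strip_crlf_matches(const char *value, const char *expected)
{
    char out[256];
    if (header_value_strip_crlf(value, out, sizeof out) < 0)
        return 0;
    return strcmp(out, expected) == 0;
}

/* Demo helper: length of the serialised header line, or -1 if refused. */
int header_line_len(const char *name, const char *value)
{
    char buf[512];
    return emit_header_line(name, value, buf, sizeof buf);
}

int main(void)
{
    /* Constructed sample values: one benign, one carrying the consecutive
     * CRLF pairs that RFC 2616 forbids inside a field value. */
    const char *benign = "/index.jsp";
    const char *split = "/index.jsp\r\n\r\nnot-a-header";
    printf("benign value: %d bytes\n", header_line_len("Location", benign));
    printf("CRLF value:   %d (refused)\n", header_line_len("Location", split));
    printf("stripped ok:  %d\n", strip_crlf_matches(split, "/index.jspnot-a-header"));
    return 0;
}
```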
DO NOT REPLY [Bug 50958] ISAPI HTTP Response Splitting Vulnerability
https://issues.apache.org/bugzilla/show_bug.cgi?id=50958

Mark Thomas changed:

           What    |Removed     |Added
----------------------------------------------------------------------------
             Status|REOPENED    |RESOLVED
         Resolution|            |INVALID

--- Comment #3 from Mark Thomas 2011-03-25 09:02:42 EDT ---
The users list is the place to seek further assistance, such as how to use the newer BIO AJP connector with Tomcat 6.
Re: svn commit: r1085303 - /tomcat/trunk/java/org/apache/catalina/startup/ContextConfig.java
On 25 March 2011 09:55, wrote: > Author: markt > Date: Fri Mar 25 09:55:29 2011 > New Revision: 1085303 > > URL: http://svn.apache.org/viewvc?rev=1085303&view=rev > Log: > Fix string comparison - reported by Veracode Findbugs does not catch that? > Modified: > tomcat/trunk/java/org/apache/catalina/startup/ContextConfig.java > > Modified: tomcat/trunk/java/org/apache/catalina/startup/ContextConfig.java > URL: > http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/startup/ContextConfig.java?rev=1085303&r1=1085302&r2=1085303&view=diff > == > --- tomcat/trunk/java/org/apache/catalina/startup/ContextConfig.java > (original) > +++ tomcat/trunk/java/org/apache/catalina/startup/ContextConfig.java Fri Mar > 25 09:55:29 2011 > @@ -609,7 +609,7 @@ public class ContextConfig > > // Add as watched resource so that cascade reload occurs if a > default > // config file is modified/added/removed > - if (contextXml.getProtocol() == "file") { > + if ("file".equals(contextXml.getProtocol())) { > context.addWatchedResource( > (new File(contextXml.toURI())).getAbsolutePath()); > } > > > > - > To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org > For additional commands, e-mail: dev-h...@tomcat.apache.org > > - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: svn commit: r1085323 - in /tomcat/trunk/java/org/apache/catalina/mbeans: GroupMBean.java MBeanUtils.java MemoryUserDatabaseMBean.java RoleMBean.java UserMBean.java
On 25 March 2011 11:20, wrote:
> Author: markt
> Date: Fri Mar 25 11:20:50 2011
> New Revision: 1085323
>
> URL: http://svn.apache.org/viewvc?rev=1085323&view=rev
> Log:
> Remove call to System.exit() reported by Veracode and related code clean-up

Again, I thought Findbugs checks for System.exit()
DO NOT REPLY [Bug 50958] ISAPI HTTP Response Splitting Vulnerability
https://issues.apache.org/bugzilla/show_bug.cgi?id=50958

--- Comment #4 from Volker Leidl 2011-03-25 12:50:50 EDT ---
I'm using 5.5, but that wasn't the point. Never mind, I'm obviously wasting my time here.
DO NOT REPLY [Bug 50950] NotSerializableException: org.apache.catalina.realm.GenericPrincipal
https://issues.apache.org/bugzilla/show_bug.cgi?id=50950

--- Comment #2 from Ronald Klop 2011-03-25 12:51:55 EDT ---
Created an attachment (id=26798)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=26798)
server.xml and context to reproduce the issue

If you set up a cluster and ask for /index.jsp then it is ok. If you ask for /intern/index.jsp (behind a password) then you get serialization exceptions. As far as I see, there is no other Realm type which is serializable. Why is this object on the session anyway?

Mar 25, 2011 5:35:17 PM org.apache.catalina.ha.session.DeltaManager requestCompleted
SEVERE: Unable to serialize delta request for sessionid [F9D61003F2344ED314504FDE3BDF9FDA]
java.io.NotSerializableException: org.apache.catalina.realm.GenericPrincipal
        at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1180)
        at java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:346)
        at java.util.LinkedList.writeObject(LinkedList.java:960)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
DO NOT REPLY [Bug 50950] NotSerializableException: org.apache.catalina.realm.GenericPrincipal
https://issues.apache.org/bugzilla/show_bug.cgi?id=50950

Ronald Klop changed:

           What    |Removed     |Added
----------------------------------------------------------------------------
             Status|RESOLVED    |REOPENED
         Resolution|WORKSFORME  |
DO NOT REPLY [Bug 50950] NotSerializableException: org.apache.catalina.realm.GenericPrincipal
https://issues.apache.org/bugzilla/show_bug.cgi?id=50950

--- Comment #3 from Ronald Klop 2011-03-25 12:53:38 EDT ---
You asked for the complete stack.

Mar 25, 2011 5:35:17 PM org.apache.catalina.ha.session.DeltaManager requestCompleted
SEVERE: Unable to serialize delta request for sessionid [F9D61003F2344ED314504FDE3BDF9FDA]
java.io.NotSerializableException: org.apache.catalina.realm.GenericPrincipal
        at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1180)
        at java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:346)
        at java.util.LinkedList.writeObject(LinkedList.java:960)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:616)
        at java.io.ObjectStreamClass.invokeWriteObject(ObjectStreamClass.java:962)
        at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1480)
        at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1416)
        at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1174)
        at java.io.ObjectOutputStream.access$300(ObjectOutputStream.java:161)
        at java.io.ObjectOutputStream$PutFieldImpl.writeFields(ObjectOutputStream.java:1687)
        at java.io.ObjectOutputStream.writeFields(ObjectOutputStream.java:478)
        at javax.security.auth.Subject$SecureSet.writeObject(Subject.java:1300)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:616)
        at java.io.ObjectStreamClass.invokeWriteObject(ObjectStreamClass.java:962)
        at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1480)
        at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1416)
        at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1174)
        at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1528)
        at java.io.ObjectOutputStream.defaultWriteObject(ObjectOutputStream.java:438)
Re: Veracode scan of 7.0.11
That's really cool, Mark. I'm glad you're doing this. I know we all have our doubts about scanning tools like this. But my main issue with them is always so many false positives that it feels hopeless. You seem to have fixed that.

Thanks,
Yoav

On Fri, Mar 25, 2011 at 8:22 AM, Mark Thomas wrote:
> I received notification that Veracode had scanned Tomcat 7.0.11 today. I
> thought folks would be interested in the results (committers can request
> an account to get access to the full details).
>
> Of the 33 flaws reported:
> - 1 was a coding error (fixed in r1085303)
> - 1 unnecessary call to System.exit() (fixed in r1085323)
> - 2 were related to Random/SecureRandom entropy in the Tribes UUID
> generator (fixed in r1085346)
> - 7 were triggered by test code shipped in the JSTL 1.1 jar in the
> examples (will be fixed when 1.2 is released and we update)
> - 22 were false positives
>
> Overall, still a lot of false positives but now few enough that things
> we might actually want to change/find are relatively easy to spot. Of
> the things I did change, only the first might have caused a problem for
> users. The rest was more clean-up.
>
> Mark

- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
DO NOT REPLY [Bug 48685] Spnego Support in Tomcat
https://issues.apache.org/bugzilla/show_bug.cgi?id=48685 --- Comment #21 from Mark Thomas 2011-03-25 13:59:58 EDT --- I'm looking at this now and currently trying to figure out the additional configuration required (JAAS, keytab, etc). Any notes you can provide that would save me from figuring stuff out from scratch would help. -- Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1085502 - /tomcat/trunk/res/checkstyle/org-import-control.xml
Author: markt Date: Fri Mar 25 18:18:35 2011 New Revision: 1085502 URL: http://svn.apache.org/viewvc?rev=1085502&view=rev Log: Add another non-Java J2SE package. This is required for SPNEGO support. Modified: tomcat/trunk/res/checkstyle/org-import-control.xml Modified: tomcat/trunk/res/checkstyle/org-import-control.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/res/checkstyle/org-import-control.xml?rev=1085502&r1=1085501&r2=1085502&view=diff == --- tomcat/trunk/res/checkstyle/org-import-control.xml (original) +++ tomcat/trunk/res/checkstyle/org-import-control.xml Fri Mar 25 18:18:35 2011 @@ -33,6 +33,7 @@ + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
DO NOT REPLY [Bug 48685] Spnego Support in Tomcat
https://issues.apache.org/bugzilla/show_bug.cgi?id=48685

--- Comment #22 from Michael Osipov <1983-01...@gmx.net> 2011-03-25 15:07:45 EDT ---
(In reply to comment #21)
> I'm looking at this now and currently trying to figure out the additional
> configuration required (JAAS, keytab, etc). Any notes you can provide that
> would save me from figuring stuff out from scratch would help.

Mark, did you check the Authenticator and Realm JavaDocs? Moreover, you'll need to set some system properties. I'll post the exact ones on Monday because I don't have access to the files from work atm.

You'll need to provide at least:
-Djava.security.auth.login.config
and
-Djava.security.krb5.conf

-- Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
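The two system properties named in comment #22 only work if the JAAS login configuration they point at actually describes a keytab-based Kerberos acceptor. As an added example, not code from Tomcat or from this bug, the program below writes a sample JAAS entry for an SPNEGO acceptor, points the JVM at it with those two properties, and then checks that the entry loads and carries the Krb5LoginModule options an unattended server needs. The entry name `com.sun.security.jgss.krb5.accept`, the service principal, the keytab path and the krb5.conf path are assumptions for the demo; the Krb5LoginModule option names are the ones the JDK documents.

```java
import java.io.File;
import java.io.FileWriter;
import java.io.IOException;
import java.io.Writer;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

/**
 * Added example, not Tomcat code. Writes a sample JAAS login configuration for a
 * keytab-based SPNEGO acceptor, sets java.security.auth.login.config and
 * java.security.krb5.conf, and verifies that the entry can be loaded and looks right.
 * Entry name, principal and file paths are assumptions for the demo.
 */
public class SpnegoConfigCheck {

    // Assumed JAAS entry name; use whatever name the authenticator is configured with.
    static final String ENTRY = "com.sun.security.jgss.krb5.accept";

    // Sample login configuration. Principal and keytab path are placeholders.
    static final String SAMPLE_JAAS_CONF =
        ENTRY + " {\n" +
        "    com.sun.security.auth.module.Krb5LoginModule required\n" +
        "        useKeyTab=true\n" +
        "        keyTab=\"/etc/tomcat/tomcat.keytab\"\n" +
        "        principal=\"HTTP/www.example.com@EXAMPLE.COM\"\n" +
        "        storeKey=true\n" +
        "        isInitiator=false\n" +
        "        doNotPrompt=true;\n" +
        "};\n";

    /** Options a keytab-based acceptor cannot do without. */
    static final String[] REQUIRED_OPTIONS = { "useKeyTab", "keyTab", "principal", "storeKey" };

    /** Returns the problems found for the named JAAS entry; an empty list means it looks usable. */
    static List<String> check(String entryName) {
        List<String> problems = new ArrayList<String>();
        for (String p : new String[] { "java.security.auth.login.config", "java.security.krb5.conf" }) {
            String v = System.getProperty(p);
            if (v == null) {
                problems.add("system property " + p + " is not set");
            } else if (!new File(v).isFile()) {
                problems.add(p + " points at a missing file: " + v);
            }
        }
        AppConfigurationEntry[] entries;
        try {
            entries = Configuration.getConfiguration().getAppConfigurationEntry(entryName);
        } catch (SecurityException e) {
            // The default provider wraps read/parse failures of the login config in SecurityException.
            problems.add("login configuration unreadable: " + e.getMessage());
            return problems;
        }
        if (entries == null || entries.length == 0) {
            problems.add("no JAAS entry named " + entryName);
            return problems;
        }
        for (AppConfigurationEntry e : entries) {
            if (!"com.sun.security.auth.module.Krb5LoginModule".equals(e.getLoginModuleName())) {
                problems.add("unexpected login module " + e.getLoginModuleName());
            }
            Map<String, ?> opts = e.getOptions();
            for (String o : REQUIRED_OPTIONS) {
                if (!opts.containsKey(o)) {
                    problems.add("entry " + entryName + " lacks option " + o);
                }
            }
            if (!"true".equals(opts.get("useKeyTab"))) {
                problems.add("useKeyTab must be true; a server cannot answer a password prompt");
            }
            Object keyTab = opts.get("keyTab");
            if (keyTab != null && !new File(keyTab.toString()).isFile()) {
                problems.add("keytab not found: " + keyTab);
            }
        }
        return problems;
    }

    public static void main(String[] args) throws IOException {
        File jaas = File.createTempFile("jaas", ".conf");
        jaas.deleteOnExit();
        Writer w = new FileWriter(jaas);
        try {
            w.write(SAMPLE_JAAS_CONF);
        } finally {
            w.close();
        }
        // The two properties from comment #22. In production these are JVM flags, not set in code.
        System.setProperty("java.security.auth.login.config", jaas.getAbsolutePath());
        System.setProperty("java.security.krb5.conf", "/etc/krb5.conf");
        List<String> problems = check(ENTRY);
        if (problems.isEmpty()) {
            System.out.println("JAAS entry " + ENTRY + " looks usable");
        }
        for (String problem : problems) {
            System.out.println("PROBLEM: " + problem);
        }
    }
}
```

Run as-is on a machine without the placeholder keytab and krb5.conf, the check reports both files as missing; on the real server, with the same two properties passed as `-D` flags, it prints nothing but the success line. The `isInitiator=false` and `doNotPrompt=true` options are what keep the server side from trying to obtain its own TGT interactively.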
DO NOT REPLY [Bug 48685] Spnego Support in Tomcat
https://issues.apache.org/bugzilla/show_bug.cgi?id=48685 --- Comment #23 from Mark Thomas 2011-03-25 15:18:08 EDT --- Doh. I missed the javadoc completely. My bad. I'll take a look over the weekend and get back to you. -- Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1085574 - in /tomcat/trunk: java/org/apache/catalina/connector/MapperListener.java webapps/docs/changelog.xml
Author: markt Date: Fri Mar 25 21:59:07 2011 New Revision: 1085574 URL: http://svn.apache.org/viewvc?rev=1085574&view=rev Log: Don't register Contexts that fail to start with the Mapper. Modified: tomcat/trunk/java/org/apache/catalina/connector/MapperListener.java tomcat/trunk/webapps/docs/changelog.xml Modified: tomcat/trunk/java/org/apache/catalina/connector/MapperListener.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/connector/MapperListener.java?rev=1085574&r1=1085573&r2=1085574&view=diff == --- tomcat/trunk/java/org/apache/catalina/connector/MapperListener.java (original) +++ tomcat/trunk/java/org/apache/catalina/connector/MapperListener.java Fri Mar 25 21:59:07 2011 @@ -290,7 +290,9 @@ public class MapperListener extends Life mapper.addHost(host.getName(), aliases, host); for (Container container : host.findChildren()) { -registerContext((Context) container); +if (container.getState().isAvailable()) { +registerContext((Context) container); +} } if(log.isDebugEnabled()) { log.debug(sm.getString("mapperListener.registerHost", Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1085574&r1=1085573&r2=1085574&view=diff == --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Fri Mar 25 21:59:07 2011 @@ -91,6 +91,9 @@ (greater than 100ms) at INFO level and provide a value for the message key so a meaningful message appears in the logs. (markt) + +Don't register Contexts that fail to start with the Mapper. (markt) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
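Review bot: the new `container.getState().isAvailable()` gate in the registerHost loop only covers Contexts that already exist when the Host is registered; a Context that failed to start here and is started successfully later has to be registered by another path (the lifecycle or container event handling, which this hunk does not show), so confirm that path also ends in registerContext, otherwise the late starter is never reachable through the Mapper. The gate itself is right: before it, a Context whose start had failed was still added to the Mapper and could have requests routed to it.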
DO NOT REPLY [Bug 50950] NotSerializableException: org.apache.catalina.realm.GenericPrincipal
https://issues.apache.org/bugzilla/show_bug.cgi?id=50950

--- Comment #4 from Konstantin Kolinko 2011-03-25 18:45:16 EDT ---
(In reply to comment #3)
> You asked for the complete stack.

The stack trace is still incomplete. What calls the last line in your comment (below)? - where is the ObjectOutputStream called from?

>(...)
> java.io.ObjectOutputStream.defaultWriteObject(ObjectOutputStream.java:438)

Note, that it is not necessary to paste the stacktrace as a comment: you can attach it as a file.

-- Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
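The trace in comment #3 shows the DeltaManager failing inside `Subject$SecureSet.writeObject`, which writes the Subject's principals through a `LinkedList`, and the element it chokes on is a `GenericPrincipal` that is not Serializable. Comment #4 asks where the ObjectOutputStream is entered from; the practical question for an operator is which session attribute is carrying the unserializable object. As an added example, not Tomcat code, the program below serializes each attribute on its own, the way a replicating session manager must, and reports the attribute and the offending class. The attribute names and the two Principal implementations are constructed for the demo.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.security.Principal;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.security.auth.Subject;

/**
 * Added example, not Tomcat code. Serializes each session attribute separately and
 * reports which attribute cannot be replicated and which class inside it is the cause.
 * Attribute names and the two Principal classes are constructed for the demo.
 */
public class SessionAttributeSerializationCheck {

    /** Stand-in for a Principal that is not Serializable, the situation in the bug. */
    static final class NonSerializablePrincipal implements Principal {
        private final String name;
        NonSerializablePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    /** The shape a Principal must have before it can live in a replicated session. */
    static final class SerializablePrincipal implements Principal, Serializable {
        private static final long serialVersionUID = 1L;
        private final String name;
        SerializablePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    /**
     * Tries to serialize one value. Returns null on success, otherwise the name of the
     * class ObjectOutputStream refused (NotSerializableException carries it as the message).
     */
    static String findNonSerializable(Object value) {
        ObjectOutputStream oos = null;
        try {
            oos = new ObjectOutputStream(new ByteArrayOutputStream());
            oos.writeObject(value);
            return null;
        } catch (NotSerializableException e) {
            return e.getMessage();
        } catch (IOException e) {
            return e.toString();
        } finally {
            if (oos != null) {
                try { oos.close(); } catch (IOException ignored) { }
            }
        }
    }

    /** Maps each attribute that blocks replication to the offending class name. */
    static Map<String, String> checkAttributes(Map<String, Object> attributes) {
        Map<String, String> bad = new LinkedHashMap<String, String>();
        for (Map.Entry<String, Object> e : attributes.entrySet()) {
            String failure = findNonSerializable(e.getValue());
            if (failure != null) {
                bad.put(e.getKey(), failure);
            }
        }
        return bad;
    }

    public static void main(String[] args) {
        // Constructed session contents. The Subject mirrors the stack trace: its principal
        // set is written via LinkedList.writeObject and hits the non-serializable Principal.
        Subject subject = new Subject();
        subject.getPrincipals().add(new NonSerializablePrincipal("alice"));

        Map<String, Object> attrs = new LinkedHashMap<String, Object>();
        attrs.put("javax.security.auth.subject", subject);
        attrs.put("cart", new ArrayList<String>());
        attrs.put("principal", new SerializablePrincipal("alice"));

        Map<String, String> bad = checkAttributes(attrs);
        if (bad.isEmpty()) {
            System.out.println("all attributes replicate");
        }
        for (Map.Entry<String, String> e : bad.entrySet()) {
            System.out.println("attribute [" + e.getKey() + "] cannot be replicated: " + e.getValue());
        }
    }
}
```

Only the attribute holding the Subject is reported; the empty list and the Serializable principal pass. Checking per attribute rather than serializing the whole session is what turns the DeltaManager's one-line SEVERE message into an actionable attribute name.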
DO NOT REPLY [Bug 50975] New: IIS connector times out on Transfer Encoded content, never sending the chunked content
https://issues.apache.org/bugzilla/show_bug.cgi?id=50975

Summary: IIS connector times out on Transfer Encoded content, never sending the chunked content
Product: Tomcat Connectors
Version: unspecified
Platform: PC
Status: NEW
Severity: major
Priority: P2
Component: isapi
AssignedTo: dev@tomcat.apache.org
ReportedBy: aaron.john...@soa.com

Created an attachment (id=26799) --> (https://issues.apache.org/bugzilla/attachment.cgi?id=26799)
Zip of logs and network traces

We have a client application making calls through web services that are using Transfer-Encoding: chunked. This scenario hasn't ever worked possibly due to bug 48940 and bug 48763. It works fine against a wide variety of other setups (JBoss/WebSphere/WebLogic/Apache/IBM IHS/iPlanet) that don't include the IIS connector. In the isapi_redirect.properties file I have enable_chunked_encoding=true -- though not sure it matters post 1.2.28.

Here are the symptoms:
1.2.27 (chunked and non chunked versions) - Some POST/T-E=chunked requests work, others fail.
1.2.28 (chunked and non chunked versions) - Some POST/T-E=chunked requests work, others fail.
1.2.30 - Read times out on the client waiting for a response
1.2.31 - Read times out on the client waiting for a response

I'm attributing the failure of 1.2.27/28 on already known/fixed bugs and focusing on the behavior for 1.2.31.

Network tracing between both the client and connector and the connector and JBoss 4.3.0 indicate that the client is sending a complete request and that the connector is still waiting for something else from the client, or has received it but isn't sending the chunked content to JBoss.

Specifically of interest is that the connector is sending:
REQ:POST /rm/services/ServerInfo.asmx
But never sends the chunked content

The attachment has two sets of files for two scenarios, a WireShark network trace and the isapi_redirect.log.

Environment:
The client_to_connector scenario was on Windows 7 x64 / IIS 7.5.7600.16385 / isapi_redirect-1.2.31.dll for amd64
The connector_to_jboss scenario was on Windows Server 2008 x64 / IIS 7.5.7600.16385 / isapi_redirect-1.2.31.dll for amd64

-- Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
DO NOT REPLY [Bug 50958] ISAPI HTTP Response Splitting Vulnerability
https://issues.apache.org/bugzilla/show_bug.cgi?id=50958 --- Comment #5 from Konstantin Kolinko 2011-03-25 18:53:19 EDT --- It must be reminded that bugzilla is an inappropriate place to report security issues. See http://tomcat.apache.org/security.html -- Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org