Re: mod_jk 1.2.32 [was: Re: svn commit: r1127315 - /tomcat/jk/trunk/xdocs/reference/apache.xml]
> > There are enough changes for a 1.2.32 anyhows, so I would propose we
> > start a new release cycle in about 2 weeks.
> >
> > OK?

+1

I could give RM a go if that works for y'all - I've done a dry run already to find where everything goes.

cheers
tim

- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
DO NOT REPLY [Bug 51278] New: Unable to override default servlet other than in main web.xml
https://issues.apache.org/bugzilla/show_bug.cgi?id=51278

Bug #: 51278
Summary: Unable to override default servlet other than in main web.xml
Product: Tomcat 7
Version: unspecified
Platform: PC
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
AssignedTo: dev@tomcat.apache.org
ReportedBy: ma...@apache.org
Classification: Unclassified

The default web.xml gets merged into the application's web.xml before processing of fragments, annotations and ServletContextInitializers. This means it can only be overridden in the application's web.xml. It should be possible to override in fragments, annotations and ServletContextInitializers.

-- Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are the assignee for the bug.
DO NOT REPLY [Bug 51278] Unable to override default servlet other than in main web.xml
https://issues.apache.org/bugzilla/show_bug.cgi?id=51278

Chris Beams changed:
What | Removed | Added
CC | | cbe...@gmail.com
OS/Version | | All

--- Comment #1 from Chris Beams 2011-05-28 08:25:07 UTC ---

Thanks for filing this issue, Mark. I encountered this behavior when designing a ServletContainerInitializer for the Spring Framework. The SCI declares @HandlesTypes for a spring-specific SPI (WebApplicationInitializer). The intent of this interface is to allow users a convenient and automatically detected way to replace web.xml with code.

Many users map Spring's DispatcherServlet to '/', and this works fine when done from web.xml. However, for the reasons you've described, a direct translation of this mapping into code does not work, because Tomcat's DefaultServlet has already been mapped.

Your suggested resolution sounds like just what we need in the immediate term. As for the future (i.e. Servlet 3.1), perhaps the EG could consider making the overriding rules a bit more flexible. For example, FilterRegistration#addMappingForUrlPattern[1] currently accepts a boolean "isMatchAfter" argument that suggests this kind of flexibility.

In any case, short term or long, the question is whether mapping to '/' will be portable. I'm about to try this same scenario against Jetty and Glassfish; it will be interesting to see if they too have ordering issues with default mappings to '/', or perhaps have already addressed this very scenario.

[1] http://download.oracle.com/javaee/6/api/javax/servlet/FilterRegistration.html#addMappingForUrlPatterns(java.util.EnumSet, boolean, java.lang.String...)
svn commit: r1128570 - in /tomcat/jk/trunk/tools: jkrelease.sh signfile.sh
Author: timw Date: Sat May 28 08:46:59 2011 New Revision: 1128570 URL: http://svn.apache.org/viewvc?rev=1128570&view=rev Log: Adding ability to specify code signing key in release script, and failing release when tar fails (default BSD tar on OS X borks) Modified: tomcat/jk/trunk/tools/jkrelease.sh tomcat/jk/trunk/tools/signfile.sh Modified: tomcat/jk/trunk/tools/jkrelease.sh URL: http://svn.apache.org/viewvc/tomcat/jk/trunk/tools/jkrelease.sh?rev=1128570&r1=1128569&r2=1128570&view=diff == --- tomcat/jk/trunk/tools/jkrelease.sh (original) +++ tomcat/jk/trunk/tools/jkrelease.sh Sat May 28 08:46:59 2011 @@ -54,6 +54,7 @@ usage() { echo "-T: package from trunk" echo "-d: package from local directory" echo "-p: GNU PG passphrrase used for signing" +echo "-k: ID of GNU PG key to use for signing" } copy_files() { @@ -72,14 +73,15 @@ copy_files() { MAIN ## conflict=0 -while getopts :v:t:r:b:d:p:Tf c +while getopts :v:t:r:b:d:p:k:Tf c do case $c in v) version=$OPTARG;; t) tag=$OPTARG conflict=$(($conflict+1));; r) revision=$OPTARG;; -p) SIGN_OPTS="--passphrase=$OPTARG";; +k) SIGN_OPTS="--default-key=$OPTARG $SIGN_OPTS";; +p) SIGN_OPTS="--passphrase=$OPTARG $SIGN_OPTS";; b) branch=$OPTARG conflict=$(($conflict+1));; T) trunk=trunk @@ -306,7 +308,7 @@ fi cd ../../ # Pack -tar cfz ${JK_DIST}.tar.gz --owner="${JK_OWNER}" --group="${JK_GROUP}" ${JK_DIST} +tar cfz ${JK_DIST}.tar.gz --owner="${JK_OWNER}" --group="${JK_GROUP}" ${JK_DIST} || exit 1 perl ${JK_DIST}/tools/lineends.pl --cr ${JK_DIST} zip -9 -r ${JK_DIST}.zip ${JK_DIST} Modified: tomcat/jk/trunk/tools/signfile.sh URL: http://svn.apache.org/viewvc/tomcat/jk/trunk/tools/signfile.sh?rev=1128570&r1=1128569&r2=1128570&view=diff == --- tomcat/jk/trunk/tools/signfile.sh (original) +++ tomcat/jk/trunk/tools/signfile.sh Sat May 28 08:46:59 2011 
@@ -25,6 +25,10 @@ do ;; esac case "$o" in +--default-key=* ) +gpgopts="$gpgopts --default-key $a" +shift +;; --passphrase=* ) gpgopts="$gpgopts --passphrase $a" shift
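Review bot: in the jkrelease.sh usage() hunk, the new "-k" help line is added directly under the existing "-p: GNU PG passphrrase used for signing" line, which carries a typo ("passphrrase"); fix it in the same commit since the block is being edited anyway, and consider the spelling "GnuPG" for both lines so the help text matches the tool's own name.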
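Review bot: in the getopts hunk of jkrelease.sh, "-p) SIGN_OPTS="--passphrase=$OPTARG $SIGN_OPTS";;" still places the signing passphrase on the command line, so it is readable in ps output and shell history on the release host for as long as gpg runs; since this commit is reworking how SIGN_OPTS is assembled, it is a good moment to switch to a file or fd based passphrase (gpg's --passphrase-fd / --passphrase-file) or gpg-agent, and at minimum to say in the usage text that -p exposes the passphrase. Separately, SIGN_OPTS is built as one whitespace-joined string, so if it is later expanded unquoted a passphrase containing spaces will be split into several arguments; the -k value is a key ID and is not affected.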
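Review bot: in the "Pack" hunk of jkrelease.sh, "|| exit 1" guards only the tar invocation; the two commands that follow it in the same context, "perl ${JK_DIST}/tools/lineends.pl --cr ${JK_DIST}" and "zip -9 -r ${JK_DIST}.zip ${JK_DIST}", remain unchecked, so a failure in either still yields a zip that then goes on to be signed. Apply the same "|| exit 1" to both (or use set -e near the top of the script). Since the log message attributes the failure to the default BSD tar on OS X, and --owner/--group are GNU tar options, an explicit message such as "GNU tar required" on the failure path would save the next release manager the diagnosis.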
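Review bot: in the signfile.sh hunk, the new "--default-key=* )" branch appends "--default-key $a" to gpgopts without checking that "$a" names a key in the secret keyring, so a mistyped key ID only surfaces when gpg fails at signing time, after the distribution archives have been built. A cheap up-front check such as gpg --list-secret-keys "$a" before the signing loop would fail fast. The branch otherwise mirrors the existing "--passphrase=* )" case and reads consistently with it.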
DO NOT REPLY [Bug 51278] Unable to override default servlet other than in main web.xml
https://issues.apache.org/bugzilla/show_bug.cgi?id=51278

--- Comment #2 from Chris Beams 2011-05-28 09:56:11 UTC ---

update: I've just tried this same ServletContainerInitializer scenario under Glassfish 3.1 and the override works as desired. This is especially interesting given that the catalina DefaultServlet is mapped to '/' in this environment as well. It suggests that they have specifically addressed this issue, perhaps in a fashion similar to the one Mark describes above.
DO NOT REPLY [Bug 51283] New: Session Fixation is solved without an invalidating of an existing HTTP session
https://issues.apache.org/bugzilla/show_bug.cgi?id=51283

Bug #: 51283
Summary: Session Fixation is solved without an invalidating of an existing HTTP session
Product: Tomcat 7
Version: 7.0.12
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
AssignedTo: dev@tomcat.apache.org
ReportedBy: michael_fur...@hotmail.com
Classification: Unclassified

Created attachment 27082 --> https://issues.apache.org/bugzilla/attachment.cgi?id=27082
The AuthenticatorBase.java file with a fix that invalidates the existing HTTP session after authentication

The Session Fixation vulnerability was solved recently in Tomcat 6 and in Tomcat 7. Unfortunately, Session Fixation is solved without invalidating the existing HTTP session. I do agree that generation of a new session ID solves many Session Fixation attacks. In any case, an advanced attacker is able to put a vulnerable object in a known HTTP session and then force the session on a user. Please note that in this case the HTTP session will have a new ID and the attacker will not be able to access the session from a client. In any case, with the vulnerable object in the session he can access other objects and maybe even send them remotely.

I do recommend changing the implementation to invalidate the existing HTTP session after authentication. Please find attached code with a fix. I tested this code in my development environment.

Best regards,
Michael
Security Architect
DO NOT REPLY [Bug 51284] New: Session Fixation is solved without an invalidating of an existing HTTP session
https://issues.apache.org/bugzilla/show_bug.cgi?id=51284

Bug #: 51284
Summary: Session Fixation is solved without an invalidating of an existing HTTP session
Product: Tomcat 6
Version: 6.0.29
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
AssignedTo: dev@tomcat.apache.org
ReportedBy: michael_fur...@hotmail.com
Classification: Unclassified

Created attachment 27083 --> https://issues.apache.org/bugzilla/attachment.cgi?id=27083
The AuthenticatorBase.java file with a fix that invalidates the existing HTTP session after authentication

The Session Fixation vulnerability was solved recently in Tomcat 6 and in Tomcat 7. Unfortunately, Session Fixation is solved without invalidating the existing HTTP session. I do agree that generation of a new session ID solves many Session Fixation attacks. In any case, an advanced attacker is able to put a vulnerable object in a known HTTP session and then force the session on a user. Please note that in this case the HTTP session will have a new ID and the attacker will not be able to access the session from a client. In any case, with the vulnerable object in the session he can access other objects and maybe even send them remotely.

I do recommend changing the implementation to invalidate the existing HTTP session after authentication. Please find attached code with a fix. I tested this code in my development environment.

Best regards,
Michael
Security Architect
DO NOT REPLY [Bug 51264] Context/Manager/Store configuration proposal
https://issues.apache.org/bugzilla/show_bug.cgi?id=51264

--- Comment #2 from Felix Schumacher 2011-05-28 14:34:24 UTC ---

Created attachment 27084 --> https://issues.apache.org/bugzilla/attachment.cgi?id=27084
Implements configuration option for JNDI based DataSource.

Implements configuration option for JNDI based DataSource. New attribute "dataSourceName" for JDBCStore. If this attribute is set, it will be used to get a DataSource from JNDI. If a DataSource was found, it will be used instead of direct configuration via "connectionURL" and "driverName".
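An added configuration example, not part of the attached patch or of the Tomcat documentation, showing what the attribute described in the comment above buys from a credentials-handling point of view. The PersistentManager, JDBCStore (with its existing driverName and connectionURL attributes) and Resource elements are Tomcat's own; dataSourceName is the attribute proposed in this comment; the resource name jdbc/TomcatSessions, the database host, the driver and the credentials are placeholders chosen for the example.

```xml
<!-- context.xml, before: the database credentials are embedded in the Store's
     connection URL, so the Store element itself is a secret and anyone who can
     read this file has the session database password. -->
<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.JDBCStore"
           driverName="org.postgresql.Driver"
           connectionURL="jdbc:postgresql://db.internal/sessions?user=tomcat&amp;password=CHANGEME"/>
  </Manager>
</Context>

<!-- context.xml, after: the Store names a DataSource and looks it up in JNDI.
     Per the comment above, dataSourceName takes precedence over
     connectionURL/driverName when the lookup succeeds. Credentials and pool
     limits are defined once on the Resource; that Resource can also be moved
     to GlobalNamingResources in server.xml and referenced with a ResourceLink
     so the webapp context carries no credentials at all. -->
<Context>
  <Resource name="jdbc/TomcatSessions"
            auth="Container"
            type="javax.sql.DataSource"
            driverClassName="org.postgresql.Driver"
            url="jdbc:postgresql://db.internal/sessions"
            username="tomcat"
            password="CHANGEME"
            maxActive="8"/>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.JDBCStore"
           dataSourceName="jdbc/TomcatSessions"/>
  </Manager>
</Context>
```

The gain is modest but worth having: the session store no longer carries its own copy of the database credentials, the pool is sized and monitored like the application's other DataSources, and the Store element contains nothing sensitive, which matters when context.xml is checked into configuration management or shipped inside a WAR.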
DO NOT REPLY [Bug 51283] Session Fixation is solved without an invalidating of an existing HTTP session
https://issues.apache.org/bugzilla/show_bug.cgi?id=51283

--- Comment #1 from Mark Thomas 2011-05-28 15:14:09 UTC ---

*** Bug 51284 has been marked as a duplicate of this bug. ***
DO NOT REPLY [Bug 51284] Session Fixation is solved without an invalidating of an existing HTTP session
https://issues.apache.org/bugzilla/show_bug.cgi?id=51284

Mark Thomas changed:
What | Removed | Added
Status | NEW | RESOLVED
Resolution | | DUPLICATE

--- Comment #1 from Mark Thomas 2011-05-28 15:14:09 UTC ---

*** This bug has been marked as a duplicate of bug 51283 ***
DO NOT REPLY [Bug 51283] Session Fixation is solved without an invalidating of an existing HTTP session
https://issues.apache.org/bugzilla/show_bug.cgi?id=51283

--- Comment #2 from Mark Thomas 2011-05-28 18:29:11 UTC ---

Users can't place objects into the session. Only the application can do that. If the application is doing something that is security sensitive before authentication, I would class that as an application flaw.

I'm having trouble coming up with any scenario where this would be an issue that I don't view as an application rather than a container problem. With such a scenario I could see an argument to make the behaviour on authentication configurable (do nothing / change ID / create new session). Without such a scenario this issue is going to get resolved as invalid.
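The two positions in this thread (the report in bug 51283 asking for the old session to be invalidated, and the reply above that ID rotation already defeats fixation and anything left over is application state) differ in exactly one observable: whether attributes stored before login survive authentication. The following is an added illustration, not Tomcat code: a minimal in-memory session store with both post-login policies, run through the attack the report describes. The names SessionStore, change_session_id, invalidate_and_create and run_fixation_scenario belong to this example, not to Tomcat; the redirect_after_login attribute is a constructed stand-in for something an application might store pre-authentication and trust afterwards.

```python
"""Session fixation: 'change the ID' versus 'invalidate and create'.

Added example. It models the container's session manager with a dict so the
effect of each post-authentication policy can be observed directly. Nothing here
is Tomcat API; the method names are this example's own.
"""
import secrets


class SessionStore:
    """Minimal in-memory session store standing in for the container's Manager."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        """Start a new, empty session and return its identifier."""
        sid = secrets.token_hex(16)
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        """Return the attribute dict for sid, or None if the ID is unknown."""
        return self._sessions.get(sid)

    def change_session_id(self, sid):
        """Policy 'change ID': new identifier, same session object and attributes.

        This is the behaviour the bug report attributes to the current fix.
        """
        attrs = self._sessions.pop(sid)
        new_sid = secrets.token_hex(16)
        self._sessions[new_sid] = attrs
        return new_sid

    def invalidate_and_create(self, sid):
        """Policy 'new session': discard the old session, attributes included.

        This is what the reporter's attachment proposes.
        """
        del self._sessions[sid]
        return self.create()


def authenticate(store, sid, policy):
    """Log the user in on session sid and return the post-login session ID.

    policy is the name of the SessionStore method applied on successful login.
    Setting "user" afterwards stands in for the container recording the principal.
    """
    new_sid = getattr(store, policy)(sid)
    store.get(new_sid)["user"] = "victim"
    return new_sid


def run_fixation_scenario(policy):
    """Walk through the attack described in the report and say what survives.

    1. The attacker obtains a session ID and, before any login, gets the
       application to store an attacker-influenced value in that session
       (as the reply notes, only the application can put objects there).
    2. The attacker fixes that ID on the victim, who then logs in.
    Returns the three facts that decide whether the attack paid off.
    """
    store = SessionStore()
    fixed_sid = store.create()
    # Constructed pre-auth application state: a post-login redirect target
    # that the application reads back, and trusts, once the user is logged in.
    store.get(fixed_sid)["redirect_after_login"] = "https://attacker.example/"

    victim_sid = authenticate(store, fixed_sid, policy)
    post_login = store.get(victim_sid)
    return {
        # Can the attacker still use the ID they planted? (fixation proper)
        "attacker_id_still_valid": store.get(fixed_sid) is not None,
        # Did the attacker-influenced attribute ride into the authenticated session?
        "pre_auth_attribute_survived": "redirect_after_login" in post_login,
        # Sanity: the victim is authenticated either way.
        "authenticated": post_login.get("user") == "victim",
    }


if __name__ == "__main__":
    for policy in ("change_session_id", "invalidate_and_create"):
        print(policy, run_fixation_scenario(policy))
```

Under both policies the ID the attacker planted stops working, so the fixation itself is closed by rotation alone; the only difference is whether the pre-login attribute reaches the authenticated session. That is precisely the state the reply above says the application chose to trust, and an application that validates or clears such values at login is safe under either container policy.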
DO NOT REPLY [Bug 51274] Missing messages in PersistentManagerBase
https://issues.apache.org/bugzilla/show_bug.cgi?id=51274

Mark Thomas changed:
What | Removed | Added
Attachment #27074 is patch | 0 | 1
Attachment #27074 mime type | application/octet-stream | text/plain
svn commit: r1128752 - in /tomcat/trunk: java/org/apache/catalina/session/LocalStrings.properties webapps/docs/changelog.xml
Author: markt Date: Sat May 28 18:45:51 2011 New Revision: 1128752 URL: http://svn.apache.org/viewvc?rev=1128752&view=rev Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=51274 Add missing i18n strings in PersistentManagerBase. Patch provided by Eiji Takahashi. Modified: tomcat/trunk/java/org/apache/catalina/session/LocalStrings.properties tomcat/trunk/webapps/docs/changelog.xml Modified: tomcat/trunk/java/org/apache/catalina/session/LocalStrings.properties URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/session/LocalStrings.properties?rev=1128752&r1=1128751&r2=1128752&view=diff == --- tomcat/trunk/java/org/apache/catalina/session/LocalStrings.properties (original) +++ tomcat/trunk/java/org/apache/catalina/session/LocalStrings.properties Sat May 28 18:45:51 2011 @@ -74,3 +74,5 @@ persistentManager.swapTooManyActive=Swap persistentManager.processSwaps=Checking for sessions to swap out, {0} active sessions in memory persistentManager.activeSession=Session {0} has been idle for {1} seconds persistentManager.swapIn=Swapping session {0} in from Store +persistentManager.swapInException=Exception in the Store during swapIn: {0} +persistentManager.swapInInvalid=Swapped session {0} is invalid \ No newline at end of file Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1128752&r1=1128751&r2=1128752&view=diff == --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Sat May 28 18:45:51 2011 @@ -63,6 +63,10 @@ 51221: Correct Spanish translation of text used in a 302 response. Patch provided by Paco Soberón. (markt) + +51274: Add missing i18n strings in PersistentManagerBase. +Patch provided by Eiji Takahashi. (markt) +
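Review bot: in the LocalStrings.properties hunk, the last added line "+persistentManager.swapInInvalid=Swapped session {0} is invalid" is followed by "\ No newline at end of file"; add the trailing newline so the next key appended to this file does not end up glued onto this one and so future diffs of the file stay clean. The two messages themselves match the existing persistentManager.* naming and placeholder style.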
DO NOT REPLY [Bug 51274] Missing messages in PersistentManagerBase
https://issues.apache.org/bugzilla/show_bug.cgi?id=51274

Mark Thomas changed:
What | Removed | Added
Status | NEW | RESOLVED
Resolution | | FIXED

--- Comment #1 from Mark Thomas 2011-05-28 18:45:40 UTC ---

Thanks for the patch. Applied to trunk and will be included in 7.0.15 onwards.
DO NOT REPLY [Bug 33453] Jasper should recompile JSP files whose datestamps change in either direction (not just newer)
https://issues.apache.org/bugzilla/show_bug.cgi?id=33453

--- Comment #68 from Mark Thomas 2011-05-28 18:55:51 UTC ---

Feedback on proposed TC7 patch: http://tomcat.markmail.org/thread/mbjdpr4bvw6gzx62
DO NOT REPLY [Bug 51240] maxConnections not honors config when acceptorThreadCount > 1
https://issues.apache.org/bugzilla/show_bug.cgi?id=51240

--- Comment #5 from Mark Thomas 2011-05-28 19:25:54 UTC ---

On reflection I decided to leave the acceptorThreadCount configuration option. It already defaults to one and since the acceptor thread does more than just call socket.accept() if there is a spike in new connections, it is possible that multiple acceptor threads may offer some limited benefit.