[Bug 58433] RemoteIpValve not activated on redirect from mapping
https://bz.apache.org/bugzilla/show_bug.cgi?id=58433

Thomas Raehalme changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |tho...@raehalme.net

-- 
You are receiving this mail because:
You are the assignee for the bug.

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 59243] New: Path traversal Attack
https://bz.apache.org/bugzilla/show_bug.cgi?id=59243

            Bug ID: 59243
           Summary: Path traversal Attack
           Product: Tomcat 7
           Version: 7.0.67
          Hardware: PC
                OS: Mac OS X 10.1
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Servlet & JSP API
          Assignee: dev@tomcat.apache.org
          Reporter: muthukumar13402...@gmail.com

The RequestDispatcher.forward() method allows access to the /WEB-INF folder. Is this an issue?
[Bug 59243] Path traversal Attack
https://bz.apache.org/bugzilla/show_bug.cgi?id=59243

Violeta Georgieva changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |INVALID

--- Comment #1 from Violeta Georgieva ---
Hi,

Why do you think so? In the spec it is stated:

"10.5 Directory Structure
...
However, the contents of the WEB-INF directory are visible to servlet code using the getResource and getResourceAsStream method calls on the ServletContext, and may be exposed using the RequestDispatcher calls..."

Regards,
Violeta
[Bug 59243] Path traversal Attack
https://bz.apache.org/bugzilla/show_bug.cgi?id=59243

muthukumar changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|INVALID                     |---

--- Comment #2 from muthukumar ---
I used RequestDispatcher in my app, and the parameter for RequestDispatcher comes from a URL parameter. If an attacker changes this parameter value to "/WEB-INF/web.xml" he can access my secret files. Do you have a proper solution?
[Bug 59243] Path traversal Attack
https://bz.apache.org/bugzilla/show_bug.cgi?id=59243

--- Comment #3 from muthukumar ---
Think about my scenario. It is possible to make a path traversal attack. It must be a security issue?
[Bug 59243] Path traversal Attack
https://bz.apache.org/bugzilla/show_bug.cgi?id=59243

Violeta Georgieva changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|---                         |INVALID

--- Comment #4 from Violeta Georgieva ---
(In reply to muthukumar from comment #2)
> the param for RequestDispatcher is coming from url parameter.

Fix your application.

Regards,
Violeta
svn commit: r1737002 - in /tomcat/site/trunk: docs/lists.html xdocs/lists.xml
Author: markt Date: Tue Mar 29 12:32:25 2016 New Revision: 1737002 URL: http://svn.apache.org/viewvc?rev=1737002&view=rev Log: Try and improve the wording and better differentiate between getting help how to use Tomcat and help how to use the mailing lists Modified: tomcat/site/trunk/docs/lists.html tomcat/site/trunk/xdocs/lists.xml Modified: tomcat/site/trunk/docs/lists.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/lists.html?rev=1737002&r1=1737001&r2=1737002&view=diff == --- tomcat/site/trunk/docs/lists.html (original) +++ tomcat/site/trunk/docs/lists.html Tue Mar 29 12:32:25 2016 @@ -410,7 +410,7 @@ Tomcat questions to Eric or Rick themsel -Getting help with the list: +Getting help with how to use the list: Send a blank email to mailto:users-h...@tomcat.apache.org";> users-h...@tomcat.apache.org @@ -507,7 +507,7 @@ other project announcements. -Getting help with the list: +Getting help with how to use the list: Send a blank email to mailto:announce-h...@tomcat.apache.org";> announce-h...@tomcat.apache.org @@ -608,7 +608,7 @@ issues. Other questions will be ignored. -Getting help with the list: +Getting help with how to use the list: Send a blank email to mailto:dev-h...@tomcat.apache.org";> dev-h...@tomcat.apache.org, mailto:dev-digest-h...@tomcat.apache.org";> @@ -716,7 +716,7 @@ and how they can be used. -Getting help with the list: +Getting help with how to use the list: Send a blank email to mailto:taglibs-user-h...@tomcat.apache.org";> taglibs-user-h...@tomcat.apache.org, mailto:taglibs-user-digest-h...@tomcat.apache.org";> Modified: tomcat/site/trunk/xdocs/lists.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/lists.xml?rev=1737002&r1=1737001&r2=1737002&view=diff == --- tomcat/site/trunk/xdocs/lists.xml (original) +++ tomcat/site/trunk/xdocs/lists.xml Tue Mar 29 12:32:25 2016 
@@ -128,7 +128,7 @@ Tomcat questions to Eric or Rick themsel us...@tomcat.apache.org - Getting help with the list: + Getting help with how to use the list: Send a blank email to mailto:users-h...@tomcat.apache.org";> users-h...@tomcat.apache.org @@ -198,7 +198,7 @@ other project announcements. This is only available to Tomcat committers. - Getting help with the list: + Getting help with how to use the list: Send a blank email to mailto:announce-h...@tomcat.apache.org";> announce-h...@tomcat.apache.org @@ -271,7 +271,7 @@ issues. Other questions will be ignored. dev@tomcat.apache.org - Getting help with the list: + Getting help with how to use the list: Send a blank email to mailto:dev-h...@tomcat.apache.org";> dev-h...@tomcat.apache.org, mailto:dev-digest-h...@tomcat.apache.org";> @@ -351,7 +351,7 @@ and how they can be used. taglibs-u...@tomcat.apache.org - Getting help with the list: + Getting help with how to use the list: Send a blank email to mailto:taglibs-user-h...@tomcat.apache.org";> taglibs-user-h...@tomcat.apache.org, mailto:taglibs-user-digest-h...@tomcat.apache.org";> - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
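Review bot: the log message says the change is meant to differentiate getting help with how to use Tomcat from getting help with how to use the mailing lists, but every hunk (four in docs/lists.html, four in xdocs/lists.xml) only rewrites the one label "Getting help with the list:" to "Getting help with how to use the list:"; the surrounding "Tomcat questions to Eric or Rick themsel..." context is untouched, so if the contrast is the goal, the matching "help with Tomcat" wording on the same pages may deserve the same pass. On the positive side, the rendered docs/lists.html and the xdocs/lists.xml source are edited in lockstep at the same four places, so the two files will not drift apart.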
[Bug 59247] New: Using the IBM JDK with the security manager results in java.lang.RuntimePermission warning
https://bz.apache.org/bugzilla/show_bug.cgi?id=59247

            Bug ID: 59247
           Summary: Using the IBM JDK with the security manager results in java.lang.RuntimePermission warning
           Product: Tomcat 8
           Version: 8.0.32
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: minor
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: csuth...@redhat.com

Created attachment 33707
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=33707&action=edit
policy patch proposal

When using the IBM JDK and the security manager, the following warnings are logged:

WARNING [localhost-startStop-1] org.apache.juli.ClassLoaderLogManager.readConfiguration Reading logging.properties is not permitted in some context. See "per context logging" in the default catalina.policy file.
WARNING [localhost-startStop-1] org.apache.juli.ClassLoaderLogManager.readConfiguration Original error was: Access denied ("java.lang.RuntimePermission" "accessClassInPackage.org.apache.catalina.loader")

I do not observe any negative effects of this warning; however, I am only doing minimal testing and would like someone to review it to validate whether or not it is an issue. I assume that something not being able to load the logging.properties means that it isn't logging either.

It looks like adding the permission to the catalina.policy resolves the warning. I am attaching the patch which seems to work for me, along with a few other files for review.

Note that this does not seem to occur on trunk (though it does throw some warnings also), but it does on tomcat8 and previous versions. Also note that the added permission in the patch proposal does not exist in trunk, so I'm not sure if it is the way to go or not.
[Bug 59247] Using the IBM JDK with the security manager results in java.lang.RuntimePermission warning
https://bz.apache.org/bugzilla/show_bug.cgi?id=59247

--- Comment #1 from Coty Sutherland ---
Created attachment 33708
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=33708&action=edit
More files from testing

In this attachment I've included the catalina.out logs from the tomcat8 tests using IBM Java 7 and 8, the tomcat9 catalina.out from IBM Java 8, and the java -version output from each java version.
[Bug 59247] Using the IBM JDK with the security manager results in java.lang.RuntimePermission warning
https://bz.apache.org/bugzilla/show_bug.cgi?id=59247

--- Comment #2 from Coty Sutherland ---
Created attachment 33709
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=33709&action=edit
java.security.debug stack trace

I forgot to include the stack trace in the previous tarball.
[Bug 59220] AsyncListener#onComplete not called after timeout if buffer is flushed
https://bz.apache.org/bugzilla/show_bug.cgi?id=59220

--- Comment #3 from Scott Nicklous ---
Hi Violeta and Remy,

thank you very much for having a look at this so quickly (and thank you, Remy, for fixing 59213 so promptly!).

The example servlets I provided were for the purpose of reproducing the problem rather than for illustrating the use case. I would like to explain my use case more clearly.

I'm working on the Apache Pluto project, which is the reference implementation for JSR 286 Portlet Specification 2.0, and which will be the reference implementation for JSR 362 Portlet Specification 3.0. Pluto is a minimal portal server that implements the required API for portlet applications. For version 3.0, we want to provide async support for portlet applications.

The portlet specification can make recommendations about how portlet applications should do error handling, but can't really guarantee that the portlet apps will follow the recommendations. The Pluto server has to allocate resources to support the portlet applications during async processing and needs a reliable way to release those resources even if a timeout or error condition occurs.

It seems to me that the natural way to do that would be for the Pluto server to register an AsyncListener on behalf of the portlet application in order to release the resources when onComplete() is called. However, this bug along with 59219 means that in these edge cases, Pluto will not be able to release the resources, which could potentially result in a memory leak.

That said, I understand that these really are edge cases, and I can't really say how high the priority should be in the grand scheme of things. But it would be very nice if they could be fixed at some point as time & priority allows. :-)

thanks again,
Scott
[Bug 59220] AsyncListener#onComplete not called after timeout if buffer is flushed
https://bz.apache.org/bugzilla/show_bug.cgi?id=59220

--- Comment #4 from Remy Maucherat ---
The question is really about the cases where complete should be called for the application (which didn't call it although it should have).
[Bug 59243] Path traversal Attack
https://bz.apache.org/bugzilla/show_bug.cgi?id=59243

--- Comment #5 from Christopher Schultz ---
(In reply to Violeta Georgieva from comment #4)
> Fix your application.

Correct. The path-traversal vulnerability has been introduced by your own application, not by Tomcat.

One of the best ways to prevent this kind of thing is to white-list certain paths that are acceptable (and won't ever cause a path-traversal issue).
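The white-listing approach Christopher recommends in comment #5, as an added Java example that is not part of the bug report, of Tomcat, or of the reporter's application. It assumes a servlet named PageServlet and a constructed table of page keys; the three JSP paths under /WEB-INF are placeholders. The point it makes is that the client-controlled value is used as a lookup key, never as a path, so it does not matter what the caller puts in it.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (not from the bug report or from Tomcat): the client picks a page by
// key, and only keys present in the allow-list are ever turned into a dispatcher path.
public class PageServlet extends HttpServlet {

    // Constructed allow-list: client-visible key -> internal forward target. Targets
    // under /WEB-INF are reachable by RequestDispatcher by design (spec section 10.5);
    // what matters is that the application chooses the path here, not the caller.
    private static final Map<String, String> PAGES;
    static {
        Map<String, String> m = new HashMap<String, String>();
        m.put("home",    "/WEB-INF/jsp/home.jsp");    // placeholder path
        m.put("about",   "/WEB-INF/jsp/about.jsp");   // placeholder path
        m.put("contact", "/WEB-INF/jsp/contact.jsp"); // placeholder path
        PAGES = Collections.unmodifiableMap(m);
    }

    // Maps a request parameter to an allowed target, or null when the key is unknown.
    // A value such as "/WEB-INF/web.xml" is simply an unknown key: it is used for a map
    // lookup, not as a path, so no normalisation or ".." filtering is needed at all.
    static String resolve(String pageKey) {
        if (pageKey == null) {
            return PAGES.get("home"); // default page when the parameter is absent
        }
        return PAGES.get(pageKey);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The pattern described in comment #2, forwarding straight to the value of the
        // "page" parameter, hands the caller control of the target. Resolve through the
        // table instead and refuse anything it does not contain.
        String target = resolve(req.getParameter("page"));
        if (target == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        req.getRequestDispatcher(target).forward(req, resp);
    }
}
```

Unknown keys get a 404 rather than an error page that echoes the value, so the response gives no hint about which internal paths exist. If the set of pages is large, the same shape works with a key-to-path table loaded from a file the application controls; the property to preserve is that nothing from the request is concatenated into the dispatcher path.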
[Bug 59220] AsyncListener#onComplete not called after timeout if buffer is flushed
https://bz.apache.org/bugzilla/show_bug.cgi?id=59220

--- Comment #5 from Scott Nicklous ---
I know what you mean and agree with you.

From Tomcat's point of view, the Pluto portal is an application. However, Pluto itself hosts portlet applications that may come from various sources. The question is how can Pluto release its resources allocated to a portlet async request if the portlet application misbehaves or has an exception and does not call complete()?

My idea was that Pluto could register an AsyncListener of its own (in addition to any AsyncListeners possibly registered by the portlet applications) to release its resources during the onComplete call. But that only works if the underlying container (Tomcat, in this case) assures that onComplete is called under all circumstances.
[Bug 59220] AsyncListener#onComplete not called after timeout if buffer is flushed
https://bz.apache.org/bugzilla/show_bug.cgi?id=59220

--- Comment #6 from Violeta Georgieva ---
(In reply to Scott Nicklous from comment #5)
> I know what you mean and agree with you.
> 
> From Tomcat's point of view, the Pluto portal is an application. However,
> Pluto itself hosts portlet applications that may come from various sources.
> The question is how can Pluto release its resources allocated to a portlet
> async request if the portlet application misbehaves or has an exception and
> does not call complete()?
> 
> My idea was that Pluto could register an AsyncListener of its own (in
> addition to any AsyncListeners possibly registered by the portlet
> applications) to release its resources during the onComplete call. But that
> only works if the underlying container (Tomcat, in this case) assures that
> onComplete is called under all circumstances.

The idea here is that you should call AsyncContext.complete() in the onTimeout event that your listener will receive, instead of waiting for the container to call AsyncContext.complete() and then onComplete().

In your example, if I add AsyncContext.complete() in basic.servlet.TestedListener.onTimeout(AsyncEvent) then the third use case is working.

Do you think this will work for your scenario?

Regards,
Violeta
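Violeta's suggestion of calling AsyncContext.complete() from onTimeout, as an added Java example that is not part of the bug report, of Tomcat, or of Apache Pluto. It assumes a host servlet, ResourceReleasingServlet, that allocates a constructed placeholder resource (LeasedResource) per async request and registers its own listener on behalf of the hosted code; the hosted task is a stand-in that flushes the response and then never calls complete(), which is the situation in the bug title.

```java
import java.io.IOException;

import javax.servlet.AsyncContext;
import javax.servlet.AsyncEvent;
import javax.servlet.AsyncListener;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (not from the bug report, Tomcat or Pluto): a host servlet that must
// release a per-request resource even when the code it hands off to never completes.
@WebServlet(urlPatterns = "/async", asyncSupported = true)
public class ResourceReleasingServlet extends HttpServlet {

    // Constructed stand-in for whatever the host allocates per async request.
    static final class LeasedResource {
        private volatile boolean released;
        void release() { released = true; }
        boolean isReleased() { return released; }
    }

    // Listener registered by the host on behalf of the hosted application. Releasing
    // only in onComplete is not enough: if the hosted code never calls complete(), the
    // request can time out without onComplete ever running. So onTimeout and onError
    // call complete() themselves, which makes the container run onComplete on every path.
    static final class ReleasingListener implements AsyncListener {
        private final LeasedResource resource;

        ReleasingListener(LeasedResource resource) { this.resource = resource; }

        @Override
        public void onComplete(AsyncEvent event) {
            resource.release();
        }

        @Override
        public void onTimeout(AsyncEvent event) throws IOException {
            HttpServletResponse resp = (HttpServletResponse) event.getSuppliedResponse();
            // The buffer may already have been flushed (the case in this bug), so only
            // set a status while the response is still uncommitted.
            if (!resp.isCommitted()) {
                resp.setStatus(HttpServletResponse.SC_SERVICE_UNAVAILABLE);
            }
            event.getAsyncContext().complete(); // the container then calls onComplete
        }

        @Override
        public void onError(AsyncEvent event) {
            event.getAsyncContext().complete(); // same treatment for the error path
        }

        @Override
        public void onStartAsync(AsyncEvent event) {
            // Listeners are dropped when the hosted code starts a new async cycle;
            // re-register so the host's cleanup stays attached to the new cycle.
            event.getAsyncContext().addListener(this);
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, final HttpServletResponse resp)
            throws ServletException, IOException {
        final LeasedResource resource = new LeasedResource();
        final AsyncContext ctx = req.startAsync(req, resp);
        ctx.setTimeout(2000); // milliseconds; short so the timeout path is easy to observe
        ctx.addListener(new ReleasingListener(resource));

        // Stand-in for hosted code that misbehaves: it writes and flushes (committing
        // the response) and then returns without ever calling ctx.complete().
        ctx.start(new Runnable() {
            @Override
            public void run() {
                try {
                    resp.getWriter().write("partial output\n");
                    resp.flushBuffer();
                } catch (IOException ignored) {
                    // nothing useful to do here; the listener still completes on timeout
                }
            }
        });
    }
}
```

With this shape the host does not depend on the container reaching onComplete by itself after a timeout: its own listener drives complete(), and the resource is released in onComplete whether the hosted code finished normally, timed out, or threw. Re-registering in onStartAsync matters for the hosting case, because a hosted application that calls startAsync again would otherwise detach the host's listener.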
[Bug 59243] Path traversal Attack
https://bz.apache.org/bugzilla/show_bug.cgi?id=59243

--- Comment #6 from muthukumar ---
OK, we whitelisted those paths. But we want a proper solution. Is whitelisting a proper solution? Please explain CVE-2008-5515 to me.