svn commit: r1822775 - in /tomcat/trunk: java/org/apache/tomcat/util/http/parser/HttpParser.java test/org/apache/tomcat/util/http/parser/TestHttpParserHost.java webapps/docs/changelog.xml

2018-01-31 Thread markt
Author: markt
Date: Wed Jan 31 09:01:40 2018
New Revision: 1822775

URL: http://svn.apache.org/viewvc?rev=1822775&view=rev
Log:
Update the host validation to permit host names and components of domain names 
(excluding top-level domains) to start with a number and to ensure that 
top-level domains are fully alphabetic.

Modified:
tomcat/trunk/java/org/apache/tomcat/util/http/parser/HttpParser.java
tomcat/trunk/test/org/apache/tomcat/util/http/parser/TestHttpParserHost.java
tomcat/trunk/webapps/docs/changelog.xml

Modified: tomcat/trunk/java/org/apache/tomcat/util/http/parser/HttpParser.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/http/parser/HttpParser.java?rev=1822775&r1=1822774&r2=1822775&view=diff
==
--- tomcat/trunk/java/org/apache/tomcat/util/http/parser/HttpParser.java 
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/http/parser/HttpParser.java Wed 
Jan 31 09:01:40 2018
@@ -494,6 +494,9 @@ public class HttpParser {
 int c;
 int pos = 0;
 
+// readAheadLimit doesn't matter as all the readers passed to this
+// method buffer the entire content.
+reader.mark(1);
 do {
 c = reader.read();
 if (c == '.') {
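Review bot: `reader.mark(1)` on L33 relies on a property the java.io.Reader contract does not promise — that reset() still works after far more than one character has been read — and the only record of that assumption is the inline comment; the reset() calls in the next three hunks (L50, L62, L79) would throw IOException on a reader that honours readAheadLimit, such as a BufferedReader over a stream. This method parses attacker-controlled Host header text, so an IOException from reset() is a different failure path from the IllegalArgumentException the rest of the method throws for bad input, and the precondition belongs in the method contract rather than on one line of the body. Suggest adding to the method's Javadoc (the signature is above this hunk): `@param reader Source of the host. Must support mark()/reset() with an effectively unlimited read-ahead, because the parser rewinds to the start when the input turns out not to be an IPv4 address.` A `markSupported()` guard would at least reject readers that cannot rewind at all, though it cannot check the limit.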
@@ -501,9 +504,14 @@ public class HttpParser {
 // Valid
 octetCount++;
 octet = -1;
-} else {
+} else if (inIPv6 || octet == -1) {
 throw new IllegalArgumentException(
 sm.getString("http.invalidOctet", 
Integer.toString(octet)));
+} else {
+// Might not be an IPv4 address. Could be a host / FQDN 
with
+// a fully numeric component.
+reader.reset();
+return readHostDomainName(reader);
 }
 } else if (isNumeric(c)) {
 if (octet == -1) {
@@ -527,6 +535,10 @@ public class HttpParser {
 } else {
 throw new 
IllegalArgumentException(sm.getString("http.closingBracket"));
 }
+} else if (!inIPv6 && (isAlpha(c) || c == '-')) {
+// Go back to the start and parse as a host / FQDN
+reader.reset();
+return readHostDomainName(reader);
 } else {
 throw new IllegalArgumentException(sm.getString(
 "http.illegalCharacterIpv4", Character.toString((char) 
c)));
@@ -535,8 +547,11 @@ public class HttpParser {
 } while (true);
 
 if (octetCount != 4) {
-throw new IllegalArgumentException(
-sm.getString("http.wrongOctetCount", 
Integer.toString(octetCount)));
+// Might not be an IPv4 address. Could be a host name or a FQDN 
with
+// fully numeric components. Go back to the start and parse as a
+// host / FQDN.
+reader.reset();
+return readHostDomainName(reader);
 }
 if (octet < 0 || octet > 255) {
 throw new IllegalArgumentException(
@@ -652,9 +667,13 @@ public class HttpParser {
 static int readHostDomainName(Reader reader) throws IOException {
 DomainParseState state = DomainParseState.NEW;
 int pos = 0;
+int segmentIndex = 0;
 
 while (state.mayContinue()) {
-state = state.next(reader.read());
+state = state.next(reader.read(), segmentIndex);
+if (DomainParseState.PERIOD == state) {
+segmentIndex++;
+}
 pos++;
 }
 
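Review bot: `segmentIndex` on L88 carries the rule this commit introduces — judging by the AllowsEnd.FIRST/ALWAYS values later in the patch and the log message, a label that is not purely alphabetic appears to be allowed to end the host only when it is the first (and so only) label — but nothing in readHostDomainName says what the index is for, and a reader has to reverse-engineer it from the DomainParseState table. Suggest a comment on the declaration, e.g. `// Zero-based index of the label being parsed; passed to next() so the end-of-host rules can differ between the first label and later ones (the TLD must be fully alphabetic).` readHostDomainName ends outside this hunk.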
@@ -682,28 +701,32 @@ public class HttpParser {
 }
 }
 
+private enum AllowsEnd {
+NEVER,
+FIRST,
+ALWAYS
+}
 
 private enum DomainParseState {
-NEW( true, false, false, false, false, false, " at the start of"),
-ALPHA(   true,  true,  true,  true,  true,  true, " after a letter 
in"),
-NUMERIC( true,  true,  true,  true,  true,  true, " after a number 
in"),
-PERIOD(  true, false, false, false,  true,  true, " after a period 
in"),
-HYPHEN(  true,  true,  true, false, false, false, " after a hypen in"),
-COLON(  false, false, false, false, false, false, " after a colon in"),
-END(false, false, false, false, false, false, " at the end of");
+NEW(   true, false, false,  AllowsEnd.NEVER,  AllowsEnd.NEVER, " 
at the start of"),
+ALL_ALPHA( true,  true,  true, AllowsEnd.ALWAYS, AllowsEnd.ALWAYS, " 
after a letter in"),
+ALPHA( true,  true,  true,  AllowsEnd.FIRST,  AllowsEnd.FIRST, " 
after a letter in"),
+NUMERIC(   true,  true,  true,  AllowsEnd.FIRST,  AllowsEnd.FIRST, " 
after a number in"),
+PERIOD(true, false, false,  AllowsEnd.NEVER,  AllowsEnd.NEVER, " 
after a 

Re: svn commit: r1822644 - in /tomcat/trunk: java/org/apache/coyote/ java/org/apache/coyote/ajp/ java/org/apache/coyote/http11/ java/org/apache/coyote/http2/ java/org/apache/tomcat/util/http/parser/ w

2018-01-31 Thread Mark Thomas
On 30/01/18 19:24, Mark Thomas wrote:
> On 30/01/18 15:25, Mark Thomas wrote:
>> On 30/01/18 15:15, Konstantin Kolinko wrote:
>>> -1.
>>>
>>> Reading the algorithm in Host.parse(Reader), I think that http://610.ru/en/
>>> and a number of popular Chinese web sites won't pass this validation.
>>> https://www.chinacheckup.com/blogs/articles/chinese-website-names-numbers
>>>
>>> https://domains-index.com/nine-millions-domain-names-just-numbers/
>>
>> ACK.
>>
>> The host header validation was written from the RFCs. Given that those
>> sites all work, I'm assuming I missed something. Let me go back to the
>> RFCs and figure out what. Once I have done that, I'll update the parser
>> and/or this thread as appropriate.
> 
> I was working from RFC 952. I missed RFC 1123. Updating the host name
> parser has just moved to the top of my TODO list.

This should be fixed in trunk now. I need to back-port it and I have
some ideas about making it a little more efficient that I want to test.

Mark




svn commit: r1822776 - /tomcat/trunk/modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool/PooledConnectionMBean.java

2018-01-31 Thread markt
Author: markt
Date: Wed Jan 31 09:11:46 2018
New Revision: 1822776

URL: http://svn.apache.org/viewvc?rev=1822776&view=rev
Log:
Add missing ALv2 header

Modified:

tomcat/trunk/modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool/PooledConnectionMBean.java

Modified: 
tomcat/trunk/modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool/PooledConnectionMBean.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool/PooledConnectionMBean.java?rev=1822776&r1=1822775&r2=1822776&view=diff
==
--- 
tomcat/trunk/modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool/PooledConnectionMBean.java
 (original)
+++ 
tomcat/trunk/modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool/PooledConnectionMBean.java
 Wed Jan 31 09:11:46 2018
@@ -1,3 +1,19 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package org.apache.tomcat.jdbc.pool;
 
 import java.sql.SQLException;






svn commit: r1822777 - /tomcat/trunk/modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool/interceptor/StatementCacheMBean.java

2018-01-31 Thread markt
Author: markt
Date: Wed Jan 31 09:12:20 2018
New Revision: 1822777

URL: http://svn.apache.org/viewvc?rev=1822777&view=rev
Log:
Add missing ALv2 header

Modified:

tomcat/trunk/modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool/interceptor/StatementCacheMBean.java

Modified: 
tomcat/trunk/modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool/interceptor/StatementCacheMBean.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool/interceptor/StatementCacheMBean.java?rev=1822777&r1=1822776&r2=1822777&view=diff
==
--- 
tomcat/trunk/modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool/interceptor/StatementCacheMBean.java
 (original)
+++ 
tomcat/trunk/modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool/interceptor/StatementCacheMBean.java
 Wed Jan 31 09:12:20 2018
@@ -1,3 +1,19 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package org.apache.tomcat.jdbc.pool.interceptor;
 
 import java.util.concurrent.atomic.AtomicInteger;






svn commit: r1822778 - in /tomcat/trunk/modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool: interceptor/StatementCache.java jmx/JmxUtil.java

2018-01-31 Thread markt
Author: markt
Date: Wed Jan 31 09:12:31 2018
New Revision: 1822778

URL: http://svn.apache.org/viewvc?rev=1822778&view=rev
Log:
ws police

Modified:

tomcat/trunk/modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool/interceptor/StatementCache.java

tomcat/trunk/modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool/jmx/JmxUtil.java

Modified: 
tomcat/trunk/modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool/interceptor/StatementCache.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool/interceptor/StatementCache.java?rev=1822778&r1=1822777&r2=1822778&view=diff
==
--- 
tomcat/trunk/modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool/interceptor/StatementCache.java
 (original)
+++ 
tomcat/trunk/modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool/interceptor/StatementCache.java
 Wed Jan 31 09:12:31 2018
@@ -252,7 +252,7 @@ public class StatementCache extends Stat
 
(ConcurrentHashMap)pCon.getAttributes().get(STATEMENT_CACHE_ATTR);
 return cache;
 }
- 
+
 @Override
 public int getCacheSizePerConnection() {
 ConcurrentHashMap cache = getCache();

Modified: 
tomcat/trunk/modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool/jmx/JmxUtil.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool/jmx/JmxUtil.java?rev=1822778&r1=1822777&r2=1822778&view=diff
==
--- 
tomcat/trunk/modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool/jmx/JmxUtil.java
 (original)
+++ 
tomcat/trunk/modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool/jmx/JmxUtil.java
 Wed Jan 31 09:12:31 2018
@@ -51,7 +51,7 @@ public class JmxUtil {
 private static ObjectName getObjectName(ObjectName base, String keyprop)
 throws MalformedObjectNameException {
 if (base == null) return null;
-StringBuilder OnameStr =  new StringBuilder(base.toString()); 
+StringBuilder OnameStr =  new StringBuilder(base.toString());
 if (keyprop != null) OnameStr.append(keyprop);
 ObjectName oname = new ObjectName(OnameStr.toString());
 return oname;






About BZ 58143

2018-01-31 Thread Rainer Jung

Just a short explanation why I reopened BZ 58143:

All is well for TC 8.0-9.0, but for TC 7.0 Spring Load time Weaving is 
broken since 7.0.70. You might remember that we implemented an 
additional interface in the WebappClassLoader to make adding weavers 
easier. That was backported to TC 7 around 7.0.64 and worked quite well.


Later there was an optimization in the loader cache that unified cache 
keys for resources and classes (in all TC branches). This optimization 
broke the weaving, because Spring first loads the classes as resources 
to check for annotations, and then, when the class is actually being used, the 
weaving happens. After sharing the cache key between resources and 
classes, the first loading as a resource fills the cache before weaving is 
set up by Spring; the second loading, then as a class, was 
directly fulfilled from the cache and no weaving happened.


Now for TC 8, 8.5 and 9.0 there was another WebappClassLoader change 
which moved the call to the weavers from the method 
findResourceInternal(), that is shared between resource and class 
loading, to findClassInternal() and weaving worked again.


So in the above BZ I suggest to do the same code move for TC 7. I 
attached a patch to the BZ that only contains the code move and not the 
few other changes that were part of the original commit in the newer 
branches.


For details (revision numbers, suggested patch, test webapp) please see 
the BZ. For me the test suite for TC 7 still runs fine after applying 
the patch.


I can of course apply the patch myself, but since I stripped parts of 
the original commit and the class loader is a very important part, I 
wanted to give some explanations and also give some time for remarks.


Thanks and regards,

Rainer




svn commit: r1822784 - in /tomcat/site/trunk: docs/security-7.html docs/security-8.html docs/security-9.html docs/security-native.html xdocs/security-7.xml xdocs/security-8.xml xdocs/security-9.xml xd

2018-01-31 Thread markt
Author: markt
Date: Wed Jan 31 10:21:58 2018
New Revision: 1822784

URL: http://svn.apache.org/viewvc?rev=1822784&view=rev
Log:
Make CVE-2017-15698 and CVE-2017-15706 public

Modified:
tomcat/site/trunk/docs/security-7.html
tomcat/site/trunk/docs/security-8.html
tomcat/site/trunk/docs/security-9.html
tomcat/site/trunk/docs/security-native.html
tomcat/site/trunk/xdocs/security-7.xml
tomcat/site/trunk/xdocs/security-8.xml
tomcat/site/trunk/xdocs/security-9.xml
tomcat/site/trunk/xdocs/security-native.xml

Modified: tomcat/site/trunk/docs/security-7.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1822784&r1=1822783&r2=1822784&view=diff
==
--- tomcat/site/trunk/docs/security-7.html (original)
+++ tomcat/site/trunk/docs/security-7.html Wed Jan 31 10:21:58 2018
@@ -208,6 +208,9 @@
 Apache Tomcat 7.x 
vulnerabilities
 
 
+Fixed in Apache Tomcat 7.0.84
+
+
 Fixed in Apache Tomcat 7.0.82
 
 
@@ -373,6 +376,46 @@
 
   
 
+
+24 January 2018 Fixed in Apache Tomcat 
7.0.84
+
+
+
+
+Low: Incorrectly documented CGI search algorithm
+   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15706"; 
rel="nofollow">CVE-2017-15706
+
+
+
+
+Note: The issue below was fixed in Apache Tomcat 7.0.83 but the
+   release vote for the 7.0.83 release candidate did not pass. Therefore,
+   although users must download 7.0.84 to obtain a version that includes
+   the fix for this issue, version 7.0.83 is not included in the list of
+   affected versions.
+
+
+
+As part of the fix for bug https://bz.apache.org/bugzilla/show_bug.cgi?id=61201";>61201, the 
description of the
+   search algorithm used by the CGI Servlet to identify which script to
+   execute was updated. The update was not correct. As a result, some
+   scripts may have failed to execute as expected and other scripts may 
have
+   been executed unexpectedly. Note that the behaviour of the CGI servlet
+   has remained unchanged in this regard. It is only the documentation of
+   the behaviour that was wrong and has been corrected.
+
+
+This was fixed in revision http://svn.apache.org/viewvc?view=rev&rev=1814828";>1814828.
+
+
+This issue was reported to the Apache Tomcat Security Team by Michael
+   Grenier on 17 September 2017 and made public on 31 January 2018.
+
+
+Affects: 7.0.79 to 7.0.82
+
+  
+
 
 4 October 2017 Fixed in Apache Tomcat 
7.0.82
 

Modified: tomcat/site/trunk/docs/security-8.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-8.html?rev=1822784&r1=1822783&r2=1822784&view=diff
==
--- tomcat/site/trunk/docs/security-8.html (original)
+++ tomcat/site/trunk/docs/security-8.html Wed Jan 31 10:21:58 2018
@@ -208,6 +208,12 @@
 Apache Tomcat 8.x 
vulnerabilities
 
 
+Fixed in Apache Tomcat 8.0.48
+
+
+Fixed in Apache Tomcat 8.5.24
+
+
 Fixed in Apache Tomcat 8.0.47
 
 
@@ -340,6 +346,68 @@
 
   
 
+
+12 December 2017 Fixed in Apache Tomcat 
8.0.48
+
+
+
+
+Low: Incorrectly documented CGI search algorithm
+   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15706"; 
rel="nofollow">CVE-2017-15706
+
+
+
+As part of the fix for bug https://bz.apache.org/bugzilla/show_bug.cgi?id=61201";>61201, the 
description of the
+   search algorithm used by the CGI Servlet to identify which script to
+   execute was updated. The update was not correct. As a result, some
+   scripts may have failed to execute as expected and other scripts may 
have
+   been executed unexpectedly. Note that the behaviour of the CGI servlet
+   has remained unchanged in this regard. It is only the documentation of
+   the behaviour that was wrong and has been corrected.
+
+
+This was fixed in revision http://svn.apache.org/viewvc?view=rev&rev=1814827";>1814827.
+
+
+This issue was reported to the Apache Tomcat Security Team by Michael
+   Grenier on 17 September 2017 and made public on 31 January 2018.
+
+
+Affects: 8.0.45 to 8.0.47
+
+  
+
+
+30 November 2017 Fixed in Apache Tomcat 
8.5.24
+
+
+
+
+Low: Incorrectly documented CGI search algorithm
+   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15706"; 
rel="nofollow">CVE-2017-15706
+
+
+
+As part of the fix for bug https://bz.apache.org/bugzilla/show_bug.cgi?id=61201";>61201, the 
description of the
+   search algorithm used by the CGI Servlet to identify which script to
+   execute was updated. The update was not correct. As a result, some
+   scripts may have failed to execute as expected and other scripts may 
have
+   been executed unexpectedly. Note that the behaviour of the CGI servlet
+   has remained unchanged in this regard. It is only the documentation of
+   the behaviour that was wrong and has been corrected.
+
+
+This wa

[SECURITY] CVE-2017-15698 Apache Tomcat Native Connector - OCSP check omitted

2018-01-31 Thread Mark Thomas
CVE-2017-15698 Apache Tomcat Native Connector - OCSP check omitted

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat Native 1.2.0 to 1.2.14
Apache Tomcat Native 1.1.23 to 1.1.34

Description:
When parsing the AIA-Extension field of a client certificate, Apache
Tomcat Native did not correctly handle fields longer than 127 bytes. The
result of the parsing error was to skip the OCSP check. It was therefore
possible for client certificates that should have been rejected (if the
OCSP check had been made) to be accepted.
Users not using OCSP checks are not affected by this vulnerability.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 1.2.16 or later
  Note: 1.2.15 was not released
This version was included in Apache Tomcat 9.0.2 onwards, 8.5.24
onwards, 8.0.48 onwards and 7.0.84 onwards.

Credit:
This issue was reported responsibly to the Apache Tomcat Security Team
by Jonas Klempel.

History:
2018-01-31 Original advisory

References:
[1] http://tomcat.apache.org/security-native.html




[SECURITY] CVE-2017-15706 Apache Tomcat Incorrectly documented CGI search algorithm

2018-01-31 Thread Mark Thomas
CVE-2017-15706 Apache Tomcat Incorrectly documented CGI search algorithm

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M22 to 9.0.1
Apache Tomcat 8.5.16 to 8.5.23
Apache Tomcat 8.0.45 to 8.0.47
Apache Tomcat 7.0.79 to 7.0.82

Description:
As part of the fix for bug 61201, the description of the search
algorithm used by the CGI Servlet to identify which script to execute
was updated. The update was not correct. As a result, some scripts may
have failed to execute as expected and other scripts may have been
executed unexpectedly.
Note that the behaviour of the CGI servlet has remained unchanged in
this regard. It is only the documentation of the behaviour that was
wrong and has been corrected.

Mitigation:
Users of the affected versions should review the CGI documentation
from one of the following versions and ensure that the described CGI
search algorithm matches their expectation:
- Apache Tomcat 9.0.2 or later
- Apache Tomcat 8.5.24 or later
- Apache Tomcat 8.0.48 or later
- Apache Tomcat 7.0.84 or later
  (Apache Tomcat 7.0.83 has the fix but was not released)

Credit:
This issue was reported responsibly to the Apache Tomcat Security Team
by Michael Grenier.

History:
2018-01-31 Original advisory

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html





[Bug 57830] Add support for ProxyProtocol

2018-01-31 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=57830

asanc...@mga.es changed:

   What|Removed |Added

 CC||asanc...@mga.es




[Bug 57830] Add support for ProxyProtocol

2018-01-31 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=57830

asanc...@mga.es changed:

   What|Removed |Added

 CC|asanc...@mga.es |




[Bug 62067] New: HttpConstraint not applied when Servlet mapped ""

2018-01-31 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=62067

Bug ID: 62067
   Summary: HttpConstraint not applied when Servlet mapped ""
   Product: Tomcat 8
   Version: 8.5.27
  Hardware: PC
Status: NEW
  Severity: normal
  Priority: P2
 Component: Specification APIs
  Assignee: dev@tomcat.apache.org
  Reporter: p.rosend...@aenova.nl
  Target Milestone: 

Created attachment 35711
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=35711&action=edit
Source demonstrating the problem

Overview: 

When mapping a servlet to the url pattern "", and specifying a security
constraint like TransportGuarantee.CONFIDENTIAL, the constraint is not applied.

Steps to Reproduce: 

1) Define a servlet and annotate with:
@WebServlet (name = "Root", urlPatterns = { "" })
@ServletSecurity(@HttpConstraint(transportGuarantee =
ServletSecurity.TransportGuarantee.CONFIDENTIAL))

2) Deploy as the ROOT web app on Tomcat configured with a HTTP and a HTTPS
connector

3) Access the server with, for example: wget http://localhost:8080/

Actual Results:

The resource is retrieved over HTTP

Expected Results: 

Tomcat initially responds with a redirect, and the resource is retrieved
over HTTPS

Remarks:

Access should be denied in case of a configuration error (such as
redirectPort=0 on the HTTP connector)




svn commit: r1822809 - in /tomcat/trunk/java/org/apache: catalina/connector/Response.java coyote/Response.java

2018-01-31 Thread markt
Author: markt
Date: Wed Jan 31 15:14:25 2018
New Revision: 1822809

URL: http://svn.apache.org/viewvc?rev=1822809&view=rev
Log:
Push the error state tracking down to the Coyote Response so it becomes 
accessible to the early stages of request processing. The intention is to use 
this to enable those early stage errors to be handled by the standard error 
reporting mechanisms rather than just a status code and a blank page.

Modified:
tomcat/trunk/java/org/apache/catalina/connector/Response.java
tomcat/trunk/java/org/apache/coyote/Response.java

Modified: tomcat/trunk/java/org/apache/catalina/connector/Response.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/connector/Response.java?rev=1822809&r1=1822808&r2=1822809&view=diff
==
--- tomcat/trunk/java/org/apache/catalina/connector/Response.java (original)
+++ tomcat/trunk/java/org/apache/catalina/connector/Response.java Wed Jan 31 
15:14:25 2018
@@ -36,7 +36,6 @@ import java.util.Locale;
 import java.util.Map;
 import java.util.TimeZone;
 import java.util.Vector;
-import java.util.concurrent.atomic.AtomicInteger;
 import java.util.function.Supplier;
 
 import javax.servlet.ServletOutputStream;
@@ -179,37 +178,6 @@ public class Response implements HttpSer
  */
 private boolean isCharacterEncodingSet = false;
 
-/**
- * With the introduction of async processing and the possibility of
- * non-container threads calling sendError() tracking the current error
- * state and ensuring that the correct error page is called becomes more
- * complicated. This state attribute helps by tracking the current error
- * state and informing callers that attempt to change state if the change
- * was successful or if another thread got there first.
- *
- * 
- * The state machine is very simple:
- *
- * 0 - NONE
- * 1 - NOT_REPORTED
- * 2 - REPORTED
- *
- *
- *   -->>-- >NONE
- *   |   ||
- *   |   || setError()
- *   ^   ^|
- *   |   |   \|/
- *   |   |-<-NOT_REPORTED
- *   ||
- *   ^| report()
- *   ||
- *   |   \|/
- *   | 0;
+return getCoyoteResponse().isError();
 }
 
 
 public boolean isErrorReportRequired() {
-return errorState.get() == 1;
+return getCoyoteResponse().isErrorReportRequired();
 }
 
 
 public boolean setErrorReported() {
-return errorState.compareAndSet(1, 2);
+return getCoyoteResponse().setErrorReported();
 }
 
 

Modified: tomcat/trunk/java/org/apache/coyote/Response.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/Response.java?rev=1822809&r1=1822808&r2=1822809&view=diff
==
--- tomcat/trunk/java/org/apache/coyote/Response.java (original)
+++ tomcat/trunk/java/org/apache/coyote/Response.java Wed Jan 31 15:14:25 2018
@@ -24,6 +24,7 @@ import java.nio.charset.Charset;
 import java.util.Locale;
 import java.util.Map;
 import java.util.concurrent.atomic.AtomicBoolean;
+import java.util.concurrent.atomic.AtomicInteger;
 import java.util.function.Supplier;
 
 import javax.servlet.WriteListener;
@@ -128,8 +129,40 @@ public final class Response {
  */
 Exception errorException = null;
 
+/**
+ * With the introduction of async processing and the possibility of
+ * non-container threads calling sendError() tracking the current error
+ * state and ensuring that the correct error page is called becomes more
+ * complicated. This state attribute helps by tracking the current error
+ * state and informing callers that attempt to change state if the change
+ * was successful or if another thread got there first.
+ *
+ * 
+ * The state machine is very simple:
+ *
+ * 0 - NONE
+  

[Bug 62048] Missing logout function in Manager and Host-Manager webapps

2018-01-31 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=62048

Mark Thomas  changed:

   What|Removed |Added

   Severity|normal  |enhancement




svn commit: r1822841 - /tomcat/trunk/java/org/apache/catalina/ha/session/DeltaManager.java

2018-01-31 Thread markt
Author: markt
Date: Wed Jan 31 22:44:25 2018
New Revision: 1822841

URL: http://svn.apache.org/viewvc?rev=1822841&view=rev
Log:
SpotBugs
Fix sync warning

Modified:
tomcat/trunk/java/org/apache/catalina/ha/session/DeltaManager.java

Modified: tomcat/trunk/java/org/apache/catalina/ha/session/DeltaManager.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/ha/session/DeltaManager.java?rev=1822841&r1=1822840&r2=1822841&view=diff
==
--- tomcat/trunk/java/org/apache/catalina/ha/session/DeltaManager.java 
(original)
+++ tomcat/trunk/java/org/apache/catalina/ha/session/DeltaManager.java Wed Jan 
31 22:44:25 2018
@@ -86,7 +86,7 @@ public class DeltaManager extends Cluste
 new ArrayList<>();
 private boolean receiverQueue = false ;
 private boolean stateTimestampDrop = true ;
-private long stateTransferCreateSendTime;
+private volatile long stateTransferCreateSendTime;
 
 //  stats 
attributes
 
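Review bot: Making `stateTransferCreateSendTime` volatile on L936 addresses the visibility half of a SpotBugs inconsistent-synchronization warning but not atomicity: if any code path reads the field and then writes it based on that read, the two accesses can still interleave with another thread's write. The accesses are outside this hunk, so this may already be fine if every write happens under the same lock the reads use; if not, an AtomicLong or retaining the existing synchronization on the write side would be the more robust fix. Either way, a one-line comment stating the verified access pattern would make the choice reviewable, e.g. `// volatile for cross-thread visibility only; the field is never updated with a read-modify-write` (assuming the warning was IS2_INCONSISTENT_SYNC — confirm against the SpotBugs report).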






svn commit: r1822851 - in /tomcat/tc8.5.x/trunk/modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool: PooledConnectionMBean.java interceptor/StatementCacheMBean.java

2018-01-31 Thread kfujino
Author: kfujino
Date: Thu Feb  1 07:52:52 2018
New Revision: 1822851

URL: http://svn.apache.org/viewvc?rev=1822851&view=rev
Log:
Add missing ALv2 header

Modified:

tomcat/tc8.5.x/trunk/modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool/PooledConnectionMBean.java

tomcat/tc8.5.x/trunk/modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool/interceptor/StatementCacheMBean.java

Modified: 
tomcat/tc8.5.x/trunk/modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool/PooledConnectionMBean.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool/PooledConnectionMBean.java?rev=1822851&r1=1822850&r2=1822851&view=diff
==
--- 
tomcat/tc8.5.x/trunk/modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool/PooledConnectionMBean.java
 (original)
+++ 
tomcat/tc8.5.x/trunk/modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool/PooledConnectionMBean.java
 Thu Feb  1 07:52:52 2018
@@ -1,3 +1,19 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package org.apache.tomcat.jdbc.pool;
 
 import java.sql.SQLException;

Modified: 
tomcat/tc8.5.x/trunk/modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool/interceptor/StatementCacheMBean.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool/interceptor/StatementCacheMBean.java?rev=1822851&r1=1822850&r2=1822851&view=diff
==
--- 
tomcat/tc8.5.x/trunk/modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool/interceptor/StatementCacheMBean.java
 (original)
+++ 
tomcat/tc8.5.x/trunk/modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool/interceptor/StatementCacheMBean.java
 Thu Feb  1 07:52:52 2018
@@ -1,3 +1,18 @@
+/* Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package org.apache.tomcat.jdbc.pool.interceptor;
 
 import java.util.concurrent.atomic.AtomicInteger;






svn commit: r1822853 - /tomcat/trunk/modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool/jmx/JmxUtil.java

2018-01-31 Thread kfujino
Author: kfujino
Date: Thu Feb  1 07:57:10 2018
New Revision: 1822853

URL: http://svn.apache.org/viewvc?rev=1822853&view=rev
Log:
Formatting only: normalise whitespace in JmxUtil.getObjectName (collapse the double space after the assignment operator); no functional change.

Modified:

tomcat/trunk/modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool/jmx/JmxUtil.java

Modified: 
tomcat/trunk/modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool/jmx/JmxUtil.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool/jmx/JmxUtil.java?rev=1822853&r1=1822852&r2=1822853&view=diff
==
--- 
tomcat/trunk/modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool/jmx/JmxUtil.java
 (original)
+++ 
tomcat/trunk/modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool/jmx/JmxUtil.java
 Thu Feb  1 07:57:10 2018
@@ -51,7 +51,7 @@ public class JmxUtil {
 private static ObjectName getObjectName(ObjectName base, String keyprop)
 throws MalformedObjectNameException {
 if (base == null) return null;
-StringBuilder OnameStr =  new StringBuilder(base.toString());
+StringBuilder OnameStr = new StringBuilder(base.toString());
 if (keyprop != null) OnameStr.append(keyprop);
 ObjectName oname = new ObjectName(OnameStr.toString());
 return oname;






svn commit: r1822854 - /tomcat/tc8.5.x/trunk/modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool/jmx/JmxUtil.java

2018-01-31 Thread kfujino
Author: kfujino
Date: Thu Feb  1 07:57:56 2018
New Revision: 1822854

URL: http://svn.apache.org/viewvc?rev=1822854&view=rev
Log:
Formatting only: normalise whitespace in JmxUtil.getObjectName (collapse the double space after the assignment operator and drop trailing whitespace); no functional change. Backport of r1822853 to 8.5.x.

Modified:

tomcat/tc8.5.x/trunk/modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool/jmx/JmxUtil.java

Modified: 
tomcat/tc8.5.x/trunk/modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool/jmx/JmxUtil.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool/jmx/JmxUtil.java?rev=1822854&r1=1822853&r2=1822854&view=diff
==
--- 
tomcat/tc8.5.x/trunk/modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool/jmx/JmxUtil.java
 (original)
+++ 
tomcat/tc8.5.x/trunk/modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool/jmx/JmxUtil.java
 Thu Feb  1 07:57:56 2018
@@ -51,7 +51,7 @@ public class JmxUtil {
 private static ObjectName getObjectName(ObjectName base, String keyprop)
 throws MalformedObjectNameException {
 if (base == null) return null;
-StringBuilder OnameStr =  new StringBuilder(base.toString()); 
+StringBuilder OnameStr = new StringBuilder(base.toString());
 if (keyprop != null) OnameStr.append(keyprop);
 ObjectName oname = new ObjectName(OnameStr.toString());
 return oname;


