[Bug 63331] New: Tomcat crash, Problematic Frame: org.apache.tomcat.util.log.SystemLogHandler.println

2019-04-10 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63331

          Bug ID: 63331
         Summary: Tomcat crash, Problematic Frame:
                  org.apache.tomcat.util.log.SystemLogHandler.println
         Product: Tomcat 9
         Version: 9.0.16
        Hardware: PC
              OS: Linux
          Status: NEW
        Severity: blocker
        Priority: P2
       Component: Util
        Assignee: dev@tomcat.apache.org
        Reporter: obexer@fortysix.world
Target Milestone: -

Created attachment 36516
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=36516&action=edit
error report file

Tomcat crash.

Logs:

A fatal error has been detected by the Java Runtime Environment:


SIGSEGV (0xb) at pc=0x7f85961a3fb6, pid=1, tid=29


JRE version: OpenJDK Runtime Environment (11.0.2+9) (build
11.0.2+9-Debian-3bpo91)

Java VM: OpenJDK 64-Bit Server VM (11.0.2+9-Debian-3bpo91, mixed mode, sharing,
tiered, compressed oops, serial gc, linux-amd64)

Problematic frame:

J 10632 c1
org.apache.tomcat.util.log.SystemLogHandler.println(Ljava/lang/String;)V (9
bytes) @ 0x7f85961a3fb6 [0x7f85961a3f60+0x0056]


Core dump will be written. Default location: Core dumps may be processed with
"/usr/share/apport/apport %p %s %c %d %P" (or dumping to
/usr/local/tomcat/core.1)


An error report file with more information is saved as:

/usr/local/tomcat/hs_err_pid1.log
Could not load hsdis-amd64.so; library not loadable; PrintAssembly is disabled

-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[Bug 63331] Tomcat crash, Problematic Frame: org.apache.tomcat.util.log.SystemLogHandler.println

2019-04-10 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63331

Mark Thomas changed:

           What    |Removed                     |Added

         Resolution|---                         |INVALID
             Status|NEW                         |RESOLVED

--- Comment #1 from Mark Thomas  ---
That is a JVM bug. Please report it to the OpenJDK team.




[tomcat] branch 7.0.x updated: Fix checkstyle warnings

2019-04-10 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/7.0.x by this push:
 new 7254a63  Fix checkstyle warnings
7254a63 is described below

commit 7254a6375a4627dc17d309bbea119a71966deb93
Author: Mark Thomas 
AuthorDate: Wed Apr 10 09:13:06 2019 +0100

Fix checkstyle warnings
---
 test/org/apache/tomcat/websocket/TesterFirehoseServer.java | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/test/org/apache/tomcat/websocket/TesterFirehoseServer.java 
b/test/org/apache/tomcat/websocket/TesterFirehoseServer.java
index 222ed05..ab09b6a 100644
--- a/test/org/apache/tomcat/websocket/TesterFirehoseServer.java
+++ b/test/org/apache/tomcat/websocket/TesterFirehoseServer.java
@@ -28,6 +28,7 @@ import java.util.concurrent.atomic.AtomicInteger;
 
 import javax.servlet.ServletContextEvent;
 import javax.websocket.ClientEndpointConfig;
+import javax.websocket.ClientEndpointConfig.Configurator;
 import javax.websocket.ContainerProvider;
 import javax.websocket.DeploymentException;
 import javax.websocket.OnClose;
@@ -37,10 +38,11 @@ import javax.websocket.OnOpen;
 import javax.websocket.RemoteEndpoint.Basic;
 import javax.websocket.Session;
 import javax.websocket.WebSocketContainer;
-import javax.websocket.ClientEndpointConfig.Configurator;
 import javax.websocket.server.ServerContainer;
 import javax.websocket.server.ServerEndpoint;
 
+import org.junit.Assert;
+
 import org.apache.catalina.Context;
 import org.apache.catalina.servlets.DefaultServlet;
 import org.apache.catalina.startup.Tomcat;
@@ -49,7 +51,6 @@ import 
org.apache.tomcat.websocket.TesterMessageCountClient.BasicText;
 import 
org.apache.tomcat.websocket.TesterMessageCountClient.TesterProgrammaticEndpoint;
 import org.apache.tomcat.websocket.server.Constants;
 import org.apache.tomcat.websocket.server.WsContextListener;
-import org.junit.Assert;
 
 /**
  * Sends {@link #MESSAGE_COUNT} messages of size {@link #MESSAGE_SIZE} bytes as





[tomcat] branch 7.0.x updated: Revert local change made for load testing

2019-04-10 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/7.0.x by this push:
 new 806195b  Revert local change made for load testing
806195b is described below

commit 806195be94bc6460fe2a08f1e77d0c653a000612
Author: Mark Thomas 
AuthorDate: Wed Apr 10 09:14:48 2019 +0100

Revert local change made for load testing
---
 test/org/apache/tomcat/websocket/TesterFirehoseServer.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/org/apache/tomcat/websocket/TesterFirehoseServer.java 
b/test/org/apache/tomcat/websocket/TesterFirehoseServer.java
index ab09b6a..2aa3aef 100644
--- a/test/org/apache/tomcat/websocket/TesterFirehoseServer.java
+++ b/test/org/apache/tomcat/websocket/TesterFirehoseServer.java
@@ -58,7 +58,7 @@ import org.apache.tomcat.websocket.server.WsContextListener;
  */
 public class TesterFirehoseServer {
 
-public static final int MESSAGE_COUNT = 100;
+public static final int MESSAGE_COUNT = 10;
 public static final String MESSAGE;
 public static final int MESSAGE_SIZE = 1024;
 public static final int WAIT_TIME_MILLIS = 6;
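Review bot: MESSAGE_COUNT has no comment stating its intended value or why, which makes it easy for a local load-testing value to reach the branch and need a revert like this one. Suggest a one-line comment on the constant giving the intended default and noting that the tests depend on it; MESSAGE_SIZE and WAIT_TIME_MILLIS in the context lines would benefit from the same.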





[tomcat] branch 8.5.x updated (7fc16d1 -> 5af4ef5)

2019-04-10 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git.


from 7fc16d1  Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=63320 
Ensure that StatementCache caches statements that include arrays in arguments.
 new 4fcdf70  Escape debug output to aid readability
 new 8db79d0  Escape error message to aid readability
 new 80a709a  Use constants for encoding types
 new 1c1d49e  Limit CGI command line arguments
 new 5bc4e6d  Limit CGI command line arguments
 new a8ebe68  Test CGI decoded command line argument pattern
 new 5af4ef5  Disable enableCmdLineArguments by default. Hardening for CVE-2019-0232

The 19143 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 conf/web.xml   |  22 +
 java/org/apache/catalina/servlets/CGIServlet.java  |  88 --
 .../catalina/servlets/LocalStrings.properties  |   2 +
 java/org/apache/catalina/ssi/SSIEcho.java  |  15 ++-
 java/org/apache/catalina/ssi/SSIMediator.java  |  13 ++-
 java/org/apache/catalina/ssi/SSIPrintenv.java  |   3 +-
 .../servlets/TestCGIServletCmdLineArguments.java   | 101 +
 webapps/docs/cgi-howto.xml |  19 +++-
 webapps/docs/changelog.xml |  26 ++
 webapps/docs/security-howto.xml|   8 ++
 10 files changed, 272 insertions(+), 25 deletions(-)
 create mode 100755 
test/org/apache/catalina/servlets/TestCGIServletCmdLineArguments.java





[tomcat] branch master updated (9ea280c -> 95e0a06)

2019-04-10 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git.


from 9ea280c  Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=63320 
Ensure that StatementCache caches statements that include arrays in arguments.
 new 15fcd16  Escape debug output to aid readability
 new 785b8b8  Escape error message to aid readability
 new 0e14d67  Use constants for encoding types
 new 55f4eba  Limit CGI command line arguments
 new 4b244d8  Limit CGI command line arguments
 new 95e0a06  Test CGI decoded command line argument pattern

The 20712 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 conf/web.xml   |  22 +
 java/org/apache/catalina/servlets/CGIServlet.java  |  86 --
 .../catalina/servlets/LocalStrings.properties  |   2 +
 java/org/apache/catalina/ssi/SSIEcho.java  |  15 ++-
 java/org/apache/catalina/ssi/SSIMediator.java  |  14 ++-
 java/org/apache/catalina/ssi/SSIPrintenv.java  |   3 +-
 .../servlets/TestCGIServletCmdLineArguments.java   | 101 +
 webapps/docs/cgi-howto.xml |  17 +++-
 webapps/docs/changelog.xml |  21 +
 webapps/docs/security-howto.xml|   8 ++
 10 files changed, 266 insertions(+), 23 deletions(-)
 create mode 100755 
test/org/apache/catalina/servlets/TestCGIServletCmdLineArguments.java





[tomcat] branch 7.0.x updated (806195b -> 841d5b2)

2019-04-10 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git.


from 806195b  Revert local change made for load testing
 new 44ec74c  Escape debug output to aid readability
 new 251f61d  Escape error message to aid readability
 new 823d462  Use constants for encoding types
 new 6664438  Limit CGI command line arguments
 new 7f0221b  Limit CGI command line arguments
 new ec48c62  Test CGI decoded command line argument pattern
 new 841d5b2  Disable enableCmdLineArguments by default. Hardening for CVE-2019-0232

The 11958 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 conf/web.xml   |  22 +
 java/org/apache/catalina/servlets/CGIServlet.java  |  87 --
 .../catalina/servlets/LocalStrings.properties  |   2 +
 java/org/apache/catalina/ssi/SSIEcho.java  |  15 ++-
 java/org/apache/catalina/ssi/SSIMediator.java  |  13 ++-
 java/org/apache/catalina/ssi/SSIPrintenv.java  |   5 +-
 .../servlets/TestCGIServletCmdLineArguments.java   | 101 +
 webapps/docs/cgi-howto.xml |  19 +++-
 webapps/docs/changelog.xml |  26 ++
 webapps/docs/security-howto.xml|   8 ++
 10 files changed, 272 insertions(+), 26 deletions(-)
 create mode 100755 
test/org/apache/catalina/servlets/TestCGIServletCmdLineArguments.java





svn commit: r1857239 - in /tomcat/site/trunk: docs/security-7.html docs/security-8.html docs/security-9.html xdocs/security-7.xml xdocs/security-8.xml xdocs/security-9.xml

2019-04-10 Thread markt
Author: markt
Date: Wed Apr 10 11:02:51 2019
New Revision: 1857239

URL: http://svn.apache.org/viewvc?rev=1857239&view=rev
Log:
Add details of CVE-2019-0232

Modified:
tomcat/site/trunk/docs/security-7.html
tomcat/site/trunk/docs/security-8.html
tomcat/site/trunk/docs/security-9.html
tomcat/site/trunk/xdocs/security-7.xml
tomcat/site/trunk/xdocs/security-8.xml
tomcat/site/trunk/xdocs/security-9.xml

Modified: tomcat/site/trunk/docs/security-7.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1857239&r1=1857238&r2=1857239&view=diff
==
--- tomcat/site/trunk/docs/security-7.html (original)
+++ tomcat/site/trunk/docs/security-7.html Wed Apr 10 11:02:51 2019
@@ -211,6 +211,9 @@
 Apache Tomcat 7.x 
vulnerabilities
 
 
+Fixed in Apache Tomcat 7.0.94
+
+
 Fixed in Apache Tomcat 7.0.91
 
 
@@ -394,6 +397,40 @@
 
   
 
+
+not yet released Fixed in Apache Tomcat 
7.0.94
+
+
+
+
+Important: Remote Code Execution on Windows
+   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0232"; 
rel="nofollow">CVE-2019-0232
+
+
+
+When running on Windows with enableCmdLineArguments enabled, the CGI
+   Servlet is vulnerable to Remote Code Execution due to a bug in the way
+   the JRE passes command line arguments to Windows. The CGI Servlet is
+   disabled by default. For a detailed explanation of the JRE behaviour, 
see
+   https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html";>Markus
+   Wulftange's blog and this archived
+   https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/";>MSDN
+   blog.
+
+
+This was fixed with commit https://github.com/apache/tomcat/commit/7f0221b";>7f0221b.
+
+
+This issue was identified by an external security researcher and reported
+   to the Apache Tomcat security team via the bug bounty program sponsored
+   by the EU FOSSA-2 project on 3rd March 2019. The issue was made public 
on
+   10 April 2019.
+
+
+Affects: 7.0.0 to 7.0.93
+
+  
+
 
 19 September 2018 Fixed in Apache Tomcat 
7.0.91
 
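Review bot: the new CVE-2019-0232 entry states the precondition (Windows with enableCmdLineArguments enabled) but gives no mitigation, while the heading still marks 7.0.94 as "not yet released". Suggest adding a sentence that setting the CGI Servlet initialisation parameter enableCmdLineArguments to false mitigates the issue, as the announcement mail does, so readers who cannot upgrade yet have something to act on.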

Modified: tomcat/site/trunk/docs/security-8.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-8.html?rev=1857239&r1=1857238&r2=1857239&view=diff
==
--- tomcat/site/trunk/docs/security-8.html (original)
+++ tomcat/site/trunk/docs/security-8.html Wed Apr 10 11:02:51 2019
@@ -211,6 +211,9 @@
 Apache Tomcat 8.x 
vulnerabilities
 
 
+Fixed in Apache Tomcat 8.5.40
+
+
 Fixed in Apache Tomcat 8.5.38
 
 
@@ -373,6 +376,40 @@
 
   
 
+
+not yet released Fixed in Apache Tomcat 
8.5.40
+
+
+
+
+Important: Remote Code Execution on Windows
+   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0232"; 
rel="nofollow">CVE-2019-0232
+
+
+
+When running on Windows with enableCmdLineArguments enabled, the CGI
+   Servlet is vulnerable to Remote Code Execution due to a bug in the way
+   the JRE passes command line arguments to Windows. The CGI Servlet is
+   disabled by default. For a detailed explanation of the JRE behaviour, 
see
+   https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html";>Markus
+   Wulftange's blog and this archived
+   https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/";>MSDN
+   blog.
+
+
+This was fixed with commit https://github.com/apache/tomcat/commit/5bc4e6d";>5bc4e6d.
+
+
+This issue was identified by an external security researcher and reported
+   to the Apache Tomcat security team via the bug bounty program sponsored
+   by the EU FOSSA-2 project on 3rd March 2019. The issue was made public 
on
+   10 April 2019.
+
+
+Affects: 8.5.0 to 8.5.39
+
+  
+
 
 8 February 2019 Fixed in Apache Tomcat 
8.5.38
 
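Review bot: the "This was fixed with commit" line links only 5bc4e6d, but the 8.5.x push lists two commits titled "Limit CGI command line arguments" (1c1d49e and 5bc4e6d) and 5af4ef5, which disables enableCmdLineArguments by default as hardening. Suggest checking whether 1c1d49e is part of the fix and, if so, linking it too, and mentioning the changed default so that anyone backporting picks up the full change set.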

Modified: tomcat/site/trunk/docs/security-9.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-9.html?rev=1857239&r1=1857238&r2=1857239&view=diff
==
--- tomcat/site/trunk/docs/security-9.html (original)
+++ tomcat/site/trunk/docs/security-9.html Wed Apr 10 11:02:51 2019
@@ -211,6 +211,9 @@
 Apache Tomcat 9.x 
vulnerabilities
 
 
+Fixed in Apache Tomcat 9.0.18
+
+
 Fixed in Apache Tomcat 9.0.16
 
 
@@ -313,6 +316,42 @@
 
   
 
+
+not yet released Fixed in Apache Tomcat 
9.0.18
+
+
+
+
+Important: Remote Code Execution on Windows
+   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0232"; 
rel="nofollow">CVE-2019-0232
+
+
+
+When running on Windows with enableCmdLineArguments enabled, the CGI
+   Servlet is vulnerable

[SECURITY] CVE-2019-0232 Apache Tomcat Remote Code Execution on Windows

2019-04-10 Thread Mark Thomas
CVE-2019-0232 Apache Tomcat Remote Code Execution on Windows

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.17
Apache Tomcat 8.5.0 to 8.5.39
Apache Tomcat 7.0.0 to 7.0.93

Description:
When running on Windows with enableCmdLineArguments enabled, the CGI
Servlet is vulnerable to Remote Code Execution due to a bug in the way
the JRE passes command line arguments to Windows. The CGI Servlet is
disabled by default. The CGI option enableCmdLineArguments is disabled
by default in Tomcat 9.0.x (and will be disabled by default in all
versions in response to this vulnerability). For a detailed explanation
of the JRE behaviour, see Markus Wulftange's blog [1] and this archived
MSDN blog [2].

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Ensure the CGI Servlet initialisation parameter enableCmdLineArguments
is set to false
- Upgrade to Apache Tomcat 9.0.18 or later when released
- Upgrade to Apache Tomcat 8.5.40 or later when released
- Upgrade to Apache Tomcat 7.0.93 or later when released
This announcement is being made before the releases are available as the
change to fix this issue is obviously security related.


Credit:
This issue was identified by an external security researcher and
reported to the Apache Tomcat security team via the bug bounty program
sponsored by the EU FOSSA-2 project.

References:
[1]
https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html
[2]
https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/
[3] http://tomcat.apache.org/security-9.html
[4] http://tomcat.apache.org/security-8.html
[5] http://tomcat.apache.org/security-7.html

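The first mitigation in the advisory above, as an added example (not from the advisory or the Tomcat code base): a Python audit that finds active CGIServlet declarations in a web.xml and reports whether enableCmdLineArguments is effectively enabled for a given Tomcat version. The sample descriptors, the status labels, and the treatment of an unset option as enabled on affected 8.5.x and 7.0.x are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

CGI_SERVLET_CLASS = "org.apache.catalina.servlets.CGIServlet"
PARAM = "enableCmdLineArguments"

# "Versions Affected" in the advisory: branch -> last affected patch level.
LAST_AFFECTED = {(9, 0): 17, (8, 5): 39, (7, 0): 93}
# The advisory states the option is already off by default on 9.0.x.
# Assumption: on affected 8.5.x and 7.0.x an unset option means enabled.
DEFAULT_ENABLED = {(9, 0): False, (8, 5): True, (7, 0): True}

# Constructed sample descriptor: CGI servlet active, option not set.
WEB_XML_UNSET = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
    <init-param>
      <param-name>cgiPathPrefix</param-name>
      <param-value>WEB-INF/cgi</param-value>
    </init-param>
  </servlet>
</web-app>"""
# Constructed: the same descriptor with the advisory's mitigation applied.
WEB_XML_MITIGATED = WEB_XML_UNSET.replace(
    "  </servlet>",
    "    <init-param>\n"
    "      <param-name>enableCmdLineArguments</param-name>\n"
    "      <param-value>false</param-value>\n"
    "    </init-param>\n"
    "  </servlet>")
# Constructed: declaration commented out, so the CGI servlet is not active.
WEB_XML_COMMENTED = (WEB_XML_UNSET.replace("<servlet>", "<!-- <servlet>")
                     .replace("</servlet>", "</servlet> -->"))


def parse_version(version):
    """'8.5.39' -> (8, 5, 39); a milestone such as '9.0.0.M1' -> (9, 0, 0)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if m is None:
        raise ValueError("unrecognised Tomcat version: %r" % (version,))
    return tuple(int(g) for g in m.groups())


def is_affected(version):
    """True if the version falls in the advisory's affected ranges."""
    major, minor, patch = parse_version(version)
    last = LAST_AFFECTED.get((major, minor))
    return last is not None and patch <= last


def _local(tag):
    # Drop the '{namespace}' prefix; web.xml namespaces differ between branches.
    return tag.rsplit("}", 1)[-1]


def _text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def cgi_servlets(web_xml):
    """Return [(servlet-name, {init-param: value})] for active CGIServlet entries.

    The parser drops XML comments, so a commented-out declaration yields nothing.
    """
    found = []
    for elem in ET.fromstring(web_xml).iter():
        if _local(elem.tag) == "servlet" and _text(elem, "servlet-class") == CGI_SERVLET_CLASS:
            params = {_text(p, "param-name"): _text(p, "param-value")
                      for p in elem if _local(p.tag) == "init-param"}
            found.append((_text(elem, "servlet-name"), params))
    return found


def audit(web_xml, version, on_windows):
    """Return one finding dict per active CGI servlet declaration."""
    major, minor, _ = parse_version(version)
    findings = []
    for name, params in cgi_servlets(web_xml):
        raw = params.get(PARAM)
        if raw is None:
            # Branches this example does not know are treated as enabled.
            enabled, source = DEFAULT_ENABLED.get((major, minor), True), "default"
        else:
            # Assumption: the value is read like Java's Boolean.parseBoolean.
            enabled, source = raw.lower() == "true", "explicit"
        if not enabled:
            status = "OK"
        elif is_affected(version) and on_windows:
            status = "VULNERABLE"
        else:
            status = "HARDEN"  # outside the advisory's conditions; still set it to false
        findings.append({"servlet": name, "enabled": enabled,
                         "source": source, "status": status})
    return findings


if __name__ == "__main__":
    for label, xml, ver in (("unset on 8.5.39", WEB_XML_UNSET, "8.5.39"),
                            ("unset on 9.0.17", WEB_XML_UNSET, "9.0.17"),
                            ("mitigated on 7.0.93", WEB_XML_MITIGATED, "7.0.93")):
        print(label, audit(xml, ver, on_windows=True))
```

Run it against both conf/web.xml and each application's WEB-INF/web.xml, since the servlet can be declared in either.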



buildbot failure in on tomcat-7-trunk

2019-04-10 Thread buildbot
The Buildbot has detected a new failure on builder tomcat-7-trunk while 
building tomcat. Full details are available at:
https://ci.apache.org/builders/tomcat-7-trunk/builds/1319

Buildbot URL: https://ci.apache.org/

Buildslave for this Build: silvanus_ubuntu

Build Reason: The AnyBranchScheduler scheduler named 'on-tomcat-7-commit' 
triggered this build
Build Source Stamp: [branch 7.0.x] 841d5b24c6950e0510688a5597cde9ae1f094a0d
Blamelist: Mark Thomas 

BUILD FAILED: failed compile_1

Sincerely,
 -The Buildbot







[tomcat] branch 7.0.x updated: Correct backport for Java 6

2019-04-10 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/7.0.x by this push:
 new bd4f326  Correct backport for Java 6
bd4f326 is described below

commit bd4f3267d1ac0894029c652ad11e6ad15b3344e5
Author: Mark Thomas 
AuthorDate: Wed Apr 10 12:37:53 2019 +0100

Correct backport for Java 6
---
 .../apache/catalina/servlets/TestCGIServletCmdLineArguments.java  | 8 +---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git 
a/test/org/apache/catalina/servlets/TestCGIServletCmdLineArguments.java 
b/test/org/apache/catalina/servlets/TestCGIServletCmdLineArguments.java
index 16398c2..15f4d16 100755
--- a/test/org/apache/catalina/servlets/TestCGIServletCmdLineArguments.java
+++ b/test/org/apache/catalina/servlets/TestCGIServletCmdLineArguments.java
@@ -28,7 +28,7 @@ import org.junit.runner.RunWith;
 import org.junit.runners.Parameterized;
 import org.junit.runners.Parameterized.Parameter;
 
-import org.apache.tomcat.util.compat.JrePlatform;
+import org.apache.naming.resources.JrePlatform;
 
 @RunWith(Parameterized.class)
 public class TestCGIServletCmdLineArguments {
@@ -50,7 +50,9 @@ public class TestCGIServletCmdLineArguments {
 Field f = 
CGIServlet.class.getDeclaredField("cmdLineArgumentsDecodedPattern");
 f.setAccessible(true);
 p = (Pattern) f.get(cgiServlet);
-} catch (IllegalAccessException | NoSuchFieldException | 
SecurityException e) {
+} catch (IllegalAccessException e) {
+} catch (NoSuchFieldException e) {
+} catch (SecurityException e) {
 }
 
 Assert.assertEquals(defaultDecodedPatternWindows, p);
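Review bot: the three catch blocks introduced here for Java 6 are all empty, so a reflection failure leaves p at its initial value and the Assert.assertEquals(defaultDecodedPatternWindows, p) that follows fails without showing the cause. Suggest declaring the test method with throws Exception and dropping the try/catch, or calling Assert.fail(e.getMessage()) in each block.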
@@ -59,7 +61,7 @@ public class TestCGIServletCmdLineArguments {
 
 @Parameterized.Parameters(name = "{index}: argument[{0}], allowed[{1}]")
 public static Collection parameters() {
-List params = new ArrayList<>();
+List params = new ArrayList();
 params.add(new Object[] { "", Boolean.FALSE } );
 params.add(new Object[] { "<", Boolean.FALSE } );
 params.add(new Object[] { "\"", Boolean.FALSE } );





[tomcat] tag 9.0.18 created (now 9b0004c)

2019-04-10 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to tag 9.0.18
in repository https://gitbox.apache.org/repos/asf/tomcat.git.


  at 9b0004c  (commit)
This tag includes the following new commits:

 new 9b0004c  Tag 9.0.18

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.






[tomcat] 01/01: Tag 9.0.18

2019-04-10 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to tag 9.0.18
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 9b0004cf29f0a53e816d1047d9b25c03f0e295b5
Author: Mark Thomas 
AuthorDate: Wed Apr 10 12:57:17 2019 +0100

Tag 9.0.18
---
 build.properties.default   | 2 +-
 webapps/docs/changelog.xml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/build.properties.default b/build.properties.default
index ae29d14..805bb1f 100644
--- a/build.properties.default
+++ b/build.properties.default
@@ -27,7 +27,7 @@ version.major=9
 version.minor=0
 version.build=18
 version.patch=0
-version.suffix=-dev
+version.suffix=
 
 # - Build control flags -
 # Note enabling validation uses Checkstyle which is LGPL licensed
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index ccf6455..13d9df2 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -44,7 +44,7 @@
   They eventually become mixed with the numbered issues (i.e., numbered
   issues do not "pop up" wrt. others).
 -->
-
+
   
 
   





[tomcat] branch master updated: Fix failing test

2019-04-10 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/master by this push:
 new 03272c8  Fix failing test
03272c8 is described below

commit 03272c89802431625958df1c4674d11e1a4a3f65
Author: Mark Thomas 
AuthorDate: Wed Apr 10 13:28:47 2019 +0100

Fix failing test
---
 test/org/apache/catalina/servlets/TestCGIServletCmdLineArguments.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git 
a/test/org/apache/catalina/servlets/TestCGIServletCmdLineArguments.java 
b/test/org/apache/catalina/servlets/TestCGIServletCmdLineArguments.java
index 16398c2..c2bbae3 100755
--- a/test/org/apache/catalina/servlets/TestCGIServletCmdLineArguments.java
+++ b/test/org/apache/catalina/servlets/TestCGIServletCmdLineArguments.java
@@ -53,7 +53,8 @@ public class TestCGIServletCmdLineArguments {
 } catch (IllegalAccessException | NoSuchFieldException | 
SecurityException e) {
 }
 
-Assert.assertEquals(defaultDecodedPatternWindows, p);
+Assert.assertNotNull(p);
+Assert.assertEquals(defaultDecodedPatternWindows.toString(), 
p.toString());
 }
 }
 
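Review bot: comparing defaultDecodedPatternWindows.toString() with p.toString() checks only the regex source, so two patterns that differ in their flags would still pass. java.util.regex.Pattern does not override equals, which is why the removed assertEquals compared object identity; suggest also asserting that defaultDecodedPatternWindows.flags() equals p.flags().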





[tomcat] branch 7.0.x updated: Fix failing test

2019-04-10 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/7.0.x by this push:
 new e451c30  Fix failing test
e451c30 is described below

commit e451c30cdc42c87ff750fe751d1860052bc35dbe
Author: Mark Thomas 
AuthorDate: Wed Apr 10 13:28:47 2019 +0100

Fix failing test
---
 test/org/apache/catalina/servlets/TestCGIServletCmdLineArguments.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git 
a/test/org/apache/catalina/servlets/TestCGIServletCmdLineArguments.java 
b/test/org/apache/catalina/servlets/TestCGIServletCmdLineArguments.java
index 15f4d16..6b48062 100755
--- a/test/org/apache/catalina/servlets/TestCGIServletCmdLineArguments.java
+++ b/test/org/apache/catalina/servlets/TestCGIServletCmdLineArguments.java
@@ -55,7 +55,8 @@ public class TestCGIServletCmdLineArguments {
 } catch (SecurityException e) {
 }
 
-Assert.assertEquals(defaultDecodedPatternWindows, p);
+Assert.assertNotNull(p);
+Assert.assertEquals(defaultDecodedPatternWindows.toString(), 
p.toString());
 }
 }
 





[tomcat] branch 8.5.x updated: Fix failing test

2019-04-10 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/8.5.x by this push:
 new 7b961c2  Fix failing test
7b961c2 is described below

commit 7b961c26af8b3057e4d100e74814e6e04dfb946e
Author: Mark Thomas 
AuthorDate: Wed Apr 10 13:28:47 2019 +0100

Fix failing test
---
 test/org/apache/catalina/servlets/TestCGIServletCmdLineArguments.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git 
a/test/org/apache/catalina/servlets/TestCGIServletCmdLineArguments.java 
b/test/org/apache/catalina/servlets/TestCGIServletCmdLineArguments.java
index 16398c2..c2bbae3 100755
--- a/test/org/apache/catalina/servlets/TestCGIServletCmdLineArguments.java
+++ b/test/org/apache/catalina/servlets/TestCGIServletCmdLineArguments.java
@@ -53,7 +53,8 @@ public class TestCGIServletCmdLineArguments {
 } catch (IllegalAccessException | NoSuchFieldException | 
SecurityException e) {
 }
 
-Assert.assertEquals(defaultDecodedPatternWindows, p);
+Assert.assertNotNull(p);
+Assert.assertEquals(defaultDecodedPatternWindows.toString(), 
p.toString());
 }
 }
 





[tomcat] tag 9.0.18 deleted (was 9b0004c)

2019-04-10 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to tag 9.0.18
in repository https://gitbox.apache.org/repos/asf/tomcat.git.


*** WARNING: tag 9.0.18 was deleted! ***

 was 9b0004c  Tag 9.0.18

This change permanently discards the following revisions:

 discard 9b0004c  Tag 9.0.18





[tomcat] tag 9.0.18 created (now 0862607)

2019-04-10 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to tag 9.0.18
in repository https://gitbox.apache.org/repos/asf/tomcat.git.


  at 0862607  (commit)
This tag includes the following new commits:

 new 0862607  Tag 9.0.18

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.






[tomcat] 01/01: Tag 9.0.18

2019-04-10 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to tag 9.0.18
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 0862607e5da91a7c476a6350288d8d8a9380f556
Author: Mark Thomas 
AuthorDate: Wed Apr 10 13:36:27 2019 +0100

Tag 9.0.18
---
 build.properties.default   | 2 +-
 webapps/docs/changelog.xml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/build.properties.default b/build.properties.default
index ae29d14..805bb1f 100644
--- a/build.properties.default
+++ b/build.properties.default
@@ -27,7 +27,7 @@ version.major=9
 version.minor=0
 version.build=18
 version.patch=0
-version.suffix=-dev
+version.suffix=
 
 # - Build control flags -
 # Note enabling validation uses Checkstyle which is LGPL licensed
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index ccf6455..13d9df2 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -44,7 +44,7 @@
   They eventually become mixed with the numbered issues (i.e., numbered
   issues do not "pop up" wrt. others).
 -->
-
+
   
 
   





buildbot success in on tomcat-7-trunk

2019-04-10 Thread buildbot
The Buildbot has detected a restored build on builder tomcat-7-trunk while 
building tomcat. Full details are available at:
https://ci.apache.org/builders/tomcat-7-trunk/builds/1320

Buildbot URL: https://ci.apache.org/

Buildslave for this Build: silvanus_ubuntu

Build Reason: The AnyBranchScheduler scheduler named 'on-tomcat-7-commit' 
triggered this build
Build Source Stamp: [branch 7.0.x] bd4f3267d1ac0894029c652ad11e6ad15b3344e5
Blamelist: Mark Thomas 

Build succeeded!

Sincerely,
 -The Buildbot







svn commit: r33545 - in /dev/tomcat/tomcat-9/v9.0.18: ./ bin/ bin/embed/ src/

2019-04-10 Thread markt
Author: markt
Date: Wed Apr 10 13:13:30 2019
New Revision: 33545

Log:
Upload 9.0.18 for release

Added:
dev/tomcat/tomcat-9/v9.0.18/
dev/tomcat/tomcat-9/v9.0.18/KEYS
dev/tomcat/tomcat-9/v9.0.18/README.html
dev/tomcat/tomcat-9/v9.0.18/RELEASE-NOTES
dev/tomcat/tomcat-9/v9.0.18/bin/
dev/tomcat/tomcat-9/v9.0.18/bin/README.html
dev/tomcat/tomcat-9/v9.0.18/bin/apache-tomcat-9.0.18-deployer.tar.gz   
(with props)
dev/tomcat/tomcat-9/v9.0.18/bin/apache-tomcat-9.0.18-deployer.tar.gz.asc
dev/tomcat/tomcat-9/v9.0.18/bin/apache-tomcat-9.0.18-deployer.tar.gz.sha512
dev/tomcat/tomcat-9/v9.0.18/bin/apache-tomcat-9.0.18-deployer.zip   (with 
props)
dev/tomcat/tomcat-9/v9.0.18/bin/apache-tomcat-9.0.18-deployer.zip.asc
dev/tomcat/tomcat-9/v9.0.18/bin/apache-tomcat-9.0.18-deployer.zip.sha512
dev/tomcat/tomcat-9/v9.0.18/bin/apache-tomcat-9.0.18-fulldocs.tar.gz   
(with props)
dev/tomcat/tomcat-9/v9.0.18/bin/apache-tomcat-9.0.18-fulldocs.tar.gz.asc
dev/tomcat/tomcat-9/v9.0.18/bin/apache-tomcat-9.0.18-fulldocs.tar.gz.sha512
dev/tomcat/tomcat-9/v9.0.18/bin/apache-tomcat-9.0.18-windows-x64.zip   
(with props)
dev/tomcat/tomcat-9/v9.0.18/bin/apache-tomcat-9.0.18-windows-x64.zip.asc
dev/tomcat/tomcat-9/v9.0.18/bin/apache-tomcat-9.0.18-windows-x64.zip.sha512
dev/tomcat/tomcat-9/v9.0.18/bin/apache-tomcat-9.0.18-windows-x86.zip   
(with props)
dev/tomcat/tomcat-9/v9.0.18/bin/apache-tomcat-9.0.18-windows-x86.zip.asc
dev/tomcat/tomcat-9/v9.0.18/bin/apache-tomcat-9.0.18-windows-x86.zip.sha512
dev/tomcat/tomcat-9/v9.0.18/bin/apache-tomcat-9.0.18.exe   (with props)
dev/tomcat/tomcat-9/v9.0.18/bin/apache-tomcat-9.0.18.exe.asc
dev/tomcat/tomcat-9/v9.0.18/bin/apache-tomcat-9.0.18.exe.sha512
dev/tomcat/tomcat-9/v9.0.18/bin/apache-tomcat-9.0.18.tar.gz   (with props)
dev/tomcat/tomcat-9/v9.0.18/bin/apache-tomcat-9.0.18.tar.gz.asc
dev/tomcat/tomcat-9/v9.0.18/bin/apache-tomcat-9.0.18.tar.gz.sha512
dev/tomcat/tomcat-9/v9.0.18/bin/apache-tomcat-9.0.18.zip   (with props)
dev/tomcat/tomcat-9/v9.0.18/bin/apache-tomcat-9.0.18.zip.asc
dev/tomcat/tomcat-9/v9.0.18/bin/apache-tomcat-9.0.18.zip.sha512
dev/tomcat/tomcat-9/v9.0.18/bin/embed/
dev/tomcat/tomcat-9/v9.0.18/bin/embed/apache-tomcat-9.0.18-embed.tar.gz   
(with props)
dev/tomcat/tomcat-9/v9.0.18/bin/embed/apache-tomcat-9.0.18-embed.tar.gz.asc

dev/tomcat/tomcat-9/v9.0.18/bin/embed/apache-tomcat-9.0.18-embed.tar.gz.sha512
dev/tomcat/tomcat-9/v9.0.18/bin/embed/apache-tomcat-9.0.18-embed.zip   
(with props)
dev/tomcat/tomcat-9/v9.0.18/bin/embed/apache-tomcat-9.0.18-embed.zip.asc
dev/tomcat/tomcat-9/v9.0.18/bin/embed/apache-tomcat-9.0.18-embed.zip.sha512
dev/tomcat/tomcat-9/v9.0.18/src/
dev/tomcat/tomcat-9/v9.0.18/src/apache-tomcat-9.0.18-src.tar.gz   (with 
props)
dev/tomcat/tomcat-9/v9.0.18/src/apache-tomcat-9.0.18-src.tar.gz.asc
dev/tomcat/tomcat-9/v9.0.18/src/apache-tomcat-9.0.18-src.tar.gz.sha512
dev/tomcat/tomcat-9/v9.0.18/src/apache-tomcat-9.0.18-src.zip   (with props)
dev/tomcat/tomcat-9/v9.0.18/src/apache-tomcat-9.0.18-src.zip.asc
dev/tomcat/tomcat-9/v9.0.18/src/apache-tomcat-9.0.18-src.zip.sha512

Added: dev/tomcat/tomcat-9/v9.0.18/KEYS
==
--- dev/tomcat/tomcat-9/v9.0.18/KEYS (added)
+++ dev/tomcat/tomcat-9/v9.0.18/KEYS Wed Apr 10 13:13:30 2019
@@ -0,0 +1,676 @@
+This file contains the PGP&GPG keys of various Apache developers.
+Please don't use them for email unless you have to. Their main
+purpose is code signing.
+
+Apache users: pgp < KEYS
+Apache developers:
+(pgpk -ll  && pgpk -xa ) >> this file.
+  or
+(gpg --fingerprint --list-sigs 
+ && gpg --armor --export ) >> this file.
+
+Apache developers: please ensure that your key is also available via the
+PGP keyservers (such as pgpkeys.mit.edu).
+
+
+Type Bits/KeyIDDate   User ID
+pub  2048/F22C4FED 2001/07/02 Andy Armstrong 
+
+-BEGIN PGP PUBLIC KEY BLOCK-
+Version: PGPfreeware 7.0.3 for non-commercial use 


[tomcat] branch master updated: Increment version for next development cycle

2019-04-10 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/master by this push:
 new 0c21aac  Increment version for next development cycle
0c21aac is described below

commit 0c21aacbe7d1aac545f89b7a5a99a982771fcb80
Author: Mark Thomas 
AuthorDate: Wed Apr 10 14:34:45 2019 +0100

Increment version for next development cycle
---
 build.properties.default | 2 +-
 res/maven/mvn.properties.default | 2 +-
 webapps/docs/changelog.xml   | 4 +++-
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/build.properties.default b/build.properties.default
index ae29d14..b4227b5 100644
--- a/build.properties.default
+++ b/build.properties.default
@@ -25,7 +25,7 @@
 # - Version Control Flags -
 version.major=9
 version.minor=0
-version.build=18
+version.build=19
 version.patch=0
 version.suffix=-dev
 
diff --git a/res/maven/mvn.properties.default b/res/maven/mvn.properties.default
index 5ed984b..6d26fbc 100644
--- a/res/maven/mvn.properties.default
+++ b/res/maven/mvn.properties.default
@@ -39,7 +39,7 @@ 
maven.asf.release.repo.url=https://repository.apache.org/service/local/staging/d
 maven.asf.release.repo.repositoryId=apache.releases.https
 
 # Release version info
-maven.asf.release.deploy.version=9.0.18
+maven.asf.release.deploy.version=9.0.19
 
 #Where do we load the libraries from
 tomcat.lib.path=../../output/build/lib
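Review bot: maven.asf.release.deploy.version=9.0.19 repeats by hand the version that build.properties.default already carries as version.major, version.minor and version.build, so the two files can drift apart if one of them is missed on the next increment. Consider deriving the Maven deploy version from the three version.* properties, or adding a build-time check that fails when they disagree.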
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index ccf6455..40c4f86 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -44,7 +44,9 @@
   They eventually become mixed with the numbered issues (i.e., numbered
   issues do not "pop up" wrt. others).
 -->
-
+
+
+
   
 
   





[VOTE] Release Apache Tomcat 9.0.18

2019-04-10 Thread Mark Thomas
The proposed Apache Tomcat 9.0.18 release is now available for voting.

The major changes compared to the 9.0.17 release are:

- Fix for CVE-2019-0232, an RCE vulnerability on Windows

- Add support for Java 11 to the JSP compiler. Java 12 and 13 are also
  now supported if used with an ECJ version with support for those Java
  versions

- Various NIO2 stability improvements

Along with lots of other bug fixes and improvements.

For full details, see the changelog:
https://ci.apache.org/projects/tomcat/tomcat9/docs/changelog.html

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-9/v9.0.18/
The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1207/
The tag is:
https://github.com/apache/tomcat/tree/9.0.18
0862607e5da91a7c476a6350288d8d8a9380f556

The proposed 9.0.18 release is:
[ ] Broken - do not release
[ ] Stable - go ahead and release as 9.0.18


Due to the security fix contained in this release, the voting period may
be shortened once sufficient votes are cast to enable a faster release.




[tomcat] 01/01: Tag 8.5.40

2019-04-10 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to tag 8.5.40
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 5ec070352b283535946327b44228b610a27a76c5
Author: Mark Thomas 
AuthorDate: Wed Apr 10 15:26:13 2019 +0100

Tag 8.5.40
---
 build.properties.default   | 2 +-
 webapps/docs/changelog.xml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/build.properties.default b/build.properties.default
index 30593a2..8ac088c 100644
--- a/build.properties.default
+++ b/build.properties.default
@@ -27,7 +27,7 @@ version.major=8
 version.minor=5
 version.build=40
 version.patch=0
-version.suffix=-dev
+version.suffix=
 
 # - Build control flags -
 # Note enabling validation uses Checkstyle which is LGPL licensed
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 8b9483b..3773852 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -44,7 +44,7 @@
   They eventually become mixed with the numbered issues. (I.e., numbered
   issues do not "pop up" wrt. others).
 -->
-
+
   
 
   





[tomcat] tag 8.5.40 created (now 5ec0703)

2019-04-10 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to tag 8.5.40
in repository https://gitbox.apache.org/repos/asf/tomcat.git.


  at 5ec0703  (commit)
This tag includes the following new commits:

 new 5ec0703  Tag 8.5.40

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.






[tomcat] branch master updated: Add vectoring for NIO

2019-04-10 Thread remm
This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/master by this push:
 new d58aa08  Add vectoring for NIO
d58aa08 is described below

commit d58aa0849f6eda19720af61082f8b12254e841bb
Author: remm 
AuthorDate: Wed Apr 10 16:28:13 2019 +0200

Add vectoring for NIO

This is done by adding the ScatteringByteChannel and
GatheringByteChannel in the main NioChannel. The read SSL code is the
most complex portion and is based on the latest version of the NIO2
channel.
---
 java/org/apache/tomcat/util/net/NioChannel.java|  28 +++-
 .../apache/tomcat/util/net/SecureNioChannel.java   | 146 -
 webapps/docs/changelog.xml |   7 +
 3 files changed, 176 insertions(+), 5 deletions(-)

diff --git a/java/org/apache/tomcat/util/net/NioChannel.java 
b/java/org/apache/tomcat/util/net/NioChannel.java
index 34a70f5..4bc865c 100644
--- a/java/org/apache/tomcat/util/net/NioChannel.java
+++ b/java/org/apache/tomcat/util/net/NioChannel.java
@@ -19,6 +19,8 @@ package org.apache.tomcat.util.net;
 import java.io.IOException;
 import java.nio.ByteBuffer;
 import java.nio.channels.ByteChannel;
+import java.nio.channels.GatheringByteChannel;
+import java.nio.channels.ScatteringByteChannel;
 import java.nio.channels.SelectionKey;
 import java.nio.channels.Selector;
 import java.nio.channels.SocketChannel;
@@ -33,7 +35,7 @@ import org.apache.tomcat.util.res.StringManager;
  *
  * @version 1.0
  */
-public class NioChannel implements ByteChannel {
+public class NioChannel implements ByteChannel, ScatteringByteChannel, 
GatheringByteChannel {
 
 protected static final StringManager sm = 
StringManager.getManager(NioChannel.class);
 
@@ -134,6 +136,18 @@ public class NioChannel implements ByteChannel {
 return sc.write(src);
 }
 
+@Override
+public long write(ByteBuffer[] srcs) throws IOException {
+return write(srcs, 0, srcs.length);
+}
+
+@Override
+public long write(ByteBuffer[] srcs, int offset, int length)
+throws IOException {
+checkInterruptStatus();
+return sc.write(srcs, offset, length);
+}
+
 /**
  * Reads a sequence of bytes from this channel into the given buffer.
  *
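Review bot: the two gathering write overloads are added without Javadoc, while the single-buffer methods next to them are documented (the trailing context shows the "Reads a sequence of bytes from this channel into the given buffer" comment). A short comment on write(ByteBuffer[] srcs, int offset, int length) saying that it runs checkInterruptStatus() and then delegates to sc would keep the class consistent and record that the interrupt check is part of the contract here.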
@@ -147,6 +161,17 @@ public class NioChannel implements ByteChannel {
 return sc.read(dst);
 }
 
+@Override
+public long read(ByteBuffer[] dsts) throws IOException {
+return read(dsts, 0, dsts.length);
+}
+
+@Override
+public long read(ByteBuffer[] dsts, int offset, int length)
+throws IOException {
+return sc.read(dsts, offset, length);
+}
+
 public Object getAttachment() {
 Poller pol = getPoller();
 Selector sel = pol!=null?pol.getSelector():null;
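Review bot: read(ByteBuffer[] dsts, int offset, int length) goes straight to sc.read(dsts, offset, length), whereas the gathering write added in the same commit calls checkInterruptStatus() first. If the asymmetry is deliberate it deserves a one-line comment; otherwise add the same check here so that a scattering read on an interrupted thread behaves like the write path.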
@@ -241,4 +266,5 @@ public class NioChannel implements ByteChannel {
 protected ApplicationBufferHandler getAppReadBufHandler() {
 return appReadBufHandler;
 }
+
 }
diff --git a/java/org/apache/tomcat/util/net/SecureNioChannel.java 
b/java/org/apache/tomcat/util/net/SecureNioChannel.java
index 33bd110..37bcc1f 100644
--- a/java/org/apache/tomcat/util/net/SecureNioChannel.java
+++ b/java/org/apache/tomcat/util/net/SecureNioChannel.java
@@ -43,7 +43,7 @@ import org.apache.tomcat.util.res.StringManager;
 /**
  * Implementation of a secure socket channel
  */
-public class SecureNioChannel extends NioChannel  {
+public class SecureNioChannel extends NioChannel {
 
 private static final Log log = LogFactory.getLog(SecureNioChannel.class);
 private static final StringManager sm = 
StringManager.getManager(SecureNioChannel.class);
@@ -611,9 +611,8 @@ public class SecureNioChannel extends NioChannel  {
 // This is the normal case for this code
 
getBufHandler().expand(sslEngine.getSession().getApplicationBufferSize());
 dst = getBufHandler().getReadBuffer();
-} else if (dst == getAppReadBufHandler().getByteBuffer()) {
-getAppReadBufHandler()
-
.expand(sslEngine.getSession().getApplicationBufferSize());
+} else if (getAppReadBufHandler() != null && dst == 
getAppReadBufHandler().getByteBuffer()) {
+
getAppReadBufHandler().expand(sslEngine.getSession().getApplicationBufferSize());
 dst = getAppReadBufHandler().getByteBuffer();
 } else {
 // Can't expand the buffer as there is no way to signal
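Review bot: the getAppReadBufHandler() != null guard added to the else-if is a behaviour change of its own (it avoids a NullPointerException when no application read buffer handler is set) and the commit message, which only talks about vectoring, does not mention it; it would be easier to track as a separate commit or with a line in the message. The getter is also now called four times in this branch, so reading it into a local once would make the null check, expand() and getByteBuffer() all operate on the same instance.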
@@ -630,6 +629,111 @@ public class SecureNioChannel extends NioChannel  {
 return read;
 }
 
+@Override
+public long read(ByteBuffer[] dsts, int offset, int length)
+throws IOException {
+//are we in the middle of clos

[tomcat] branch 8.5.x updated: Increment version number for next development cycle

2019-04-10 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/8.5.x by this push:
 new d71b285  Increment version number for next development cycle
d71b285 is described below

commit d71b285d5b0efde3543d9416b35c20dfe3fbcc40
Author: Mark Thomas 
AuthorDate: Wed Apr 10 15:44:33 2019 +0100

Increment version number for next development cycle
---
 build.properties.default | 2 +-
 res/maven/mvn.properties.default | 2 +-
 webapps/docs/changelog.xml   | 4 +++-
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/build.properties.default b/build.properties.default
index 30593a2..416eaf8 100644
--- a/build.properties.default
+++ b/build.properties.default
@@ -25,7 +25,7 @@
 # - Version Control Flags -
 version.major=8
 version.minor=5
-version.build=40
+version.build=41
 version.patch=0
 version.suffix=-dev
 
diff --git a/res/maven/mvn.properties.default b/res/maven/mvn.properties.default
index e858e8b..150ea1c 100644
--- a/res/maven/mvn.properties.default
+++ b/res/maven/mvn.properties.default
@@ -39,7 +39,7 @@ 
maven.asf.release.repo.url=https://repository.apache.org/service/local/staging/d
 maven.asf.release.repo.repositoryId=apache.releases.https
 
 # Release version info
-maven.asf.release.deploy.version=8.5.40
+maven.asf.release.deploy.version=8.5.41
 
 #Where do we load the libraries from
 tomcat.lib.path=../../output/build/lib
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 8b9483b..1ca23c4 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -44,7 +44,9 @@
   They eventually become mixed with the numbered issues. (I.e., numbered
   issues do not "pop up" wrt. others).
 -->
-
+
+
+
   
 
   





svn commit: r33547 - in /dev/tomcat/tomcat-8/v8.5.40: ./ bin/ bin/embed/ bin/extras/ src/

2019-04-10 Thread markt
Author: markt
Date: Wed Apr 10 14:57:10 2019
New Revision: 33547

Log:
Upload 8.5.40 for voting

Added:
dev/tomcat/tomcat-8/v8.5.40/
dev/tomcat/tomcat-8/v8.5.40/KEYS
dev/tomcat/tomcat-8/v8.5.40/README.html
dev/tomcat/tomcat-8/v8.5.40/RELEASE-NOTES
dev/tomcat/tomcat-8/v8.5.40/bin/
dev/tomcat/tomcat-8/v8.5.40/bin/README.html
dev/tomcat/tomcat-8/v8.5.40/bin/apache-tomcat-8.5.40-deployer.tar.gz   
(with props)
dev/tomcat/tomcat-8/v8.5.40/bin/apache-tomcat-8.5.40-deployer.tar.gz.asc
dev/tomcat/tomcat-8/v8.5.40/bin/apache-tomcat-8.5.40-deployer.tar.gz.sha512
dev/tomcat/tomcat-8/v8.5.40/bin/apache-tomcat-8.5.40-deployer.zip   (with 
props)
dev/tomcat/tomcat-8/v8.5.40/bin/apache-tomcat-8.5.40-deployer.zip.asc
dev/tomcat/tomcat-8/v8.5.40/bin/apache-tomcat-8.5.40-deployer.zip.sha512
dev/tomcat/tomcat-8/v8.5.40/bin/apache-tomcat-8.5.40-fulldocs.tar.gz   
(with props)
dev/tomcat/tomcat-8/v8.5.40/bin/apache-tomcat-8.5.40-fulldocs.tar.gz.asc
dev/tomcat/tomcat-8/v8.5.40/bin/apache-tomcat-8.5.40-fulldocs.tar.gz.sha512
dev/tomcat/tomcat-8/v8.5.40/bin/apache-tomcat-8.5.40-windows-x64.zip   
(with props)
dev/tomcat/tomcat-8/v8.5.40/bin/apache-tomcat-8.5.40-windows-x64.zip.asc
dev/tomcat/tomcat-8/v8.5.40/bin/apache-tomcat-8.5.40-windows-x64.zip.sha512
dev/tomcat/tomcat-8/v8.5.40/bin/apache-tomcat-8.5.40-windows-x86.zip   
(with props)
dev/tomcat/tomcat-8/v8.5.40/bin/apache-tomcat-8.5.40-windows-x86.zip.asc
dev/tomcat/tomcat-8/v8.5.40/bin/apache-tomcat-8.5.40-windows-x86.zip.sha512
dev/tomcat/tomcat-8/v8.5.40/bin/apache-tomcat-8.5.40.exe   (with props)
dev/tomcat/tomcat-8/v8.5.40/bin/apache-tomcat-8.5.40.exe.asc
dev/tomcat/tomcat-8/v8.5.40/bin/apache-tomcat-8.5.40.exe.sha512
dev/tomcat/tomcat-8/v8.5.40/bin/apache-tomcat-8.5.40.tar.gz   (with props)
dev/tomcat/tomcat-8/v8.5.40/bin/apache-tomcat-8.5.40.tar.gz.asc
dev/tomcat/tomcat-8/v8.5.40/bin/apache-tomcat-8.5.40.tar.gz.sha512
dev/tomcat/tomcat-8/v8.5.40/bin/apache-tomcat-8.5.40.zip   (with props)
dev/tomcat/tomcat-8/v8.5.40/bin/apache-tomcat-8.5.40.zip.asc
dev/tomcat/tomcat-8/v8.5.40/bin/apache-tomcat-8.5.40.zip.sha512
dev/tomcat/tomcat-8/v8.5.40/bin/embed/
dev/tomcat/tomcat-8/v8.5.40/bin/embed/apache-tomcat-8.5.40-embed.tar.gz   
(with props)
dev/tomcat/tomcat-8/v8.5.40/bin/embed/apache-tomcat-8.5.40-embed.tar.gz.asc

dev/tomcat/tomcat-8/v8.5.40/bin/embed/apache-tomcat-8.5.40-embed.tar.gz.sha512
dev/tomcat/tomcat-8/v8.5.40/bin/embed/apache-tomcat-8.5.40-embed.zip   
(with props)
dev/tomcat/tomcat-8/v8.5.40/bin/embed/apache-tomcat-8.5.40-embed.zip.asc
dev/tomcat/tomcat-8/v8.5.40/bin/embed/apache-tomcat-8.5.40-embed.zip.sha512
dev/tomcat/tomcat-8/v8.5.40/bin/extras/
dev/tomcat/tomcat-8/v8.5.40/bin/extras/catalina-jmx-remote.jar   (with 
props)
dev/tomcat/tomcat-8/v8.5.40/bin/extras/catalina-jmx-remote.jar.asc
dev/tomcat/tomcat-8/v8.5.40/bin/extras/catalina-jmx-remote.jar.sha512
dev/tomcat/tomcat-8/v8.5.40/bin/extras/catalina-ws.jar   (with props)
dev/tomcat/tomcat-8/v8.5.40/bin/extras/catalina-ws.jar.asc
dev/tomcat/tomcat-8/v8.5.40/bin/extras/catalina-ws.jar.sha512
dev/tomcat/tomcat-8/v8.5.40/src/
dev/tomcat/tomcat-8/v8.5.40/src/apache-tomcat-8.5.40-src.tar.gz   (with 
props)
dev/tomcat/tomcat-8/v8.5.40/src/apache-tomcat-8.5.40-src.tar.gz.asc
dev/tomcat/tomcat-8/v8.5.40/src/apache-tomcat-8.5.40-src.tar.gz.sha512
dev/tomcat/tomcat-8/v8.5.40/src/apache-tomcat-8.5.40-src.zip   (with props)
dev/tomcat/tomcat-8/v8.5.40/src/apache-tomcat-8.5.40-src.zip.asc
dev/tomcat/tomcat-8/v8.5.40/src/apache-tomcat-8.5.40-src.zip.sha512

Added: dev/tomcat/tomcat-8/v8.5.40/KEYS
==
--- dev/tomcat/tomcat-8/v8.5.40/KEYS (added)
+++ dev/tomcat/tomcat-8/v8.5.40/KEYS Wed Apr 10 14:57:10 2019
@@ -0,0 +1,616 @@
+This file contains the PGP&GPG keys of various Apache developers.
+Please don't use them for email unless you have to. Their main
+purpose is code signing.
+
+Apache users: pgp < KEYS
+Apache developers:
+(pgpk -ll  && pgpk -xa ) >> this file.
+  or
+(gpg --fingerprint --list-sigs 
+ && gpg --armor --export ) >> this file.
+
+Apache developers: please ensure that your key is also available via the
+PGP keyservers (such as pgpkeys.mit.edu).
+
+
+Type Bits/KeyIDDate   User ID
+pub  2048/F22C4FED 2001/07/02 Andy Armstrong 
+
+-BEGIN PGP PUBLIC KEY BLOCK-
+Version: PGPfreeware 7.0.3 for non-commercial use 
+
+mQGiBDtAWuURBADZ0KUEyUkSUiTA09e7tvEbX25STsjxrR+DNTainCls+XlkVOij
+gBv216lqge9tIsS0L6hCP4OQbFf/64qVtJssX4QXdyiZGb5wpmcj0Mz602Ew8r+N
+I0S5NvmogoYWW7BlP4r61jNxO5zrr03KaijM5r4ipJdLUxyOmM6P2jRPUwCg/5gm
+bpqiYl7pXX5FgDeB36tmD+UD/06iLqOnoiKO0vMbOk7URclhCObMNrHqxTxozMTS
+B9soYURbIeArei+plYo2n+1qB12ayybjhVu3uksXRdT9bEkyxMfslvLbIpDAG8Cz
+gNftTbKx/MVS7cQU0II8BKo2Akr

[VOTE] Release Apache Tomcat 8.5.40

2019-04-10 Thread Mark Thomas
The proposed Apache Tomcat 8.5.40 release is now available for voting.

The major changes compared to the 8.5.39 release are:

- Fix for CVE-2019-0232, an RCE vulnerability on Windows

- Add support for Java 11 to the JSP compiler. Java 12 and 13 are also
  now supported if used with an ECJ version with support for those Java
  versions

- Various NIO2 stability improvements


Along with lots of other bug fixes and improvements.

For full details, see the changelog:
https://ci.apache.org/projects/tomcat/tomcat85/docs/changelog.html

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-8/v8.5.40/

The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1208/

The tag is:
https://github.com/apache/tomcat/tree/8.5.40
5ec070352b283535946327b44228b610a27a76c5


The proposed 8.5.40 release is:
[ ] Broken - do not release
[ ] Stable - go ahead and release as 8.5.40


Due to the security fix contained in this release, the voting period may
be shortened once sufficient votes are cast to enable a faster release.




Re: [VOTE] Release Apache Tomcat 9.0.18

2019-04-10 Thread Mark Thomas
On 10/04/2019 14:44, Mark Thomas wrote:
> The proposed 9.0.18 release is:
> [ ] Broken - do not release
> [X] Stable - go ahead and release as 9.0.18

Unit tests pass for NIO, NIO2 and APR/Native on Windows, Linux and MacOS
with Tomcat-Native 1.2.21

Mark




Re: [VOTE] Release Apache Tomcat 8.5.40

2019-04-10 Thread Mark Thomas
On 10/04/2019 15:58, Mark Thomas wrote:
> The proposed 8.5.40 release is:
> [ ] Broken - do not release
> [X] Stable - go ahead and release as 8.5.40

Unit tests pass for NIO, NIO2 and APR/Native on Windows, Linux and MacOS
with Tomcat-Native 1.2.21

Mark




[Bug 63333] New: JAASRealm needs to override isAvailable method to prevent LockOutRealm to lock the user in case JAAS login modules are unavailable

2019-04-10 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63333

Bug ID: 63333
   Summary: JAASRealm needs to override isAvailable method to
prevent LockOutRealm to lock the user in case JAAS
login modules are unavailable
   Product: Tomcat 8
   Version: 8.5.x-trunk
  Hardware: PC
Status: NEW
  Severity: normal
  Priority: P2
 Component: Catalina
  Assignee: dev@tomcat.apache.org
  Reporter: jchobanto...@yahoo.com
  Target Milestone: 

JAASRealm needs to override isAvailable method to prevent LockOutRealm to lock
the user in case JAAS login modules are unavailable

If JAAS login module fails to authenticate because of network communication
issues it could throw RuntimeException (instead of checked LoginException) in
that case and if the configuration of JAAS is invalid

In following method:
protected Principal authenticate(String username, CallbackHandler
callbackHandler)

where 
ExceptionUtils.handleThrowable(e); is invoked set the available flag to false
so that it indicates that JAASRealm is not available to authenticate the user
instead of LockOutRealm to think that the user is not authenticated because of
Principal is null.

In CombinedRealm its isAvailable() method will check if the realm
!realm.isAvailable() and will not lock the user out




[Bug 63334] New: LockOutRealm will continue to invoke inner user realms even when the user is lockout

2019-04-10 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63334

Bug ID: 63334
   Summary: LockOutRealm will continue to invoke inner user realms
even when the user is lockout
   Product: Tomcat 8
   Version: 8.5.x-trunk
  Hardware: PC
Status: NEW
  Severity: normal
  Priority: P2
 Component: Catalina
  Assignee: dev@tomcat.apache.org
  Reporter: jchobanto...@yahoo.com
  Target Milestone: 

In case the user is locked out there is no need to invoke inner realms as the
result will always be unauthenticated user

In LockOutRealm modify each authenticate method to first check if the user is
locked out - if so then return the user is locked out without invoking inner
realms

So from this:
    @Override
    public Principal authenticate(String username, String clientDigest,
            String nonce, String nc, String cnonce, String qop,
            String realmName, String md5a2) {

        Principal authenticatedUser = super.authenticate(username,
                clientDigest, nonce, nc, cnonce,
                qop, realmName, md5a2);
        return filterLockedAccounts(username, authenticatedUser);
    }

To this:

    @Override
    public Principal authenticate(String username, String clientDigest,
            String nonce, String nc, String cnonce, String qop,
            String realmName, String md5a2) {
        if (isLocked(username)) {
            // If the user is currently locked, authentication will always fail
            log.warn(sm.getString("lockOutRealm.authLockedUser", username));
            return null;
        }
        Principal authenticatedUser = super.authenticate(username,
                clientDigest, nonce, nc, cnonce,
                qop, realmName, md5a2);
        return filterLockedAccounts(username, authenticatedUser);
    }

And that logic applied to all authenticate methods. This will prevent hitting
backend user realms in case the user is locked out because of invalid
username/password being used multiple times and the user got locked out - this
will act as denial of service attack prevention as well as most likely someone
could be trying to brute force guess user password and it will get each time
the user is locked out but the back end will be hit again and again no matter
that the result will be unauthenticated user

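
Added example, not Tomcat's code and not part of the two bug reports above (63333 and 63334): a simplified model of a lockout wrapper that counts how often the inner realm is contacted when the lock is checked before or after the backend call, and that treats a backend RuntimeException as an outage rather than a failed password. LockoutGate, CountingBackend, LockRecord, the sample credentials and the limit of 5 failures in 300 seconds are assumptions made for illustration.

```java
import java.util.HashMap;
import java.util.Map;

/** Simplified model of a lockout wrapper around an inner realm. Not Tomcat code. */
public class LockoutGateDemo {

    /** Hypothetical stand-in for an inner realm (JAAS, JDBC, LDAP ...). */
    static class CountingBackend {
        int calls = 0;            // how often the backend was actually contacted
        boolean reachable = true; // constructed switch that simulates a network outage

        boolean authenticate(String user, String password) {
            calls++;
            if (!reachable) {
                throw new IllegalStateException("backend unreachable");
            }
            return "alice".equals(user) && "correct-horse".equals(password);
        }
    }

    /** Per-user failure bookkeeping. */
    static class LockRecord {
        int failures;
        long lastFailureMillis;
    }

    static class LockoutGate {
        private final CountingBackend backend;
        private final boolean checkLockFirst;
        private final int failureLimit = 5;          // assumed limit
        private final long lockOutMillis = 300_000L; // assumed 5 minute lockout
        private final Map<String, LockRecord> records = new HashMap<>();

        LockoutGate(CountingBackend backend, boolean checkLockFirst) {
            this.backend = backend;
            this.checkLockFirst = checkLockFirst;
        }

        boolean isLocked(String user, long now) {
            LockRecord r = records.get(user);
            return r != null && r.failures >= failureLimit
                    && now - r.lastFailureMillis < lockOutMillis;
        }

        boolean authenticate(String user, String password, long now) {
            if (checkLockFirst && isLocked(user, now)) {
                return false; // locked: the answer is already known, skip the backend
            }
            boolean ok;
            try {
                ok = backend.authenticate(user, password);
            } catch (RuntimeException e) {
                return false; // outage: deny, but do not count it as a bad password
            }
            if (!ok) {
                LockRecord r = records.computeIfAbsent(user, u -> new LockRecord());
                r.failures++;
                r.lastFailureMillis = now;
            }
            if (isLocked(user, now)) {
                return false; // a correct password does not open a locked account
            }
            if (ok) {
                records.remove(user); // success clears earlier failures
            }
            return ok;
        }
    }

    /** Sends wrong passwords one second apart and returns the backend call count. */
    static int backendCallsUnderGuessing(boolean checkLockFirst, int attempts) {
        CountingBackend backend = new CountingBackend();
        LockoutGate gate = new LockoutGate(backend, checkLockFirst);
        for (int i = 0; i < attempts; i++) {
            gate.authenticate("alice", "guess-" + i, i * 1000L);
        }
        return backend.calls;
    }

    /** Ten logins during an outage, then one after recovery: is the user still let in? */
    static boolean loginSurvivesOutage() {
        CountingBackend backend = new CountingBackend();
        LockoutGate gate = new LockoutGate(backend, true);
        backend.reachable = false;
        for (int i = 0; i < 10; i++) {
            gate.authenticate("alice", "correct-horse", i * 1000L);
        }
        backend.reachable = true;
        return gate.authenticate("alice", "correct-horse", 11_000L);
    }

    public static void main(String[] args) {
        System.out.println("backend calls, lock checked after backend: "
                + backendCallsUnderGuessing(false, 20));
        System.out.println("backend calls, lock checked first:         "
                + backendCallsUnderGuessing(true, 20));
        System.out.println("login works after outage: " + loginSurvivesOutage());
    }
}
```

With the lock checked first, guesses made after the account locks never reach the backend; with it checked afterwards, every guess does.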



[Bug 63335] New: OneLineFormatter will append new space so that the exception stacktrace is shifted but it will not do that for all lines

2019-04-10 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63335

Bug ID: 63335
   Summary: OneLineFormatter will append new space so that the
exception stacktrace is shifted but it will not do
that for all lines
   Product: Tomcat 8
   Version: 8.5.x-trunk
  Hardware: PC
Status: NEW
  Severity: normal
  Priority: P2
 Component: Catalina
  Assignee: dev@tomcat.apache.org
  Reporter: jchobanto...@yahoo.com
  Target Milestone: 

OneLineFormatter will print log message and if there is exception it will
prepend the exception stacktrace with a space but the issue is that a stack
trace will look like this:
Sample Logging Message
Exception in thread "main" java.lang.NullPointerException
at com.example.myproject.Book.getTitle(Book.java:16)
at com.example.myproject.Author.getBookTitles(Author.java:25)
at com.example.myproject.Bootstrap.main(Bootstrap.java:14)

So now all lines after the message are having a space in front and we could
tell that the log message spans multiple lines because the log message starts
with a space
The issue is when there is a cause to the exception then the stacktrace will
look like this:
Sample Logging Message
Exception in thread "main" java.lang.NullPointerException
at com.example.myproject.Book.getTitle(Book.java:16)
at com.example.myproject.Author.getBookTitles(Author.java:25)
at com.example.myproject.Bootstrap.main(Bootstrap.java:14)
Caused by: java.lang.NullPointerException
at com.example.myproject.Book.getId(Book.java:22)
at com.example.myproject.Author.getBookIds(Author.java:36)
... 1 more

So the "Caused by" will not be shifted with one space to the right
Moreover if the message or the exception itself have new line in their string
message then we will end up with more than one line so the OneLineFormatter as
a name is misleading at best

Also the configuration of the OneLineFormatter is limited - one could only
specify the format of the date and that's all - it is much better to use the
configuration of the java's SimpleFormatter and just extend it to support the
thread name as 8th parameter
Here is such ExtendedSimpleFormatter class as example that will use
SimpleFormatter message log format pattern and replace newlines with newlines +
space in log messages so that we could implement log message continuation logic
in things like Elasticsearch's Filebeat - knowing that if a new line starts with
space it is continuation of the previous line.
Here is the source of the ExtendedSimpleFormatter that you could use and it was
based on OneLineFormatter in parts:


package org.apache.juli;

import java.io.PrintWriter;
import java.io.StringWriter;
import java.lang.management.ManagementFactory;
import java.lang.management.ThreadInfo;
import java.lang.management.ThreadMXBean;
import java.util.Date;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.logging.Formatter;
import java.util.logging.LogManager;
import java.util.logging.LogRecord;

public class ExtendedSimpleFormatter extends Formatter {

    private static final String format = LogManager.getLogManager()
            .getProperty(ExtendedSimpleFormatter.class.getName() + ".format");

    private static final String SEARCH_NEW_LINE = "\n";
    private static final String REPLACE_NEW_LINE = "\n ";
    private static final String NEW_LINE_PREFIX = System.lineSeparator() + " ";

    private final Date date = new Date();

    private static final String UNKNOWN_THREAD_NAME = "Unknown thread with ID ";
    private static final Object threadMxBeanLock = new Object();
    private static volatile ThreadMXBean threadMxBean = null;
    private static final int THREAD_NAME_CACHE_SIZE = 1;
    private static ThreadLocal<ThreadNameCache> threadNameCache =
            new ThreadLocal<ThreadNameCache>() {
        @Override
        protected ThreadNameCache initialValue() {
            return new ThreadNameCache(THREAD_NAME_CACHE_SIZE);
        }
    };

    public synchronized String format(LogRecord record) {
        date.setTime(record.getMillis());
        String source;
        if (record.getSourceClassName() != null) {
            source = record.getSourceClassName();
            if (record.getSourceMethodName() != null) {
                source += "." + record.getSourceMethodName();
            }
        } else {
            source = record.getLoggerName();
        }
        String message = formatMessage(record);
        if (message == null) {
            message = "";
        }

        // replace newline with NEW_LINE_REPLACEMENT in order to distinguish
        // regular log messages from message continuation
        message = replace(message, SEARCH_NEW_LINE, REPLACE_NEW_LINE);

        String throwable = "";
        if (record.getThrown() != null) {
            StringWriter sw = new StringWriter();
            PrintWriter pw = new PrintWriter(sw);
            record.getThrown().printStac

[Bug 63336] New: Currently there is no way to know in form error page that the user was not authenticated because it was locked out

2019-04-10 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63336

Bug ID: 63336
   Summary: Currently there is no way to know in form error page
that the user was not authenticated because it was
locked out
   Product: Tomcat 8
   Version: 8.5.x-trunk
  Hardware: PC
Status: NEW
  Severity: normal
  Priority: P2
 Component: Catalina
  Assignee: dev@tomcat.apache.org
  Reporter: jchobanto...@yahoo.com
  Target Milestone: 

If a user is locked out from LockOutRealm or if there are some specific
exceptions in backend user realms like user is locked in the backend, user is
required to change its password first etc (see JAAS exception like
AccountExpiredException, AccountLockedException, AccountNotFoundException or
CredentialExpiredException - in case the password is valid but because it was
requested that the user should change its password because forgot password has
been requested)

So we need some way to inform the user of the web app that the account has been
locked up in the login error page instead of just saying the username/password
is invalid as it is confusing and users are going to request forgot password
flow which will change their password and they are going to still not be able
to login if LockOutRealm has triggered lockout for 5 min.

What I'm suggesting is to provide custom configurable HttpServletRequest
attribute for example "login.error.message" of type String that describes why
the user was not able to login along with the exception itself so that we could
pass additional information into the exception itself in an attribute
"login.error.exception" (again configurable request attribute name in
server.xml as it is not standard - please do not use standard servlet error
message and error attributes as some frameworks will clear those attributes and
the login error page will not be able to get the correct message/exception)

Because LockOutRealm does not have the HttpServletRequest passed into the user
realms we need to have a Valve that will put the HttpServletRequest/Response
into thread local variable so that user realms/JAAS modules could obtain the
HttpServletRequest and inject the user attribute to be used by the login error
page

Note that currently basic authenticator will report 401 error but it will not
put into the body the reason why it was rejected so it could be a good thing to
refactor that as well and if request have the attribute to pull the value and
when sending 401 Http error from basic authentication to also put the error
message in the response body.

Here is an example that I'm using for LockOutRealm in order to report to the
user that the account is locked up and not that the username/password is
incorrect and having the user wonder what's wrong:

import java.security.Principal;
import java.security.cert.X509Certificate;

import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;
import javax.servlet.http.HttpServletRequest;

import org.apache.catalina.realm.LockOutRealm;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSName;

public class ExtendedLockOutRealm extends LockOutRealm {

    public static final String REQUEST_ATTRIBUTE_LOGIN_ERROR_MESSAGE =
            "login.error.message";

    public static final String REQUEST_ATTRIBUTE_LOCKOUT_MESSAGE =
            ExtendedLockOutRealm.class.getName() + ".REQUEST_ATTRIBUTE_LOCKOUT_MESSAGE";
    public static final String REQUEST_ATTRIBUTE_LOCKOUT_USERNAME =
            ExtendedLockOutRealm.class.getName() + ".REQUEST_ATTRIBUTE_LOCKOUT_USERNAME";
    public static final String REQUEST_ATTRIBUTE_LOCKOUT_TIME =
            ExtendedLockOutRealm.class.getName() + ".REQUEST_ATTRIBUTE_LOCKOUT_TIME";

    private static final Log log = LogFactory.getLog(LockOutRealm.class);

    @Override
    public Principal authenticate(String username, String clientDigest,
            String nonce, String nc, String cnonce, String qop,
            String realmName, String md5a2) {
        if (isLocked(username)) {
            processLockOutUser(username, null);
            return null;
        }
        Principal principal = super.authenticate(username, clientDigest, nonce,
                nc, cnonce, qop, realmName, md5a2);
        processLockOutUser(username, principal);
        return principal;
    }

    @Override
    public Principal authenticate(String username, String credentials) {
        if (isLocked(username)) {
            processLockOutUser(username, null);
            return null;
        }
        Principal principal = super.authenticate(username, credentials);
        processLockOutUser(username, principal);
        return principal;
    }

    @Override
    public Principal authenticate(X509Certificate[] certs) {
        String username = null;
        if (certs != null && certs.length > 0) {
   

[Bug 63334] LockOutRealm will continue to invoke inner user realms even when the user is lockout

2019-04-10 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63334

Mark Thomas  changed:

   What|Removed |Added

 OS||All
 Resolution|--- |WONTFIX
 Status|NEW |RESOLVED

--- Comment #1 from Mark Thomas  ---
The proposed change would expose the LockOut Realm to a timing attack enabling
a malicious user to determine if the Lockout Realm was in used its
configuration.

If repeated authentication requests trigger a DoS then that is a separate issue
that requires a separate (non-Tomcat) solution.




[tomcat] branch 7.0.x updated: Update RM

2019-04-10 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/7.0.x by this push:
 new a7832e0  Update RM
a7832e0 is described below

commit a7832e035e0fcd5fedc04984b136cffb762ebf4f
Author: Mark Thomas 
AuthorDate: Wed Apr 10 17:35:05 2019 +0100

Update RM
---
 webapps/docs/changelog.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 77b0660..4a4c2d7 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -58,7 +58,7 @@
   They eventually become mixed with the numbered issues. (I.e., numbered
   issues do not "pop up" wrt. others).
 -->
-
+
   
 
   





[Bug 63336] Currently there is no way to know in form error page that the user was not authenticated because it was locked out

2019-04-10 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63336

Mark Thomas  changed:

   What|Removed |Added

 OS||All
 Resolution|--- |WONTFIX
 Status|NEW |RESOLVED

--- Comment #1 from Mark Thomas  ---
This has been discussed previously and will not be implemented in Tomcat since
informing an attacker that an account has been locked is a (minor) security
vulnerability.

Users are free to extend Tomcat to provide this functionality in their apps if
they wish.

Requests to modify Tomcat to make this sort of extension easier are likely to
be looked on favourably - especially if patches are provided.




[Bug 63334] LockOutRealm will continue to invoke inner user realms even when the user is lockout

2019-04-10 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63334

--- Comment #2 from Mark Thomas  ---
Sorry about the typo

"... in use and its configuration."




[tomcat] tag 7.0.94 created (now 9ddb14a)

2019-04-10 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to tag 7.0.94
in repository https://gitbox.apache.org/repos/asf/tomcat.git.


  at 9ddb14a  (commit)
This tag includes the following new commits:

 new 9ddb14a  Tag 7.0.94

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.






[tomcat] 01/01: Tag 7.0.94

2019-04-10 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to tag 7.0.94
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 9ddb14a0e76080feee34f3eca89e5413b93852f9
Author: Mark Thomas 
AuthorDate: Wed Apr 10 17:40:23 2019 +0100

Tag 7.0.94
---
 build.properties.default | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.properties.default b/build.properties.default
index f8782c3..f42d82e 100644
--- a/build.properties.default
+++ b/build.properties.default
@@ -27,7 +27,7 @@ version.major=7
 version.minor=0
 version.build=94
 version.patch=0
-version.suffix=-dev
+version.suffix=
 
 # - Build control flags -
 # Note enabling validation uses Checkstyle which is LGPL licensed





[Bug 63334] LockOutRealm will continue to invoke inner user realms even when the user is lockout

2019-04-10 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63334

--- Comment #3 from jchobanto...@yahoo.com ---
I’m sorry but the fix is not going to expose anything to the user - the end
user is still going to get unauthenticated but we are going to invoke our inner
realms like JAASRealm which is not needed at all.
See how the filterLockedAccounts method works - it will invoke the inner realm
and then it will check if the user is locked - if so it will return null to the
user as Principal - e.g. unauthenticated - my suggestion is to just do another
upfront check if the user is locked to not invoke the inner user realms because
this will not change anything - the result will be unauthenticated and nothing
is exposed to the user that you have a lockout realm - the result is the same -
just don’t invoke inner realms unnecessarily when the result will be null




[Bug 63336] Currently there is no way to know in form error page that the user was not authenticated because it was locked out

2019-04-10 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63336

--- Comment #2 from jchobanto...@yahoo.com ---
Ok, forget about modifying the basic realm to report the error - the application
could have a 401 error page and put that information itself - again the request
is to add an http request attribute so that the error page of the application
could expose that to the end user if they choose to - I’m not asking tomcat to
report the security issue as I’m well aware of the security concerns there but
there is a real business use case that all applications could benefit from - I’m
asking for the support - it is still up to the application whether to expose
this to the end user or not as it is only set in a request attribute that is not
going to be transmitted to the client unless the application does something
about it




[Bug 63334] LockOutRealm will continue to invoke inner user realms even when the user is lockout

2019-04-10 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63334

--- Comment #4 from Mark Thomas  ---
Please read up on timing attacks.

A Map lookup followed by a return will be noticeably faster than the
authentication process.

Your proposed change would enable an attacker to determine:
- if an account was locked
- how many failed attempts it takes to lock an account
- how long the lock out period was

Exposing that information is considered a (minor) security vulnerability.




[tomcat] branch 7.0.x updated: Increment version for next development cycle

2019-04-10 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/7.0.x by this push:
 new ca838df  Increment version for next development cycle
ca838df is described below

commit ca838df659aec99fdb78f37e4788d7776832c559
Author: Mark Thomas 
AuthorDate: Wed Apr 10 18:13:58 2019 +0100

Increment version for next development cycle
---
 build.properties.default | 2 +-
 res/maven/mvn.properties.default | 2 +-
 webapps/docs/changelog.xml   | 2 ++
 3 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/build.properties.default b/build.properties.default
index f8782c3..afa85a4 100644
--- a/build.properties.default
+++ b/build.properties.default
@@ -25,7 +25,7 @@
 # - Version Control Flags -
 version.major=7
 version.minor=0
-version.build=94
+version.build=95
 version.patch=0
 version.suffix=-dev
 
diff --git a/res/maven/mvn.properties.default b/res/maven/mvn.properties.default
index e07c139..3250b7a 100644
--- a/res/maven/mvn.properties.default
+++ b/res/maven/mvn.properties.default
@@ -35,7 +35,7 @@ 
maven.asf.release.repo.url=https://repository.apache.org/service/local/staging/d
 maven.asf.release.repo.repositoryId=apache.releases
 
 # Release version info
-maven.asf.release.deploy.version=7.0.94
+maven.asf.release.deploy.version=7.0.95
 
 #Where do we load the libraries from
 tomcat.lib.path=../../output/build/lib
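Review bot: maven.asf.release.deploy.version=7.0.95 restates the version that build.properties.default already carries as version.major, version.minor and version.build, so every bump has to edit both files by hand and a missed one leaves the Maven deploy version out of step with the build. Consider deriving the deploy version from the version.* properties, or adding a build check that fails when the two disagree.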
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 4a4c2d7..bb7e4fc 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -58,6 +58,8 @@
   They eventually become mixed with the numbered issues. (I.e., numbered
   issues do not "pop up" wrt. others).
 -->
+
+
 
   
 





svn commit: r33551 [1/2] - in /dev/tomcat/tomcat-7/v7.0.94: ./ bin/ bin/embed/ bin/extras/ src/

2019-04-10 Thread markt
Author: markt
Date: Wed Apr 10 17:15:53 2019
New Revision: 33551

Log:
Upload 7.0.94 for voting

Added:
dev/tomcat/tomcat-7/v7.0.94/
dev/tomcat/tomcat-7/v7.0.94/KEYS
dev/tomcat/tomcat-7/v7.0.94/README.html
dev/tomcat/tomcat-7/v7.0.94/RELEASE-NOTES
dev/tomcat/tomcat-7/v7.0.94/bin/
dev/tomcat/tomcat-7/v7.0.94/bin/README.html
dev/tomcat/tomcat-7/v7.0.94/bin/apache-tomcat-7.0.94-deployer.tar.gz   
(with props)
dev/tomcat/tomcat-7/v7.0.94/bin/apache-tomcat-7.0.94-deployer.tar.gz.asc
dev/tomcat/tomcat-7/v7.0.94/bin/apache-tomcat-7.0.94-deployer.tar.gz.sha512
dev/tomcat/tomcat-7/v7.0.94/bin/apache-tomcat-7.0.94-deployer.zip   (with 
props)
dev/tomcat/tomcat-7/v7.0.94/bin/apache-tomcat-7.0.94-deployer.zip.asc
dev/tomcat/tomcat-7/v7.0.94/bin/apache-tomcat-7.0.94-deployer.zip.sha512
dev/tomcat/tomcat-7/v7.0.94/bin/apache-tomcat-7.0.94-fulldocs.tar.gz   
(with props)
dev/tomcat/tomcat-7/v7.0.94/bin/apache-tomcat-7.0.94-fulldocs.tar.gz.asc
dev/tomcat/tomcat-7/v7.0.94/bin/apache-tomcat-7.0.94-fulldocs.tar.gz.sha512
dev/tomcat/tomcat-7/v7.0.94/bin/apache-tomcat-7.0.94-windows-x64.zip   
(with props)
dev/tomcat/tomcat-7/v7.0.94/bin/apache-tomcat-7.0.94-windows-x64.zip.asc
dev/tomcat/tomcat-7/v7.0.94/bin/apache-tomcat-7.0.94-windows-x64.zip.sha512
dev/tomcat/tomcat-7/v7.0.94/bin/apache-tomcat-7.0.94-windows-x86.zip   
(with props)
dev/tomcat/tomcat-7/v7.0.94/bin/apache-tomcat-7.0.94-windows-x86.zip.asc
dev/tomcat/tomcat-7/v7.0.94/bin/apache-tomcat-7.0.94-windows-x86.zip.sha512
dev/tomcat/tomcat-7/v7.0.94/bin/apache-tomcat-7.0.94.exe   (with props)
dev/tomcat/tomcat-7/v7.0.94/bin/apache-tomcat-7.0.94.exe.asc
dev/tomcat/tomcat-7/v7.0.94/bin/apache-tomcat-7.0.94.exe.sha512
dev/tomcat/tomcat-7/v7.0.94/bin/apache-tomcat-7.0.94.tar.gz   (with props)
dev/tomcat/tomcat-7/v7.0.94/bin/apache-tomcat-7.0.94.tar.gz.asc
dev/tomcat/tomcat-7/v7.0.94/bin/apache-tomcat-7.0.94.tar.gz.sha512
dev/tomcat/tomcat-7/v7.0.94/bin/apache-tomcat-7.0.94.zip   (with props)
dev/tomcat/tomcat-7/v7.0.94/bin/apache-tomcat-7.0.94.zip.asc
dev/tomcat/tomcat-7/v7.0.94/bin/apache-tomcat-7.0.94.zip.sha512
dev/tomcat/tomcat-7/v7.0.94/bin/embed/
dev/tomcat/tomcat-7/v7.0.94/bin/embed/apache-tomcat-7.0.94-embed.tar.gz   
(with props)
dev/tomcat/tomcat-7/v7.0.94/bin/embed/apache-tomcat-7.0.94-embed.tar.gz.asc

dev/tomcat/tomcat-7/v7.0.94/bin/embed/apache-tomcat-7.0.94-embed.tar.gz.sha512
dev/tomcat/tomcat-7/v7.0.94/bin/embed/apache-tomcat-7.0.94-embed.zip   
(with props)
dev/tomcat/tomcat-7/v7.0.94/bin/embed/apache-tomcat-7.0.94-embed.zip.asc
dev/tomcat/tomcat-7/v7.0.94/bin/embed/apache-tomcat-7.0.94-embed.zip.sha512
dev/tomcat/tomcat-7/v7.0.94/bin/extras/
dev/tomcat/tomcat-7/v7.0.94/bin/extras/catalina-jmx-remote.jar   (with 
props)
dev/tomcat/tomcat-7/v7.0.94/bin/extras/catalina-jmx-remote.jar.asc
dev/tomcat/tomcat-7/v7.0.94/bin/extras/catalina-jmx-remote.jar.sha512
dev/tomcat/tomcat-7/v7.0.94/bin/extras/catalina-ws.jar   (with props)
dev/tomcat/tomcat-7/v7.0.94/bin/extras/catalina-ws.jar.asc
dev/tomcat/tomcat-7/v7.0.94/bin/extras/catalina-ws.jar.sha512
dev/tomcat/tomcat-7/v7.0.94/bin/extras/tomcat-juli-adapters.jar   (with 
props)
dev/tomcat/tomcat-7/v7.0.94/bin/extras/tomcat-juli-adapters.jar.asc
dev/tomcat/tomcat-7/v7.0.94/bin/extras/tomcat-juli-adapters.jar.sha512
dev/tomcat/tomcat-7/v7.0.94/bin/extras/tomcat-juli.jar   (with props)
dev/tomcat/tomcat-7/v7.0.94/bin/extras/tomcat-juli.jar.asc
dev/tomcat/tomcat-7/v7.0.94/bin/extras/tomcat-juli.jar.sha512
dev/tomcat/tomcat-7/v7.0.94/src/
dev/tomcat/tomcat-7/v7.0.94/src/apache-tomcat-7.0.94-src.tar.gz   (with 
props)
dev/tomcat/tomcat-7/v7.0.94/src/apache-tomcat-7.0.94-src.tar.gz.asc
dev/tomcat/tomcat-7/v7.0.94/src/apache-tomcat-7.0.94-src.tar.gz.sha512
dev/tomcat/tomcat-7/v7.0.94/src/apache-tomcat-7.0.94-src.zip   (with props)
dev/tomcat/tomcat-7/v7.0.94/src/apache-tomcat-7.0.94-src.zip.asc
dev/tomcat/tomcat-7/v7.0.94/src/apache-tomcat-7.0.94-src.zip.sha512

Added: dev/tomcat/tomcat-7/v7.0.94/KEYS
==
--- dev/tomcat/tomcat-7/v7.0.94/KEYS (added)
+++ dev/tomcat/tomcat-7/v7.0.94/KEYS Wed Apr 10 17:15:53 2019
@@ -0,0 +1,650 @@
+This file contains the PGP&GPG keys of various Apache developers.
+Please don't use them for email unless you have to. Their main
+purpose is code signing.
+
+Apache users: pgp < KEYS
+Apache developers:
+(pgpk -ll  && pgpk -xa ) >> this file.
+  or
+(gpg --fingerprint --list-sigs 
+ && gpg --armor --export ) >> this file.
+
+Apache developers: please ensure that your key is also available via the
+PGP keyservers (such as pgpkeys.mit.edu).
+
+
+Type Bits/KeyIDDate   User ID
+pub  2048/F22C4FED 2001/07/02 Andy Armstrong 
+
+-BEGIN PGP PUBLIC KEY BLOCK

svn commit: r33551 [2/2] - in /dev/tomcat/tomcat-7/v7.0.94: ./ bin/ bin/embed/ bin/extras/ src/

2019-04-10 Thread markt
Added: dev/tomcat/tomcat-7/v7.0.94/bin/extras/tomcat-juli-adapters.jar.sha512
==
--- dev/tomcat/tomcat-7/v7.0.94/bin/extras/tomcat-juli-adapters.jar.sha512 
(added)
+++ dev/tomcat/tomcat-7/v7.0.94/bin/extras/tomcat-juli-adapters.jar.sha512 Wed 
Apr 10 17:15:53 2019
@@ -0,0 +1 @@
+0d8c01851ea08cd87495c5fa9a20836489bad18e2efb1207d36b583c69d6b411a91836dfc823e7807e6061b26746bc779e5eb9a9862e0fb4b02c1df860285fb5
 *tomcat-juli-adapters.jar
\ No newline at end of file

Added: dev/tomcat/tomcat-7/v7.0.94/bin/extras/tomcat-juli.jar
==
Binary file - no diff available.

Propchange: dev/tomcat/tomcat-7/v7.0.94/bin/extras/tomcat-juli.jar
--
svn:mime-type = application/octet-stream

Added: dev/tomcat/tomcat-7/v7.0.94/bin/extras/tomcat-juli.jar.asc
==
--- dev/tomcat/tomcat-7/v7.0.94/bin/extras/tomcat-juli.jar.asc (added)
+++ dev/tomcat/tomcat-7/v7.0.94/bin/extras/tomcat-juli.jar.asc Wed Apr 10 
17:15:53 2019
@@ -0,0 +1,16 @@
+-BEGIN PGP SIGNATURE-
+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+=lO+7
+-END PGP SIGNATURE-

Added: dev/tomcat/tomcat-7/v7.0.94/bin/extras/tomcat-juli.jar.sha512
==
--- dev/tomcat/tomcat-7/v7.0.94/bin/extras/tomcat-juli.jar.sha512 (added)
+++ dev/tomcat/tomcat-7/v7.0.94/bin/extras/tomcat-juli.jar.sha512 Wed Apr 10 
17:15:53 2019
@@ -0,0 +1 @@
+733b6f4a32568f38e78f5b1f1486d7053f891a3613a2cde01af8f2b6f1263dc7654cfd5c0f460e34ea889d1363e4f293cc6d54d46b5fdd52f90756d16c912de4
 *tomcat-juli.jar
\ No newline at end of file

Added: dev/tomcat/tomcat-7/v7.0.94/src/apache-tomcat-7.0.94-src.tar.gz
==
Binary file - no diff available.

Propchange: dev/tomcat/tomcat-7/v7.0.94/src/apache-tomcat-7.0.94-src.tar.gz
--
svn:mime-type = application/octet-stream

Added: dev/tomcat/tomcat-7/v7.0.94/src/apache-tomcat-7.0.94-src.tar.gz.asc
==
--- dev/tomcat/tomcat-7/v7.0.94/src/apache-tomcat-7.0.94-src.tar.gz.asc (added)
+++ dev/tomcat/tomcat-7/v7.0.94/src/apache-tomcat-7.0.94-src.tar.gz.asc Wed Apr 
10 17:15:53 2019
@@ -0,0 +1,16 @@
+-BEGIN PGP SIGNATURE-
+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+=eaTW
+-END PGP SIGNATURE-

Added: dev/tomcat/tomcat-7/v7.0.94/src/apache-tomcat-7.0.94-src.tar.gz.sha512
==
--- dev/tomcat/tomcat-7/v7.0.94/src/apache-tomcat-7.0.94-src.tar.gz.sha512 
(added)
+++ dev/tomcat/tomcat-7/v7.0.94/src/apache-tomcat-7.0.94-src.tar.gz.sha512 Wed 
Apr 10 17:15:53 2019
@@ -0,0 +1 @@
+5e8d2fab7145af5677170299bec0ae5ea5fd20b7a539738678a420581f9b53a95a6fbb1caffb54c7222d97edfe8ff34ce6dbb7ba62adb1a61f2bfa6b15c43139
 *apache-tomcat-7.0.94-src.tar.gz
\ No newline at end of file

Added: dev/tomcat/tomcat-7/v7.0.94/src/apache-tomcat-7.0.94-src.zip
==
Binary file - no diff available.

Propchange: dev/tomcat/tomcat-7/v7.0.94/src/apache-tomcat-7.0.94-src.zip
--

[VOTE] Release Apache Tomcat 7.0.94

2019-04-10 Thread Mark Thomas
The proposed Apache Tomcat 7.0.94 release is now available for voting.

The major changes compared to the 7.0.93 release are:

- Fix for CVE-2019-0232 a RCE vulnerability on Windows

- Add support for Java 11 to the JSP compiler. Java 12 and 13 are also
  now supported if used with an ECJ version with support for those Java
  versions

- Update Tomcat's packaged-renamed copy of Apache Commons DBCP to the
  latest DBCP 1.4.x and Pool 1.6.x source (as of 2019-03-15) to pick up
  various bug fixes

Along with lots of other bug fixes and improvements.


For full details, see the changelog:
https://ci.apache.org/projects/tomcat/tomcat7/docs/changelog.html

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-7/v7.0.94/
The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1209/
The tag is:
https://github.com/apache/tomcat/tree/7.0.94
9ddb14a0e76080feee34f3eca89e5413b93852f9

The proposed 7.0.94 release is:
[ ] Broken - do not release
[ ] Stable - go ahead and release as 7.0.94 Stable

Mark




Re: [VOTE] Release Apache Tomcat 7.0.94

2019-04-10 Thread Mark Thomas
On 10/04/2019 18:22, Mark Thomas wrote:
> The proposed 7.0.94 release is:
> [ ] Broken - do not release
> [X] Stable - go ahead and release as 7.0.94 Stable

Unit tests pass for BIO, NIO and APR/Native on Windows, Linux and MacOS
with Tomcat-Native 1.2.21

Mark




Re: Tagging 9.0.18

2019-04-10 Thread Mark Thomas
On 09/04/2019 19:08, Violeta Georgieva wrote:
> On Tue, 9.04.2019 at 20:45, Mark Thomas wrote:
>>
>> Hi all,
>>
>> I'm a bit behind again this month - mainly because I was at the http
>> workshop last week (very useful - a write-up is on the way). I've been
>> through the open bugs and resolved those that don't require more
>> research / 3rd party releases etc. so I am close to tagging.
>>
>> I want to run the unit tests as a final check before I tag. Depending on
>> how things go I intend to tag either later today or early tomorrow.
>>
>> I'll also tag 8.5.x and possibly 7.0.x as well.
> 
> I can help with 7.0.x if you want?

Thanks. In the end I ended up taking longer over various bits so I just
rolled the release myself.

If you are able to test the release and vote on it that would be great.

Thanks,

Mark




[Bug 63336] Currently there is no way to know in form error page that the user was not authenticated because it was locked out

2019-04-10 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63336

--- Comment #3 from Mark Thomas  ---
See this thread in the archives:
http://tomcat.markmail.org/thread/4garqvcph2ci3j5m

The isLocked() method of the Realm was made public and exposed via JMX to
support this sort of custom feature. unlock() is also available.




[Bug 63334] LockOutRealm will continue to invoke inner user realms even when the user is lockout

2019-04-10 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63334

--- Comment #5 from jchobanto...@yahoo.com ---
Thank you for clarifying your point that an attacker could determine there is a
lockout realm installed based on the speed of the request/response, although
this is questionable as if you are dealing with security systems that are in
the backend accessed using network each response could vary from few millisec
to a sec or more - so it will be hard to know if the lockout is in place or
not.

Let me put it this way - the fact that you could know there is a lockout realm
does not give you an advantage at all - and I think it would be just the
opposite as if you know there is a lockout realm you will not try to break the
system as it will take an insane amount of time for you - it is just telling
you that the authentication won't be performed at all - either you provide
invalid or valid username/password it won't matter - and let's be frank here -
an attacker (if any better) will know and assume there is some lockout in place
but the lockout is there to prevent you from bombarding the server and slow you
down - the purpose is not whether or not the attacker knows about it - even
Apple and their iPhones will tell you that the phone is locked out and you
should try in a couple of minutes after that - it will not tell you that the
password is invalid yet again as this only achieves confusion in your users

Back at why hitting backend security systems when you determine to lock out the
user is a bad choice - some of the backend systems are actually charging you
real money for the amount of security requests made to those systems - if you
are going to block the user upfront why do I want ever to make a request to
those systems?

If your concern is about timing and the attacker to know there is a lock
mechanism in place - just put a timer and get how long it will take a regular
request to complete - then when the user is locked out do a Thread.wait () to
simulate backend processing so that the user won't suspect a different behavior
- but again even if the end user knows there is lockout, how many tries and for
how long - what are you going to do? Although I admit that people look at this
as a small security concern because you know how things at the backends work it
doesn't mean that you know how to circumvent that - and as I said a real
attacker would expect lockout even if not reported

At least put a property on LockOutRealm whether or not it should hit the inner
realms in case of lockout so that we could configure this in server.xml and not
for us to provide a new class in order to achieve that.

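The timing question argued in comments #4 and #5 of bug 63334, as an added example that is not part of the original thread and is not Tomcat's code: a toy model that times a failed login for a locked and an unlocked user under three designs. The class, the realm interface, the PBKDF2 stand-in for the inner realm and the 5 ms padding value are all assumptions made for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Set;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added illustration: a toy model, not Tomcat's LockOutRealm. All names are hypothetical.
public class LockoutTimingDemo {

    interface Realm {
        boolean authenticate(String user, String password) throws Exception;
    }

    // Constructed sample data: "alice" is currently locked out, "bob" is not.
    static final Set<String> LOCKED = Set.of("alice");
    static final byte[] SALT = "constructed-salt".getBytes(StandardCharsets.UTF_8);
    static final long PAD_MS = 5; // assumed "typical" backend latency for the padding variant
    static final byte[] STORED;

    static {
        try {
            STORED = slowHash("constructed-password");
        } catch (Exception e) {
            throw new ExceptionInInitializerError(e);
        }
    }

    // Stand-in for an expensive inner realm (JAAS, LDAP, remote service): a slow password hash.
    static byte[] slowHash(String password) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), SALT, 50_000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded();
    }

    static boolean innerAuthenticate(String user, String password) throws Exception {
        return MessageDigest.isEqual(slowHash(password), STORED);
    }

    // Change requested in the bug: skip the inner realm when the user is locked.
    static final Realm EARLY_RETURN =
            (u, p) -> !LOCKED.contains(u) && innerAuthenticate(u, p);

    // Comment #5's alternative: skip the inner realm but sleep for a fixed duration.
    static final Realm FIXED_PADDING = (u, p) -> {
        if (LOCKED.contains(u)) {
            Thread.sleep(PAD_MS);
            return false;
        }
        return innerAuthenticate(u, p);
    };

    // Behaviour described in comment #3: always run the inner realm, then filter locked users.
    static final Realm AUTH_THEN_FILTER = (u, p) -> {
        boolean ok = innerAuthenticate(u, p);
        return ok && !LOCKED.contains(u);
    };

    // Median wall-clock time, in microseconds, of a failed login for one user.
    static long medianMicros(Realm realm, String user, int runs) throws Exception {
        long[] samples = new long[runs];
        for (int i = 0; i < runs; i++) {
            long start = System.nanoTime();
            realm.authenticate(user, "wrong-guess");
            samples[i] = (System.nanoTime() - start) / 1_000;
        }
        Arrays.sort(samples);
        return samples[runs / 2];
    }

    static void report(String name, Realm realm) throws Exception {
        long locked = medianMicros(realm, "alice", 11);
        long unlocked = medianMicros(realm, "bob", 11);
        System.out.printf("%-17s locked=%8d us  unlocked=%8d us  gap=%8d us%n",
                name, locked, unlocked, Math.abs(unlocked - locked));
    }

    public static void main(String[] args) throws Exception {
        medianMicros(AUTH_THEN_FILTER, "bob", 10); // warm up the JIT and the crypto provider
        report("early-return", EARLY_RETURN);
        report("fixed-padding", FIXED_PADDING);
        report("auth-then-filter", AUTH_THEN_FILTER);
    }
}
```

Only the gap column matters: it stays near zero when both users take the same code path, and the fixed padding closes it only while the chosen delay happens to equal the inner realm's real latency.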



[Bug 63333] JAASRealm needs to override isAvailable method to prevent LockOutRealm to lock the user in case JAAS login modules are unavailable

2019-04-10 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=6

Mark Thomas  changed:

   What|Removed |Added

 OS||All

--- Comment #1 from Mark Thomas  ---
Care to provide a patch (in diff -u format) or a pull request?

It looks like there are multiple places where available should be set to false
and you'll also need to identify where it should be set to true.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[Bug 63336] Currently there is no way to know in form error page that the user was not authenticated because it was locked out

2019-04-10 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63336

--- Comment #4 from jchobanto...@yahoo.com ---
Thank you for pointing out that isLocked() and unlock() methods are public - I
already know that. Even with this information I need to provide a custom
LockOutRealm in order to see the real reason why my form error page is being
displayed

And again I know I could provide Valves, extensions etc. to fix that and I
already did that for my application but I thought someone else could benefit
from this as well

As you are the one that provides LockOutRealm you could just add some extra
information (either using request.setAttribute()) or some other ways so that in
the web application's form error page (jsp or whatever) you could be able to
tell the user if there is a lockout or not if you choose to do so.

I'm not aware how from the web application error login page I could obtain the
realm in order to ask isLocked() and the error page does not get the login user
id to pass it to - even if this was possible it will make the web application
not portable across different app servers and we don't want that - we want to
have a way to get this information preferably using the request attribute -
then if the attribute is not standard (as there is no such thing in the servlet
spec) we could use servlet init parameters to pass what is the name of the
request attribute to look for and then our web applications will be more
portable

The issue is that right now unless I supply tomcat specific classes and
configuration I can't develop an application to tell me that

And also just an example - amazon cognito also is using lockout if you have too
many error login attempts and it will tell you that straight up - so a failed
login could result because cognito also is in lockout - so I need to query
JAASRealm somehow to see what is the condition there - too many things to check
- it would be better if everyone participates - LockOutRealm, JAASRealm, JAAS
modules to tell you why something happens - not to mention that you might want
to have some ability in the error login page to log the reason why something
happens in one place (probably some audit framework - not just a log message
from LockOutRealm) - as there are many places why something happens -
LockOutRealm, JAASRealm, modules, ldap realm etc. it is better whoever reports
the error to put it in some standard place for us to consume




Re: [VOTE] Release Apache Tomcat 9.0.18

2019-04-10 Thread Rémy Maucherat
On Wed, Apr 10, 2019 at 3:44 PM Mark Thomas  wrote:

> The proposed 9.0.18 release is:
> [ ] Broken - do not release
> [X] Stable - go ahead and release as 9.0.18
>
> Rémy


[Bug 63331] Tomcat crash, Problematic Frame: org.apache.tomcat.util.log.SystemLogHandler.println

2019-04-10 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63331

--- Comment #2 from Christopher Schultz  ---
Or bad hardware.




[tomcat] branch master updated: Add asynchronous IO API for NIO

2019-04-10 Thread remm
This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/master by this push:
 new bc714fd  Add asynchronous IO API for NIO
bc714fd is described below

commit bc714fd2e3fca74d8931533770b6ee064b67287f
Author: remm 
AuthorDate: Wed Apr 10 21:37:48 2019 +0200

Add asynchronous IO API for NIO

This uses the concepts from the NIO2 implementation. The HTTP/2 and
Websockets async IO code will automatically use it, with the same
behavior as when using NIO2.
As it seems to work just fine so far and with the next build being far
off, I am enabling it by default to get some testing.
---
 .../apache/tomcat/util/net/AbstractEndpoint.java   |   8 +
 java/org/apache/tomcat/util/net/AprEndpoint.java   |   4 +
 java/org/apache/tomcat/util/net/Nio2Endpoint.java  |   3 +-
 java/org/apache/tomcat/util/net/NioEndpoint.java   | 493 +
 webapps/docs/changelog.xml |   6 +
 webapps/docs/config/http.xml   |  10 +
 6 files changed, 443 insertions(+), 81 deletions(-)

diff --git a/java/org/apache/tomcat/util/net/AbstractEndpoint.java 
b/java/org/apache/tomcat/util/net/AbstractEndpoint.java
index 0b8b683..682012c 100644
--- a/java/org/apache/tomcat/util/net/AbstractEndpoint.java
+++ b/java/org/apache/tomcat/util/net/AbstractEndpoint.java
@@ -741,6 +741,14 @@ public abstract class AbstractEndpoint {
 public boolean getDaemon() { return daemon; }
 
 
+/**
+ * Expose async IO capability.
+ */
+private boolean useAsyncIO = true;
+public void setUseAsyncIO(boolean useAsyncIO) { this.useAsyncIO = 
useAsyncIO; }
+public boolean getUseAsyncIO() { return useAsyncIO; }
+
+
 protected abstract boolean getDeferAccept();
 
 
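Review bot: the Javadoc on the new useAsyncIO field ("Expose async IO capability.") does not say that the flag defaults to true, so a reader of AbstractEndpoint cannot tell that every endpoint inherits async IO enabled unless it overrides the getter. State the default and the override expectation in the comment, and attach the Javadoc to the public setUseAsyncIO()/getUseAsyncIO() methods rather than only to the private field.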
diff --git a/java/org/apache/tomcat/util/net/AprEndpoint.java 
b/java/org/apache/tomcat/util/net/AprEndpoint.java
index b9f15d0..bfb5c55 100644
--- a/java/org/apache/tomcat/util/net/AprEndpoint.java
+++ b/java/org/apache/tomcat/util/net/AprEndpoint.java
@@ -129,6 +129,10 @@ public class AprEndpoint extends 
AbstractEndpoint implements SNICallB
 public boolean getDeferAccept() { return deferAccept; }
 
 
+@Override
+public boolean getUseAsyncIO() { return false; }
+
+
 private boolean ipv6v6only = false;
 public void setIpv6v6only(boolean ipv6v6only) { this.ipv6v6only = 
ipv6v6only; }
 public boolean getIpv6v6only() { return ipv6v6only; }
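Review bot: AprEndpoint overrides only getUseAsyncIO() to return false, while the inherited setUseAsyncIO(boolean) still accepts and stores true, so setting the attribute on an APR connector is silently ignored. Either override the setter as well and log that the option has no effect for APR, or document on the override that APR does not support it.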
diff --git a/java/org/apache/tomcat/util/net/Nio2Endpoint.java 
b/java/org/apache/tomcat/util/net/Nio2Endpoint.java
index fd31ac1..370934d 100644
--- a/java/org/apache/tomcat/util/net/Nio2Endpoint.java
+++ b/java/org/apache/tomcat/util/net/Nio2Endpoint.java
@@ -91,6 +91,7 @@ public class Nio2Endpoint extends 
AbstractJsseEndpoint
 serverSock = null;
 }
 
-
 // -- Protected Methods
 
 public NioSelectorPool getSelectorPool() {
@@ -382,7 +384,7 @@ public class NioEndpoint extends 
AbstractJsseEndpoint
 protected boolean setSocketOptions(SocketChannel socket) {
 // Process the connection
 try {
-//disable blocking, APR style, we are gonna be polling it
+// Disable blocking, polling will be used
 socket.configureBlocking(false);
 Socket sock = socket.socket();
 socketProperties.setProperties(sock);
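Review bot: the comment rewording in setSocketOptions() is cosmetic and unrelated to the async IO API this commit adds. With NioEndpoint.java already listed at 493 changed lines in the diffstat, moving comment and whitespace cleanups like this one into a separate commit would make the functional change easier to review and to bisect.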
@@ -533,7 +535,7 @@ public class NioEndpoint extends 
AbstractJsseEndpoint
 } else {
 final NioSocketWrapper socketWrapper = 
(NioSocketWrapper) key.attachment();
 if (socketWrapper != null) {
-//we are registering the key to start with, reset 
the fairness counter.
+// We are registering the key to start with, reset 
the fairness counter.
 int ops = key.interestOps() | interestOps;
 socketWrapper.interestOps(ops);
 key.interestOps(ops);
@@ -566,7 +568,8 @@ public class NioEndpoint extends 
AbstractJsseEndpoint
 new SynchronizedQueue<>();
 
 private volatile boolean close = false;
-private long nextExpiration = 0;//optimize expiration handling
+// Optimize expiration handling
+private long nextExpiration = 0;
 
 private AtomicLong wakeupCounter = new AtomicLong(0);
 
@@ -578,7 +581,7 @@ public class NioEndpoint extends 
AbstractJsseEndpoint
 
 public int getKeyCount() { return keyCount; }
 
-public Selector getSelector() { return selector;}
+public Selector getSelector() { return selector; }
 
 /**
  * Destroy the poller.
@@ -593,7 +596,9 @@ public class NioEndpoint extends 
AbstractJsseEndpoint
 
 private void addEvent(PollerEvent event) {

[GitHub] [tomcat] rmaucher commented on issue #153: Add async API for NIO

2019-04-10 Thread GitBox
rmaucher commented on issue #153: Add async API for NIO
URL: https://github.com/apache/tomcat/pull/153#issuecomment-481834218
 
 
   Since I got no objections, I merged the code.


This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services




[GitHub] [tomcat] rmaucher closed pull request #153: Add async API for NIO

2019-04-10 Thread GitBox
rmaucher closed pull request #153: Add async API for NIO
URL: https://github.com/apache/tomcat/pull/153
 
 
   





[GitHub] [tomcat] jchobantonov opened a new pull request #157: https://bz.apache.org/bugzilla/show_bug.cgi?id=63333

2019-04-10 Thread GitBox
jchobantonov opened a new pull request #157: 
https://bz.apache.org/bugzilla/show_bug.cgi?id=6
URL: https://github.com/apache/tomcat/pull/157
 
 
   





[Bug 63333] JAASRealm needs to override isAvailable method to prevent LockOutRealm to lock the user in case JAAS login modules are unavailable

2019-04-10 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=6

--- Comment #2 from jchobanto...@yahoo.com ---
Pull request: https://github.com/apache/tomcat/pull/157




[Bug 63334] LockOutRealm will continue to invoke inner user realms even when the user is lockout

2019-04-10 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63334

--- Comment #6 from Christopher Schultz  ---
Realms aren't difficult to write, including a simple realm like the
LockOutRealm.

Feel free to implement your own Realm which meets your requirements. If you'd
like, you can propose a patch, but I don't think anyone here wants to spend the
time to scratch this particular itch.




Re: [VOTE] Release Apache Tomcat 7.0.94

2019-04-10 Thread Igal Sapir

On 4/10/2019 10:22 AM, Mark Thomas wrote:

> The proposed 7.0.94 release is:
> [ ] Broken - do not release
> [X] Stable - go ahead and release as 7.0.94 Stable


Unit tests pass for BIO, NIO, and APR on Ubuntu 18.04 with Java 
1.6u45/1.7u80 and TC-Native-1.2.21


Igal






[GitHub] [tomcat] ChristopherSchultz commented on issue #157: https://bz.apache.org/bugzilla/show_bug.cgi?id=63333

2019-04-10 Thread GitBox
ChristopherSchultz commented on issue #157: 
https://bz.apache.org/bugzilla/show_bug.cgi?id=6
URL: https://github.com/apache/tomcat/pull/157#issuecomment-481842267
 
 
   No explanation?
   
   -1





[GitHub] [tomcat] michael-o commented on issue #157: https://bz.apache.org/bugzilla/show_bug.cgi?id=63333

2019-04-10 Thread GitBox
michael-o commented on issue #157: 
https://bz.apache.org/bugzilla/show_bug.cgi?id=6
URL: https://github.com/apache/tomcat/pull/157#issuecomment-481843426
 
 
   I agree with @ChristopherSchultz .





[GitHub] [tomcat] jchobantonov commented on issue #157: https://bz.apache.org/bugzilla/show_bug.cgi?id=63333

2019-04-10 Thread GitBox
jchobantonov commented on issue #157: 
https://bz.apache.org/bugzilla/show_bug.cgi?id=6
URL: https://github.com/apache/tomcat/pull/157#issuecomment-481845121
 
 
   the explanation of the reason is here 
   https://bz.apache.org/bugzilla/show_bug.cgi?id=6





Re: [VOTE] Release Apache Tomcat 9.0.18

2019-04-10 Thread Igal Sapir

On 4/10/2019 6:44 AM, Mark Thomas wrote:

> The proposed 9.0.18 release is:
> [ ] Broken - do not release
> [X] Stable - go ahead and release as 9.0.18


Unit tests pass for NIO, NIO2, and APR on Ubuntu 18.04 with Java 1.8u202 
and TC-Native 1.2.21


Igal






[GitHub] [tomcat] ChristopherSchultz commented on issue #157: https://bz.apache.org/bugzilla/show_bug.cgi?id=63333

2019-04-10 Thread GitBox
ChristopherSchultz commented on issue #157: 
https://bz.apache.org/bugzilla/show_bug.cgi?id=6
URL: https://github.com/apache/tomcat/pull/157#issuecomment-481847793
 
 
   But an explanation should be included with all PRs. What if BZ is deleted? 
(It shouldn't be, but there's no reason to make people walk all over the 
internet to find information that could easily be summarized in a single 
sentence.)





[GitHub] [tomcat] ChristopherSchultz commented on issue #157: https://bz.apache.org/bugzilla/show_bug.cgi?id=63333

2019-04-10 Thread GitBox
ChristopherSchultz commented on issue #157: 
https://bz.apache.org/bugzilla/show_bug.cgi?id=6
URL: https://github.com/apache/tomcat/pull/157#issuecomment-481848050
 
 
   Code comments would be helpful, here, too.





[GitHub] [tomcat] jchobantonov commented on issue #157: https://bz.apache.org/bugzilla/show_bug.cgi?id=63333

2019-04-10 Thread GitBox
jchobantonov commented on issue #157: 
https://bz.apache.org/bugzilla/show_bug.cgi?id=6
URL: https://github.com/apache/tomcat/pull/157#issuecomment-481849557
 
 
   Code comments are exactly the same as what tomcat source code has for 
DataSourceRealm, not sure what else you need as a comment there.





[GitHub] [tomcat] isapir commented on issue #157: https://bz.apache.org/bugzilla/show_bug.cgi?id=63333

2019-04-10 Thread GitBox
isapir commented on issue #157: 
https://bz.apache.org/bugzilla/show_bug.cgi?id=6
URL: https://github.com/apache/tomcat/pull/157#issuecomment-481850076
 
 
   I think that it'd be cleaner/more readable if `invocationSuccess` is 
initialized with `false` value and only set to `true` upon success, or at least 
after the first block that calls `LoginContext()` succeeds, instead of 
repeating it in lines 414, 423, 428, 433, and 437.
   





[GitHub] [tomcat] ChristopherSchultz commented on issue #157: https://bz.apache.org/bugzilla/show_bug.cgi?id=63333

2019-04-10 Thread GitBox
ChristopherSchultz commented on issue #157: 
https://bz.apache.org/bugzilla/show_bug.cgi?id=6
URL: https://github.com/apache/tomcat/pull/157#issuecomment-481850427
 
 
   The low quality of the existing code and/or documentation is not an excuse 
for maintaining that level of quality.





[GitHub] [tomcat] ChristopherSchultz commented on issue #157: https://bz.apache.org/bugzilla/show_bug.cgi?id=63333

2019-04-10 Thread GitBox
ChristopherSchultz commented on issue #157: 
https://bz.apache.org/bugzilla/show_bug.cgi?id=6
URL: https://github.com/apache/tomcat/pull/157#issuecomment-481850875
 
 
   > I think that it'd be cleaner/more readable if `invocationSuccess` is 
initialized with `false` value and only set to `true` upon success, or at least 
after the first block that calls `LoginContext()` succeeds, instead of 
repeating it in lines 414, 423, 428, 433, and 437.
   
   The availability of the JAAS service might go up and down, so you can't just 
set it once and forget about it, of course. To reduce the number of changed 
lines and opportunities for mistakes, there could be a local flag for success 
which is copied to the global flag after each transaction.





[GitHub] [tomcat] jchobantonov commented on issue #157: https://bz.apache.org/bugzilla/show_bug.cgi?id=63333

2019-04-10 Thread GitBox
jchobantonov commented on issue #157: 
https://bz.apache.org/bugzilla/show_bug.cgi?id=6
URL: https://github.com/apache/tomcat/pull/157#issuecomment-481851585
 
 
   > I think that it'd be cleaner/more readable if `invocationSuccess` is 
initialized with `false` value and only set to `true` upon success, or at least 
after the first block that calls `LoginContext()` succeeds, instead of 
repeating it in lines 414, 423, 428, 433, and 437.
   
   It is initialized to true as what we have in DataSourceRealm already - not 
sure why we need to initialize it to false - initialize to true means that it 
is available and when we detect it is not then we change that to be not 
available





[GitHub] [tomcat] jchobantonov commented on issue #157: https://bz.apache.org/bugzilla/show_bug.cgi?id=63333

2019-04-10 Thread GitBox
jchobantonov commented on issue #157: 
https://bz.apache.org/bugzilla/show_bug.cgi?id=6
URL: https://github.com/apache/tomcat/pull/157#issuecomment-481852195
 
 
   > The low quality of the existing code and/or documentation is not an excuse 
for maintaining that level of quality.
   
   Ok, let me know what you think we should put as a comment additionally that 
is so greatly missed and it is not obvious enough for you or someone else and I 
will add it





[GitHub] [tomcat] isapir commented on issue #157: https://bz.apache.org/bugzilla/show_bug.cgi?id=63333

2019-04-10 Thread GitBox
isapir commented on issue #157: 
https://bz.apache.org/bugzilla/show_bug.cgi?id=6
URL: https://github.com/apache/tomcat/pull/157#issuecomment-481853982
 
 
   > To reduce the number of changed lines and opportunities for mistakes, 
there could be a local flag for success which is copied to the global flag 
after each transaction.
   
   But these lines are all in the same transaction, no?
   
   > initialize to true means that it is available and when we detect it is not 
then we change that to be not available
   
   OK, but why not set `invocationSuccess = true;` at line 405, for example, 
instead of repeating it in each catch block?  The only difference I see in 
these blocks is the log message (with the exception of that last block of 
course, which sets the flag to `false`). 
https://github.com/apache/tomcat/blob/39f55d8c6f5658a8ea730ebbf8cc1680194c5a48/java/org/apache/catalina/realm/JAASRealm.java#L405





[GitHub] [tomcat] jchobantonov commented on issue #157: https://bz.apache.org/bugzilla/show_bug.cgi?id=63333

2019-04-10 Thread GitBox
jchobantonov commented on issue #157: 
https://bz.apache.org/bugzilla/show_bug.cgi?id=6
URL: https://github.com/apache/tomcat/pull/157#issuecomment-481860226
 
 
   > But these lines are all in the same transaction, no?
   
   Yes they are - there is no need to use local variable as well - it is the 
same - if you forget to set invocationSuccess variable to correct value you 
could forget to set the local variable as well
   
   > OK, but why not set `invocationSuccess = true;` at line 405, for example, 
instead of repeating it in each catch block? The only difference I see in these 
blocks is the log message (with the exception of that last block of course, 
which sets the flag to `false`).
   
   because if you have another thread trying to access the LockOutRealm and 
you put the 'invocationSuccess = true' on line 405 you could just change the 
failed invocation e.g. invocationSuccess from false to true on line 405 to only 
put the variable back to false when the next attempt fails again


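The behaviour discussed in this pull request thread, as an added example that is not part of the original messages or of Tomcat's code: a lockout wrapper counts a failed login only when the inner realm reports itself available, and the availability flag is written only once the outcome of a call is known. The class names, the Backend interface and the sample credentials are hypothetical and constructed for illustration.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;

// Added illustration; all names are hypothetical, not Tomcat's JAASRealm or LockOutRealm.
public class LockoutAvailabilityDemo {

    /** Thrown by the constructed backend when it cannot be reached. */
    static class BackendDownException extends Exception { }

    /** Constructed stand-in for the external login service. */
    interface Backend {
        boolean check(String user, String password) throws BackendDownException;
    }

    /** Inner realm: remembers whether the last call reached the backend. */
    static class InnerRealm {
        private final Backend backend;
        // Starts true: assumed reachable until a call proves otherwise.
        private volatile boolean invocationSuccess = true;

        InnerRealm(Backend backend) { this.backend = backend; }

        boolean authenticate(String user, String password) {
            // The flag is not reset to true here: that would overwrite a failure
            // recorded by another thread before this call's outcome is known.
            try {
                boolean ok = backend.check(user, password);
                invocationSuccess = true;  // backend answered, accept or reject
                return ok;
            } catch (BackendDownException e) {
                invocationSuccess = false; // backend did not answer
                return false;
            }
        }

        boolean isAvailable() { return invocationSuccess; }
    }

    /** Lockout wrapper: a failure counts only if the inner realm was available. */
    static class LockoutWrapper {
        private final InnerRealm inner;
        private final int maxFailures;
        private final Map<String, AtomicInteger> failures = new ConcurrentHashMap<>();

        LockoutWrapper(InnerRealm inner, int maxFailures) {
            this.inner = inner;
            this.maxFailures = maxFailures;
        }

        boolean isLocked(String user) {
            AtomicInteger count = failures.get(user);
            return count != null && count.get() >= maxFailures;
        }

        boolean authenticate(String user, String password) {
            if (isLocked(user)) return false;
            boolean ok = inner.authenticate(user, password);
            if (ok) {
                failures.remove(user);
            } else if (inner.isAvailable()) {
                // Rejected by a reachable backend: a genuine failed login.
                failures.computeIfAbsent(user, u -> new AtomicInteger()).incrementAndGet();
            }
            return ok;
        }
    }

    public static void main(String[] args) {
        boolean[] down = {true}; // constructed outage switch
        Backend backend = (user, password) -> {
            if (down[0]) throw new BackendDownException();
            return "alice".equals(user) && "correct".equals(password);
        };
        LockoutWrapper realm = new LockoutWrapper(new InnerRealm(backend), 3);

        // Outage: five attempts fail, but none is counted against the user.
        for (int i = 0; i < 5; i++) realm.authenticate("alice", "correct");
        System.out.println("locked after outage: " + realm.isLocked("alice"));

        down[0] = false; // backend recovers
        System.out.println("login after recovery: " + realm.authenticate("alice", "correct"));

        // Three rejections from a reachable backend do trigger the lockout.
        for (int i = 0; i < 3; i++) realm.authenticate("alice", "wrong");
        System.out.println("locked after bad passwords: " + realm.isLocked("alice"));
    }
}
```

Because the flag is shared across threads, isAvailable() reflects the most recently completed call, which is not necessarily the caller's own.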



[GitHub] [tomcat] isapir commented on issue #157: https://bz.apache.org/bugzilla/show_bug.cgi?id=63333

2019-04-10 Thread GitBox
isapir commented on issue #157: 
https://bz.apache.org/bugzilla/show_bug.cgi?id=6
URL: https://github.com/apache/tomcat/pull/157#issuecomment-481861275
 
 
   > Ok, let me know what you think we should put as a comment additionally 
that is so greatly missed and it is not obvious enough for you or someone else 
and I will add it
   
   > because if you have another thread trying to access the LockOutRealm 
and you put the 'invocationSuccess = true' on line 405 you could just change 
the failed invocation e.g. invocationSuccess from false to true on line 405 to 
only put the variable back to false when the next attempt fails again
   
   Well then, here's an excellent opportunity for a comment so that someone 
wouldn't edit it later without taking this into account.
   





[GitHub] [tomcat] jchobantonov commented on issue #157: https://bz.apache.org/bugzilla/show_bug.cgi?id=63333

2019-04-10 Thread GitBox
jchobantonov commented on issue #157: 
https://bz.apache.org/bugzilla/show_bug.cgi?id=6
URL: https://github.com/apache/tomcat/pull/157#issuecomment-481872313
 
 
   @isapir @ChristopherSchultz  I have added more comments, hope this helps





Re: Tagging 9.0.18

2019-04-10 Thread Rainer Jung

On 09.04.2019 at 19:45, Mark Thomas wrote:

> Hi all,
>
> I'm a bit behind again this month - mainly because I was at the http
> workshop last week (very useful - a write-up is on the way).


I'm very keen on reading your notes. On the httpd dev list Bill 
mentioned three links to notes taken by Daniel Stenberg (curl etc.):


https://daniel.haxx.se/blog/2019/04/02/the-http-workshop-2019-begins/

https://daniel.haxx.se/blog/2019/04/04/more-amsterdamned-workshop/

https://daniel.haxx.se/blog/2019/04/04/workshop-season-4-finale/

Regards,

Rainer





Re: [VOTE] Release Apache Tomcat 8.5.40

2019-04-10 Thread Igal Sapir

On 4/10/2019 7:58 AM, Mark Thomas wrote:

> The proposed 8.5.40 release is:
> [ ] Broken - do not release
> [X] Stable - go ahead and release as 8.5.40


Unit tests pass for NIO, NIO2, and APR on Windows 10 with Java 1.8u181 
and TC-Native 1.2.21 and Ubuntu 18.04 with Java 1.8u202 and TC-Native 1.2.21


Igal






Re: [VOTE] Release Apache Tomcat 9.0.18

2019-04-10 Thread Keiichi Fujino
On Wed, Apr 10, 2019 at 22:44, Mark Thomas wrote:

> The proposed Apache Tomcat 9.0.18 release is now available for voting.
>
> The major changes compared to the 9.0.17 release are:
>
> - Fix for CVE-2019-0232 a RCE vulnerability on Windows
>
> - Add support for Java 11 to the JSP compiler. Java 12 and 13 are also
>   now supported if used with a ECJ version with support for those  Java
>   versions
>
> - Various NIO2 stability improvements
>
> Along with lots of other bug fixes and improvements.
>
> For full details, see the changelog:
> https://ci.apache.org/projects/tomcat/tomcat9/docs/changelog.html
>
> It can be obtained from:
> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-9/v9.0.18/
> The Maven staging repo is:
> https://repository.apache.org/content/repositories/orgapachetomcat-1207/
> The tag is:
> https://github.com/apache/tomcat/tree/9.0.18
> 0862607e5da91a7c476a6350288d8d8a9380f556
>
> The proposed 9.0.18 release is:
> [ ] Broken - do not release
> [X] Stable - go ahead and release as 9.0.18
>
>
+1
Tested on simple hand-made app.(enable session replication).



> Due to the security fix contained in this release, the voting period may
> be shortened once sufficient votes are cast to enable a faster release.

-- 
Keiichi.Fujino


Re: [VOTE] Release Apache Tomcat 8.5.40

2019-04-10 Thread Keiichi Fujino
On Wed, Apr 10, 2019 at 23:58, Mark Thomas wrote:

> The proposed Apache Tomcat 8.5.40 release is now available for voting.
>
> The major changes compared to the 8.5.39 release are:
>
> - Fix for CVE-2019-0232 a RCE vulnerability on Windows
>
> - Add support for Java 11 to the JSP compiler. Java 12 and 13 are also
>   now supported if used with a ECJ version with support for those  Java
>   versions
>
> - Various NIO2 stability improvements
>
>
> Along with lots of other bug fixes and improvements.
>
> For full details, see the changelog:
> https://ci.apache.org/projects/tomcat/tomcat85/docs/changelog.html
>
> It can be obtained from:
> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-8/v8.5.40/
>
> The Maven staging repo is:
> https://repository.apache.org/content/repositories/orgapachetomcat-1208/
>
> The tag is:
> https://github.com/apache/tomcat/tree/8.5.40
> 5ec070352b283535946327b44228b610a27a76c5
>
>
> The proposed 8.5.40 release is:
> [ ] Broken - do not release
> [X] Stable - go ahead and release as 8.5.40
>

+1
Tested on simple hand-made app.(enable session replication).


> Due to the security fix contained in this release, the voting period may
> be shortened once sufficient votes are cast to enable a faster release.

-- 
Keiichi.Fujino


Re: [VOTE] Release Apache Tomcat 7.0.94

2019-04-10 Thread Keiichi Fujino
On Thu, Apr 11, 2019 at 2:22, Mark Thomas wrote:

> The proposed Apache Tomcat 7.0.94 release is now available for voting.
>
> The major changes compared to the 7.0.93 release are:
>
> - Fix for CVE-2019-0232 a RCE vulnerability on Windows
>
> - Add support for Java 11 to the JSP compiler. Java 12 and 13 are also
>   now supported if used with a ECJ version with support for those  Java
>   versions
>
> - Update Tomcat's packaged-renamed copy of Apache Commons DBCP to the
>   latest DBCP 1.4.x and Pool 1.6.x source (as of 2019-03-15) to pick up
>   various bug fixes
>
> Along with lots of other bug fixes and improvements.
>
>
> For full details, see the changelog:
> https://ci.apache.org/projects/tomcat/tomcat7/docs/changelog.html
>
> It can be obtained from:
> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-7/v7.0.94/
> The Maven staging repo is:
> https://repository.apache.org/content/repositories/orgapachetomcat-1209/
> The tag is:
> https://github.com/apache/tomcat/tree/7.0.94
> 9ddb14a0e76080feee34f3eca89e5413b93852f9
>
> The proposed 7.0.94 release is:
> [ ] Broken - do not release
> [X] Stable - go ahead and release as 7.0.94 Stable
>

+1
Tested on simple hand-made app.(enable session replication).


> Mark

-- 
Keiichi.Fujino