svn commit: r1887027 - in /tomcat/site/trunk: docs/security-10.html docs/security-7.html docs/security-8.html docs/security-9.html xdocs/security-10.xml xdocs/security-7.xml xdocs/security-8.xml xdocs
Author: markt Date: Mon Mar 1 11:03:55 2021 New Revision: 1887027 URL: http://svn.apache.org/viewvc?rev=1887027&view=rev Log: Add details for CVE-2021-25122 and CVE-2021-25329 Modified: tomcat/site/trunk/docs/security-10.html tomcat/site/trunk/docs/security-7.html tomcat/site/trunk/docs/security-8.html tomcat/site/trunk/docs/security-9.html tomcat/site/trunk/xdocs/security-10.xml tomcat/site/trunk/xdocs/security-7.xml tomcat/site/trunk/xdocs/security-8.xml tomcat/site/trunk/xdocs/security-9.xml Modified: tomcat/site/trunk/docs/security-10.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-10.html?rev=1887027&r1=1887026&r2=1887027&view=diff == --- tomcat/site/trunk/docs/security-10.html (original) +++ tomcat/site/trunk/docs/security-10.html Mon Mar 1 11:03:55 2021 
@@ -2,7 +2,7 @@ Apache Tomcat® - Apache Tomcat 10 vulnerabilitieshttp://tomcat.apache.org/";>Apache Tomcat®https://www.apache.org/foundation/contributing.html"; target="_blank" class="pull-left">https://www.apache.org/images/SupportApache-small.png"; class="support-asf" alt="Support Apache">http://www.apache.org/"; target="_blank" class="pull-left">https://www.google.com/search"; method="get">GOhttps://www.apache.org/events/current-event.html";>https://www.apache.org/events/current-event-234x60.png"; alt="Next ASF event"> Save the date! Apache TomcatHomeTaglibsMaven PluginDownloadWhich version?https://tomcat.apache.org/download-10.cgi";>Tomcat 10https://tomcat.apache.org/download-90.cgi";>Tomcat 9https://tomcat.apache.org/download-80.cgi";>Tomcat 8https://tomcat.apache.org/download-70.cgi";>Tomcat 7https://tomcat.apache.org/download-migration.cgi";>Tomcat Migration Tool for Jakarta EEhttps://tomcat.apache.org/download-connectors.cgi";>Tomcat Connectorshttps://tomcat.apache.org/download-native.cgi";>Tomcat Nativehttps://tomcat.apache.org/download-taglibs.cgi";>Taglibshttps://archive.apache.org/dist/tomcat/";>A rchivesDocumentationTomcat 10.0Tomcat 9.0Tomcat 8.5Tomcat 7.0Tomcat ConnectorsTomcat Nativehttps://cwiki.apache.org/confluence/display/TOMCAT";>WikiMigration GuidePresentationshttps://cwiki.apache.org/confluence/x/Bi8lBg";>SpecificationsProblems?Security ReportsFind helphttps://cwiki.apache.org/confluence/display/TOMCAT/FAQ";>FAQMailing ListsBug Databas eIRCGet InvolvedOverviewSource codeBuildbothttps://cwiki.apache.org/confluence/x/vIPzBQ";>TranslationsToolsMediahttps://twitter.com/theapachetomcat";>Twitterhttps://www.youtube.com/c/ApacheTomcatOfficial";>YouTubehttps://blogs.apache.org/tomcat/";>BlogMiscWho We Arehttps://www.redbubble.com/people/comdev/works/30885254-apache-tomcat";>SwagHeritagehttp://www.apache.org";>Apache HomeResourcesContactLegal< /li>https://www.apache.org/foundation/contributing.html";>Support 
Apachehttps://www.apache.org/foundation/sponsorship.html";>Sponsorshiphttp://www.apache.org/foundation/thanks.html";>Thankshttp://www.apache.org/licenses/";>LicenseContentTable of Contents -Apache Tomcat 10.x vulnerabilitiesFixed in Apache Tomcat 10.0.0-M10Fixed in Apache Tomcat 10.0.0-M8Fixed in Apache Tomcat 10.0.0-M7Fixed in Apache Tomcat 10.0.0-M6Fixed in Apache Tomcat 10.0.0-M5 +Apache Tomcat 10.x vulnerabilitiesFixed in Apache Tomcat 10.0.2Fixed in Apache Tomcat 10.0.0-M10Fixed in Apache Tomcat 10.0.0-M8Fixed in Apache Tomcat 10.0.0-M7Fixed in Apache Tomcat 10.0.0-M6Fixed in Apache Tomcat 10.0.0-M5 Apache Tomcat 10.x vulnerabilities This page lists all security vulnerabilities fixed in released versions of Apache Tomcat 10.x. Each vulnerability is given a @@ -39,6 +39,49 @@ Tomcat Security Team. Thank you. + 2 February 2021 Fixed in Apache Tomcat 10.0.2 + +Note: The issues below were fixed in Apache Tomcat 10.0.1 but the + release vote for the 10.0.1 release candidate did not pass. Therefore, + although users must download 10.0.2 to obtain a version that includes a + fix for these issues, version 10.0.1 is not included in the list of + affected versions. + +Low: Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9484"; rel="nofollow">CVE-2020-9484 was incomplete + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25329"; rel="nofollow">CVE-2021-25329 + +The fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9484"; rel="nofollow">CVE-2020-9484 was incomplete. When using a +highly unlikely configuration edge case, the Tomcat instance was still +vulnerable to http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9484"; rel="nofollow">CVE-2020-9484. Note that both the previously +published prerequisites for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9484"; rel="nofollow">CVE-2020-9484 and the previously +published non-upgrade mitigations for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9484";
[SECURITY] CVE-2021-25122 Apache Tomcat h2c request mix-up
CVE-2021-25122 h2c request mix-up Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 10.0.0-M1 to 10.0.0 Apache Tomcat 9.0.0.M1 to 9.0.41 Apache Tomcat 8.5.0 to 8.5.61 Description: When responding to new h2c connection requests, Apache Tomcat could duplicate request headers and a limited amount of request body from one request to another, meaning user A and user B could both see the results of user A's request. Mitigation: Users of the affected versions should apply one of the following mitigations: - Upgrade to Apache Tomcat 10.0.2 or later - Upgrade to Apache Tomcat 9.0.43 or later - Upgrade to Apache Tomcat 8.5.63 or later Note that this issue was fixed in 10.0.1, 9.0.42 and 8.5.62 but the release votes for those versions did not pass. Credit: This issue was identified by the Apache Tomcat Security Team. History: 2021-03-01 Original advisory References: [1] https://tomcat.apache.org/security-10.html [2] https://tomcat.apache.org/security-9.html [3] https://tomcat.apache.org/security-8.html [4] https://tomcat.apache.org/security-7.html OpenPGP_signature Description: OpenPGP digital signature
[SECURITY] CVE-2021-25329 Apache Tomcat Incomplete fix for CVE-2020-9484 (RCE via session persistence)
CVE-2021-25329 Incomplete fix for CVE-2020-9484 (RCE via session persistence) Severity: Low Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 10.0.0-M1 to 10.0.0 Apache Tomcat 9.0.0.M1 to 9.0.41 Apache Tomcat 8.5.0 to 8.5.61 Apache Tomcat 7.0.0 to 7.0.107 Description: The fix for CVE-2020-9484 was incomplete. When using a highly unlikely configuration edge case, the Tomcat instance was still vulnerable to CVE-2020-9484. Note that the previously published prerequisites for CVE-2020-9484 also apply to this issue. Mitigation: Users of the affected versions should apply one of the following mitigations: - Upgrade to Apache Tomcat 10.0.2 or later - Upgrade to Apache Tomcat 9.0.43 or later - Upgrade to Apache Tomcat 8.5.63 or later - Upgrade to Apache Tomcat 7.0.108 or later - the previously published non-upgrade mitigations for CVE-2020-9484 also apply to this issue Note that this issue was fixed in 10.0.1, 9.0.42 and 8.5.62 but the release votes for those versions did not pass. Credit: This issue was identified by Trung Pham of Viettel Cyber Security. History: 2021-03-01 Original advisory References: [1] https://tomcat.apache.org/security-10.html [2] https://tomcat.apache.org/security-9.html [3] https://tomcat.apache.org/security-8.html [4] https://tomcat.apache.org/security-7.html OpenPGP_signature Description: OpenPGP digital signature
[Bug 64762] CoyoteInputStream getInputStream() read (wait after premature end and the rest comes)
https://bz.apache.org/bugzilla/show_bug.cgi?id=64762 Matafagafo changed: What|Removed |Added CC||matafag...@yahoo.com -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 9.0.x updated (f0c1c8f -> ae9117e)
This is an automated email from the ASF dual-hosted git repository. markt pushed a change to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git. from f0c1c8f Improvements to Chinese translations. Provided by shawn. add ae9117e Fix BZ 64938 Clarify expected behaviour of setCharacterEncoding(null) No new revisions were added by this update. Summary of changes: .../apache/catalina/connector/OutputBuffer.java| 6 + java/org/apache/catalina/connector/Response.java | 40 ++- java/org/apache/coyote/Response.java | 9 +- .../apache/catalina/connector/TestResponse.java| 343 + test/org/apache/tomcat/unittest/TesterContext.java | 23 +- webapps/docs/changelog.xml | 7 + 6 files changed, 408 insertions(+), 20 deletions(-) - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch master updated: Fix formatting
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/master by this push: new 8fffdf2 Fix formatting 8fffdf2 is described below commit 8fffdf2b825653e8f1acb8f419a913ee77625655 Author: Mark Thomas AuthorDate: Mon Mar 1 14:02:36 2021 + Fix formatting --- java/org/apache/coyote/Response.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/java/org/apache/coyote/Response.java b/java/org/apache/coyote/Response.java index 114587f..7147ce1 100644 --- a/java/org/apache/coyote/Response.java +++ b/java/org/apache/coyote/Response.java @@ -468,7 +468,8 @@ public final class Response { if (locale == null) { this.locale = null; this.contentLanguage = null; -return;} +return; +} // Save the locale for use by getLocale() this.locale = locale; - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 9.0.x updated (ae9117e -> a72e130)
This is an automated email from the ASF dual-hosted git repository. markt pushed a change to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git. from ae9117e Fix BZ 64938 Clarify expected behaviour of setCharacterEncoding(null) add a72e130 Fix formatting No new revisions were added by this update. Summary of changes: java/org/apache/coyote/Response.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 8.5.x updated: Align more closely with 9.0.x to simplify back-ports
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/8.5.x by this push: new 0320f99 Align more closely with 9.0.x to simplify back-ports 0320f99 is described below commit 0320f996c01ab8d3522106950a551e31c836ee8f Author: Mark Thomas AuthorDate: Mon Mar 1 14:19:50 2021 + Align more closely with 9.0.x to simplify back-ports --- java/org/apache/catalina/connector/OutputBuffer.java | 4 +--- java/org/apache/catalina/connector/Response.java | 7 +++ java/org/apache/coyote/Response.java | 12 ++-- 3 files changed, 10 insertions(+), 13 deletions(-) diff --git a/java/org/apache/catalina/connector/OutputBuffer.java b/java/org/apache/catalina/connector/OutputBuffer.java index df5db81..14c9452 100644 --- a/java/org/apache/catalina/connector/OutputBuffer.java +++ b/java/org/apache/catalina/connector/OutputBuffer.java @@ -134,7 +134,6 @@ public class OutputBuffer extends Writer { // --- Constructors - /** * Default constructor. Allocate the buffer with the default buffer size. */ @@ -146,7 +145,7 @@ public class OutputBuffer extends Writer { /** - * Alternate constructor which allows specifying the initial buffer size. + * Create the buffer with the specified initial size. * * @param size Buffer size to use */ @@ -161,7 +160,6 @@ public class OutputBuffer extends Writer { // - Properties - /** * Associated Coyote response. * diff --git a/java/org/apache/catalina/connector/Response.java b/java/org/apache/catalina/connector/Response.java index d22cfea..860cca9 100644 --- a/java/org/apache/catalina/connector/Response.java +++ b/java/org/apache/catalina/connector/Response.java @@ -248,7 +248,7 @@ public class Response implements HttpServletResponse { writer.clear(); writer = null; } -} else { +} else if (writer != null) { writer.recycle(); } 
@@ -1583,9 +1583,8 @@ public class Response implements HttpServletResponse { if (!file.startsWith(contextPath)) { return false; } -String tok = ";" + -SessionConfig.getSessionUriParamName(request.getContext()) + -"=" + session.getIdInternal(); +String tok = ";" + SessionConfig.getSessionUriParamName(request.getContext()) + "=" + +session.getIdInternal(); if( file.indexOf(tok, contextPath.length()) >= 0 ) { return false; } diff --git a/java/org/apache/coyote/Response.java b/java/org/apache/coyote/Response.java index 1f965bb..be8eb00 100644 --- a/java/org/apache/coyote/Response.java +++ b/java/org/apache/coyote/Response.java @@ -437,7 +437,7 @@ public final class Response { public void setLocale(Locale locale) { if (locale == null) { -return; // throw an exception? +return; } // Save the locale for use by getLocale() @@ -481,6 +481,11 @@ public final class Response { } +public Charset getCharset() { +return charset; +} + + /** * @return The name of the current encoding */ @@ -489,11 +494,6 @@ public final class Response { } -public Charset getCharset() { -return charset; -} - - /** * Sets the content type. * - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
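Review bot: The relocated `public Charset getCharset()` in the coyote/Response.java hunk at @@ -481 still carries no Javadoc, while the accessor right below it documents itself with `/** @return The name of the current encoding */`. The move is the natural moment to fix that; add `/** @return The {@link Charset} currently set on this response, if any. */` above the method so the two accessors read alike. The enclosing class continues outside the hunk on both sides.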
[Bug 64938] response.setCharacterEncoding(null) should clear previous charset
https://bz.apache.org/bugzilla/show_bug.cgi?id=64938 Mark Thomas changed: What|Removed |Added Status|NEW |RESOLVED Resolution|--- |FIXED --- Comment #7 from Mark Thomas --- Fixed in: - 10.0.x for 10.0.3 onwards - 9.0.x for 9.0.44 onwards - 8.5.x for 8.5.64 onwards -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch master updated: Update to BND 5.3.0
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/master by this push: new 0d6a544 Update to BND 5.3.0 0d6a544 is described below commit 0d6a5449cf9d3c26e09bf7123e9a5636c6177d48 Author: Mark Thomas AuthorDate: Mon Mar 1 21:11:24 2021 + Update to BND 5.3.0 This moves us off 5.3.0-SNAPSHOT --- build.properties.default | 21 +++-- webapps/docs/changelog.xml | 3 +++ 2 files changed, 10 insertions(+), 14 deletions(-) diff --git a/build.properties.default b/build.properties.default index 6d4476b..83287ad 100644 --- a/build.properties.default +++ b/build.properties.default 
@@ -273,29 +273,22 @@ findbugs.loc=${base-maven.loc}/com/github/spotbugs/spotbugs/${findbugs.version}/ # - bnd, version 5.3.0 or later - # - provides OSGI metadata for JARs - -# *** Using SNAPSHOT *** Using SNAPSHOT *** Using SNAPSHOT *** -# The specific version used for release builds will be archived at -# https://home.apache.org/~markt/dev/deps/bnd-5.3.0-SNAPHOT/ -# *** Using SNAPSHOT *** Using SNAPSHOT *** Using SNAPSHOT *** -bnd.version=5.3.0-SNAPSHOT - -# checksums for biz.aQute.bnd-5.2.0.jar -# *** Disabled while we depend on SNAPSHOT JARs *** -bnd.checksum.enabled=false +bnd.version=5.3.0 + +# checksums for biz.aQute.bnd-5.3.0.jar +bnd.checksum.enabled=true bnd.checksum.algorithm=MD5|SHA-1 -bnd.checksum.value=3254df4b94104002f79005ae54ec1dbb|1d69d0a5862133ac1f54555c9cd59011d79bbb86 +bnd.checksum.value=7cba73481ee6e72b182ba5c13801aafe|10ec0974db02f810e9345b218f4de4abe898ab04 bnd.home=${base.path}/bnd-${bnd.version} bnd.jar=${bnd.home}/biz.aQute.bnd-${bnd.version}.jar -# *** Temporary change to use the SNAPSHOT repository *** -# bnd.loc=${base-maven.loc}/biz/aQute/bnd/biz.aQute.bnd/${bnd.version}/biz.aQute.bnd-${bnd.version}.jar -bnd.loc=https://bndtools.jfrog.io/bndtools/update-snapshot/biz/aQute/bnd/biz.aQute.bnd/${bnd.version}/biz.aQute.bnd-${bnd.version}.jar +bnd.loc=${base-maven.loc}/biz/aQute/bnd/biz.aQute.bnd/${bnd.version}/biz.aQute.bnd-${bnd.version}.jar # - OSGi annotations bundle, version 1.0.0 or later- # - required to avoid Javadoc error when using bnd annotations - osgi-annotations.version=1.0.0 -# checksums for biz.aQute.bnd-5.2.0.jar +# checksums for OSGi annotations, version 1.0.0 osgi-annotations.checksum.enabled=true osgi-annotations.checksum.algorithm=MD5|SHA-1 osgi-annotations.checksum.value=153054f987534244f95a399539b11375|b6e802bceba0682353466abf8fadbbd662b2f7f8 diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index c3bee58..64eefbb 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml 
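Review bot: Re-enabling `bnd.checksum.enabled=true` is the right call, but the verification it switches on rests on the unchanged `bnd.checksum.algorithm=MD5|SHA-1` line, and both digests are collision-prone, so they give weaker integrity assurance for a downloaded build tool than SHA-256 or stronger would. If the build's checksum macro accepts other MessageDigest names, consider adding a SHA-256 entry to the algorithm list and to `bnd.checksum.value`, with the digest taken from the bnd release's published checksum rather than computed from the JAR you just downloaded. Moving `bnd.loc` off the jfrog snapshot repository back to `${base-maven.loc}` is an improvement; whether that base URL is HTTPS is not visible in this hunk. The 9.0.x back-port dd9ef1f further down carries the same lines and the same point.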
@@ -219,6 +219,9 @@ Improvements to Chinese translations. Provided by shawn. (mark) + +Update to bnd 5.3.0. (markt) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 9.0.x updated: Update to BND 5.3.0
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new dd9ef1f Update to BND 5.3.0 dd9ef1f is described below commit dd9ef1f11a050518e3739c712f0c4694497d747d Author: Mark Thomas AuthorDate: Mon Mar 1 21:11:24 2021 + Update to BND 5.3.0 This moves us off 5.3.0-SNAPSHOT --- build.properties.default | 21 +++-- webapps/docs/changelog.xml | 3 +++ 2 files changed, 10 insertions(+), 14 deletions(-) diff --git a/build.properties.default b/build.properties.default index 5e89a79..eb2b27e 100644 --- a/build.properties.default +++ b/build.properties.default 
@@ -273,29 +273,22 @@ findbugs.loc=${base-maven.loc}/com/github/spotbugs/spotbugs/${findbugs.version}/ # - bnd, version 5.3.0 or later - # - provides OSGI metadata for JARs - -# *** Using SNAPSHOT *** Using SNAPSHOT *** Using SNAPSHOT *** -# The specific version used for release builds will be archived at -# https://home.apache.org/~markt/dev/deps/bnd-5.3.0-SNAPHOT/ -# *** Using SNAPSHOT *** Using SNAPSHOT *** Using SNAPSHOT *** -bnd.version=5.3.0-SNAPSHOT - -# checksums for biz.aQute.bnd-5.2.0.jar -# *** Disabled while we depend on SNAPSHOT JARs *** -bnd.checksum.enabled=false +bnd.version=5.3.0 + +# checksums for biz.aQute.bnd-5.3.0.jar +bnd.checksum.enabled=true bnd.checksum.algorithm=MD5|SHA-1 -bnd.checksum.value=3254df4b94104002f79005ae54ec1dbb|1d69d0a5862133ac1f54555c9cd59011d79bbb86 +bnd.checksum.value=7cba73481ee6e72b182ba5c13801aafe|10ec0974db02f810e9345b218f4de4abe898ab04 bnd.home=${base.path}/bnd-${bnd.version} bnd.jar=${bnd.home}/biz.aQute.bnd-${bnd.version}.jar -# *** Temporary change to use the SNAPSHOT repository *** -# bnd.loc=${base-maven.loc}/biz/aQute/bnd/biz.aQute.bnd/${bnd.version}/biz.aQute.bnd-${bnd.version}.jar -bnd.loc=https://bndtools.jfrog.io/bndtools/update-snapshot/biz/aQute/bnd/biz.aQute.bnd/${bnd.version}/biz.aQute.bnd-${bnd.version}.jar +bnd.loc=${base-maven.loc}/biz/aQute/bnd/biz.aQute.bnd/${bnd.version}/biz.aQute.bnd-${bnd.version}.jar # - OSGi annotations bundle, version 1.0.0 or later- # - required to avoid Javadoc error when using bnd annotations - osgi-annotations.version=1.0.0 -# checksums for biz.aQute.bnd-5.2.0.jar +# checksums for OSGi annotations, version 1.0.0 osgi-annotations.checksum.enabled=true osgi-annotations.checksum.algorithm=MD5|SHA-1 osgi-annotations.checksum.value=153054f987534244f95a399539b11375|b6e802bceba0682353466abf8fadbbd662b2f7f8 diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 577cabe..d4f756f 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml 
@@ -200,6 +200,9 @@ Improvements to Chinese translations. Provided by shawn. (mark) + +Update to bnd 5.3.0. (markt) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 8.5.x updated: Fix BZ 64938 Clarify expected behaviour of setCharacterEncoding(null)
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/8.5.x by this push: new 12ac01b Fix BZ 64938 Clarify expected behaviour of setCharacterEncoding(null) 12ac01b is described below commit 12ac01b99599404809772f263a26d554e3ccba75 Author: Mark Thomas AuthorDate: Tue Feb 23 12:49:59 2021 + Fix BZ 64938 Clarify expected behaviour of setCharacterEncoding(null) Also covers setContentType(null) and setLocale(null) https://bz.apache.org/bugzilla/show_bug.cgi?id=64938 --- .../apache/catalina/connector/OutputBuffer.java| 5 + java/org/apache/catalina/connector/Response.java | 42 ++- java/org/apache/coyote/Response.java | 6 +- .../apache/catalina/connector/TestResponse.java| 345 + test/org/apache/tomcat/unittest/TesterContext.java | 23 +- webapps/docs/changelog.xml | 7 + 6 files changed, 409 insertions(+), 19 deletions(-) diff --git a/java/org/apache/catalina/connector/OutputBuffer.java b/java/org/apache/catalina/connector/OutputBuffer.java index 14c9452..958a506 100644 --- a/java/org/apache/catalina/connector/OutputBuffer.java +++ b/java/org/apache/catalina/connector/OutputBuffer.java @@ -591,6 +591,11 @@ public class OutputBuffer extends Writer { } if (charset == null) { +if (coyoteResponse.getCharacterEncoding() != null) { +// setCharacterEncoding() was called with an invalid character set +// Trigger an UnsupportedEncodingException +charset = B2CConverter.getCharset(coyoteResponse.getCharacterEncoding()); +} if (enc == null) { charset = org.apache.coyote.Constants.DEFAULT_BODY_CHARSET; } else { diff --git a/java/org/apache/catalina/connector/Response.java b/java/org/apache/catalina/connector/Response.java index 860cca9..0d59924 100644 --- a/java/org/apache/catalina/connector/Response.java +++ b/java/org/apache/catalina/connector/Response.java 
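Review bot: In the OutputBuffer.java hunk at @@ -591, the added `charset = B2CConverter.getCharset(coyoteResponse.getCharacterEncoding());` only has an effect if the call throws: on the visible lines the following `if (enc == null)` branch reassigns `charset` unconditionally, and if the `else` branch does the same the assigned value is never read. Since the added comment says the call is there to raise UnsupportedEncodingException, make that explicit by dropping the assignment — `B2CConverter.getCharset(coyoteResponse.getCharacterEncoding());` — so a reader does not hunt for a consumer of the value. The enclosing method begins and ends outside the hunk.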
@@ -752,6 +752,12 @@ public class Response implements HttpServletResponse { if (type == null) { getCoyoteResponse().setContentType(null); +try { +getCoyoteResponse().setCharacterEncoding(null); +} catch (IllegalArgumentException e) { +// Can never happen when calling with null +} +isCharacterEncodingSet = false; return; } @@ -811,7 +817,11 @@ public class Response implements HttpServletResponse { log.warn(sm.getString("coyoteResponse.encoding.invalid", charset), e); return; } -isCharacterEncodingSet = true; +if (charset == null) { +isCharacterEncodingSet = false; +} else { +isCharacterEncodingSet = true; +} } @@ -845,16 +855,24 @@ public class Response implements HttpServletResponse { return; } -// In some error handling scenarios, the context is unknown -// (e.g. a 404 when a ROOT context is not present) -Context context = getContext(); -if (context != null) { -String charset = context.getCharset(locale); -if (charset != null) { -try { -getCoyoteResponse().setCharacterEncoding(charset); -} catch (IllegalArgumentException e) { -log.warn(sm.getString("coyoteResponse.encoding.invalid", charset), e); +if (locale == null) { +try { +getCoyoteResponse().setCharacterEncoding(null); +} catch (IllegalArgumentException e) { +// Impossible when calling with null +} +} else { +// In some error handling scenarios, the context is unknown +// (e.g. a 404 when a ROOT context is not present) +Context context = getContext(); +if (context != null) { +String charset = context.getCharset(locale); +if (charset != null) { +try { +getCoyoteResponse().setCharacterEncoding(charset); +} catch (IllegalArgumentException e) { + log.warn(sm.getString("coyoteResponse.encoding.invalid", charset), e); +} } } } 
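Review bot: In the connector/Response.java hunk at @@ -817, the five-line `if (charset == null) { isCharacterEncodingSet = false; } else { isCharacterEncodingSet = true; }` is a boolean assignment in disguise and reads better as `isCharacterEncodingSet = charset != null;`. The `try { getCoyoteResponse().setCharacterEncoding(null); } catch (IllegalArgumentException e) { ... }` block is now written out twice, in @@ -752 and @@ -855, each with a differently worded comment saying the catch cannot trigger; a small private helper carrying that comment once would keep the two call sites in step. The enclosing methods start outside the hunks.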
@@ -1583,7 +1601,7 @@ public class Response implements HttpServletResponse { if (!file.startsWith(contextPath)) { return false; } -String tok = ";" + SessionConfig.getSessionUriParamName(request.getContext()) + "=" + +String tok = ";" + SessionConfig.getSessionUriParamName(request.getContext()) + "=" + session.getIdIntern