[Bug 66191] New: compile taglibs that are not (yet) included in jsp file
https://bz.apache.org/bugzilla/show_bug.cgi?id=66191

Bug ID: 66191
Summary: compile taglibs that are not (yet) included in jsp file
Product: Tomcat 10
Version: unspecified
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: Jasper
Assignee: dev@tomcat.apache.org
Reporter: andreas.sta...@rmcon-int.de
Target Milestone: --

## Issue Description

We are using jetty-jspc-maven-plugin (which uses Jasper JspC) to compile jsp and tag files in our build. We have some Maven projects that contain only taglibs (tld files) but no jsp files. Sadly, these taglibs are not compiled when the project is compiled.

It seems the jsp compiler does a top-to-bottom approach, starting with jsp files and including everything in the compilation that is reachable from these. Because our taglib project does not contain a jsp file, nothing is compiled.

When including tag files explicitly ( **/*.tag, **/*.jsp, **/*.jspx ), these are still treated as jsp files and it results in an error: [<%@ tag] directive can only be used in a tag file

## Desired Solution

Include an option compileUnusedTaglibs (name is only a suggestion). It should search for tld files and compile everything that is reachable from these.

## Motivation

At the moment, our taglib is only compiled as part of a later project. Sadly, project dependencies are not enforced because of this.

Example:
- TaglibProject is referenced by WebAppProject.
- TaglibProject uses Java classes from WebAppProject prematurely in tag files.
- TaglibProject tag files are not compiled yet. Thus no error.
- WebAppProject is compiled. The prematurely used Java files are not present. Thus no error.

It works. But it would be better for our project structure if it were not possible to use classes from later projects prematurely in tag files or earlier projects. Taglib compilation would enforce this.

You can find here a small example project to reproduce the issue: https://github.com/achimmihca/multi.module.webapp.demo

## Additional Notes

I was redirected here from the jetty-jspc-maven-plugin team: https://github.com/eclipse/jetty.project/issues/8316

-- You are receiving this mail because: You are the assignee for the bug.
- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 66191] compile taglibs that are not (yet) included in jsp file
https://bz.apache.org/bugzilla/show_bug.cgi?id=66191

andreas.sta...@rmcon-int.de changed:

What | Removed | Added
OS | | All

--- Comment #1 from andreas.sta...@rmcon-int.de ---

> The prematurely used Java files are not present. Thus no error.

Should be "The prematurely used Java files are NOW present. Thus no error."
[tomcat] branch 9.0.x updated (b5ec61e01e -> 5cb0cffdbe)
This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git

from b5ec61e01e Fix typo
add 942f01d938 Duplicate accept checks are not required in unix domain socket mode
add 5cb0cffdbe Add a changelog entry for #532

No new revisions were added by this update.

Summary of changes:
java/org/apache/tomcat/util/net/AprEndpoint.java | 4 ++--
java/org/apache/tomcat/util/net/NioEndpoint.java | 4 ++--
webapps/docs/changelog.xml | 8
3 files changed, 12 insertions(+), 4 deletions(-)
[tomcat] branch main updated (c8fce99bd7 -> 72ef65020d)
This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git

from c8fce99bd7 Fix typo
new af0334e74a Duplicate accept checks are not required in unix domain socket mode
new 72ef65020d Add a changelog entry for #532

The 2 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.

Summary of changes:
java/org/apache/tomcat/util/net/NioEndpoint.java | 4 ++--
webapps/docs/changelog.xml | 8
2 files changed, 10 insertions(+), 2 deletions(-)
[tomcat] 01/02: Duplicate accept checks are not required in unix domain socket mode
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git commit af0334e74aa920332bc5d92187db97b6094ff49a Author: lihan AuthorDate: Mon Jul 18 12:52:11 2022 +0800 Duplicate accept checks are not required in unix domain socket mode --- java/org/apache/tomcat/util/net/NioEndpoint.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/java/org/apache/tomcat/util/net/NioEndpoint.java b/java/org/apache/tomcat/util/net/NioEndpoint.java index ae8d64e6cd..596feb4b9f 100644 --- a/java/org/apache/tomcat/util/net/NioEndpoint.java +++ b/java/org/apache/tomcat/util/net/NioEndpoint.java @@ -519,8 +519,8 @@ public class NioEndpoint extends AbstractJsseEndpoint protected SocketChannel serverSocketAccept() throws Exception { SocketChannel result = serverSock.accept(); -// Bug does not affect Windows. Skip the check on that platform. -if (!JrePlatform.IS_WINDOWS) { +// Bug does not affect Windows platform and Unix Domain Socket. Skip the check. +if (!JrePlatform.IS_WINDOWS && getUnixDomainSocketPath() == null) { SocketAddress currentRemoteAddress = result.getRemoteAddress(); long currentNanoTime = System.nanoTime(); if (currentRemoteAddress.equals(previousAcceptedSocketRemoteAddress) && - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
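Review bot: the new comment in the NioEndpoint hunk says when the duplicate accept check is skipped but not what goes wrong if it is not: the changelog entry committed alongside this change (72ef65020d, "Avoid potential NPE") names a concrete failure, while this commit message only says the check is "not required". Recording the failure mode in the comment next to `getUnixDomainSocketPath() == null` would stop a later reader from re-enabling the check for Unix domain sockets as a harmless extra safeguard. The comment text `Bug does not affect Windows platform and Unix Domain Socket. Skip the check.` would also read better as `Bug does not affect Windows or Unix Domain Sockets. Skip the check.`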
[tomcat] 02/02: Add a changelog entry for #532
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 72ef65020d3e19f3eb670fdc4f477a240c497bf0 Author: Mark Thomas AuthorDate: Mon Aug 1 11:41:29 2022 +0100 Add a changelog entry for #532 --- webapps/docs/changelog.xml | 8 1 file changed, 8 insertions(+) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 403b3ef4e7..21ae993bb4 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -105,6 +105,14 @@ issues do not "pop up" wrt. others). --> + + + +Avoid potential NPE by skipping duplicate accept check when using a Unix +Domain Socket. Based on 532 by Han Li. (markt) + + + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
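Review bot: the severity in this changelog hunk does not match the code commit it records. af0334e74a describes the duplicate accept check as merely "not required" in Unix domain socket mode, while the entry here says the change avoids a potential NPE; if the NPE is real, the code comment and commit message should say so, and if it is not, "Avoid potential NPE" overstates the fix. The surrounding lines of the hunk are bare `+` lines in this message, so the enclosing changelog markup and the way "532" is referenced cannot be seen here; worth checking the rendered changelog to confirm the entry sits in the intended subsection and that 532 renders as a link to the pull request.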
[GitHub] [tomcat] markt-asf commented on pull request #532: Don't perform protection checks in Unix Domain Socket mode
markt-asf commented on PR #532: URL: https://github.com/apache/tomcat/pull/532#issuecomment-1201031432 Merged manually. Thanks for the PR. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [tomcat] markt-asf closed pull request #532: Don't perform protection checks in Unix Domain Socket mode
markt-asf closed pull request #532: Don't perform protection checks in Unix Domain Socket mode URL: https://github.com/apache/tomcat/pull/532
[tomcat] branch 10.0.x updated (99080de72c -> cb85689a08)
This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to branch 10.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git

from 99080de72c Add release date for 10.0.23
new 8b771c81e0 Duplicate accept checks are not required in unix domain socket mode
new cb85689a08 Add a changelog entry for #532

The 2 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.

Summary of changes:
java/org/apache/tomcat/util/net/AprEndpoint.java | 4 ++--
java/org/apache/tomcat/util/net/NioEndpoint.java | 4 ++--
webapps/docs/changelog.xml | 8
3 files changed, 12 insertions(+), 4 deletions(-)
[tomcat] 02/02: Add a changelog entry for #532
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit cb85689a080389595e658dd79cb768129820a275 Author: Mark Thomas AuthorDate: Mon Aug 1 11:41:29 2022 +0100 Add a changelog entry for #532 --- webapps/docs/changelog.xml | 8 1 file changed, 8 insertions(+) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index d55b9fbde0..592e1b3602 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -105,6 +105,14 @@ issues do not "pop up" wrt. others). --> + + + +Avoid potential NPE by skipping duplicate accept check when using a Unix +Domain Socket. Based on 532 by Han Li. (markt) + + + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] 01/02: Duplicate accept checks are not required in unix domain socket mode
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 8b771c81e033eedde168bba1ab028ac850a1689e Author: lihan AuthorDate: Mon Jul 18 12:52:11 2022 +0800 Duplicate accept checks are not required in unix domain socket mode --- java/org/apache/tomcat/util/net/AprEndpoint.java | 4 ++-- java/org/apache/tomcat/util/net/NioEndpoint.java | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/java/org/apache/tomcat/util/net/AprEndpoint.java b/java/org/apache/tomcat/util/net/AprEndpoint.java index 5b7c457880..fa765f1ad3 100644 --- a/java/org/apache/tomcat/util/net/AprEndpoint.java +++ b/java/org/apache/tomcat/util/net/AprEndpoint.java @@ -813,8 +813,8 @@ public class AprEndpoint extends AbstractEndpoint implements SNICallB // Do the duplicate accept check here rather than in serverSocketaccept() // so we can cache the results in the SocketWrapper AprSocketWrapper wrapper = new AprSocketWrapper(socket, this); -// Bug does not affect Windows. Skip the check on that platform. -if (!JrePlatform.IS_WINDOWS) { +// Bug does not affect Windows platform and Unix Domain Socket. Skip the check. +if (!JrePlatform.IS_WINDOWS && getUnixDomainSocketPath() == null) { long currentNanoTime = System.nanoTime(); if (wrapper.getRemotePort() == previousAcceptedPort) { if (wrapper.getRemoteAddr().equals(previousAcceptedAddress)) { diff --git a/java/org/apache/tomcat/util/net/NioEndpoint.java b/java/org/apache/tomcat/util/net/NioEndpoint.java index ddcdcd39ab..fbd860741f 100644 --- a/java/org/apache/tomcat/util/net/NioEndpoint.java +++ b/java/org/apache/tomcat/util/net/NioEndpoint.java 
@@ -519,8 +519,8 @@ public class NioEndpoint extends AbstractJsseEndpoint protected SocketChannel serverSocketAccept() throws Exception { SocketChannel result = serverSock.accept(); -// Bug does not affect Windows. Skip the check on that platform. -if (!JrePlatform.IS_WINDOWS) { +// Bug does not affect Windows platform and Unix Domain Socket. Skip the check. +if (!JrePlatform.IS_WINDOWS && getUnixDomainSocketPath() == null) { SocketAddress currentRemoteAddress = result.getRemoteAddress(); long currentNanoTime = System.nanoTime(); if (currentRemoteAddress.equals(previousAcceptedSocketRemoteAddress) && - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
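Review bot: the AprEndpoint and NioEndpoint hunks now carry the identical condition `!JrePlatform.IS_WINDOWS && getUnixDomainSocketPath() == null`, each with its own copy of the comment. A small protected helper on the shared base class (hypothetical name: `isDuplicateAcceptCheckRequired()`) would keep the two endpoints from drifting the next time a platform or transport has to be excluded. In the AprEndpoint hunk the guard also sits in front of `wrapper.getRemoteAddr().equals(previousAcceptedAddress)`, which is exactly the expression that would throw if no remote address is available for a Unix domain socket, so the comment there is the natural place to say that instead of only "Skip the check".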
[GitHub] [tomcat] markt-asf commented on pull request #532: Don't perform protection checks in Unix Domain Socket mode
markt-asf commented on PR #532: URL: https://github.com/apache/tomcat/pull/532#issuecomment-1201033825 Note that 8.5.x is not affected by this issue.
[tomcat] branch 10.0.x updated: Skip JNI tests when testing with Tomcat Native 2.x.x and later
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.0.x by this push: new 375a9d7aa3 Skip JNI tests when testing with Tomcat Native 2.x.x and later 375a9d7aa3 is described below commit 375a9d7aa377e9a70c86dcea8ef60aa4b15c9203 Author: Mark Thomas AuthorDate: Mon Aug 1 11:58:24 2022 +0100 Skip JNI tests when testing with Tomcat Native 2.x.x and later --- test/org/apache/tomcat/jni/AbstractJniTest.java | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/test/org/apache/tomcat/jni/AbstractJniTest.java b/test/org/apache/tomcat/jni/AbstractJniTest.java index 84ed1ac29d..3d1b8d74f1 100644 --- a/test/org/apache/tomcat/jni/AbstractJniTest.java +++ b/test/org/apache/tomcat/jni/AbstractJniTest.java @@ -32,7 +32,11 @@ public abstract class AbstractJniTest { } catch (LibraryNotFoundError lnfe) { nativeLibraryPresent = false; } -Assume.assumeTrue("APR Library not found", nativeLibraryPresent); +Assume.assumeTrue("Tomcat Native Library not found", nativeLibraryPresent); +if (nativeLibraryPresent) { +Assume.assumeTrue("Tomcat Native Library version 2.x.x or later found which does not support these tests", +Library.TCN_MAJOR_VERSION < 2); +} } - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
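Review bot: the `if (nativeLibraryPresent)` wrapper around the second assumption in the AbstractJniTest hunk is dead logic. `Assume.assumeTrue("Tomcat Native Library not found", nativeLibraryPresent);` on the line before already aborts the test when the flag is false, so the body of the `if` can only ever execute with `nativeLibraryPresent == true`. The three added lines can be flattened to a single `Assume.assumeTrue("Tomcat Native Library version 2.x.x or later found which does not support these tests", Library.TCN_MAJOR_VERSION < 2);`, which also avoids the line-wrapped condition.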
[tomcat] branch 9.0.x updated: Skip JNI tests when testing with Tomcat Native 2.x.x and later
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new b9a261824e Skip JNI tests when testing with Tomcat Native 2.x.x and later b9a261824e is described below commit b9a261824ead0434bde8cce0a911f99bc00c1730 Author: Mark Thomas AuthorDate: Mon Aug 1 11:58:24 2022 +0100 Skip JNI tests when testing with Tomcat Native 2.x.x and later --- test/org/apache/tomcat/jni/AbstractJniTest.java | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/test/org/apache/tomcat/jni/AbstractJniTest.java b/test/org/apache/tomcat/jni/AbstractJniTest.java index 84ed1ac29d..3d1b8d74f1 100644 --- a/test/org/apache/tomcat/jni/AbstractJniTest.java +++ b/test/org/apache/tomcat/jni/AbstractJniTest.java @@ -32,7 +32,11 @@ public abstract class AbstractJniTest { } catch (LibraryNotFoundError lnfe) { nativeLibraryPresent = false; } -Assume.assumeTrue("APR Library not found", nativeLibraryPresent); +Assume.assumeTrue("Tomcat Native Library not found", nativeLibraryPresent); +if (nativeLibraryPresent) { +Assume.assumeTrue("Tomcat Native Library version 2.x.x or later found which does not support these tests", +Library.TCN_MAJOR_VERSION < 2); +} } - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch main updated (72ef65020d -> 1233f5f3c2)
This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git

from 72ef65020d Add a changelog entry for #532
new 5c6171bb21 Fix indent
new 1233f5f3c2 Add test empty parameter - allowed by RFC 9110

The 2 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.

Summary of changes:
test/org/apache/tomcat/util/http/parser/TestMediaType.java | 12 +++-
1 file changed, 11 insertions(+), 1 deletion(-)
[tomcat] 01/02: Fix indent
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 5c6171bb2186f0d43c78ffec6610908e83a81a82 Author: Mark Thomas AuthorDate: Mon Aug 1 12:20:33 2022 +0100 Fix indent --- test/org/apache/tomcat/util/http/parser/TestMediaType.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/org/apache/tomcat/util/http/parser/TestMediaType.java b/test/org/apache/tomcat/util/http/parser/TestMediaType.java index 35a1d74523..9a577687e3 100644 --- a/test/org/apache/tomcat/util/http/parser/TestMediaType.java +++ b/test/org/apache/tomcat/util/http/parser/TestMediaType.java @@ -302,7 +302,7 @@ public class TestMediaType { sb.append(lws); return sb.toString(); } -} +} @Test public void testCase() throws Exception { - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] 02/02: Add test empty parameter - allowed by RFC 9110
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 1233f5f3c2282ba50a3b4fd30cdd26416b24e12d Author: Mark Thomas AuthorDate: Mon Aug 1 12:31:01 2022 +0100 Add test empty parameter - allowed by RFC 9110 Tomcat already allowed this so no functional change. --- test/org/apache/tomcat/util/http/parser/TestMediaType.java | 10 ++ 1 file changed, 10 insertions(+) diff --git a/test/org/apache/tomcat/util/http/parser/TestMediaType.java b/test/org/apache/tomcat/util/http/parser/TestMediaType.java index 9a577687e3..c17d6cd589 100644 --- a/test/org/apache/tomcat/util/http/parser/TestMediaType.java +++ b/test/org/apache/tomcat/util/http/parser/TestMediaType.java @@ -314,4 +314,14 @@ public class TestMediaType { Assert.assertEquals("2", m.getParameterValue("B")); Assert.assertEquals("2", m.getParameterValue("b")); } + +@Test +public void TestEmptyParameter() throws Exception { +// RFC 9110 +StringReader sr = new StringReader("type/sub-type;;a=1;;b=2;;"); +MediaType m = MediaType.parseMediaType(sr); + +Assert.assertEquals("1", m.getParameterValue("a")); +Assert.assertEquals("2", m.getParameterValue("b")); +} } - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
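Review bot: `TestEmptyParameter` breaks the method naming used elsewhere in TestMediaType (the adjacent `testCase`) and the usual lower camel case for Java methods; rename to `testEmptyParameter`. The single input `type/sub-type;;a=1;;b=2;;` only covers empty elements with no surrounding whitespace, whereas the RFC 9110 parameters rule allows optional whitespace on either side of each `;`; the file already has a helper that appends `lws` (visible in the context, `sb.append(lws)`), so a second case along the lines of `type/sub-type ; ; a=1` would cover the combination. An assertion that the empty elements produced no parameter of their own would pin the behaviour down better than checking only `a` and `b`.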
[tomcat] 02/02: Add test empty parameter - allowed by RFC 9110
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit da3437d1a4c7955beb4cb7d9393d704f5c37a3af Author: Mark Thomas AuthorDate: Mon Aug 1 12:31:01 2022 +0100 Add test empty parameter - allowed by RFC 9110 Tomcat already allowed this so no functional change. --- test/org/apache/tomcat/util/http/parser/TestMediaType.java | 10 ++ 1 file changed, 10 insertions(+) diff --git a/test/org/apache/tomcat/util/http/parser/TestMediaType.java b/test/org/apache/tomcat/util/http/parser/TestMediaType.java index 9a577687e3..c17d6cd589 100644 --- a/test/org/apache/tomcat/util/http/parser/TestMediaType.java +++ b/test/org/apache/tomcat/util/http/parser/TestMediaType.java @@ -314,4 +314,14 @@ public class TestMediaType { Assert.assertEquals("2", m.getParameterValue("B")); Assert.assertEquals("2", m.getParameterValue("b")); } + +@Test +public void TestEmptyParameter() throws Exception { +// RFC 9110 +StringReader sr = new StringReader("type/sub-type;;a=1;;b=2;;"); +MediaType m = MediaType.parseMediaType(sr); + +Assert.assertEquals("1", m.getParameterValue("a")); +Assert.assertEquals("2", m.getParameterValue("b")); +} } - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 10.0.x updated (375a9d7aa3 -> da3437d1a4)
This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to branch 10.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git

from 375a9d7aa3 Skip JNI tests when testing with Tomcat Native 2.x.x and later
new f05681ce9e Fix indent
new da3437d1a4 Add test empty parameter - allowed by RFC 9110

The 2 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.

Summary of changes:
test/org/apache/tomcat/util/http/parser/TestMediaType.java | 12 +++-
1 file changed, 11 insertions(+), 1 deletion(-)
[tomcat] 01/02: Fix indent
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit f05681ce9ed6d7f2148ea56cec71871282a45348 Author: Mark Thomas AuthorDate: Mon Aug 1 12:20:33 2022 +0100 Fix indent --- test/org/apache/tomcat/util/http/parser/TestMediaType.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/org/apache/tomcat/util/http/parser/TestMediaType.java b/test/org/apache/tomcat/util/http/parser/TestMediaType.java index 35a1d74523..9a577687e3 100644 --- a/test/org/apache/tomcat/util/http/parser/TestMediaType.java +++ b/test/org/apache/tomcat/util/http/parser/TestMediaType.java @@ -302,7 +302,7 @@ public class TestMediaType { sb.append(lws); return sb.toString(); } -} +} @Test public void testCase() throws Exception { - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] 01/02: Fix indent
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit d40cb3edbc9922afd3febcd68dcec65d0fcc249d Author: Mark Thomas AuthorDate: Mon Aug 1 12:20:33 2022 +0100 Fix indent --- test/org/apache/tomcat/util/http/parser/TestMediaType.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/org/apache/tomcat/util/http/parser/TestMediaType.java b/test/org/apache/tomcat/util/http/parser/TestMediaType.java index 35a1d74523..9a577687e3 100644 --- a/test/org/apache/tomcat/util/http/parser/TestMediaType.java +++ b/test/org/apache/tomcat/util/http/parser/TestMediaType.java @@ -302,7 +302,7 @@ public class TestMediaType { sb.append(lws); return sb.toString(); } -} +} @Test public void testCase() throws Exception { - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 9.0.x updated (b9a261824e -> 2c9d5c5aa7)
This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git

from b9a261824e Skip JNI tests when testing with Tomcat Native 2.x.x and later
new d40cb3edbc Fix indent
new 2c9d5c5aa7 Add test empty parameter - allowed by RFC 9110

The 2 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.

Summary of changes:
test/org/apache/tomcat/util/http/parser/TestMediaType.java | 12 +++-
1 file changed, 11 insertions(+), 1 deletion(-)
[tomcat] 02/02: Add test empty parameter - allowed by RFC 9110
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 2c9d5c5aa7320331f773cb96bede3bb425c9 Author: Mark Thomas AuthorDate: Mon Aug 1 12:31:01 2022 +0100 Add test empty parameter - allowed by RFC 9110 Tomcat already allowed this so no functional change. --- test/org/apache/tomcat/util/http/parser/TestMediaType.java | 10 ++ 1 file changed, 10 insertions(+) diff --git a/test/org/apache/tomcat/util/http/parser/TestMediaType.java b/test/org/apache/tomcat/util/http/parser/TestMediaType.java index 9a577687e3..c17d6cd589 100644 --- a/test/org/apache/tomcat/util/http/parser/TestMediaType.java +++ b/test/org/apache/tomcat/util/http/parser/TestMediaType.java @@ -314,4 +314,14 @@ public class TestMediaType { Assert.assertEquals("2", m.getParameterValue("B")); Assert.assertEquals("2", m.getParameterValue("b")); } + +@Test +public void TestEmptyParameter() throws Exception { +// RFC 9110 +StringReader sr = new StringReader("type/sub-type;;a=1;;b=2;;"); +MediaType m = MediaType.parseMediaType(sr); + +Assert.assertEquals("1", m.getParameterValue("a")); +Assert.assertEquals("2", m.getParameterValue("b")); +} } - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] 02/02: Add test empty parameter - allowed by RFC 9110
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit fb71303800c32102fc9fe7c66b73ca7529e88166 Author: Mark Thomas AuthorDate: Mon Aug 1 12:31:01 2022 +0100 Add test empty parameter - allowed by RFC 9110 Tomcat already allowed this so no functional change. --- test/org/apache/tomcat/util/http/parser/TestMediaType.java | 10 ++ 1 file changed, 10 insertions(+) diff --git a/test/org/apache/tomcat/util/http/parser/TestMediaType.java b/test/org/apache/tomcat/util/http/parser/TestMediaType.java index 5f46bb2969..0b84eef2a1 100644 --- a/test/org/apache/tomcat/util/http/parser/TestMediaType.java +++ b/test/org/apache/tomcat/util/http/parser/TestMediaType.java @@ -306,4 +306,14 @@ public class TestMediaType { Assert.assertEquals("2", m.getParameterValue("B")); Assert.assertEquals("2", m.getParameterValue("b")); } + +@Test +public void TestEmptyParameter() throws Exception { +// RFC 9110 +StringReader sr = new StringReader("type/sub-type;;a=1;;b=2;;"); +MediaType m = MediaType.parseMediaType(sr); + +Assert.assertEquals("1", m.getParameterValue("a")); +Assert.assertEquals("2", m.getParameterValue("b")); +} } - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 8.5.x updated (010f0eba58 -> fb71303800)
This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git

from 010f0eba58 Fix corruption spotted when preparing 10.0.x release
new 0d94835b59 Fix indent
new fb71303800 Add test empty parameter - allowed by RFC 9110

The 2 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.

Summary of changes:
test/org/apache/tomcat/util/http/parser/TestMediaType.java | 12 +++-
1 file changed, 11 insertions(+), 1 deletion(-)
[tomcat] 01/02: Fix indent
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 0d94835b59e3d2e6b938d36ecbdd749c63694fda Author: Mark Thomas AuthorDate: Mon Aug 1 12:20:33 2022 +0100 Fix indent --- test/org/apache/tomcat/util/http/parser/TestMediaType.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/org/apache/tomcat/util/http/parser/TestMediaType.java b/test/org/apache/tomcat/util/http/parser/TestMediaType.java index 31391f23aa..5f46bb2969 100644 --- a/test/org/apache/tomcat/util/http/parser/TestMediaType.java +++ b/test/org/apache/tomcat/util/http/parser/TestMediaType.java @@ -294,7 +294,7 @@ public class TestMediaType { sb.append(lws); return sb.toString(); } -} +} @Test public void testCase() throws Exception { - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Do we want to increase the default value of maxHttpHeaderSize?
Hi all,

RFC 9110 recommends supporting URIs of at least 8000 octets in size. Currently, all versions of Tomcat limit the request line and headers to 8192 octets by default.

The current limit is, technically, in compliance with RFC 9110 but with a ~8000 octet URI there isn't much room left for any HTTP headers.

Given the recommendation of RFC 9110 do we want to increase this default?

I am currently leaning towards leaving the default as is unless we have any evidence that the majority of users are finding they need to increase it.

Thoughts?

Mark
[tomcat] branch 10.0.x updated: Update documentation since RFC 9110 now allows partial PUT
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.0.x by this push: new d2d497f2c5 Update documentation since RFC 9110 now allows partial PUT d2d497f2c5 is described below commit d2d497f2c59c70a4cdb06b73969e457d8aef3c96 Author: Mark Thomas AuthorDate: Mon Aug 1 13:32:47 2022 +0100 Update documentation since RFC 9110 now allows partial PUT --- conf/web.xml | 6 -- webapps/docs/default-servlet.xml | 5 +++-- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/conf/web.xml b/conf/web.xml index 1efffd59ba..f621077f33 100644 --- a/conf/web.xml +++ b/conf/web.xml @@ -112,8 +112,10 @@ - - + + + + default diff --git a/webapps/docs/default-servlet.xml b/webapps/docs/default-servlet.xml index 18bb8bafd0..5b9ba7af29 100644 --- a/webapps/docs/default-servlet.xml +++ b/webapps/docs/default-servlet.xml @@ -207,8 +207,9 @@ Tomcat. Should the server treat an HTTP PUT request with a Range header as a -partial PUT? Note that RFC 7233 clarified that Range headers are only -valid for GET requests. [true] +partial PUT? Note that while RFC 7233 clarified that Range headers only +valid for GET requests, RFC 9110 (which obsoletes RFC 7233) now allows +partial puts. [true] - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
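Review bot: the rewritten sentence in the default-servlet.xml hunk drops a verb: `Range headers only valid for GET requests` should read `Range headers are only valid for GET requests` (the removed line had the `are`). `partial puts` on the last added line should also match the capitalisation at the start of the paragraph, `partial PUTs`. The conf/web.xml hunk arrives here as bare `+` and `-` lines with the comment text missing, so the wording change to the shipped configuration comment could not be checked in this message and should be read in the repository.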
[tomcat] branch main updated: Update documentation since RFC 9110 now allows partial PUT
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new ec5c642a7f Update documentation since RFC 9110 now allows partial PUT ec5c642a7f is described below commit ec5c642a7f069c90a8f72cc49fb0e84ea7013205 Author: Mark Thomas AuthorDate: Mon Aug 1 13:32:47 2022 +0100 Update documentation since RFC 9110 now allows partial PUT --- conf/web.xml | 6 -- webapps/docs/default-servlet.xml | 5 +++-- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/conf/web.xml b/conf/web.xml index f009e9f293..df7927df58 100644 --- a/conf/web.xml +++ b/conf/web.xml @@ -112,8 +112,10 @@ - - + + + + default diff --git a/webapps/docs/default-servlet.xml b/webapps/docs/default-servlet.xml index 18bb8bafd0..5b9ba7af29 100644 --- a/webapps/docs/default-servlet.xml +++ b/webapps/docs/default-servlet.xml @@ -207,8 +207,9 @@ Tomcat. Should the server treat an HTTP PUT request with a Range header as a -partial PUT? Note that RFC 7233 clarified that Range headers are only -valid for GET requests. [true] +partial PUT? Note that while RFC 7233 clarified that Range headers only +valid for GET requests, RFC 9110 (which obsoletes RFC 7233) now allows +partial puts. [true] - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 9.0.x updated: Update documentation since RFC 9110 now allows partial PUT
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new fa764fbd08 Update documentation since RFC 9110 now allows partial PUT fa764fbd08 is described below commit fa764fbd0806430ea14ac2eeaec1bbeff708ecbb Author: Mark Thomas AuthorDate: Mon Aug 1 13:32:47 2022 +0100 Update documentation since RFC 9110 now allows partial PUT --- conf/web.xml | 6 -- webapps/docs/default-servlet.xml | 5 +++-- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/conf/web.xml b/conf/web.xml index 9d82319ba9..d0d4f3150e 100644 --- a/conf/web.xml +++ b/conf/web.xml @@ -107,8 +107,10 @@ - - + + + + default diff --git a/webapps/docs/default-servlet.xml b/webapps/docs/default-servlet.xml index 18bb8bafd0..5b9ba7af29 100644 --- a/webapps/docs/default-servlet.xml +++ b/webapps/docs/default-servlet.xml @@ -207,8 +207,9 @@ Tomcat. Should the server treat an HTTP PUT request with a Range header as a -partial PUT? Note that RFC 7233 clarified that Range headers are only -valid for GET requests. [true] +partial PUT? Note that while RFC 7233 clarified that Range headers only +valid for GET requests, RFC 9110 (which obsoletes RFC 7233) now allows +partial puts. [true] - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 8.5.x updated: Update documentation since RFC 9110 now allows partial PUT
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/8.5.x by this push: new 0f64ae81b4 Update documentation since RFC 9110 now allows partial PUT 0f64ae81b4 is described below commit 0f64ae81b41dd099f035251133f97663a560517f Author: Mark Thomas AuthorDate: Mon Aug 1 13:32:47 2022 +0100 Update documentation since RFC 9110 now allows partial PUT --- conf/web.xml | 6 -- webapps/docs/default-servlet.xml | 6 ++ 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/conf/web.xml b/conf/web.xml index 4392dcd99e..f08832b820 100644 --- a/conf/web.xml +++ b/conf/web.xml @@ -107,8 +107,10 @@ - - + + + + default diff --git a/webapps/docs/default-servlet.xml b/webapps/docs/default-servlet.xml index b21ec66aab..b7054e34d9 100644 --- a/webapps/docs/default-servlet.xml +++ b/webapps/docs/default-servlet.xml @@ -194,6 +194,12 @@ directory listings are disabled and debugging is turned off. Should the server list all directories before all files. [false] + +Should the server treat an HTTP PUT request with a Range header as a +partial PUT? Note that while RFC 7233 clarified that Range headers only +valid for GET requests, RFC 9110 (which obsoletes RFC 7233) now allows +partial puts. [true] + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
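Review bot: the paragraph added to webapps/docs/default-servlet.xml for 8.5.x is new text rather than an edit, so the wording should be right the first time: "Range headers only valid for GET requests" is missing "are" ("Range headers are only valid for GET requests"), and "partial puts" should be "partial PUTs" to match "PUT" in the first line of the same description. Suggested `+` lines: "partial PUT? Note that while RFC 7233 clarified that Range headers are only valid for GET requests, RFC 9110 (which obsoletes RFC 7233) now allows partial PUTs. [true]".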
Re: Do we want to increase the default value of maxHttpHeaderSize?
> On Aug 1, 2022, at 20:11, Mark Thomas wrote:
>
> Hi all,
>
> RFC 9110 recommends supporting URIs of at least 8000 octets in size.
>
> Currently, all versions of Tomcat limit the request line and headers to 8192 octets by default.
>
> The current limit is, technically, in compliance with RFC 9110 but with a ~8000 octet URI there isn't much room left for any HTTP headers. Given the recommendation of RFC 9110 do we want to increase this default?
>
> I am currently leaning towards leaving the default as is unless we have any evidence that the majority of users are finding they need to increase it.

+1

Other than that, I think for the vast majority of users it is enough to use; if it does not meet their needs, they can fully customize the maxHttpHeaderSize.

Han

> Thoughts?
>
> Mark
Re: Do we want to increase the default value of maxHttpHeaderSize?
Doubling might be convenient. Let's say a URI is between 4000 and 8000. There is a good chance there could be a Referer header of equal size too, which can easily push you over the 8192 default. (And that doesn't even include the ever-increasing explosion in cookie size.)

-Tim

On Mon, Aug 1, 2022 at 8:11 AM Mark Thomas wrote:
> Hi all,
>
> RFC 9110 recommends supporting URIs of at least 8000 octets in size.
>
> Currently, all versions of Tomcat limit the request line and headers to 8192 octets by default.
>
> The current limit is, technically, in compliance with RFC 9110 but with a ~8000 octet URI there isn't much room left for any HTTP headers. Given the recommendation of RFC 9110 do we want to increase this default?
>
> I am currently leaning towards leaving the default as is unless we have any evidence that the majority of users are finding they need to increase it.
>
> Thoughts?
>
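As an added example, not code from the thread or from Tomcat: a Python model of the arithmetic in Tim's reply, which finds the largest URI that still fits alongside a Referer of the same size at the 8192 default and at double that. It assumes the limit applies to the whole request head through the terminating blank line (Tomcat's parser may account for a few octets differently) and uses constructed example.com requests.

```python
"""Added example (not from the Tomcat thread): size a request head against
maxHttpHeaderSize, which bounds the request line plus all request headers.

Assumption: the limit is applied to the whole head, i.e. the request line,
every header line, their CRLFs and the blank line that ends the head.
"""
from typing import List, Tuple

CRLF = b"\r\n"
TOMCAT_DEFAULT_MAX_HTTP_HEADER_SIZE = 8192   # default discussed in the thread
RFC9110_RECOMMENDED_MIN_URI_OCTETS = 8000    # RFC 9110 recommendation


def build_request_head(method: str, target: str, headers: List[Tuple[str, str]]) -> bytes:
    """Serialise a request line and header fields as they travel on the wire."""
    lines = [f"{method} {target} HTTP/1.1".encode("ascii")]
    lines += [f"{name}: {value}".encode("ascii") for name, value in headers]
    # Every line ends in CRLF and an empty line terminates the head.
    return CRLF.join(lines) + CRLF + CRLF


def fits(head: bytes, max_http_header_size: int = TOMCAT_DEFAULT_MAX_HTTP_HEADER_SIZE) -> bool:
    """True if the whole head fits inside maxHttpHeaderSize (see assumption above)."""
    return len(head) <= max_http_header_size


def synthetic_head(path_len: int, origin: str = "https://example.com") -> bytes:
    """Constructed request: a path of exactly path_len octets plus a Referer
    carrying the same path, i.e. the 'URI plus equal-sized Referer' case."""
    if path_len < 1:
        raise ValueError("path must be at least one octet")
    path = "/" + "a" * (path_len - 1)
    return build_request_head("GET", path, [("Host", "example.com"), ("Referer", origin + path)])


def largest_fitting_path_len(max_http_header_size: int, hi: int = 1 << 16) -> int:
    """Largest path length whose synthetic head still fits the limit.
    Binary search is valid because the head grows monotonically with the path."""
    lo = 0  # 0 means not even a one-octet path fits
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if fits(synthetic_head(mid), max_http_header_size):
            lo = mid
        else:
            hi = mid - 1
    return lo


def supports_rfc9110_uri_with_equal_referer(max_http_header_size: int) -> bool:
    """Does the limit leave room for an 8000-octet URI and a Referer of the same size?"""
    return largest_fitting_path_len(max_http_header_size) >= RFC9110_RECOMMENDED_MIN_URI_OCTETS


if __name__ == "__main__":
    head = synthetic_head(6000)
    for limit in (TOMCAT_DEFAULT_MAX_HTTP_HEADER_SIZE, 2 * TOMCAT_DEFAULT_MAX_HTTP_HEADER_SIZE):
        print(f"limit {limit}: 6000-octet URI with equal Referer -> head is {len(head)} octets, "
              f"fits={fits(head, limit)}, largest such path={largest_fitting_path_len(limit)}, "
              f"meets RFC 9110 with equal Referer={supports_rfc9110_uri_with_equal_referer(limit)}")
```

At 8192 the URI-plus-Referer pair tops out just above 4000 octets; doubling the limit lifts it past the 8000 octets RFC 9110 recommends.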
[tomcat] branch main updated: Improve handling of HTTP TRACE requests
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new 9eb6e2a4ad Improve handling of HTTP TRACE requests 9eb6e2a4ad is described below commit 9eb6e2a4ad89fdbfa3b22680f03dcd7080811152 Author: Mark Thomas AuthorDate: Mon Aug 1 17:15:08 2022 +0100 Improve handling of HTTP TRACE requests --- java/jakarta/servlet/http/HttpServlet.java | 17 + test/jakarta/servlet/http/TestHttpServlet.java | 52 ++ webapps/docs/changelog.xml | 8 3 files changed, 69 insertions(+), 8 deletions(-) diff --git a/java/jakarta/servlet/http/HttpServlet.java b/java/jakarta/servlet/http/HttpServlet.java index 8df75d69b4..ce85988633 100644 --- a/java/jakarta/servlet/http/HttpServlet.java +++ b/java/jakarta/servlet/http/HttpServlet.java @@ -622,9 +622,7 @@ public abstract class HttpServlet extends GenericServlet { * @exception ServletException if the request for the * TRACE cannot be handled */ -protected void doTrace(HttpServletRequest req, HttpServletResponse resp) -throws ServletException, IOException -{ +protected void doTrace(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { int responseLength; 
@@ -632,12 +630,15 @@ public abstract class HttpServlet extends GenericServlet { StringBuilder buffer = new StringBuilder("TRACE ").append(req.getRequestURI()).append(" ").append(req.getProtocol()); -Enumeration reqHeaderEnum = req.getHeaderNames(); +Enumeration reqHeaderNames = req.getHeaderNames(); -while( reqHeaderEnum.hasMoreElements() ) { -String headerName = reqHeaderEnum.nextElement(); -buffer.append(CRLF).append(headerName).append(": ") -.append(req.getHeader(headerName)); +while (reqHeaderNames.hasMoreElements()) { +String headerName = reqHeaderNames.nextElement(); +Enumeration headerValues = req.getHeaders(headerName); +while (headerValues.hasMoreElements()) { +String headerValue = headerValues.nextElement(); +buffer.append(CRLF).append(headerName).append(": ").append(headerValue); +} } buffer.append(CRLF); diff --git a/test/jakarta/servlet/http/TestHttpServlet.java b/test/jakarta/servlet/http/TestHttpServlet.java index a9b11cef6f..3697960245 100644 --- a/test/jakarta/servlet/http/TestHttpServlet.java +++ b/test/jakarta/servlet/http/TestHttpServlet.java @@ -40,6 +40,7 @@ import org.apache.catalina.startup.Tomcat; import org.apache.catalina.startup.TomcatBaseTest; import org.apache.tomcat.util.buf.ByteChunk; import org.apache.tomcat.util.collections.CaseInsensitiveKeyMap; +import org.apache.tomcat.util.net.TesterSupport.SimpleServlet; public class TestHttpServlet extends TomcatBaseTest { 
@@ -293,6 +294,57 @@ public class TestHttpServlet extends TomcatBaseTest { } +@Test +public void testTrace() throws Exception { +Tomcat tomcat = getTomcatInstance(); +tomcat.getConnector().setAllowTrace(true); + +// No file system docBase required +StandardContext ctx = (StandardContext) tomcat.addContext("", null); + +// Map the test Servlet +Tomcat.addServlet(ctx, "servlet", new SimpleServlet()); +ctx.addServletMappingDecoded("/", "servlet"); + +tomcat.start(); + +TraceClient client = new TraceClient(); +client.setPort(getPort()); +client.setRequest(new String[] { +"TRACE / HTTP/1.1" + SimpleHttpClient.CRLF + +"Host: localhost:" + getPort() + SimpleHttpClient.CRLF + +"X-aaa: a1, a2" + SimpleHttpClient.CRLF + +"X-aaa: a3" + SimpleHttpClient.CRLF + +SimpleHttpClient.CRLF}); +client.setUseContentLength(true); + +client.connect(); +client.sendRequest(); +client.readResponse(true); + +String body = client.getResponseBody(); + +System.out.println(body); + +Assert.assertTrue(client.getResponseLine(), client.isResponse200()); +// Far from perfect but good enough +Assert.assertTrue(body.contains("a1")); +Assert.assertTrue(body.contains("a2")); +Assert.assertTrue(body.contains("a3")); + +client.disconnect(); +} + + +private static final class TraceClient extends SimpleHttpClient { + +@Override +public boolean isResponseBodyOK() { +return true; +} +} + + private class Client extends SimpleHttpClient { public Client(String request, boolean isHttp09) { diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 21ae993b
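Review bot: the rewritten loop in the java/jakarta/servlet/http/HttpServlet.java hunk now echoes every value of every request header into the TRACE response body, including Cookie and Authorization whenever a client sends them. RFC 7231 section 4.3.8 says the final recipient SHOULD exclude request header fields likely to contain sensitive data when it generates the response body, so a name check belongs before the `buffer.append(CRLF).append(headerName).append(": ").append(headerValue);` line rather than reflecting all headers unconditionally.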
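Review bot: in the test/jakarta/servlet/http/TestHttpServlet.java hunk the assertions `body.contains("a1")`, `body.contains("a2")` and `body.contains("a3")` only prove the substrings occur somewhere; since the request sends `X-aaa: a1, a2` and `X-aaa: a3` as two header lines, asserting that both exact lines appear in the body would confirm that each value of a repeated header is reflected, which is the behaviour the HttpServlet change adds over the old single `getHeader` call. The `System.out.println(body);` is leftover debug output and should be dropped.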
[tomcat] branch 10.0.x updated: Improve handling of HTTP TRACE requests
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.0.x by this push: new 436a497149 Improve handling of HTTP TRACE requests 436a497149 is described below commit 436a4971492898617e66077f37a579247945b6bf Author: Mark Thomas AuthorDate: Mon Aug 1 17:15:08 2022 +0100 Improve handling of HTTP TRACE requests --- java/jakarta/servlet/http/HttpServlet.java | 17 + test/jakarta/servlet/http/TestHttpServlet.java | 52 ++ webapps/docs/changelog.xml | 8 3 files changed, 69 insertions(+), 8 deletions(-) diff --git a/java/jakarta/servlet/http/HttpServlet.java b/java/jakarta/servlet/http/HttpServlet.java index ea9976cbfb..016ce4944d 100644 --- a/java/jakarta/servlet/http/HttpServlet.java +++ b/java/jakarta/servlet/http/HttpServlet.java @@ -600,9 +600,7 @@ public abstract class HttpServlet extends GenericServlet { * @exception ServletException if the request for the * TRACE cannot be handled */ -protected void doTrace(HttpServletRequest req, HttpServletResponse resp) -throws ServletException, IOException -{ +protected void doTrace(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { int responseLength; 
@@ -610,12 +608,15 @@ public abstract class HttpServlet extends GenericServlet { StringBuilder buffer = new StringBuilder("TRACE ").append(req.getRequestURI()).append(" ").append(req.getProtocol()); -Enumeration reqHeaderEnum = req.getHeaderNames(); +Enumeration reqHeaderNames = req.getHeaderNames(); -while( reqHeaderEnum.hasMoreElements() ) { -String headerName = reqHeaderEnum.nextElement(); -buffer.append(CRLF).append(headerName).append(": ") -.append(req.getHeader(headerName)); +while (reqHeaderNames.hasMoreElements()) { +String headerName = reqHeaderNames.nextElement(); +Enumeration headerValues = req.getHeaders(headerName); +while (headerValues.hasMoreElements()) { +String headerValue = headerValues.nextElement(); +buffer.append(CRLF).append(headerName).append(": ").append(headerValue); +} } buffer.append(CRLF); diff --git a/test/jakarta/servlet/http/TestHttpServlet.java b/test/jakarta/servlet/http/TestHttpServlet.java index a9b11cef6f..3697960245 100644 --- a/test/jakarta/servlet/http/TestHttpServlet.java +++ b/test/jakarta/servlet/http/TestHttpServlet.java @@ -40,6 +40,7 @@ import org.apache.catalina.startup.Tomcat; import org.apache.catalina.startup.TomcatBaseTest; import org.apache.tomcat.util.buf.ByteChunk; import org.apache.tomcat.util.collections.CaseInsensitiveKeyMap; +import org.apache.tomcat.util.net.TesterSupport.SimpleServlet; public class TestHttpServlet extends TomcatBaseTest { 
@@ -293,6 +294,57 @@ public class TestHttpServlet extends TomcatBaseTest { } +@Test +public void testTrace() throws Exception { +Tomcat tomcat = getTomcatInstance(); +tomcat.getConnector().setAllowTrace(true); + +// No file system docBase required +StandardContext ctx = (StandardContext) tomcat.addContext("", null); + +// Map the test Servlet +Tomcat.addServlet(ctx, "servlet", new SimpleServlet()); +ctx.addServletMappingDecoded("/", "servlet"); + +tomcat.start(); + +TraceClient client = new TraceClient(); +client.setPort(getPort()); +client.setRequest(new String[] { +"TRACE / HTTP/1.1" + SimpleHttpClient.CRLF + +"Host: localhost:" + getPort() + SimpleHttpClient.CRLF + +"X-aaa: a1, a2" + SimpleHttpClient.CRLF + +"X-aaa: a3" + SimpleHttpClient.CRLF + +SimpleHttpClient.CRLF}); +client.setUseContentLength(true); + +client.connect(); +client.sendRequest(); +client.readResponse(true); + +String body = client.getResponseBody(); + +System.out.println(body); + +Assert.assertTrue(client.getResponseLine(), client.isResponse200()); +// Far from perfect but good enough +Assert.assertTrue(body.contains("a1")); +Assert.assertTrue(body.contains("a2")); +Assert.assertTrue(body.contains("a3")); + +client.disconnect(); +} + + +private static final class TraceClient extends SimpleHttpClient { + +@Override +public boolean isResponseBodyOK() { +return true; +} +} + + private class Client extends SimpleHttpClient { public Client(String request, boolean isHttp09) { diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 592e
[tomcat] branch 9.0.x updated: Improve handling of HTTP TRACE requests
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new 233226573d Improve handling of HTTP TRACE requests 233226573d is described below commit 233226573d33a1c44c6b35593d07f8334c85ab96 Author: Mark Thomas AuthorDate: Mon Aug 1 17:15:08 2022 +0100 Improve handling of HTTP TRACE requests --- java/javax/servlet/http/HttpServlet.java | 17 - test/javax/servlet/http/TestHttpServlet.java | 52 webapps/docs/changelog.xml | 8 + 3 files changed, 69 insertions(+), 8 deletions(-) diff --git a/java/javax/servlet/http/HttpServlet.java b/java/javax/servlet/http/HttpServlet.java index 2289b70cb2..99906002b6 100644 --- a/java/javax/servlet/http/HttpServlet.java +++ b/java/javax/servlet/http/HttpServlet.java @@ -587,9 +587,7 @@ public abstract class HttpServlet extends GenericServlet { * @exception ServletException if the request for the * TRACE cannot be handled */ -protected void doTrace(HttpServletRequest req, HttpServletResponse resp) -throws ServletException, IOException -{ +protected void doTrace(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { int responseLength; 
@@ -597,12 +595,15 @@ public abstract class HttpServlet extends GenericServlet { StringBuilder buffer = new StringBuilder("TRACE ").append(req.getRequestURI()).append(" ").append(req.getProtocol()); -Enumeration reqHeaderEnum = req.getHeaderNames(); +Enumeration reqHeaderNames = req.getHeaderNames(); -while( reqHeaderEnum.hasMoreElements() ) { -String headerName = reqHeaderEnum.nextElement(); -buffer.append(CRLF).append(headerName).append(": ") -.append(req.getHeader(headerName)); +while (reqHeaderNames.hasMoreElements()) { +String headerName = reqHeaderNames.nextElement(); +Enumeration headerValues = req.getHeaders(headerName); +while (headerValues.hasMoreElements()) { +String headerValue = headerValues.nextElement(); +buffer.append(CRLF).append(headerName).append(": ").append(headerValue); +} } buffer.append(CRLF); diff --git a/test/javax/servlet/http/TestHttpServlet.java b/test/javax/servlet/http/TestHttpServlet.java index fbea9e643f..39f3707800 100644 --- a/test/javax/servlet/http/TestHttpServlet.java +++ b/test/javax/servlet/http/TestHttpServlet.java @@ -40,6 +40,7 @@ import org.apache.catalina.startup.Tomcat; import org.apache.catalina.startup.TomcatBaseTest; import org.apache.tomcat.util.buf.ByteChunk; import org.apache.tomcat.util.collections.CaseInsensitiveKeyMap; +import org.apache.tomcat.util.net.TesterSupport.SimpleServlet; public class TestHttpServlet extends TomcatBaseTest { 
@@ -293,6 +294,57 @@ public class TestHttpServlet extends TomcatBaseTest { } +@Test +public void testTrace() throws Exception { +Tomcat tomcat = getTomcatInstance(); +tomcat.getConnector().setAllowTrace(true); + +// No file system docBase required +StandardContext ctx = (StandardContext) tomcat.addContext("", null); + +// Map the test Servlet +Tomcat.addServlet(ctx, "servlet", new SimpleServlet()); +ctx.addServletMappingDecoded("/", "servlet"); + +tomcat.start(); + +TraceClient client = new TraceClient(); +client.setPort(getPort()); +client.setRequest(new String[] { +"TRACE / HTTP/1.1" + SimpleHttpClient.CRLF + +"Host: localhost:" + getPort() + SimpleHttpClient.CRLF + +"X-aaa: a1, a2" + SimpleHttpClient.CRLF + +"X-aaa: a3" + SimpleHttpClient.CRLF + +SimpleHttpClient.CRLF}); +client.setUseContentLength(true); + +client.connect(); +client.sendRequest(); +client.readResponse(true); + +String body = client.getResponseBody(); + +System.out.println(body); + +Assert.assertTrue(client.getResponseLine(), client.isResponse200()); +// Far from perfect but good enough +Assert.assertTrue(body.contains("a1")); +Assert.assertTrue(body.contains("a2")); +Assert.assertTrue(body.contains("a3")); + +client.disconnect(); +} + + +private static final class TraceClient extends SimpleHttpClient { + +@Override +public boolean isResponseBodyOK() { +return true; +} +} + + private class Client extends SimpleHttpClient { public Client(String request, boolean isHttp09) { diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 8d27f39690..b4962dea2e 10
[tomcat] branch 8.5.x updated: Improve handling of HTTP TRACE requests
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/8.5.x by this push: new 7524b3142e Improve handling of HTTP TRACE requests 7524b3142e is described below commit 7524b3142e61b769de75fa4812f8aa1d7087612f Author: Mark Thomas AuthorDate: Mon Aug 1 17:15:08 2022 +0100 Improve handling of HTTP TRACE requests --- java/javax/servlet/http/HttpServlet.java | 17 - test/javax/servlet/http/TestHttpServlet.java | 52 webapps/docs/changelog.xml | 8 + 3 files changed, 69 insertions(+), 8 deletions(-) diff --git a/java/javax/servlet/http/HttpServlet.java b/java/javax/servlet/http/HttpServlet.java index 2289b70cb2..99906002b6 100644 --- a/java/javax/servlet/http/HttpServlet.java +++ b/java/javax/servlet/http/HttpServlet.java @@ -587,9 +587,7 @@ public abstract class HttpServlet extends GenericServlet { * @exception ServletException if the request for the * TRACE cannot be handled */ -protected void doTrace(HttpServletRequest req, HttpServletResponse resp) -throws ServletException, IOException -{ +protected void doTrace(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { int responseLength; 
@@ -597,12 +595,15 @@ public abstract class HttpServlet extends GenericServlet { StringBuilder buffer = new StringBuilder("TRACE ").append(req.getRequestURI()).append(" ").append(req.getProtocol()); -Enumeration reqHeaderEnum = req.getHeaderNames(); +Enumeration reqHeaderNames = req.getHeaderNames(); -while( reqHeaderEnum.hasMoreElements() ) { -String headerName = reqHeaderEnum.nextElement(); -buffer.append(CRLF).append(headerName).append(": ") -.append(req.getHeader(headerName)); +while (reqHeaderNames.hasMoreElements()) { +String headerName = reqHeaderNames.nextElement(); +Enumeration headerValues = req.getHeaders(headerName); +while (headerValues.hasMoreElements()) { +String headerValue = headerValues.nextElement(); +buffer.append(CRLF).append(headerName).append(": ").append(headerValue); +} } buffer.append(CRLF); diff --git a/test/javax/servlet/http/TestHttpServlet.java b/test/javax/servlet/http/TestHttpServlet.java index fbea9e643f..39f3707800 100644 --- a/test/javax/servlet/http/TestHttpServlet.java +++ b/test/javax/servlet/http/TestHttpServlet.java @@ -40,6 +40,7 @@ import org.apache.catalina.startup.Tomcat; import org.apache.catalina.startup.TomcatBaseTest; import org.apache.tomcat.util.buf.ByteChunk; import org.apache.tomcat.util.collections.CaseInsensitiveKeyMap; +import org.apache.tomcat.util.net.TesterSupport.SimpleServlet; public class TestHttpServlet extends TomcatBaseTest { 
@@ -293,6 +294,57 @@ public class TestHttpServlet extends TomcatBaseTest { } +@Test +public void testTrace() throws Exception { +Tomcat tomcat = getTomcatInstance(); +tomcat.getConnector().setAllowTrace(true); + +// No file system docBase required +StandardContext ctx = (StandardContext) tomcat.addContext("", null); + +// Map the test Servlet +Tomcat.addServlet(ctx, "servlet", new SimpleServlet()); +ctx.addServletMappingDecoded("/", "servlet"); + +tomcat.start(); + +TraceClient client = new TraceClient(); +client.setPort(getPort()); +client.setRequest(new String[] { +"TRACE / HTTP/1.1" + SimpleHttpClient.CRLF + +"Host: localhost:" + getPort() + SimpleHttpClient.CRLF + +"X-aaa: a1, a2" + SimpleHttpClient.CRLF + +"X-aaa: a3" + SimpleHttpClient.CRLF + +SimpleHttpClient.CRLF}); +client.setUseContentLength(true); + +client.connect(); +client.sendRequest(); +client.readResponse(true); + +String body = client.getResponseBody(); + +System.out.println(body); + +Assert.assertTrue(client.getResponseLine(), client.isResponse200()); +// Far from perfect but good enough +Assert.assertTrue(body.contains("a1")); +Assert.assertTrue(body.contains("a2")); +Assert.assertTrue(body.contains("a3")); + +client.disconnect(); +} + + +private static final class TraceClient extends SimpleHttpClient { + +@Override +public boolean isResponseBodyOK() { +return true; +} +} + + private class Client extends SimpleHttpClient { public Client(String request, boolean isHttp09) { diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 50e066e9ae..2483ac823f 10
[tomcat] branch main updated: Do not include sensitive headers in responses to HTTP TRACE requests
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new 7c8a605bf8 Do not include sensitive headers in responses to HTTP TRACE requests 7c8a605bf8 is described below commit 7c8a605bf86585ae7687a99ef473227007cd8f5e Author: Mark Thomas AuthorDate: Mon Aug 1 17:36:18 2022 +0100 Do not include sensitive headers in responses to HTTP TRACE requests This is a requirement of RFC 7231, 4.3.8 --- java/jakarta/servlet/http/HttpServlet.java | 22 ++ test/jakarta/servlet/http/TestHttpServlet.java | 8 webapps/docs/changelog.xml | 4 3 files changed, 30 insertions(+), 4 deletions(-) diff --git a/java/jakarta/servlet/http/HttpServlet.java b/java/jakarta/servlet/http/HttpServlet.java index ce85988633..16007586ed 100644 --- a/java/jakarta/servlet/http/HttpServlet.java +++ b/java/jakarta/servlet/http/HttpServlet.java @@ -25,7 +25,10 @@ import java.lang.reflect.InvocationTargetException; import java.lang.reflect.Method; import java.text.MessageFormat; import java.util.Enumeration; +import java.util.HashSet; +import java.util.Locale; import java.util.ResourceBundle; +import java.util.Set; import jakarta.servlet.AsyncEvent; import jakarta.servlet.AsyncListener; @@ -95,6 +98,8 @@ public abstract class HttpServlet extends GenericServlet { private static final String LSTRING_FILE = "jakarta.servlet.http.LocalStrings"; private static final ResourceBundle lStrings = ResourceBundle.getBundle(LSTRING_FILE); +private static final Set SENSITIVE_HTTP_HEADERS = new HashSet<>(); + /** * @deprecated May be removed in a future release * 
@@ -116,6 +121,12 @@ public abstract class HttpServlet extends GenericServlet { */ private volatile boolean cachedUseLegacyDoHead; +static { +SENSITIVE_HTTP_HEADERS.add("cookie"); +SENSITIVE_HTTP_HEADERS.add("www-authenticate"); +} + + /** * Does nothing, because this is an abstract class. */ @@ -634,10 +645,13 @@ public abstract class HttpServlet extends GenericServlet { while (reqHeaderNames.hasMoreElements()) { String headerName = reqHeaderNames.nextElement(); -Enumeration headerValues = req.getHeaders(headerName); -while (headerValues.hasMoreElements()) { -String headerValue = headerValues.nextElement(); -buffer.append(CRLF).append(headerName).append(": ").append(headerValue); +// RFC 7231, 4.3.8 - skip 'sensitive' headers +if (!SENSITIVE_HTTP_HEADERS.contains(headerName.toLowerCase(Locale.ENGLISH))) { +Enumeration headerValues = req.getHeaders(headerName); +while (headerValues.hasMoreElements()) { +String headerValue = headerValues.nextElement(); +buffer.append(CRLF).append(headerName).append(": ").append(headerValue); +} } } diff --git a/test/jakarta/servlet/http/TestHttpServlet.java b/test/jakarta/servlet/http/TestHttpServlet.java index 3697960245..44174e009a 100644 --- a/test/jakarta/servlet/http/TestHttpServlet.java +++ b/test/jakarta/servlet/http/TestHttpServlet.java @@ -20,6 +20,7 @@ import java.io.IOException; import java.io.PrintWriter; import java.util.HashMap; import java.util.List; +import java.util.Locale; import java.util.Map; import jakarta.servlet.AsyncContext; @@ -315,6 +316,8 @@ public class TestHttpServlet extends TomcatBaseTest { "Host: localhost:" + getPort() + SimpleHttpClient.CRLF + "X-aaa: a1, a2" + SimpleHttpClient.CRLF + "X-aaa: a3" + SimpleHttpClient.CRLF + +"Cookie: c1-v1" + SimpleHttpClient.CRLF + +"WWW-Authenticate: not-a-real-credential" + SimpleHttpClient.CRLF + SimpleHttpClient.CRLF}); client.setUseContentLength(true); 
@@ -328,9 +331,14 @@ public class TestHttpServlet extends TomcatBaseTest { Assert.assertTrue(client.getResponseLine(), client.isResponse200()); // Far from perfect but good enough +body = body.toLowerCase(Locale.ENGLISH); Assert.assertTrue(body.contains("a1")); Assert.assertTrue(body.contains("a2")); Assert.assertTrue(body.contains("a3")); +// Sensitive headers (cookies, WWW-Authenticate) must not be reflected +// (since RFC 7231) +Assert.assertFalse(body.contains("cookie")); +Assert.assertFalse(body.contains("www-authenticate")); client.disconnect(); } diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 2c856cc4d3..d414f93bad 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -111,6 +111,10 @@ Correct handl
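Review bot: SENSITIVE_HTTP_HEADERS in the java/jakarta/servlet/http/HttpServlet.java hunk contains `cookie` and `www-authenticate`, but WWW-Authenticate is a response header carrying the challenge (RFC 7235), not something a client sends in a request; the request headers that carry credentials are Authorization and Proxy-Authorization, the stored-credential case RFC 7231 section 4.3.8 names alongside cookies, and neither is in the set, so an Authorization header is still reflected in the TRACE body. Suggest adding `SENSITIVE_HTTP_HEADERS.add("authorization");` and `SENSITIVE_HTTP_HEADERS.add("proxy-authorization");` to the static block. The `headerName.toLowerCase(Locale.ENGLISH)` lookup is correct, since header names are case-insensitive.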
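Review bot: the test/jakarta/servlet/http/TestHttpServlet.java hunk sends `WWW-Authenticate: not-a-real-credential` as a request header and checks it is not echoed, but never sends an `Authorization` header, so the credential-bearing request header the RFC is concerned with is untested; add a constructed `Authorization: Basic not-a-real-credential` line to the request and `Assert.assertFalse(body.contains("authorization"));` after the `body.toLowerCase(Locale.ENGLISH)` line. The existing `a1`/`a2`/`a3` assertions are what keep the two `assertFalse` checks meaningful, since a servlet that dropped every header would also pass them.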
[tomcat] branch 10.0.x updated: Do not include sensitive headers in responses to HTTP TRACE requests
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.0.x by this push: new 76cc9fe48f Do not include sensitive headers in responses to HTTP TRACE requests 76cc9fe48f is described below commit 76cc9fe48f3f3ef0da7a71345fac5ec786a00204 Author: Mark Thomas AuthorDate: Mon Aug 1 17:36:18 2022 +0100 Do not include sensitive headers in responses to HTTP TRACE requests This is a requirement of RFC 7231, 4.3.8 --- java/jakarta/servlet/http/HttpServlet.java | 22 ++ test/jakarta/servlet/http/TestHttpServlet.java | 8 webapps/docs/changelog.xml | 4 3 files changed, 30 insertions(+), 4 deletions(-) diff --git a/java/jakarta/servlet/http/HttpServlet.java b/java/jakarta/servlet/http/HttpServlet.java index 016ce4944d..a2d8d51cca 100644 --- a/java/jakarta/servlet/http/HttpServlet.java +++ b/java/jakarta/servlet/http/HttpServlet.java @@ -25,7 +25,10 @@ import java.lang.reflect.InvocationTargetException; import java.lang.reflect.Method; import java.text.MessageFormat; import java.util.Enumeration; +import java.util.HashSet; +import java.util.Locale; import java.util.ResourceBundle; +import java.util.Set; import jakarta.servlet.AsyncEvent; import jakarta.servlet.AsyncListener; @@ -94,6 +97,8 @@ public abstract class HttpServlet extends GenericServlet { private static final String LSTRING_FILE = "jakarta.servlet.http.LocalStrings"; private static final ResourceBundle lStrings = ResourceBundle.getBundle(LSTRING_FILE); +private static final Set SENSITIVE_HTTP_HEADERS = new HashSet<>(); + private final transient Object cachedAllowHeaderValueLock = new Object(); /** * Cached value of the HTTP {@code Allow} header for this servlet. 
@@ -101,6 +106,12 @@ public abstract class HttpServlet extends GenericServlet { private volatile String cachedAllowHeaderValue = null; +static { +SENSITIVE_HTTP_HEADERS.add("cookie"); +SENSITIVE_HTTP_HEADERS.add("www-authenticate"); +} + + /** * Does nothing, because this is an abstract class. */ @@ -612,10 +623,13 @@ public abstract class HttpServlet extends GenericServlet { while (reqHeaderNames.hasMoreElements()) { String headerName = reqHeaderNames.nextElement(); -Enumeration headerValues = req.getHeaders(headerName); -while (headerValues.hasMoreElements()) { -String headerValue = headerValues.nextElement(); -buffer.append(CRLF).append(headerName).append(": ").append(headerValue); +// RFC 7231, 4.3.8 - skip 'sensitive' headers +if (!SENSITIVE_HTTP_HEADERS.contains(headerName.toLowerCase(Locale.ENGLISH))) { +Enumeration headerValues = req.getHeaders(headerName); +while (headerValues.hasMoreElements()) { +String headerValue = headerValues.nextElement(); +buffer.append(CRLF).append(headerName).append(": ").append(headerValue); +} } } diff --git a/test/jakarta/servlet/http/TestHttpServlet.java b/test/jakarta/servlet/http/TestHttpServlet.java index 3697960245..44174e009a 100644 --- a/test/jakarta/servlet/http/TestHttpServlet.java +++ b/test/jakarta/servlet/http/TestHttpServlet.java @@ -20,6 +20,7 @@ import java.io.IOException; import java.io.PrintWriter; import java.util.HashMap; import java.util.List; +import java.util.Locale; import java.util.Map; import jakarta.servlet.AsyncContext; @@ -315,6 +316,8 @@ public class TestHttpServlet extends TomcatBaseTest { "Host: localhost:" + getPort() + SimpleHttpClient.CRLF + "X-aaa: a1, a2" + SimpleHttpClient.CRLF + "X-aaa: a3" + SimpleHttpClient.CRLF + +"Cookie: c1-v1" + SimpleHttpClient.CRLF + +"WWW-Authenticate: not-a-real-credential" + SimpleHttpClient.CRLF + SimpleHttpClient.CRLF}); client.setUseContentLength(true); 
@@ -328,9 +331,14 @@ public class TestHttpServlet extends TomcatBaseTest { Assert.assertTrue(client.getResponseLine(), client.isResponse200()); // Far from perfect but good enough +body = body.toLowerCase(Locale.ENGLISH); Assert.assertTrue(body.contains("a1")); Assert.assertTrue(body.contains("a2")); Assert.assertTrue(body.contains("a3")); +// Sensitive headers (cookies, WWW-Authenticate) must not be reflected +// (since RFC 7231) +Assert.assertFalse(body.contains("cookie")); +Assert.assertFalse(body.contains("www-authenticate")); client.disconnect(); } diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 8dac471661..2193f3d738 100644 --- a/webapps/doc
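Review bot: in the HttpServlet.java hunk at @@ -612,10 +623,13 @@ the check relies on the set filled in the static block, and that set contains "www-authenticate", which is a response header carrying the server's challenge; a client does not send it, so the entry never matches anything a TRACE response would echo. The request header that actually carries credentials is "Authorization", so the static block should add SENSITIVE_HTTP_HEADERS.add("authorization"); the existing headerName.toLowerCase(Locale.ENGLISH) comparison already covers whatever capitalisation the client uses. Because the set is a private hard-coded HashSet there is no way for a deployer to extend it; the only route is overriding doTrace() in the target servlet, which the docs should say.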
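Review bot: in the TestHttpServlet.java hunk at @@ -328,9 +331,14 @@ the new assertions lower-case the whole body and then check !body.contains("cookie") and !body.contains("www-authenticate"), a substring match over the entire echoed request. That passes as long as the words are absent, but it fails spuriously if any harmless header name or value contains "cookie", and it cannot distinguish a suppressed header from one that was never sent; asserting on the absence of the exact echoed lines ("cookie: c1-v1" and the credential line) while asserting on the presence of "x-aaa: a3" is tighter. The request in the earlier hunk at @@ -315,6 +316,8 @@ also mirrors the production set by sending "WWW-Authenticate: not-a-real-credential"; if the filter is changed to "Authorization", this header and the matching assertion need the same rename.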
[tomcat] branch 9.0.x updated: Do not include sensitive headers in responses to HTTP TRACE requests
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new 2e447ae82e Do not include sensitive headers in responses to HTTP TRACE requests 2e447ae82e is described below commit 2e447ae82eccaa8ea5a52de57e0b2be8cd0a148e Author: Mark Thomas AuthorDate: Mon Aug 1 17:36:18 2022 +0100 Do not include sensitive headers in responses to HTTP TRACE requests This is a requirement of RFC 7231, 4.3.8 --- java/javax/servlet/http/HttpServlet.java | 22 ++ test/javax/servlet/http/TestHttpServlet.java | 8 webapps/docs/changelog.xml | 4 3 files changed, 30 insertions(+), 4 deletions(-) diff --git a/java/javax/servlet/http/HttpServlet.java b/java/javax/servlet/http/HttpServlet.java index 99906002b6..3ee5fa6abe 100644 --- a/java/javax/servlet/http/HttpServlet.java +++ b/java/javax/servlet/http/HttpServlet.java @@ -25,7 +25,10 @@ import java.lang.reflect.InvocationTargetException; import java.lang.reflect.Method; import java.text.MessageFormat; import java.util.Enumeration; +import java.util.HashSet; +import java.util.Locale; import java.util.ResourceBundle; +import java.util.Set; import javax.servlet.AsyncEvent; import javax.servlet.AsyncListener; @@ -93,6 +96,14 @@ public abstract class HttpServlet extends GenericServlet { private static final String LSTRING_FILE = "javax.servlet.http.LocalStrings"; private static final ResourceBundle lStrings = ResourceBundle.getBundle(LSTRING_FILE); +private static final Set SENSITIVE_HTTP_HEADERS = new HashSet<>(); + + +static { +SENSITIVE_HTTP_HEADERS.add("cookie"); +SENSITIVE_HTTP_HEADERS.add("www-authenticate"); +} + /** * Does nothing, because this is an abstract class. 
@@ -599,10 +610,13 @@ public abstract class HttpServlet extends GenericServlet { while (reqHeaderNames.hasMoreElements()) { String headerName = reqHeaderNames.nextElement(); -Enumeration headerValues = req.getHeaders(headerName); -while (headerValues.hasMoreElements()) { -String headerValue = headerValues.nextElement(); -buffer.append(CRLF).append(headerName).append(": ").append(headerValue); +// RFC 7231, 4.3.8 - skip 'sensitive' headers +if (!SENSITIVE_HTTP_HEADERS.contains(headerName.toLowerCase(Locale.ENGLISH))) { +Enumeration headerValues = req.getHeaders(headerName); +while (headerValues.hasMoreElements()) { +String headerValue = headerValues.nextElement(); +buffer.append(CRLF).append(headerName).append(": ").append(headerValue); +} } } diff --git a/test/javax/servlet/http/TestHttpServlet.java b/test/javax/servlet/http/TestHttpServlet.java index 39f3707800..4e683b0a15 100644 --- a/test/javax/servlet/http/TestHttpServlet.java +++ b/test/javax/servlet/http/TestHttpServlet.java @@ -20,6 +20,7 @@ import java.io.IOException; import java.io.PrintWriter; import java.util.HashMap; import java.util.List; +import java.util.Locale; import java.util.Map; import javax.servlet.AsyncContext; @@ -315,6 +316,8 @@ public class TestHttpServlet extends TomcatBaseTest { "Host: localhost:" + getPort() + SimpleHttpClient.CRLF + "X-aaa: a1, a2" + SimpleHttpClient.CRLF + "X-aaa: a3" + SimpleHttpClient.CRLF + +"Cookie: c1-v1" + SimpleHttpClient.CRLF + +"WWW-Authenticate: not-a-real-credential" + SimpleHttpClient.CRLF + SimpleHttpClient.CRLF}); client.setUseContentLength(true); 
@@ -328,9 +331,14 @@ public class TestHttpServlet extends TomcatBaseTest { Assert.assertTrue(client.getResponseLine(), client.isResponse200()); // Far from perfect but good enough +body = body.toLowerCase(Locale.ENGLISH); Assert.assertTrue(body.contains("a1")); Assert.assertTrue(body.contains("a2")); Assert.assertTrue(body.contains("a3")); +// Sensitive headers (cookies, WWW-Authenticate) must not be reflected +// (since RFC 7231) +Assert.assertFalse(body.contains("cookie")); +Assert.assertFalse(body.contains("www-authenticate")); client.disconnect(); } diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index b4962dea2e..7e428939e8 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -111,6 +111,10 @@ Correct handling of HTTP TRACE requests where there are multiple instances of an HTTP header with the same name. (markt) + +Implement the requirements of RFC 7231 and do not include sensitive +headers in responses to HTTP TR
[tomcat] branch main updated: Update docs for TRACE changes
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new 9d2cebf6f3 Update docs for TRACE changes 9d2cebf6f3 is described below commit 9d2cebf6f32b28e70a39456b0f45525df7a0a7ae Author: Mark Thomas AuthorDate: Mon Aug 1 17:42:52 2022 +0100 Update docs for TRACE changes --- webapps/docs/config/ajp.xml | 6 +- webapps/docs/config/http.xml | 6 +- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/webapps/docs/config/ajp.xml b/webapps/docs/config/ajp.xml index 6850854a1a..9b8962af9d 100644 --- a/webapps/docs/config/ajp.xml +++ b/webapps/docs/config/ajp.xml @@ -89,7 +89,11 @@ A boolean value which can be used to enable or disable the TRACE - HTTP method. If not specified, this attribute is set to false. + HTTP method. If not specified, this attribute is set to false. As per RFC + 7231 section 4.3.8, cookie and www-authenticate headers will be excluded + from the response to the TRACE request. If you wish to include these, you + can implement the doTrace() method for the target Servlet and + gain full control over the reponse. diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml index 890bf7dcef..ee7e92da7a 100644 --- a/webapps/docs/config/http.xml +++ b/webapps/docs/config/http.xml 
@@ -85,7 +85,11 @@ A boolean value which can be used to enable or disable the TRACE - HTTP method. If not specified, this attribute is set to false. + HTTP method. If not specified, this attribute is set to false. As per RFC + 7231 section 4.3.8, cookie and www-authenticate headers will be excluded + from the response to the TRACE request. If you wish to include these, you + can implement the doTrace() method for the target Servlet and + gain full control over the reponse. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
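Review bot: both the ajp.xml and http.xml hunks add the same typo in the new sentence "gain full control over the reponse."; it should read "response". The added text also hard-codes the list as "cookie and www-authenticate headers will be excluded", so whenever the filtered set in HttpServlet changes, these two connector documents have to change in the same commit or they will describe the wrong headers.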
[tomcat] branch 10.0.x updated: Update docs for TRACE changes
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.0.x by this push: new 43226e3de5 Update docs for TRACE changes 43226e3de5 is described below commit 43226e3de5e0a61847cdbcc05fa37ce69f6989e4 Author: Mark Thomas AuthorDate: Mon Aug 1 17:42:52 2022 +0100 Update docs for TRACE changes --- webapps/docs/config/ajp.xml | 6 +- webapps/docs/config/http.xml | 6 +- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/webapps/docs/config/ajp.xml b/webapps/docs/config/ajp.xml index c59c7bd14f..1a3cccdeaa 100644 --- a/webapps/docs/config/ajp.xml +++ b/webapps/docs/config/ajp.xml @@ -92,7 +92,11 @@ A boolean value which can be used to enable or disable the TRACE - HTTP method. If not specified, this attribute is set to false. + HTTP method. If not specified, this attribute is set to false. As per RFC + 7231 section 4.3.8, cookie and www-authenticate headers will be excluded + from the response to the TRACE request. If you wish to include these, you + can implement the doTrace() method for the target Servlet and + gain full control over the reponse. diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml index 65f251f9db..6c716bfe99 100644 --- a/webapps/docs/config/http.xml +++ b/webapps/docs/config/http.xml 
@@ -88,7 +88,11 @@ A boolean value which can be used to enable or disable the TRACE - HTTP method. If not specified, this attribute is set to false. + HTTP method. If not specified, this attribute is set to false. As per RFC + 7231 section 4.3.8, cookie and www-authenticate headers will be excluded + from the response to the TRACE request. If you wish to include these, you + can implement the doTrace() method for the target Servlet and + gain full control over the reponse. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 9.0.x updated: Update docs for TRACE changes
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new 896c506530 Update docs for TRACE changes 896c506530 is described below commit 896c506530bb4c1a3331cdce40df334461b11545 Author: Mark Thomas AuthorDate: Mon Aug 1 17:42:52 2022 +0100 Update docs for TRACE changes --- webapps/docs/config/ajp.xml | 6 +- webapps/docs/config/http.xml | 6 +- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/webapps/docs/config/ajp.xml b/webapps/docs/config/ajp.xml index be5cd0fc9c..121d1de101 100644 --- a/webapps/docs/config/ajp.xml +++ b/webapps/docs/config/ajp.xml @@ -83,7 +83,11 @@ A boolean value which can be used to enable or disable the TRACE - HTTP method. If not specified, this attribute is set to false. + HTTP method. If not specified, this attribute is set to false. As per RFC + 7231 section 4.3.8, cookie and www-authenticate headers will be excluded + from the response to the TRACE request. If you wish to include these, you + can implement the doTrace() method for the target Servlet and + gain full control over the reponse. diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml index 2942b8a245..d12f22639a 100644 --- a/webapps/docs/config/http.xml +++ b/webapps/docs/config/http.xml 
@@ -79,7 +79,11 @@ A boolean value which can be used to enable or disable the TRACE - HTTP method. If not specified, this attribute is set to false. + HTTP method. If not specified, this attribute is set to false. As per RFC + 7231 section 4.3.8, cookie and www-authenticate headers will be excluded + from the response to the TRACE request. If you wish to include these, you + can implement the doTrace() method for the target Servlet and + gain full control over the reponse. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [tomcat] branch main updated: Do not include sensitive headers in responses to HTTP TRACE requests
Mark, On 8/1/22 12:36, ma...@apache.org wrote: This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new 7c8a605bf8 Do not include sensitive headers in responses to HTTP TRACE requests 7c8a605bf8 is described below commit 7c8a605bf86585ae7687a99ef473227007cd8f5e Author: Mark Thomas AuthorDate: Mon Aug 1 17:36:18 2022 +0100 Do not include sensitive headers in responses to HTTP TRACE requests This is a requirement of RFC 7231, 4.3.8 --- java/jakarta/servlet/http/HttpServlet.java | 22 ++ test/jakarta/servlet/http/TestHttpServlet.java | 8 webapps/docs/changelog.xml | 4 3 files changed, 30 insertions(+), 4 deletions(-) diff --git a/java/jakarta/servlet/http/HttpServlet.java b/java/jakarta/servlet/http/HttpServlet.java index ce85988633..16007586ed 100644 --- a/java/jakarta/servlet/http/HttpServlet.java +++ b/java/jakarta/servlet/http/HttpServlet.java @@ -25,7 +25,10 @@ import java.lang.reflect.InvocationTargetException; import java.lang.reflect.Method; import java.text.MessageFormat; import java.util.Enumeration; +import java.util.HashSet; +import java.util.Locale; import java.util.ResourceBundle; +import java.util.Set; import jakarta.servlet.AsyncEvent; import jakarta.servlet.AsyncListener; @@ -95,6 +98,8 @@ public abstract class HttpServlet extends GenericServlet { private static final String LSTRING_FILE = "jakarta.servlet.http.LocalStrings"; private static final ResourceBundle lStrings = ResourceBundle.getBundle(LSTRING_FILE); +private static final Set SENSITIVE_HTTP_HEADERS = new HashSet<>(); + /** * @deprecated May be removed in a future release * 
@@ -116,6 +121,12 @@ public abstract class HttpServlet extends GenericServlet { */ private volatile boolean cachedUseLegacyDoHead; +static { +SENSITIVE_HTTP_HEADERS.add("cookie"); +SENSITIVE_HTTP_HEADERS.add("www-authenticate");

How about "Authorization"?

Is there a standard way for HTTP TRACE to reply to the client saying "oh and btw I removed the Cookie and Authentication headers you sent, so they aren't there but you did send them"?

-chris
Re: [tomcat] branch main updated: Do not include sensitive headers in responses to HTTP TRACE requests
On 01/08/2022 18:03, Christopher Schultz wrote:
> private volatile boolean cachedUseLegacyDoHead; + static { + SENSITIVE_HTTP_HEADERS.add("cookie"); + SENSITIVE_HTTP_HEADERS.add("www-authenticate");
>
> How about "Authorization"?

That makes more sense than WWW-Authenticate which is the challenge rather than the response. I'll get that fixed.

> Is there a standard way for HTTP TRACE to reply to the client saying "oh and btw I removed the Cookie and Authentication headers you sent, so they aren't there but you did send them"?

Unfortunately not.

Mark
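As an added illustration of the filtering the thread settles on (this is example code written for this page, not Tomcat's HttpServlet), the class below builds the message/http body that a TRACE response echoes back and drops credential-bearing request headers by a case-insensitive name match. "cookie" and "authorization" are the two names the fix above uses; "proxy-authorization" is an assumed extension not taken from the page, and the sample request headers in main() are constructed.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/**
 * Builds the body a TRACE response echoes back, leaving out request headers
 * that carry credentials (RFC 7231 section 4.3.8). Stand-alone illustration;
 * not Tomcat's own code.
 */
public final class TraceBodyBuilder {

    private static final String CRLF = "\r\n";

    // Names are compared case-insensitively, so the set holds lower-case names.
    // "cookie" and "authorization" follow the fix discussed above;
    // "proxy-authorization" is an assumed extension for proxy credentials.
    private static final Set<String> SENSITIVE_HTTP_HEADERS = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList("cookie", "authorization", "proxy-authorization")));

    private TraceBodyBuilder() {
    }

    /** True when the header must not be reflected, whatever its capitalisation. */
    static boolean isSensitive(String headerName) {
        return SENSITIVE_HTTP_HEADERS.contains(headerName.toLowerCase(Locale.ENGLISH));
    }

    /**
     * @param requestLine the request line to echo, e.g. "TRACE /path HTTP/1.1"
     * @param headers     request headers in arrival order; one name may carry several values
     * @return the body to send with Content-Type message/http
     */
    static String buildTraceBody(String requestLine, Map<String, List<String>> headers) {
        StringBuilder buffer = new StringBuilder(requestLine);
        for (Map.Entry<String, List<String>> header : headers.entrySet()) {
            String headerName = header.getKey();
            if (isSensitive(headerName)) {
                continue; // dropped entirely: neither the name nor any value is echoed
            }
            for (String headerValue : header.getValue()) {
                buffer.append(CRLF).append(headerName).append(": ").append(headerValue);
            }
        }
        return buffer.toString();
    }

    public static void main(String[] args) {
        // Constructed sample request; none of these values are real credentials.
        Map<String, List<String>> headers = new LinkedHashMap<>();
        headers.put("Host", Collections.singletonList("localhost:8080"));
        headers.put("X-aaa", Arrays.asList("a1, a2", "a3"));
        headers.put("Cookie", Collections.singletonList("JSESSIONID=example-only"));
        headers.put("AUTHORIZATION", Collections.singletonList("Basic not-a-real-credential"));
        headers.put("Proxy-Authorization", Collections.singletonList("Basic not-a-real-credential"));

        String body = buildTraceBody("TRACE /app/resource HTTP/1.1", headers);
        // Echoes the request line, Host and both X-aaa values; the three
        // credential headers are absent even though AUTHORIZATION was upper-case.
        System.out.println(body);
    }
}
```

In a servlet, a doTrace(HttpServletRequest, HttpServletResponse) override would fill the map from req.getHeaderNames() and req.getHeaders(name), then set the content type to message/http, set the content length, and write the returned body, which is the shape of HttpServlet's default doTrace. Keeping the name check case-insensitive matters because a client may send "COOKIE" or "authorization" and the servlet container preserves the spelling it received.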
[tomcat] branch main updated: Filter "Authorization" rather than "WWW-Authenticate"
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new ac4c0515ef Filter "Authorization" rather than "WWW-Authenticate" ac4c0515ef is described below commit ac4c0515efed1cf1a6015fef6c28f95e52938474 Author: Mark Thomas AuthorDate: Mon Aug 1 19:45:08 2022 +0100 Filter "Authorization" rather than "WWW-Authenticate" --- java/jakarta/servlet/http/HttpServlet.java | 2 +- test/jakarta/servlet/http/TestHttpServlet.java | 4 ++-- webapps/docs/config/ajp.xml| 6 +++--- webapps/docs/config/http.xml | 6 +++--- 4 files changed, 9 insertions(+), 9 deletions(-) diff --git a/java/jakarta/servlet/http/HttpServlet.java b/java/jakarta/servlet/http/HttpServlet.java index 16007586ed..cf384b85fb 100644 --- a/java/jakarta/servlet/http/HttpServlet.java +++ b/java/jakarta/servlet/http/HttpServlet.java @@ -123,7 +123,7 @@ public abstract class HttpServlet extends GenericServlet { static { SENSITIVE_HTTP_HEADERS.add("cookie"); -SENSITIVE_HTTP_HEADERS.add("www-authenticate"); +SENSITIVE_HTTP_HEADERS.add("authorization"); } diff --git a/test/jakarta/servlet/http/TestHttpServlet.java b/test/jakarta/servlet/http/TestHttpServlet.java index 44174e009a..e12bcd54be 100644 --- a/test/jakarta/servlet/http/TestHttpServlet.java +++ b/test/jakarta/servlet/http/TestHttpServlet.java @@ -317,7 +317,7 @@ public class TestHttpServlet extends TomcatBaseTest { "X-aaa: a1, a2" + SimpleHttpClient.CRLF + "X-aaa: a3" + SimpleHttpClient.CRLF + "Cookie: c1-v1" + SimpleHttpClient.CRLF + -"WWW-Authenticate: not-a-real-credential" + SimpleHttpClient.CRLF + +"Authorization: not-a-real-credential" + SimpleHttpClient.CRLF + SimpleHttpClient.CRLF}); client.setUseContentLength(true); 
@@ -338,7 +338,7 @@ public class TestHttpServlet extends TomcatBaseTest { // Sensitive headers (cookies, WWW-Authenticate) must not be reflected // (since RFC 7231) Assert.assertFalse(body.contains("cookie")); -Assert.assertFalse(body.contains("www-authenticate")); +Assert.assertFalse(body.contains("authorization")); client.disconnect(); } diff --git a/webapps/docs/config/ajp.xml b/webapps/docs/config/ajp.xml index 9b8962af9d..7f132a0ad8 100644 --- a/webapps/docs/config/ajp.xml +++ b/webapps/docs/config/ajp.xml @@ -90,9 +90,9 @@ A boolean value which can be used to enable or disable the TRACE HTTP method. If not specified, this attribute is set to false. As per RFC - 7231 section 4.3.8, cookie and www-authenticate headers will be excluded - from the response to the TRACE request. If you wish to include these, you - can implement the doTrace() method for the target Servlet and + 7231 section 4.3.8, cookie and authorization headers will be excluded from + the response to the TRACE request. If you wish to include these, you can + implement the doTrace() method for the target Servlet and gain full control over the reponse. diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml index ee7e92da7a..06afa4b09c 100644 --- a/webapps/docs/config/http.xml +++ b/webapps/docs/config/http.xml 
@@ -86,9 +86,9 @@ A boolean value which can be used to enable or disable the TRACE HTTP method. If not specified, this attribute is set to false. As per RFC - 7231 section 4.3.8, cookie and www-authenticate headers will be excluded - from the response to the TRACE request. If you wish to include these, you - can implement the doTrace() method for the target Servlet and + 7231 section 4.3.8, cookie and authorization headers will be excluded from + the response to the TRACE request. If you wish to include these, you can + implement the doTrace() method for the target Servlet and gain full control over the reponse. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
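Review bot: in the TestHttpServlet.java hunk at @@ -338,7 +338,7 @@ the unchanged context comment "// Sensitive headers (cookies, WWW-Authenticate) must not be reflected" now disagrees with the assertion it describes, which checks for "authorization"; update it to "(cookies, Authorization)" in the same commit so the test documents what it verifies. The ajp.xml and http.xml hunks rewrap the sentence around the new "cookie and authorization headers" wording but keep the context line "gain full control over the reponse.", so the "reponse" typo survives this pass and should be fixed while the paragraph is being touched.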
[tomcat] branch 10.0.x updated: Filter "Authorization" rather than "WWW-Authenticate"
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.0.x by this push: new 11dcab795a Filter "Authorization" rather than "WWW-Authenticate" 11dcab795a is described below commit 11dcab795affc031d99839e8109fd2dc49187c63 Author: Mark Thomas AuthorDate: Mon Aug 1 19:45:08 2022 +0100 Filter "Authorization" rather than "WWW-Authenticate" --- java/jakarta/servlet/http/HttpServlet.java | 2 +- test/jakarta/servlet/http/TestHttpServlet.java | 4 ++-- webapps/docs/config/ajp.xml| 6 +++--- webapps/docs/config/http.xml | 6 +++--- 4 files changed, 9 insertions(+), 9 deletions(-) diff --git a/java/jakarta/servlet/http/HttpServlet.java b/java/jakarta/servlet/http/HttpServlet.java index a2d8d51cca..5af390bba7 100644 --- a/java/jakarta/servlet/http/HttpServlet.java +++ b/java/jakarta/servlet/http/HttpServlet.java @@ -108,7 +108,7 @@ public abstract class HttpServlet extends GenericServlet { static { SENSITIVE_HTTP_HEADERS.add("cookie"); -SENSITIVE_HTTP_HEADERS.add("www-authenticate"); +SENSITIVE_HTTP_HEADERS.add("authorization"); } diff --git a/test/jakarta/servlet/http/TestHttpServlet.java b/test/jakarta/servlet/http/TestHttpServlet.java index 44174e009a..e12bcd54be 100644 --- a/test/jakarta/servlet/http/TestHttpServlet.java +++ b/test/jakarta/servlet/http/TestHttpServlet.java @@ -317,7 +317,7 @@ public class TestHttpServlet extends TomcatBaseTest { "X-aaa: a1, a2" + SimpleHttpClient.CRLF + "X-aaa: a3" + SimpleHttpClient.CRLF + "Cookie: c1-v1" + SimpleHttpClient.CRLF + -"WWW-Authenticate: not-a-real-credential" + SimpleHttpClient.CRLF + +"Authorization: not-a-real-credential" + SimpleHttpClient.CRLF + SimpleHttpClient.CRLF}); client.setUseContentLength(true); 
@@ -338,7 +338,7 @@ public class TestHttpServlet extends TomcatBaseTest { // Sensitive headers (cookies, WWW-Authenticate) must not be reflected // (since RFC 7231) Assert.assertFalse(body.contains("cookie")); -Assert.assertFalse(body.contains("www-authenticate")); +Assert.assertFalse(body.contains("authorization")); client.disconnect(); } diff --git a/webapps/docs/config/ajp.xml b/webapps/docs/config/ajp.xml index 1a3cccdeaa..0fe0864d2f 100644 --- a/webapps/docs/config/ajp.xml +++ b/webapps/docs/config/ajp.xml @@ -93,9 +93,9 @@ A boolean value which can be used to enable or disable the TRACE HTTP method. If not specified, this attribute is set to false. As per RFC - 7231 section 4.3.8, cookie and www-authenticate headers will be excluded - from the response to the TRACE request. If you wish to include these, you - can implement the doTrace() method for the target Servlet and + 7231 section 4.3.8, cookie and authorization headers will be excluded from + the response to the TRACE request. If you wish to include these, you can + implement the doTrace() method for the target Servlet and gain full control over the reponse. diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml index 6c716bfe99..6427c85bac 100644 --- a/webapps/docs/config/http.xml +++ b/webapps/docs/config/http.xml 
@@ -89,9 +89,9 @@ A boolean value which can be used to enable or disable the TRACE HTTP method. If not specified, this attribute is set to false. As per RFC - 7231 section 4.3.8, cookie and www-authenticate headers will be excluded - from the response to the TRACE request. If you wish to include these, you - can implement the doTrace() method for the target Servlet and + 7231 section 4.3.8, cookie and authorization headers will be excluded from + the response to the TRACE request. If you wish to include these, you can + implement the doTrace() method for the target Servlet and gain full control over the reponse. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 9.0.x updated: Filter "Authorization" rather than "WWW-Authenticate"
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new c762775da0 Filter "Authorization" rather than "WWW-Authenticate" c762775da0 is described below commit c762775da0b3872b1d924f8e3cd4ed3feb1b8130 Author: Mark Thomas AuthorDate: Mon Aug 1 19:45:08 2022 +0100 Filter "Authorization" rather than "WWW-Authenticate" --- java/javax/servlet/http/HttpServlet.java | 2 +- test/javax/servlet/http/TestHttpServlet.java | 4 ++-- webapps/docs/config/ajp.xml | 6 +++--- webapps/docs/config/http.xml | 6 +++--- 4 files changed, 9 insertions(+), 9 deletions(-) diff --git a/java/javax/servlet/http/HttpServlet.java b/java/javax/servlet/http/HttpServlet.java index 3ee5fa6abe..38d10b7958 100644 --- a/java/javax/servlet/http/HttpServlet.java +++ b/java/javax/servlet/http/HttpServlet.java @@ -101,7 +101,7 @@ public abstract class HttpServlet extends GenericServlet { static { SENSITIVE_HTTP_HEADERS.add("cookie"); -SENSITIVE_HTTP_HEADERS.add("www-authenticate"); +SENSITIVE_HTTP_HEADERS.add("authorization"); } diff --git a/test/javax/servlet/http/TestHttpServlet.java b/test/javax/servlet/http/TestHttpServlet.java index 4e683b0a15..3770f8f71a 100644 --- a/test/javax/servlet/http/TestHttpServlet.java +++ b/test/javax/servlet/http/TestHttpServlet.java @@ -317,7 +317,7 @@ public class TestHttpServlet extends TomcatBaseTest { "X-aaa: a1, a2" + SimpleHttpClient.CRLF + "X-aaa: a3" + SimpleHttpClient.CRLF + "Cookie: c1-v1" + SimpleHttpClient.CRLF + -"WWW-Authenticate: not-a-real-credential" + SimpleHttpClient.CRLF + +"Authorization: not-a-real-credential" + SimpleHttpClient.CRLF + SimpleHttpClient.CRLF}); client.setUseContentLength(true); 
@@ -338,7 +338,7 @@ public class TestHttpServlet extends TomcatBaseTest { // Sensitive headers (cookies, WWW-Authenticate) must not be reflected // (since RFC 7231) Assert.assertFalse(body.contains("cookie")); -Assert.assertFalse(body.contains("www-authenticate")); +Assert.assertFalse(body.contains("authorization")); client.disconnect(); } diff --git a/webapps/docs/config/ajp.xml b/webapps/docs/config/ajp.xml index 121d1de101..88a1a7b882 100644 --- a/webapps/docs/config/ajp.xml +++ b/webapps/docs/config/ajp.xml @@ -84,9 +84,9 @@ A boolean value which can be used to enable or disable the TRACE HTTP method. If not specified, this attribute is set to false. As per RFC - 7231 section 4.3.8, cookie and www-authenticate headers will be excluded - from the response to the TRACE request. If you wish to include these, you - can implement the doTrace() method for the target Servlet and + 7231 section 4.3.8, cookie and authorization headers will be excluded from + the response to the TRACE request. If you wish to include these, you can + implement the doTrace() method for the target Servlet and gain full control over the reponse. diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml index d12f22639a..710cbbd9dd 100644 --- a/webapps/docs/config/http.xml +++ b/webapps/docs/config/http.xml 
@@ -80,9 +80,9 @@ A boolean value which can be used to enable or disable the TRACE HTTP method. If not specified, this attribute is set to false. As per RFC - 7231 section 4.3.8, cookie and www-authenticate headers will be excluded - from the response to the TRACE request. If you wish to include these, you - can implement the doTrace() method for the target Servlet and + 7231 section 4.3.8, cookie and authorization headers will be excluded from + the response to the TRACE request. If you wish to include these, you can + implement the doTrace() method for the target Servlet and gain full control over the reponse. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 66194] New: When using http2 and maxHeaderSize is exceeded, nothing is logged
https://bz.apache.org/bugzilla/show_bug.cgi?id=66194

Bug ID: 66194
Summary: When using http2 and maxHeaderSize is exceeded, nothing is logged
Product: Tomcat 9
Version: 9.0.63
Hardware: PC
OS: Mac OS X 10.1
Status: NEW
Severity: normal
Priority: P2
Component: Connectors
Assignee: dev@tomcat.apache.org
Reporter: damien.hol...@unimarket.com
Target Milestone: -

We are using http2 and we have some requests with many cookies and this results in us exceeding the maxHeaderSize limit. This has taken a very long time to track down as tomcat does not log anything under these conditions - prior to http2 I'm pretty sure this situation was logged (at least once).

The code in question is:

    if (hpackDecoder.isHeaderSizeExceeded(headerReadBuffer.position())) {
        StreamException headerException = new StreamException(sm.getString(
                "http2Parser.headerLimitSize", connectionId, Integer.valueOf(streamId)),
                Http2Error.ENHANCE_YOUR_CALM, streamId);
        hpackDecoder.getHeaderEmitter().setHeaderException(headerException);
    }

Note: it is logged if I turn on debug logging but we can't do that in production.

    o.a.coyote.http2.Http2UpgradeHandler : Connection [1], Stream [1], Error [ENHANCE_YOUR_CALM], Message [Connection [1], Stream [1], Total header size too big], RST (closing stream)

Could this be logged as a warning, so we can at least detect this situation in production?

-- You are receiving this mail because: You are the assignee for the bug.