Re: BZ 66294 - optionally disable some SecurityManager checks
On 09/11/2022 00:25, Christopher Schultz wrote:
Mark,
On 11/8/22 12:36, Mark Thomas wrote:
On 08/11/2022 16:47, Christopher Schultz wrote:
Mark,
On 11/7/22 16:53, Mark Thomas wrote:
On 07/11/2022 21:08, Christopher Schultz wrote:
Mark,
On 11/7/22 11:24, Mark Thomas wrote:

Hi,

BZ 66294 [1] highlights the performance impact in Tomcat of some additional SecurityManager checks that were added to avoid AccessControlException when using the EL API JAR outside of Tomcat. Details of the performance impact are in the bug report.

I think we have a few options here.

1. Assume Tomcat 11 will remove the SecurityManager. Do nothing for now and advise the reporter to move to Tomcat 11 when available.
2. Do nothing.
3. Disable this check by default and an option (it will have to be a system property) to enable it.
4. Something else.

Thoughts? I am currently leaning towards 3 given that the performance impact is noticeable and that the check isn't required in normal usage.

I thought we only wrapped stuff in doPrivileged() when a SecurityManager was installed. Re-re-reading the bug report, it's clear that the reporter IS running under SM. If the reporter is running under SM and the code does not fail, doesn't that mean that the check isn't actually providing any benefit? The thread must already be running in a privileged context if making that call does not throw an exception at runtime. Can we just remove it entirely? Maybe I'm missing something...

When used in Tomcat that code is always called from within another doPrivileged() call further up the stack and all the stack frames in between are for Tomcat provided code so the security checks pass. Hence you can skip this doPrivileged() if running in Tomcat. When used outside of Tomcat (EL is completely stand-alone) that isn't the case and you need to use doPrivileged() to avoid the exceptions.

Gotcha. And I suppose it's not really possible to detect if we are already running as a privileged operation? (Similar to how the JVM knows that obtaining a lock a thread already has is very quick.)

It might be. But the challenge is detecting if we are running under the right privileged operation. What we really need is "Are we on a Tomcat request processing thread?". In older Tomcat versions we have ContainerThreadMarker but it is unused and I don't really like referring to that - even via reflection - in the API classes. There is precedence but I still don't like it. If there is a neater way of doing this, I'm likely to be all for it as most solutions are likely to be better (in my view) than another system property.

ThreadLocal? Or is that too fragile?

That is essentially how ContainerThreadMarker worked. I just don't like a) having to refer to a Tomcat class in the API classes and b) having to do it via reflection in case it isn't present.

I thought about using the ELContext somehow but it is only available on a few of the code paths that call Util.getContextClassLoader() and not on the one that is the cause of the performance hot spot.

I can think of various reflection based hacks that could work but nothing I like better than the system property - despite me not liking that very much.

Mark

- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [tomcat] branch main updated: Fix BZ 66294. Make use of privileged block optional. Performance hotspot
On 09/11/2022 00:28, Christopher Schultz wrote:
Mark,
On 11/8/22 12:41, Mark Thomas wrote:
On 08/11/2022 16:52, Christopher Schultz wrote:
Mark,

Wouldn't it be "safer" to have this doPrivileged be an "opt-out" permission rather than an "opt-in" permission?

Good question.

Nobody is going to know that they need to enable this option in order to get "proper protection".

Until they see the exception.

It will be an ugly permission error, and they'll assume their SecurityManager hasn't been configured properly. If we could throw an error saying "you should enable this system property if you need to use Tomcat EL in this way" then it would be nice. But we can't. :/

I think we might be able to do that. I'll test it.

This change is not exactly backward-compatible. It may break people who are otherwise happily using the Tomcat EL package by requiring them to add a system property to get it to work. I think the doPrivileged should be present /by default/ and the preference should be opt-out if only to maintain backward-compatibility. Evidently, only one user on the planet needs to disable this privilege re-acquisition.

No test case was ever provided for BZ 62080. I suspect it was a theoretical issue rather than one observed in real code. The performance issue is an issue for everyone using a SecurityManager. Another factor I considered is that the SecurityManager is deprecated and support for it is likely to be removed in Jakarta EE 11. I went for disabled by default because I thought that was the best solution for the majority - possibly all - users.

I think we should mention this in the "Notable Changes" section of the UG.

Makes sense.

Mark
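The pattern debated in the two BZ 66294 threads above, as an added Java example that is not Tomcat's own code: the context class loader lookup is wrapped in doPrivileged() only when a system property enables it. The class name, the property name example.el.GET_CLASSLOADER_USE_PRIVILEGED and the DEFAULT_VALUE constant are assumptions made for the illustration.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;

/**
 * Added illustration (not Tomcat code) of an optional privileged block
 * around the context class loader lookup. All names are hypothetical.
 */
@SuppressWarnings({"deprecation", "removal"}) // SecurityManager APIs are deprecated in recent JDKs
public final class ContextClassLoaderLookup {

    /** Hypothetical property name, used only in this example. */
    static final String USE_PRIVILEGED_PROPERTY = "example.el.GET_CLASSLOADER_USE_PRIVILEGED";

    /**
     * "false" gives the disabled-by-default (opt-in) behaviour described in the
     * thread; "true" would give the opt-out behaviour argued for in the reply.
     */
    static final String DEFAULT_VALUE = "false";

    /** Evaluated once, so the hot path costs a single boolean test. */
    private static final boolean USE_PRIVILEGED = readFlag();

    private ContextClassLoaderLookup() {
        // Utility class.
    }

    private static boolean readFlag() {
        if (System.getSecurityManager() == null) {
            // No SecurityManager: there is no permission check to satisfy.
            return false;
        }
        // Reading a system property is itself a checked operation, and class
        // initialisation may be triggered by unprivileged caller code, so the
        // read has to be privileged as well.
        PrivilegedAction<String> read =
                () -> System.getProperty(USE_PRIVILEGED_PROPERTY, DEFAULT_VALUE);
        return Boolean.parseBoolean(AccessController.doPrivileged(read));
    }

    public static ClassLoader getContextClassLoader() {
        return lookup(USE_PRIVILEGED);
    }

    // Package-private so both branches can be exercised without a SecurityManager.
    static ClassLoader lookup(boolean privileged) {
        if (privileged) {
            // Stand-alone use: the permission check stops at this frame, so
            // callers further up the stack do not need the getClassLoader
            // permission themselves.
            PrivilegedAction<ClassLoader> action =
                    () -> Thread.currentThread().getContextClassLoader();
            return AccessController.doPrivileged(action);
        }
        // Container use: an enclosing privileged block higher up the stack
        // already covers this call, so the extra frame is only overhead.
        return Thread.currentThread().getContextClassLoader();
    }

    public static void main(String[] args) {
        ClassLoader direct = lookup(false);
        ClassLoader viaPrivileged = lookup(true);
        System.out.println("privileged block enabled: " + USE_PRIVILEGED);
        System.out.println("same loader from both paths: " + (direct == viaPrivileged));
    }
}
```

With the opt-in default, a stand-alone deployment that needs the privileged block has to start the JVM with -Dexample.el.GET_CLASSLOADER_USE_PRIVILEGED=true; otherwise the first symptom is the AccessControlException the reply describes.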
[tomcat] branch main updated: Avoid invalid JSON in JSONErrorReportValve output
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new 6a0ac6a438 Avoid invalid JSON in JSONErrorReportValve output 6a0ac6a438 is described below commit 6a0ac6a438cbbb66b6e9c5223842f53bf0cb50aa Author: Mark Thomas AuthorDate: Wed Nov 9 12:39:15 2022 + Avoid invalid JSON in JSONErrorReportValve output --- .../catalina/valves/JsonErrorReportValve.java | 7 +- java/org/apache/tomcat/util/json/JSONFilter.java | 61 .../apache/tomcat/util/json/TestJSONFilter.java| 82 ++ webapps/docs/changelog.xml | 5 ++ 4 files changed, 152 insertions(+), 3 deletions(-) diff --git a/java/org/apache/catalina/valves/JsonErrorReportValve.java b/java/org/apache/catalina/valves/JsonErrorReportValve.java index a9bb895585..1e7719fb51 100644 --- a/java/org/apache/catalina/valves/JsonErrorReportValve.java +++ b/java/org/apache/catalina/valves/JsonErrorReportValve.java @@ -24,6 +24,7 @@ import org.apache.catalina.connector.Request; import org.apache.catalina.connector.Response; import org.apache.coyote.ActionCode; import org.apache.tomcat.util.ExceptionUtils; +import org.apache.tomcat.util.json.JSONFilter; import org.apache.tomcat.util.res.StringManager; /** @@ -82,9 +83,9 @@ public class JsonErrorReportValve extends ErrorReportValve { } } String jsonReport = "{\n" + -" \"type\": \"" + type + "\",\n" + -" \"message\": \"" + message + "\",\n" + -" \"description\": \"" + description + "\"\n" + +" \"type\": \"" + JSONFilter.escape(type) + "\",\n" + +" \"message\": \"" + JSONFilter.escape(message) + "\",\n" + +" \"description\": \"" + JSONFilter.escape(description) + "\"\n" + "}"; try { try { diff --git a/java/org/apache/tomcat/util/json/JSONFilter.java b/java/org/apache/tomcat/util/json/JSONFilter.java new file mode 100644 index 00..cb255dc41b --- /dev/null +++ b/java/org/apache/tomcat/util/json/JSONFilter.java 
@@ -0,0 +1,61 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.tomcat.util.json; + +/** + * Provides escaping of values so they can be included in a JSON document. + * Escaping is based on the definition of JSON found in + * https://www.rfc-editor.org/rfc/rfc8259.html";>RFC 8259. + */ +public class JSONFilter { + +private JSONFilter() { +// Utility class. Hide the default constructor. +} + +public static String escape(String input) { +/* + * While any character MAY be escaped, only U+ to U+001F (control + * characters), U+0022 (quotation mark) and U+005C (reverse solidus) + * MUST be escaped. 
+ */ +char[] chars = input.toCharArray(); +StringBuffer escaped = null; +int lastUnescapedStart = 0; +for (int i = 0; i < chars.length; i++) { +if (chars[i] < 0x20 || chars[i] == 0x22 || chars[i] == 0x5c) { +if (escaped == null) { +escaped = new StringBuffer(chars.length + 20); +} +if (lastUnescapedStart < i) { +escaped.append(input.subSequence(lastUnescapedStart, i)); +} +lastUnescapedStart = i + 1; +escaped.append("\\u"); +escaped.append(String.format("%04X", Integer.valueOf(chars[i]))); +} +} +if (escaped == null) { +return input; +} else { +if (lastUnescapedStart < chars.length) { +escaped.append(input.subSequence(lastUnescapedStart, chars.length)); +} +return escaped.toString(); +} +} +} diff --git a/test/org/apache/tomcat/util/json/TestJSONFilter.java b/test/org/apache/tomcat/util/json/TestJSONFilter.java new file mode 100644 index 00..0e064
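Review bot: JSONFilter.escape() has no null guard, so in the JsonErrorReportValve.java hunk at -82,9 +83,9 a null type, message or description now fails inside input.toCharArray() with a NullPointerException, where the old string concatenation would have emitted the text null. If any of the three can be null at this point, either guard at the call site or make escape() return an agreed value for null input, and add a null case to TestJSONFilter.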
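Review bot: In the new JSONFilter.java, escaped is a method-local StringBuffer, so StringBuilder would do the same job without the unneeded synchronisation. String.format("%04X", ...) is also called once per escaped character; a small hex lookup would be cheaper on a path that runs for every error response. The public escape() method has no Javadoc of its own: it should state that only the characters RFC 8259 requires (below U+0020, U+0022, U+005C) are escaped and what happens on null input.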
[tomcat] branch 10.1.x updated: Avoid invalid JSON in JSONErrorReportValve output
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.1.x by this push: new 1f50bff8da Avoid invalid JSON in JSONErrorReportValve output 1f50bff8da is described below commit 1f50bff8daabb48c5f15398689988f26aac6ec56 Author: Mark Thomas AuthorDate: Wed Nov 9 12:39:15 2022 + Avoid invalid JSON in JSONErrorReportValve output --- .../catalina/valves/JsonErrorReportValve.java | 7 +- java/org/apache/tomcat/util/json/JSONFilter.java | 61 .../apache/tomcat/util/json/TestJSONFilter.java| 82 ++ webapps/docs/changelog.xml | 5 ++ 4 files changed, 152 insertions(+), 3 deletions(-) diff --git a/java/org/apache/catalina/valves/JsonErrorReportValve.java b/java/org/apache/catalina/valves/JsonErrorReportValve.java index a9bb895585..1e7719fb51 100644 --- a/java/org/apache/catalina/valves/JsonErrorReportValve.java +++ b/java/org/apache/catalina/valves/JsonErrorReportValve.java @@ -24,6 +24,7 @@ import org.apache.catalina.connector.Request; import org.apache.catalina.connector.Response; import org.apache.coyote.ActionCode; import org.apache.tomcat.util.ExceptionUtils; +import org.apache.tomcat.util.json.JSONFilter; import org.apache.tomcat.util.res.StringManager; /** @@ -82,9 +83,9 @@ public class JsonErrorReportValve extends ErrorReportValve { } } String jsonReport = "{\n" + -" \"type\": \"" + type + "\",\n" + -" \"message\": \"" + message + "\",\n" + -" \"description\": \"" + description + "\"\n" + +" \"type\": \"" + JSONFilter.escape(type) + "\",\n" + +" \"message\": \"" + JSONFilter.escape(message) + "\",\n" + +" \"description\": \"" + JSONFilter.escape(description) + "\"\n" + "}"; try { try { diff --git a/java/org/apache/tomcat/util/json/JSONFilter.java b/java/org/apache/tomcat/util/json/JSONFilter.java new file mode 100644 index 00..cb255dc41b --- /dev/null +++ b/java/org/apache/tomcat/util/json/JSONFilter.java 
@@ -0,0 +1,61 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.tomcat.util.json; + +/** + * Provides escaping of values so they can be included in a JSON document. + * Escaping is based on the definition of JSON found in + * https://www.rfc-editor.org/rfc/rfc8259.html";>RFC 8259. + */ +public class JSONFilter { + +private JSONFilter() { +// Utility class. Hide the default constructor. +} + +public static String escape(String input) { +/* + * While any character MAY be escaped, only U+ to U+001F (control + * characters), U+0022 (quotation mark) and U+005C (reverse solidus) + * MUST be escaped. 
+ */ +char[] chars = input.toCharArray(); +StringBuffer escaped = null; +int lastUnescapedStart = 0; +for (int i = 0; i < chars.length; i++) { +if (chars[i] < 0x20 || chars[i] == 0x22 || chars[i] == 0x5c) { +if (escaped == null) { +escaped = new StringBuffer(chars.length + 20); +} +if (lastUnescapedStart < i) { +escaped.append(input.subSequence(lastUnescapedStart, i)); +} +lastUnescapedStart = i + 1; +escaped.append("\\u"); +escaped.append(String.format("%04X", Integer.valueOf(chars[i]))); +} +} +if (escaped == null) { +return input; +} else { +if (lastUnescapedStart < chars.length) { +escaped.append(input.subSequence(lastUnescapedStart, chars.length)); +} +return escaped.toString(); +} +} +} diff --git a/test/org/apache/tomcat/util/json/TestJSONFilter.java b/test/org/apache/tomcat/util/json/TestJSONFilter.java new file mode 100644 index 00..0
[tomcat] branch 9.0.x updated: Avoid invalid JSON in JSONErrorReportValve output
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new b336f4e588 Avoid invalid JSON in JSONErrorReportValve output b336f4e588 is described below commit b336f4e58893ea35114f1e4a415657f723b1298e Author: Mark Thomas AuthorDate: Wed Nov 9 12:39:15 2022 + Avoid invalid JSON in JSONErrorReportValve output --- .../catalina/valves/JsonErrorReportValve.java | 7 +- java/org/apache/tomcat/util/json/JSONFilter.java | 61 .../apache/tomcat/util/json/TestJSONFilter.java| 82 ++ webapps/docs/changelog.xml | 5 ++ 4 files changed, 152 insertions(+), 3 deletions(-) diff --git a/java/org/apache/catalina/valves/JsonErrorReportValve.java b/java/org/apache/catalina/valves/JsonErrorReportValve.java index a9bb895585..1e7719fb51 100644 --- a/java/org/apache/catalina/valves/JsonErrorReportValve.java +++ b/java/org/apache/catalina/valves/JsonErrorReportValve.java @@ -24,6 +24,7 @@ import org.apache.catalina.connector.Request; import org.apache.catalina.connector.Response; import org.apache.coyote.ActionCode; import org.apache.tomcat.util.ExceptionUtils; +import org.apache.tomcat.util.json.JSONFilter; import org.apache.tomcat.util.res.StringManager; /** @@ -82,9 +83,9 @@ public class JsonErrorReportValve extends ErrorReportValve { } } String jsonReport = "{\n" + -" \"type\": \"" + type + "\",\n" + -" \"message\": \"" + message + "\",\n" + -" \"description\": \"" + description + "\"\n" + +" \"type\": \"" + JSONFilter.escape(type) + "\",\n" + +" \"message\": \"" + JSONFilter.escape(message) + "\",\n" + +" \"description\": \"" + JSONFilter.escape(description) + "\"\n" + "}"; try { try { diff --git a/java/org/apache/tomcat/util/json/JSONFilter.java b/java/org/apache/tomcat/util/json/JSONFilter.java new file mode 100644 index 00..cb255dc41b --- /dev/null +++ b/java/org/apache/tomcat/util/json/JSONFilter.java 
@@ -0,0 +1,61 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.tomcat.util.json; + +/** + * Provides escaping of values so they can be included in a JSON document. + * Escaping is based on the definition of JSON found in + * https://www.rfc-editor.org/rfc/rfc8259.html";>RFC 8259. + */ +public class JSONFilter { + +private JSONFilter() { +// Utility class. Hide the default constructor. +} + +public static String escape(String input) { +/* + * While any character MAY be escaped, only U+ to U+001F (control + * characters), U+0022 (quotation mark) and U+005C (reverse solidus) + * MUST be escaped. 
+ */ +char[] chars = input.toCharArray(); +StringBuffer escaped = null; +int lastUnescapedStart = 0; +for (int i = 0; i < chars.length; i++) { +if (chars[i] < 0x20 || chars[i] == 0x22 || chars[i] == 0x5c) { +if (escaped == null) { +escaped = new StringBuffer(chars.length + 20); +} +if (lastUnescapedStart < i) { +escaped.append(input.subSequence(lastUnescapedStart, i)); +} +lastUnescapedStart = i + 1; +escaped.append("\\u"); +escaped.append(String.format("%04X", Integer.valueOf(chars[i]))); +} +} +if (escaped == null) { +return input; +} else { +if (lastUnescapedStart < chars.length) { +escaped.append(input.subSequence(lastUnescapedStart, chars.length)); +} +return escaped.toString(); +} +} +} diff --git a/test/org/apache/tomcat/util/json/TestJSONFilter.java b/test/org/apache/tomcat/util/json/TestJSONFilter.java new file mode 100644 index 00..0e0
[tomcat] branch 8.5.x updated: Avoid invalid JSON in JSONErrorReportValve output
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/8.5.x by this push: new 0cab3a56bd Avoid invalid JSON in JSONErrorReportValve output 0cab3a56bd is described below commit 0cab3a56bd89f70e7481bb0d68395dc7e130dbbf Author: Mark Thomas AuthorDate: Wed Nov 9 12:39:15 2022 + Avoid invalid JSON in JSONErrorReportValve output --- .../catalina/valves/JsonErrorReportValve.java | 7 +- java/org/apache/tomcat/util/json/JSONFilter.java | 61 .../apache/tomcat/util/json/TestJSONFilter.java| 82 ++ webapps/docs/changelog.xml | 5 ++ 4 files changed, 152 insertions(+), 3 deletions(-) diff --git a/java/org/apache/catalina/valves/JsonErrorReportValve.java b/java/org/apache/catalina/valves/JsonErrorReportValve.java index a9bb895585..1e7719fb51 100644 --- a/java/org/apache/catalina/valves/JsonErrorReportValve.java +++ b/java/org/apache/catalina/valves/JsonErrorReportValve.java @@ -24,6 +24,7 @@ import org.apache.catalina.connector.Request; import org.apache.catalina.connector.Response; import org.apache.coyote.ActionCode; import org.apache.tomcat.util.ExceptionUtils; +import org.apache.tomcat.util.json.JSONFilter; import org.apache.tomcat.util.res.StringManager; /** @@ -82,9 +83,9 @@ public class JsonErrorReportValve extends ErrorReportValve { } } String jsonReport = "{\n" + -" \"type\": \"" + type + "\",\n" + -" \"message\": \"" + message + "\",\n" + -" \"description\": \"" + description + "\"\n" + +" \"type\": \"" + JSONFilter.escape(type) + "\",\n" + +" \"message\": \"" + JSONFilter.escape(message) + "\",\n" + +" \"description\": \"" + JSONFilter.escape(description) + "\"\n" + "}"; try { try { diff --git a/java/org/apache/tomcat/util/json/JSONFilter.java b/java/org/apache/tomcat/util/json/JSONFilter.java new file mode 100644 index 00..cb255dc41b --- /dev/null +++ b/java/org/apache/tomcat/util/json/JSONFilter.java 
@@ -0,0 +1,61 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.tomcat.util.json; + +/** + * Provides escaping of values so they can be included in a JSON document. + * Escaping is based on the definition of JSON found in + * https://www.rfc-editor.org/rfc/rfc8259.html";>RFC 8259. + */ +public class JSONFilter { + +private JSONFilter() { +// Utility class. Hide the default constructor. +} + +public static String escape(String input) { +/* + * While any character MAY be escaped, only U+ to U+001F (control + * characters), U+0022 (quotation mark) and U+005C (reverse solidus) + * MUST be escaped. 
+ */ +char[] chars = input.toCharArray(); +StringBuffer escaped = null; +int lastUnescapedStart = 0; +for (int i = 0; i < chars.length; i++) { +if (chars[i] < 0x20 || chars[i] == 0x22 || chars[i] == 0x5c) { +if (escaped == null) { +escaped = new StringBuffer(chars.length + 20); +} +if (lastUnescapedStart < i) { +escaped.append(input.subSequence(lastUnescapedStart, i)); +} +lastUnescapedStart = i + 1; +escaped.append("\\u"); +escaped.append(String.format("%04X", Integer.valueOf(chars[i]))); +} +} +if (escaped == null) { +return input; +} else { +if (lastUnescapedStart < chars.length) { +escaped.append(input.subSequence(lastUnescapedStart, chars.length)); +} +return escaped.toString(); +} +} +} diff --git a/test/org/apache/tomcat/util/json/TestJSONFilter.java b/test/org/apache/tomcat/util/json/TestJSONFilter.java new file mode 100644 index 00..0e0
[tomcat] tag 10.1.2 created (now 153506ba8a)
This is an automated email from the ASF dual-hosted git repository. markt pushed a change to tag 10.1.2 in repository https://gitbox.apache.org/repos/asf/tomcat.git at 153506ba8a (commit) This tag includes the following new commits: new 153506ba8a Tag 10.1.2 The 1 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.
[tomcat] 01/01: Tag 10.1.2
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to tag 10.1.2 in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 153506ba8aaabbafbf75b9084f5869e02f35facc Author: Mark Thomas AuthorDate: Wed Nov 9 15:58:59 2022 + Tag 10.1.2 --- build.properties.release | 52 +++ res/install-win/Uninstall.exe.sig| Bin 0 -> 10247 bytes res/install-win/tomcat-installer.exe.sig | Bin 0 -> 10247 bytes res/maven/mvn.properties.release | 27 webapps/docs/changelog.xml | 2 +- 5 files changed, 80 insertions(+), 1 deletion(-) diff --git a/build.properties.release b/build.properties.release new file mode 100644 index 00..002e0c33b0 --- /dev/null +++ b/build.properties.release 
@@ -0,0 +1,52 @@ +# - +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# - + +# This file was auto-generated by the pre-release Ant target. + +# Any unwanted settings may be over-ridden in a build.properties file located +# in the same directory as this file. + +# Set the version-dev to "" (empty string) as this is not a development release. +version.dev= + +# Ensure consistent timestamps for reproducible builds. +ant.tstamp.now.iso=2022-11-09T15:47:04Z + +# Enable insertion of detached signatures into the Windows installer. +do.codesigning=true + +# Re-use the same GPG executable. +gpg.exec=C:/Program Files (x86)/GnuPG/bin/gpg.exe + +# Reproducible builds require the use of the build tools defined below. The +# vendors (where appropriate) and versions must match exactly for a reproducible +# build since this data is embedded in various files, particularly JAR file +# manifests, as part of the build process. +# +# Apache Ant: Apache Ant(TM) version 1.10.12 compiled on October 13 2021 +# +# Java Name: OpenJDK 64-Bit Server VM +# Java Vendor: Eclipse Adoptium +# Java Version:11.0.17+8 + +# The following is provided for information only. Builds will be repeatable +# whether or not the build environment in consistent with this information. 
+# +# OS: amd64 Windows Server 2022 10.0 +# File encoding: Cp1252 +# +# Release Manager: markt diff --git a/res/install-win/Uninstall.exe.sig b/res/install-win/Uninstall.exe.sig new file mode 100644 index 00..6850afd95f Binary files /dev/null and b/res/install-win/Uninstall.exe.sig differ diff --git a/res/install-win/tomcat-installer.exe.sig b/res/install-win/tomcat-installer.exe.sig new file mode 100644 index 00..62ec678285 Binary files /dev/null and b/res/install-win/tomcat-installer.exe.sig differ diff --git a/res/maven/mvn.properties.release b/res/maven/mvn.properties.release new file mode 100644 index 00..3401426862 --- /dev/null +++ b/res/maven/mvn.properties.release @@ -0,0 +1,27 @@ +# - +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# - + +# This file was auto-generated by the pre-release Ant target. + +# Remove "-dev" from the version since this is not a development release. +maven.asf.release.deploy.version=10.1.2 + +# Re-use the same GPG executable. +gpg.exec=C:/Program Files (x86)/GnuPG/bin/gpg.exe + +# Set the user na
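Review bot: The comment near the end of build.properties.release reads "whether or not the build environment in consistent with this information"; "in" should be "is". The file header says it was auto-generated by the pre-release Ant target, so the wording should be corrected in whatever that target generates the file from, not by hand in this file.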
HTTP workshop
Hi all,

Last week I attended the 2022 HTTP workshop [1]. There was lots of interesting discussion and I thought it was worth highlighting the key things relevant to Tomcat.

1. Draft updates to RFC 6265 Cookies [2]. Most changes don't impact Tomcat. However, it clarifies that quotes are part of the value if the value is quoted. RFC 6265 also states this (I missed it). Tomcat currently strips these quotes. If we fix this (I think we should) we'll almost certainly need to make it optional.
2. There are some new HTTP/2 frames (origin [3] and certificate [4]) we may need to implement at some point. Too early at the moment though.
3. qlog, developed to help debug QUIC, may expand to cover HTTP/2 and add additional tooling. If it does, we may want to create a conversion tool to make our HTTP/2 debug logs readable by these tools.
4. Structured fields [5]. As these start to get used more, we may need to adopt / write a parser for them.
5. TLS 1.3 0RTT. Not an issue for us. JSSE opted not to implement it.
6. New status codes. The Servlet spec may want to update the list.
7. New methods. Particularly PATCH [6]. Do we want to implement it? Does the spec want to add it to the list of standard methods?
8. Oblivious HTTP (hides client IP address from origin server) is interesting but Tomcat doesn't need to do anything.
9. Encrypted Client Hello [7]. If Tomcat needs to support this, we will need to do it 'manually' in the handshake parsing code that currently handles SNI.
10. HTTP testing. There is interest in some form of common testing tool.

The only thing we need to do anything about right now is the cookie value quoting issue. I plan to look at this after 10.1.2.

Mark

[1] https://github.com/HTTPWorkshop
[2] https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-11
[3] https://www.rfc-editor.org/rfc/rfc8336.html
[4] https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-http2-secondary-certs-06
[5] https://www.rfc-editor.org/rfc/rfc8941.html
[6] https://www.rfc-editor.org/rfc/rfc5789
[7] https://datatracker.ietf.org/doc/draft-ietf-tls-esni/
svn commit: r57922 - in /dev/tomcat/tomcat-10/v10.1.2: ./ bin/ bin/embed/ src/
Author: markt Date: Wed Nov 9 17:10:17 2022 New Revision: 57922 Log: Upload 10.1.2 for voting Added: dev/tomcat/tomcat-10/v10.1.2/ dev/tomcat/tomcat-10/v10.1.2/KEYS dev/tomcat/tomcat-10/v10.1.2/README.html dev/tomcat/tomcat-10/v10.1.2/RELEASE-NOTES dev/tomcat/tomcat-10/v10.1.2/bin/ dev/tomcat/tomcat-10/v10.1.2/bin/README.html dev/tomcat/tomcat-10/v10.1.2/bin/apache-tomcat-10.1.2-deployer.tar.gz (with props) dev/tomcat/tomcat-10/v10.1.2/bin/apache-tomcat-10.1.2-deployer.tar.gz.asc dev/tomcat/tomcat-10/v10.1.2/bin/apache-tomcat-10.1.2-deployer.tar.gz.sha512 dev/tomcat/tomcat-10/v10.1.2/bin/apache-tomcat-10.1.2-deployer.zip (with props) dev/tomcat/tomcat-10/v10.1.2/bin/apache-tomcat-10.1.2-deployer.zip.asc dev/tomcat/tomcat-10/v10.1.2/bin/apache-tomcat-10.1.2-deployer.zip.sha512 dev/tomcat/tomcat-10/v10.1.2/bin/apache-tomcat-10.1.2-fulldocs.tar.gz (with props) dev/tomcat/tomcat-10/v10.1.2/bin/apache-tomcat-10.1.2-fulldocs.tar.gz.asc dev/tomcat/tomcat-10/v10.1.2/bin/apache-tomcat-10.1.2-fulldocs.tar.gz.sha512 dev/tomcat/tomcat-10/v10.1.2/bin/apache-tomcat-10.1.2-windows-x64.zip (with props) dev/tomcat/tomcat-10/v10.1.2/bin/apache-tomcat-10.1.2-windows-x64.zip.asc dev/tomcat/tomcat-10/v10.1.2/bin/apache-tomcat-10.1.2-windows-x64.zip.sha512 dev/tomcat/tomcat-10/v10.1.2/bin/apache-tomcat-10.1.2-windows-x86.zip (with props) dev/tomcat/tomcat-10/v10.1.2/bin/apache-tomcat-10.1.2-windows-x86.zip.asc dev/tomcat/tomcat-10/v10.1.2/bin/apache-tomcat-10.1.2-windows-x86.zip.sha512 dev/tomcat/tomcat-10/v10.1.2/bin/apache-tomcat-10.1.2.exe (with props) dev/tomcat/tomcat-10/v10.1.2/bin/apache-tomcat-10.1.2.exe.asc dev/tomcat/tomcat-10/v10.1.2/bin/apache-tomcat-10.1.2.exe.sha512 dev/tomcat/tomcat-10/v10.1.2/bin/apache-tomcat-10.1.2.tar.gz (with props) dev/tomcat/tomcat-10/v10.1.2/bin/apache-tomcat-10.1.2.tar.gz.asc dev/tomcat/tomcat-10/v10.1.2/bin/apache-tomcat-10.1.2.tar.gz.sha512 dev/tomcat/tomcat-10/v10.1.2/bin/apache-tomcat-10.1.2.zip (with props) 
dev/tomcat/tomcat-10/v10.1.2/bin/apache-tomcat-10.1.2.zip.asc dev/tomcat/tomcat-10/v10.1.2/bin/apache-tomcat-10.1.2.zip.sha512 dev/tomcat/tomcat-10/v10.1.2/bin/embed/ dev/tomcat/tomcat-10/v10.1.2/bin/embed/apache-tomcat-10.1.2-embed.tar.gz (with props) dev/tomcat/tomcat-10/v10.1.2/bin/embed/apache-tomcat-10.1.2-embed.tar.gz.asc dev/tomcat/tomcat-10/v10.1.2/bin/embed/apache-tomcat-10.1.2-embed.tar.gz.sha512 dev/tomcat/tomcat-10/v10.1.2/bin/embed/apache-tomcat-10.1.2-embed.zip (with props) dev/tomcat/tomcat-10/v10.1.2/bin/embed/apache-tomcat-10.1.2-embed.zip.asc dev/tomcat/tomcat-10/v10.1.2/bin/embed/apache-tomcat-10.1.2-embed.zip.sha512 dev/tomcat/tomcat-10/v10.1.2/src/ dev/tomcat/tomcat-10/v10.1.2/src/apache-tomcat-10.1.2-src.tar.gz (with props) dev/tomcat/tomcat-10/v10.1.2/src/apache-tomcat-10.1.2-src.tar.gz.asc dev/tomcat/tomcat-10/v10.1.2/src/apache-tomcat-10.1.2-src.tar.gz.sha512 dev/tomcat/tomcat-10/v10.1.2/src/apache-tomcat-10.1.2-src.zip (with props) dev/tomcat/tomcat-10/v10.1.2/src/apache-tomcat-10.1.2-src.zip.asc dev/tomcat/tomcat-10/v10.1.2/src/apache-tomcat-10.1.2-src.zip.sha512 Added: dev/tomcat/tomcat-10/v10.1.2/KEYS == --- dev/tomcat/tomcat-10/v10.1.2/KEYS (added) +++ dev/tomcat/tomcat-10/v10.1.2/KEYS Wed Nov 9 17:10:17 2022 
@@ -0,0 +1,453 @@ +This file contains the PGP&GPG keys of various Apache developers. +Please don't use them for email unless you have to. Their main +purpose is code signing. + +Apache users: pgp < KEYS +Apache developers: +(pgpk -ll && pgpk -xa ) >> this file. + or +(gpg --fingerprint --list-sigs + && gpg --armor --export ) >> this file. + +Apache developers: please ensure that your key is also available via the +PGP keyservers (such as pgpkeys.mit.edu). + + +pub 4096R/2F6059E7 2009-09-18 + Key fingerprint = A9C5 DF4D 22E9 9998 D987 5A51 10C0 1C5A 2F60 59E7 +uid Mark E D Thomas +sub 4096R/5E763BEC 2009-09-18 + +-BEGIN PGP PUBLIC KEY BLOCK- +Comment: GPGTools - http://gpgtools.org + +mQINBEq0DukBEAD4jovHOPJDxoD+JnO1Go2kiwpgRULasGlrVKuSUdP6wzcaqWmX +pqtOJKKwW2MQFQLmg7nQ9RjJwy3QCbKNDJQA/bwbQT1F7WzTCz2S6vxC4zxKck4t +6RZBq2dJsYKF0CEh6ZfY4dmKvhq+3istSoFRdHYoOPGWZpuRDqfZPdGm/m335/6K +GH59oysn1NE7a2a+kZzjBSEgv23+l4Z1Rg7+fpz1JcdHSdC2Z+ZRxML25eVatRVz +4yvDOZItqDURP24zWOodxgboldV6Y88C3v/7KRR+1vklzkuA2FqF8Q4r/2f0su7M +UVviQcy29y/RlLSDTTYoVlCZ1ni14qFU7Hpw43KJtgXmcUwq31T1+SlXdYjNJ1aF +kUi8BjCHDcSgE/IReKUanjHzm4XSymKDTeqqzidi4k6PDD4jyHb8k8vxi6qT6Udn +lcfo5NBkkUT1TauhEy8ktHhbl9k60BvvMBP9l6cURiJg1WS77egI4P/82oPbzzFi +GFqXyJKULVgxtdQ3JikCpodp3f1fh6PlYZwkW4xCJLJucJ5MiQp07HAkMVW5w+k8 +Xvuk4i5quh3N+2kzKHOOiQCDmN0sz0XjOE+7XBvM1lvz3+UarLfgSVmW8aheLd7e +aIl5ItBk8844ZJ60LrQ+JiIqvqJemxyIM6epoZvY5a3ZshZpcLilC5hW8QARA
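Review bot: in the header added at the top of KEYS, the line "Apache users: pgp < KEYS" tells users to import every key in the file with no step for confirming which key actually signed the release. Suggest adding a line there that tells verifiers to compare the full fingerprint (for example "A9C5 DF4D 22E9 9998 D987 5A51 10C0 1C5A 2F60 59E7", shown under 4096R/2F6059E7) against an independent source, and not to rely on the 8-character short ID, since short IDs can collide.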
[tomcat] branch 10.1.x updated: Increment version for next dev cycle
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.1.x by this push: new cfb16d2055 Increment version for next dev cycle cfb16d2055 is described below commit cfb16d2055c1dd63e3622358279cf251a0972d0c Author: Mark Thomas AuthorDate: Wed Nov 9 17:16:29 2022 + Increment version for next dev cycle --- build.properties.default | 2 +- res/maven/mvn.properties.default | 2 +- webapps/docs/changelog.xml | 4 +++- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/build.properties.default b/build.properties.default index 6660ad5184..8556c59b07 100644 --- a/build.properties.default +++ b/build.properties.default @@ -31,7 +31,7 @@ # - Version Control Flags - version.major=10 version.minor=1 -version.build=2 +version.build=3 version.patch=0 version.suffix= version.dev=-dev diff --git a/res/maven/mvn.properties.default b/res/maven/mvn.properties.default index 6e72713f8a..38a8a57ce2 100644 --- a/res/maven/mvn.properties.default +++ b/res/maven/mvn.properties.default @@ -39,7 +39,7 @@ maven.asf.release.repo.url=https://repository.apache.org/service/local/staging/d maven.asf.release.repo.repositoryId=apache.releases.https # Release version info -maven.asf.release.deploy.version=10.1.2 +maven.asf.release.deploy.version=10.1.3 #Where do we load the libraries from tomcat.lib.path=../../output/build/lib diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 03622bdf90..41bb7e3547 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -104,7 +104,9 @@ They eventually become mixed with the numbered issues (i.e., numbered issues do not "pop up" wrt. others). --> - + + + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
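Review bot: the release number is bumped by hand in two places, "version.build=3" in build.properties.default and "maven.asf.release.deploy.version=10.1.3" in res/maven/mvn.properties.default, and nothing in the patch keeps them in step. Suggest deriving the Maven deploy version from version.major/minor/build, or adding a comment in each file that names the other, so a future bump cannot update only one of them.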
[VOTE] Release Apache Tomcat 10.1.2
The proposed Apache Tomcat 10.1.2 release is now available for voting.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE applications designed for Tomcat 9 and earlier may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically convert them to Jakarta EE and copy them to the webapps directory.

The notable changes compared to 10.1.1 are:

- Fix concurrency issue in evaluation of expression language containing lambda expressions.
- Update the packaged version of the Apache Tomcat Native Library to 2.0.2 to pick up the Windows binaries built with OpenSSL 3.0.7.
- Correct the date format used with the expires attribute of HTTP cookies. A single space rather than a single dash should be used to separate the day, month and year components to be compliant with RFC 6265.

For full details, see the change log:
https://nightlies.apache.org/tomcat/tomcat-10.1.x/docs/changelog.html

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-10/v10.1.2/

The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1405

The tag is:
https://github.com/apache/tomcat/tree/10.1.2
153506ba8aaabbafbf75b9084f5869e02f35facc

The proposed 10.1.2 release is:
[ ] Broken - do not release
[ ] Stable - go ahead and release as 10.1.2
[GitHub] [tomcat] Naturbelassen opened a new pull request, #565: updated link to download cvs
Naturbelassen opened a new pull request, #565:
URL: https://github.com/apache/tomcat/pull/565

The documentation suggests getting cvs by following this link: http://www.cvshome.org/
However, the linked page has nothing to do with cvs.

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[tomcat] tag 9.0.69 created (now cd5fd93c5d)
This is an automated email from the ASF dual-hosted git repository. remm pushed a change to tag 9.0.69 in repository https://gitbox.apache.org/repos/asf/tomcat.git at cd5fd93c5d (commit) This tag includes the following new commits: new cd5fd93c5d Tag 9.0.69 The 1 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.
[tomcat] 01/01: Tag 9.0.69
This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to tag 9.0.69 in repository https://gitbox.apache.org/repos/asf/tomcat.git commit cd5fd93c5df3699868ec39731f5a347450112299 Author: remm AuthorDate: Wed Nov 9 19:50:15 2022 +0100 Tag 9.0.69 --- build.properties.release | 52 +++ res/install-win/Uninstall.exe.sig| Bin 0 -> 10247 bytes res/install-win/tomcat-installer.exe.sig | Bin 0 -> 10247 bytes res/maven/mvn.properties.release | 27 webapps/docs/changelog.xml | 2 +- 5 files changed, 80 insertions(+), 1 deletion(-) diff --git a/build.properties.release b/build.properties.release new file mode 100644 index 00..8f85d3abb1 --- /dev/null +++ b/build.properties.release 
@@ -0,0 +1,52 @@ +# - +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# - + +# This file was auto-generated by the pre-release Ant target. + +# Any unwanted settings may be over-ridden in a build.properties file located +# in the same directory as this file. + +# Set the version-dev to "" (empty string) as this is not a development release. +version.dev= + +# Ensure consistent timestamps for reproducible builds. +ant.tstamp.now.iso=2022-11-09T18:43:47Z + +# Enable insertion of detached signatures into the Windows installer. +do.codesigning=true + +# Re-use the same GPG executable. +gpg.exec=/usr/bin/gpg + +# Reproducible builds require the use of the build tools defined below. The +# vendors (where appropriate) and versions must match exactly for a reproducible +# build since this data is embedded in various files, particularly JAR file +# manifests, as part of the build process. +# +# Apache Ant: Apache Ant(TM) version 1.10.12 compiled on June 6 2022 +# +# Java Name: OpenJDK 64-Bit Server VM +# Java Vendor: Eclipse Adoptium +# Java Version:11.0.17+8 + +# The following is provided for information only. Builds will be repeatable +# whether or not the build environment in consistent with this information. 
+# +# OS: amd64 Linux 6.0.5-200.fc36.x86_64 +# File encoding: UTF-8 +# +# Release Manager: remm diff --git a/res/install-win/Uninstall.exe.sig b/res/install-win/Uninstall.exe.sig new file mode 100644 index 00..87e9e3a3fa Binary files /dev/null and b/res/install-win/Uninstall.exe.sig differ diff --git a/res/install-win/tomcat-installer.exe.sig b/res/install-win/tomcat-installer.exe.sig new file mode 100644 index 00..2173f2a582 Binary files /dev/null and b/res/install-win/tomcat-installer.exe.sig differ diff --git a/res/maven/mvn.properties.release b/res/maven/mvn.properties.release new file mode 100644 index 00..3e40c50b76 --- /dev/null +++ b/res/maven/mvn.properties.release @@ -0,0 +1,27 @@ +# - +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# - + +# This file was auto-generated by the pre-release Ant target. + +# Remove "-dev" from the version since this is not a development release. +maven.asf.release.deploy.version=9.0.69 + +# Re-use the same GPG executable. +gpg.exec=/usr/bin/gpg + +# Set the user name to use to upload the artefacts to Nexus. +asf.ldap.username=remm
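Review bot: typo in the comment near the end of build.properties.release: "whether or not the build environment in consistent with this information" should read "is consistent". Since the header says the file is auto-generated by the pre-release Ant target, fix the wording in whatever that target writes so the typo does not come back in the next tag.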
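Review bot: mvn.properties.release commits two values specific to the release manager's machine and account, "gpg.exec=/usr/bin/gpg" and "asf.ldap.username=remm", but unlike build.properties.release it carries no comment saying how to override them. Suggest adding the same kind of "may be over-ridden" note here so that someone rebuilding from the tag knows these are not required values.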
svn commit: r57925 - in /dev/tomcat/tomcat-9/v9.0.69: ./ bin/ bin/embed/ src/
Author: remm Date: Wed Nov 9 18:53:58 2022 New Revision: 57925 Log: Upload 9.0.69 for voting Added: dev/tomcat/tomcat-9/v9.0.69/ dev/tomcat/tomcat-9/v9.0.69/KEYS dev/tomcat/tomcat-9/v9.0.69/README.html dev/tomcat/tomcat-9/v9.0.69/RELEASE-NOTES dev/tomcat/tomcat-9/v9.0.69/bin/ dev/tomcat/tomcat-9/v9.0.69/bin/README.html dev/tomcat/tomcat-9/v9.0.69/bin/apache-tomcat-9.0.69-deployer.tar.gz (with props) dev/tomcat/tomcat-9/v9.0.69/bin/apache-tomcat-9.0.69-deployer.tar.gz.asc (with props) dev/tomcat/tomcat-9/v9.0.69/bin/apache-tomcat-9.0.69-deployer.tar.gz.sha512 dev/tomcat/tomcat-9/v9.0.69/bin/apache-tomcat-9.0.69-deployer.zip (with props) dev/tomcat/tomcat-9/v9.0.69/bin/apache-tomcat-9.0.69-deployer.zip.asc (with props) dev/tomcat/tomcat-9/v9.0.69/bin/apache-tomcat-9.0.69-deployer.zip.sha512 dev/tomcat/tomcat-9/v9.0.69/bin/apache-tomcat-9.0.69-fulldocs.tar.gz (with props) dev/tomcat/tomcat-9/v9.0.69/bin/apache-tomcat-9.0.69-fulldocs.tar.gz.asc (with props) dev/tomcat/tomcat-9/v9.0.69/bin/apache-tomcat-9.0.69-fulldocs.tar.gz.sha512 dev/tomcat/tomcat-9/v9.0.69/bin/apache-tomcat-9.0.69-windows-x64.zip (with props) dev/tomcat/tomcat-9/v9.0.69/bin/apache-tomcat-9.0.69-windows-x64.zip.asc (with props) dev/tomcat/tomcat-9/v9.0.69/bin/apache-tomcat-9.0.69-windows-x64.zip.sha512 dev/tomcat/tomcat-9/v9.0.69/bin/apache-tomcat-9.0.69-windows-x86.zip (with props) dev/tomcat/tomcat-9/v9.0.69/bin/apache-tomcat-9.0.69-windows-x86.zip.asc (with props) dev/tomcat/tomcat-9/v9.0.69/bin/apache-tomcat-9.0.69-windows-x86.zip.sha512 dev/tomcat/tomcat-9/v9.0.69/bin/apache-tomcat-9.0.69.exe (with props) dev/tomcat/tomcat-9/v9.0.69/bin/apache-tomcat-9.0.69.exe.asc (with props) dev/tomcat/tomcat-9/v9.0.69/bin/apache-tomcat-9.0.69.exe.sha512 dev/tomcat/tomcat-9/v9.0.69/bin/apache-tomcat-9.0.69.tar.gz (with props) dev/tomcat/tomcat-9/v9.0.69/bin/apache-tomcat-9.0.69.tar.gz.asc (with props) dev/tomcat/tomcat-9/v9.0.69/bin/apache-tomcat-9.0.69.tar.gz.sha512 
dev/tomcat/tomcat-9/v9.0.69/bin/apache-tomcat-9.0.69.zip (with props) dev/tomcat/tomcat-9/v9.0.69/bin/apache-tomcat-9.0.69.zip.asc (with props) dev/tomcat/tomcat-9/v9.0.69/bin/apache-tomcat-9.0.69.zip.sha512 dev/tomcat/tomcat-9/v9.0.69/bin/embed/ dev/tomcat/tomcat-9/v9.0.69/bin/embed/apache-tomcat-9.0.69-embed.tar.gz (with props) dev/tomcat/tomcat-9/v9.0.69/bin/embed/apache-tomcat-9.0.69-embed.tar.gz.asc (with props) dev/tomcat/tomcat-9/v9.0.69/bin/embed/apache-tomcat-9.0.69-embed.tar.gz.sha512 dev/tomcat/tomcat-9/v9.0.69/bin/embed/apache-tomcat-9.0.69-embed.zip (with props) dev/tomcat/tomcat-9/v9.0.69/bin/embed/apache-tomcat-9.0.69-embed.zip.asc (with props) dev/tomcat/tomcat-9/v9.0.69/bin/embed/apache-tomcat-9.0.69-embed.zip.sha512 dev/tomcat/tomcat-9/v9.0.69/src/ dev/tomcat/tomcat-9/v9.0.69/src/apache-tomcat-9.0.69-src.tar.gz (with props) dev/tomcat/tomcat-9/v9.0.69/src/apache-tomcat-9.0.69-src.tar.gz.asc (with props) dev/tomcat/tomcat-9/v9.0.69/src/apache-tomcat-9.0.69-src.tar.gz.sha512 dev/tomcat/tomcat-9/v9.0.69/src/apache-tomcat-9.0.69-src.zip (with props) dev/tomcat/tomcat-9/v9.0.69/src/apache-tomcat-9.0.69-src.zip.asc (with props) dev/tomcat/tomcat-9/v9.0.69/src/apache-tomcat-9.0.69-src.zip.sha512 Added: dev/tomcat/tomcat-9/v9.0.69/KEYS == --- dev/tomcat/tomcat-9/v9.0.69/KEYS (added) +++ dev/tomcat/tomcat-9/v9.0.69/KEYS Wed Nov 9 18:53:58 2022 
@@ -0,0 +1,237 @@ +This file contains the PGP&GPG keys of various Apache developers. +Please don't use them for email unless you have to. Their main +purpose is code signing. + +Apache users: pgp < KEYS +Apache developers: +(pgpk -ll && pgpk -xa ) >> this file. + or +(gpg --fingerprint --list-sigs + && gpg --armor --export ) >> this file. + +Apache developers: please ensure that your key is also available via the +PGP keyservers (such as pgpkeys.mit.edu). + + +pub 1024D/33C60243 2004-09-12 + Key fingerprint = DCFD 35E0 BF8C A734 4752 DE8B 6FB2 1E89 33C6 0243 +uid Mark E D Thomas +uid Mark E D Thomas +uid Mark E D Thomas +sub 2048g/0BECE548 2004-09-12 + +pub 4096R/2F6059E7 2009-09-18 + Key fingerprint = A9C5 DF4D 22E9 9998 D987 5A51 10C0 1C5A 2F60 59E7 +uid Mark E D Thomas +sub 4096R/5E763BEC 2009-09-18 + +-BEGIN PGP PUBLIC KEY BLOCK- +Version: GnuPG v1.4.9 (MingW32) + +mQGiBEFEjegRBADocGttfROvtLGrTOW3xRqZHmFWybmEaI6jmnRdN/1gGXmb3wQL +rHsS3fLFIIOYLPph0Kov9q4qNq36LekShIvjMBDFoj2/wRxaUtFq81asaRZg8Mcw +4kVeIoe8OIOuWmvYhU8SH2jJNUnVVrpTPAa6QWquTmseNi6UJMjLxuL7DwCg//9u +k2yj0vk6e4WSO6Fe5+EkQDED/AjQsy0kj9TpNHkKSSUR2evRlWPYA0YtxBSbsgON +tT0cYipAp5IcYt6Zq5QzHiZreyQXLAjItDS2oGCIXfNbTYJ3kxxJTCU/3wlefV
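Review bot: the first key listed in this added KEYS file, "pub 1024D/33C60243 2004-09-12", is a 1024-bit DSA key, which is weaker than the 4096R/2F6059E7 key listed right after it for the same uid. If none of the v9.0.69 artifacts is signed with it, suggest dropping it from the file, or adding a comment that it is kept only to verify older releases.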
[tomcat] branch 9.0.x updated: Increment version for next dev cycle
This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new bba4c45fe1 Increment version for next dev cycle bba4c45fe1 is described below commit bba4c45fe132862571f48d821f05154f7b34edf3 Author: remm AuthorDate: Wed Nov 9 19:56:38 2022 +0100 Increment version for next dev cycle --- build.properties.default | 2 +- res/maven/mvn.properties.default | 2 +- webapps/docs/changelog.xml | 4 +++- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/build.properties.default b/build.properties.default index b4f12cfa43..711447f433 100644 --- a/build.properties.default +++ b/build.properties.default @@ -31,7 +31,7 @@ # - Version Control Flags - version.major=9 version.minor=0 -version.build=69 +version.build=70 version.patch=0 version.suffix= version.dev=-dev diff --git a/res/maven/mvn.properties.default b/res/maven/mvn.properties.default index 19ce280d14..4c57a3d378 100644 --- a/res/maven/mvn.properties.default +++ b/res/maven/mvn.properties.default @@ -39,7 +39,7 @@ maven.asf.release.repo.url=https://repository.apache.org/service/local/staging/d maven.asf.release.repo.repositoryId=apache.releases.https # Release version info -maven.asf.release.deploy.version=9.0.69 +maven.asf.release.deploy.version=9.0.70 #Where do we load the libraries from tomcat.lib.path=../../output/build/lib diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index b121346358..14acc29493 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -104,7 +104,9 @@ They eventually become mixed with the numbered issues (i.e., numbered issues do not "pop up" wrt. others). --> - + + + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[VOTE] Release Apache Tomcat 9.0.69
The proposed Apache Tomcat 9.0.69 release is now available for voting.

The notable changes compared to 9.0.68 are:

- Fix concurrency issue in evaluation of expression language containing lambda expressions.
- Update the packaged version of the Apache Tomcat Native Library to 2.0.2 to pick up the Windows binaries built with OpenSSL 3.0.7.
- Correct the date format used with the expires attribute of HTTP cookies. A single space rather than a single dash should be used to separate the day, month and year components to be compliant with RFC 6265.

Along with lots of other bug fixes and improvements.

For full details, see the changelog:
https://nightlies.apache.org/tomcat/tomcat-9.0.x/docs/changelog.html

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-9/v9.0.69/

The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1406

The tag is:
https://github.com/apache/tomcat/tree/9.0.69
cd5fd93c5df3699868ec39731f5a347450112299

The proposed 9.0.69 release is:
[ ] Broken - do not release
[ ] Stable - go ahead and release as 9.0.69

Rémy
[GitHub] [tomcat] aooohan commented on pull request #565: updated link to download cvs
aooohan commented on PR #565:
URL: https://github.com/apache/tomcat/pull/565#issuecomment-1309666942

Thanks for bringing it to my attention. But CVS is too old and outdated and I think it's time to use Git instead. So I will try to change some docs related to this.
[GitHub] [tomcat-training] dependabot[bot] opened a new pull request, #9: Bump socket.io-parser from 2.3.1 to 3.3.3
dependabot[bot] opened a new pull request, #9:
URL: https://github.com/apache/tomcat-training/pull/9

Bumps [socket.io-parser](https://github.com/socketio/socket.io-parser) from 2.3.1 to 3.3.3.

Release notes
Sourced from [socket.io-parser's releases](https://github.com/socketio/socket.io-parser/releases).

3.3.2
Bug Fixes
- prevent DoS (OOM) via massive packets ([#95](https://github-redirect.dependabot.com/Automattic/socket.io-parser/issues/95)) ([89197a0](https://github.com/Automattic/socket.io-parser/commit/89197a05c43b18cc4569fd178d56e7bb8f403865))
Links
- Diff: https://github.com/Automattic/socket.io-parser/compare/3.3.1...3.3.2

3.3.1
Links
- Diff: https://github.com/socketio/socket.io-parser/compare/3.3.0...3.3.1

3.3.0
Bug Fixes
- remove any reference to the global variable ([b47efb2](https://github.com/socketio/socket.io-parser/commit/b47efb2))
Links
- Milestone: -
- Diff: [3.2.0...3.3.0](https://github.com/socketio/socket.io-parser/compare/3.2.0...3.3.0)

3.2.0
Bug fixes
- properly detect typed arrays ([#85](https://github-redirect.dependabot.com/socketio/socket.io-parser/issues/85))
- properly handle JSON.stringify errors ([#84](https://github-redirect.dependabot.com/socketio/socket.io-parser/issues/84))
Note
Binary detection was removed from the package (revert of [socketio/socket.io-parser#66](https://github-redirect.dependabot.com/socketio/socket.io-parser/pull/66)), so that we can disable the binary check earlier in the chain.
Links
- Milestone: [3.2.0](https://github.com/socketio/socket.io-parser/milestone/8)
- Diff: [3.1.3...3.2.0](https://github.com/socketio/socket.io-parser/compare/3.1.3...3.2.0)

3.1.3
Bug fixes
- use ArrayBuffer.isView to check for typed arrays ([#82](https://github-redirect.dependabot.com/socketio/socket.io-parser/issues/82))
- ensure packet data is an array ([#83](https://github-redirect.dependabot.com/socketio/socket.io-parser/issues/83))
Links
- Milestone: [3.1.3](https://github.com/socketio/socket.io-parser/milestones/9)
- Diff: [3.1.2...3.1.3](https://github.com/socketio/socket.io-parser/compare/3.1.2...3.1.3)

... (truncated)

Changelog
Sourced from [socket.io-parser's changelog](https://github.com/socketio/socket.io-parser/blob/main/CHANGELOG.md).

[3.3.3](https://github.com/Automattic/socket.io-parser/compare/3.3.2...3.3.3) (2022-11-09)
Bug Fixes
- check the format of the index of each attachment ([fb21e42](https://github.com/Automattic/socket.io-parser/commit/fb21e422fc193b34347395a33e0f625bebc09983))

[3.4.2](https://github.com/socketio/socket.io-parser/compare/3.4.1...3.4.2) (2022-11-09)
Bug Fixes
- check the format of the index of each attachment ([04d23ce](https://github.com/socketio/socket.io-parser/commit/04d23cecafe1b859fb03e0cbf6ba3b74dff56d14))

[4.2.1](https://github.com/socketio/socket.io-parser/compare/4.2.0...4.2.1) (2022-06-27)
Bug Fixes
- check the format of the index of each attachment ([b5d0cb7](https://github.com/socketio/socket.io-parser/commit/b5d0cb7dc56a0601a09b056beaeeb0e43b160050))

[4.0.5](https://github.com/socketio/socket.io-parser/compare/4.0.4...4.0.5) (2022-06-27)
Bug Fixes
- check the format of the index of each attachment ([b559f05](https://github.com/socketio/socket.io-parser/commit/b559f050ee02bd90bd853b9823f8de7fa94a80d4))

[4.2.0](https://github.com/socketio/socket.io-parser/compare/4.1.2...4.2.0) (2022-04-17)
Features
- allow the usage of custom replacer and reviver ([#112](https://github-redirect.dependabot.com/socketio/socket.io-parser/issues/112)) ([b08bc1a](https://github.com/socketio/socket.io-parser/commit/b08bc1a93e8e3194b776c8a0bdedee1e29333680))

[4.1.2](https://github.com/socketio/socket.io-parser/compare/4.1.1...4.1.2) (2022-02-17)
Bug Fixes

... (truncated)

Commits
- [cd11e38](https://github.com/socketio/socket.io-parser/commit/cd11e38e1a3e2146617bc586f86512605607b212) chore(release): 3.3.3
- [fb21e42](https://github.com/socketio/socket.io-parser/commit/fb21e422fc193b34347395a33e0f625bebc09983) fix: check the format of the index of each attachment
- [3b0a392](https://github.com/socketio/socket.io-parser/commit/3b0a3925fd9f765228e5d06e4a0cc90d81a60d0e) chore(release): 3.3.2
- [89197a0](https://github.com/socketio/socket.io-parser/commit/89197a05c43b18cc4569fd178d56e7bb8f403865) fix: prevent DoS (OOM) via massive packets ([#95](https://github-redirect.dependabot.com/socketio/socket.io-parser/issues/95))
- [25ca624](https://github.com/socketio/socket.io-parser/commit/25ca624b0d9eddc54a0dbaecc535cdf400722169) chore(release): 3.3.1
- https://github.com/socketio/socket.io-parser/commit/b51b39b78d85841a5659778917f240
[tomcat-training] branch dependabot/npm_and_yarn/socket.io-parser-3.3.3 created (now e1fa056)
This is an automated email from the ASF dual-hosted git repository. github-bot pushed a change to branch dependabot/npm_and_yarn/socket.io-parser-3.3.3 in repository https://gitbox.apache.org/repos/asf/tomcat-training.git at e1fa056 Bump socket.io-parser from 2.3.1 to 3.3.3 No new revisions were added by this update.
[GitHub] [tomcat-training] dependabot[bot] commented on pull request #8: Bump socket.io-parser from 2.3.1 to 3.3.2
dependabot[bot] commented on PR #8: URL: https://github.com/apache/tomcat-training/pull/8#issuecomment-1309683026 Superseded by #9.
[GitHub] [tomcat-training] dependabot[bot] closed pull request #8: Bump socket.io-parser from 2.3.1 to 3.3.2
dependabot[bot] closed pull request #8: Bump socket.io-parser from 2.3.1 to 3.3.2 URL: https://github.com/apache/tomcat-training/pull/8
Re: [VOTE] Release Apache Tomcat 10.1.2
> On Nov 10, 2022, at 01:32, Mark Thomas wrote:
>
> The proposed Apache Tomcat 10.1.2 release is now available for
> voting.
>
> Applications that run on Tomcat 9 and earlier will not run on Tomcat 10
> without changes. Java EE applications designed for Tomcat 9 and earlier may
> be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will
> automatically convert them to Jakarta EE and copy them to the webapps
> directory.
>
> The notable changes compared to 10.1.1 are:
>
> - Fix concurrency issue in evaluation of expression language containing
> lambda expressions.
>
> - Update the packaged version of the Apache Tomcat Native Library to
> 2.0.2 to pick up the Windows binaries built with OpenSSL 3.0.7.
>
> - Correct the date format used with the expires attribute of HTTP
> cookies. A single space rather than a single dash should be used to
> separate the day, month and year components to be compliant with RFC
> 6265.
>
> For full details, see the change log:
> https://nightlies.apache.org/tomcat/tomcat-10.1.x/docs/changelog.html
>
> It can be obtained from:
> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-10/v10.1.2/
>
> The Maven staging repo is:
> https://repository.apache.org/content/repositories/orgapachetomcat-1405
>
> The tag is:
> https://github.com/apache/tomcat/tree/10.1.2
> 153506ba8aaabbafbf75b9084f5869e02f35facc
>
> The proposed 10.1.2 release is:
> [ ] Broken - do not release
> [ X] Stable - go ahead and release as 10.1.2

Tests pass with OpenSSL 3.0.7 and tc-native 2.0.2 on macOS 12.3.1.

Han