Re: [PR] Csrf filter improvements [tomcat]
michael-o commented on code in PR #681: URL: https://github.com/apache/tomcat/pull/681#discussion_r1432402971 ## java/org/apache/catalina/filters/CsrfPreventionFilter.java: ## @@ -53,6 +58,25 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase { private String nonceRequestParameterName = Constants.CSRF_NONCE_REQUEST_PARAM; +private boolean enforce = true; + +private Collection> noNoncePatterns = DEFAULT_NO_NONCE_URL_PATTERNS; + +private static final Collection> DEFAULT_NO_NONCE_URL_PATTERNS; + +static { +ArrayList> defaultNoNonceURLPatterns = new ArrayList<>(); + +defaultNoNonceURLPatterns.add(new SuffixPredicate(".css")); +defaultNoNonceURLPatterns.add(new SuffixPredicate(".js")); +defaultNoNonceURLPatterns.add(new SuffixPredicate(".gif")); +defaultNoNonceURLPatterns.add(new SuffixPredicate(".png")); +defaultNoNonceURLPatterns.add(new SuffixPredicate(".jpg")); +defaultNoNonceURLPatterns.add(new SuffixPredicate(".svg")); + +DEFAULT_NO_NONCE_URL_PATTERNS = Collections.unmodifiableList(defaultNoNonceURLPatterns); Review Comment: Is it possible that an image is created on the fly containing some kind of secret (e.g., QR code, OTP) which should be protected? -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
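Review bot: in the static initializer `.jpg` is listed but `.jpeg` is not, so two spellings of the same image type get different defaults; add `.jpeg` or state in the documentation that the list is deliberately minimal. The new `enforce` and `noNoncePatterns` fields also carry no comment in this hunk: a line on each saying what `enforce = false` changes and what a match against `noNoncePatterns` causes the filter to skip would let a reader judge the defaults without reading the rest of the class.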
(tomcat) branch main updated: Update Graal install and options
This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new 513c62ed82 Update Graal install and options 513c62ed82 is described below commit 513c62ed8289e0778e46eb2999419be0862f9fa5 Author: remm AuthorDate: Wed Dec 20 11:17:41 2023 +0100 Update Graal install and options Testing with 21. No fundamental breaking changes, only some warnings. --- webapps/docs/graal.xml | 19 --- 1 file changed, 4 insertions(+), 15 deletions(-) diff --git a/webapps/docs/graal.xml b/webapps/docs/graal.xml index ca98a5db42..3701078150 100644 --- a/webapps/docs/graal.xml +++ b/webapps/docs/graal.xml @@ -58,17 +58,6 @@ Download and install GraalVM or Mandrel. - - If using GraalVM, the first step is then to add the Native Image tool. - export JAVA_HOME=/absolute...path...to/graalvm-ce-javaX-x.y.z -cd $JAVA_HOME/bin -./gu install native-image - Mandrel already includes the Native Image tool ready to use, so this - step can be skipped. Only JAVA_HOME must be set to the folder - which contains the bin folder with the JVM binaries, such as: - export JAVA_HOME=/absolute...path...to/mandrel-javaXX-platform-x.x.x.x/mandrelJDK - - Download the Tomcat Stuffed module from https://github.com/apache/tomcat/tree/main/modules/stuffed. 
@@ -169,11 +158,11 @@ ant -Dwebapp.name=$WEBAPPNAME -f webapp-jspc.ant.xml If everything has been done properly, the native image can now be built using the native-image tool. -$JAVA_HOME/bin/native-image --no-server\ ---allow-incomplete-classpath --enable-https\ +$JAVA_HOME/bin/native-image --report-unsupported-elements-at-runtime\ +--enable-http --enable-https --enable-url-protocols=http,https,jar,jrt\ --initialize-at-build-time=org.eclipse.jdt,org.apache.el.parser.SimpleNode,jakarta.servlet.jsp.JspFactory,org.apache.jasper.servlet.JasperInitializer,org.apache.jasper.runtime.JspFactoryImpl\ --H:+JNI -H:+ReportUnsupportedElementsAtRuntime\ --H:+ReportExceptionStackTraces -H:EnableURLProtocols=http,https,jar,jrt\ +-H:+UnlockExperimentalVMOptions\ +-H:+JNI -H:+ReportExceptionStackTraces\ -H:ConfigurationFileDirectories=$TOMCAT_STUFFED/target/\ -H:ReflectionConfigurationFiles=$TOMCAT_STUFFED/tomcat-reflection.json\ -H:ResourceConfigurationFiles=$TOMCAT_STUFFED/tomcat-resource.json\
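Review bot: the first hunk removes both `export JAVA_HOME=...` examples, but the build command in the second hunk still starts with `$JAVA_HOME/bin/native-image`, so a reader following the new text is never told to set the variable. Keep one sentence saying JAVA_HOME must point at the GraalVM or Mandrel install, or drop the `$JAVA_HOME/bin/` prefix from the command. The second hunk also adds `-H:+UnlockExperimentalVMOptions` with no explanation; a short note on which of the remaining `-H:` options require it would make the next update of this command easier.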
(tomcat) branch 10.1.x updated: Update Graal install and options
This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.1.x by this push: new 4b5f519268 Update Graal install and options 4b5f519268 is described below commit 4b5f519268a04924de7584313bb0e54c40291413 Author: remm AuthorDate: Wed Dec 20 11:17:41 2023 +0100 Update Graal install and options Testing with 21. No fundamental breaking changes, only some warnings. --- webapps/docs/graal.xml | 19 --- 1 file changed, 4 insertions(+), 15 deletions(-) diff --git a/webapps/docs/graal.xml b/webapps/docs/graal.xml index ebd31bf892..9c05759a84 100644 --- a/webapps/docs/graal.xml +++ b/webapps/docs/graal.xml @@ -58,17 +58,6 @@ Download and install GraalVM or Mandrel. - - If using GraalVM, the first step is then to add the Native Image tool. - export JAVA_HOME=/absolute...path...to/graalvm-ce-javaX-x.y.z -cd $JAVA_HOME/bin -./gu install native-image - Mandrel already includes the Native Image tool ready to use, so this - step can be skipped. Only JAVA_HOME must be set to the folder - which contains the bin folder with the JVM binaries, such as: - export JAVA_HOME=/absolute...path...to/mandrel-javaXX-platform-x.x.x.x/mandrelJDK - - Download the Tomcat Stuffed module from https://github.com/apache/tomcat/tree/10.1.x/modules/stuffed. 
@@ -169,11 +158,11 @@ ant -Dwebapp.name=$WEBAPPNAME -f webapp-jspc.ant.xml If everything has been done properly, the native image can now be built using the native-image tool. -$JAVA_HOME/bin/native-image --no-server\ ---allow-incomplete-classpath --enable-https\ +$JAVA_HOME/bin/native-image --report-unsupported-elements-at-runtime\ +--enable-http --enable-https --enable-url-protocols=http,https,jar,jrt\ --initialize-at-build-time=org.eclipse.jdt,org.apache.el.parser.SimpleNode,jakarta.servlet.jsp.JspFactory,org.apache.jasper.servlet.JasperInitializer,org.apache.jasper.runtime.JspFactoryImpl\ --H:+JNI -H:+ReportUnsupportedElementsAtRuntime\ --H:+ReportExceptionStackTraces -H:EnableURLProtocols=http,https,jar,jrt\ +-H:+UnlockExperimentalVMOptions\ +-H:+JNI -H:+ReportExceptionStackTraces\ -H:ConfigurationFileDirectories=$TOMCAT_STUFFED/target/\ -H:ReflectionConfigurationFiles=$TOMCAT_STUFFED/tomcat-reflection.json\ -H:ResourceConfigurationFiles=$TOMCAT_STUFFED/tomcat-resource.json\
(tomcat) branch 9.0.x updated: Update Graal install and options
This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new 92adcbcfb5 Update Graal install and options 92adcbcfb5 is described below commit 92adcbcfb5d6ee3d7fedf97f26606e139b3e2db5 Author: remm AuthorDate: Wed Dec 20 11:17:41 2023 +0100 Update Graal install and options Testing with 21. No fundamental breaking changes, only some warnings. --- webapps/docs/graal.xml | 19 --- 1 file changed, 4 insertions(+), 15 deletions(-) diff --git a/webapps/docs/graal.xml b/webapps/docs/graal.xml index 4f660d30ef..e2a631a513 100644 --- a/webapps/docs/graal.xml +++ b/webapps/docs/graal.xml @@ -58,17 +58,6 @@ Download and install GraalVM or Mandrel. - - If using GraalVM, the first step is then to add the Native Image tool. - export JAVA_HOME=/absolute...path...to/graalvm-ce-javaX-x.y.z -cd $JAVA_HOME/bin -./gu install native-image - Mandrel already includes the Native Image tool ready to use, so this - step can be skipped. Only JAVA_HOME must be set to the folder - which contains the bin folder with the JVM binaries, such as: - export JAVA_HOME=/absolute...path...to/mandrel-javaXX-platform-x.x.x.x/mandrelJDK - - Download the Tomcat Stuffed module from https://github.com/apache/tomcat/tree/10.1.x/modules/stuffed. 
@@ -169,11 +158,11 @@ ant -Dwebapp.name=$WEBAPPNAME -f webapp-jspc.ant.xml If everything has been done properly, the native image can now be built using the native-image tool. -$JAVA_HOME/bin/native-image --no-server\ ---allow-incomplete-classpath --enable-https\ +$JAVA_HOME/bin/native-image --report-unsupported-elements-at-runtime\ +--enable-http --enable-https --enable-url-protocols=http,https,jar,jrt\ --initialize-at-build-time=org.eclipse.jdt,org.apache.el.parser.SimpleNode,javax.servlet.jsp.JspFactory,org.apache.jasper.servlet.JasperInitializer,org.apache.jasper.runtime.JspFactoryImpl\ --H:+JNI -H:+ReportUnsupportedElementsAtRuntime\ --H:+ReportExceptionStackTraces -H:EnableURLProtocols=http,https,jar,jrt\ +-H:+UnlockExperimentalVMOptions\ +-H:+JNI -H:+ReportExceptionStackTraces\ -H:ConfigurationFileDirectories=$TOMCAT_STUFFED/target/\ -H:ReflectionConfigurationFiles=$TOMCAT_STUFFED/tomcat-reflection.json\ -H:ResourceConfigurationFiles=$TOMCAT_STUFFED/tomcat-resource.json\
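Review bot: in the first hunk of this 9.0.x commit, the unchanged context line after the removed block links to https://github.com/apache/tomcat/tree/10.1.x/modules/stuffed, while the main and 10.1.x versions of the same line each link to their own branch. Since the paragraph is being edited anyway, point the link at the 9.0.x tree if the module exists there, so readers of the 9.0.x documentation do not pick up the 10.1.x module.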
Buildbot success in on tomcat-9.0.x
Build status: Build succeeded!
Worker used: bb_worker2_ubuntu
URL: https://ci2.apache.org/#builders/37/builds/794
Blamelist: remm
Build Text: build successful
Status Detected: restored build
Build Source Stamp: [branch 9.0.x] 92adcbcfb5d6ee3d7fedf97f26606e139b3e2db5
Steps: worker_preparation: 0 git: 0 shell: 0 shell_1: 0 shell_2: 0 shell_3: 0 shell_4: 0 shell_5: 0 compile: 1 shell_6: 0 shell_7: 0 shell_8: 0 shell_9: 0 Rsync docs to nightlies.apache.org: 0 shell_10: 0 Rsync RAT to nightlies.apache.org: 0 compile_1: 1 shell_11: 0 Rsync Logs to nightlies.apache.org: 0
-- ASF Buildbot
Re: [PR] Csrf filter improvements [tomcat]
ChristopherSchultz commented on code in PR #681: URL: https://github.com/apache/tomcat/pull/681#discussion_r1432853641 ## java/org/apache/catalina/filters/CsrfPreventionFilter.java: ## @@ -53,6 +58,25 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase { private String nonceRequestParameterName = Constants.CSRF_NONCE_REQUEST_PARAM; +private boolean enforce = true; + +private Collection> noNoncePatterns = DEFAULT_NO_NONCE_URL_PATTERNS; + +private static final Collection> DEFAULT_NO_NONCE_URL_PATTERNS; + +static { +ArrayList> defaultNoNonceURLPatterns = new ArrayList<>(); + +defaultNoNonceURLPatterns.add(new SuffixPredicate(".css")); +defaultNoNonceURLPatterns.add(new SuffixPredicate(".js")); +defaultNoNonceURLPatterns.add(new SuffixPredicate(".gif")); +defaultNoNonceURLPatterns.add(new SuffixPredicate(".png")); +defaultNoNonceURLPatterns.add(new SuffixPredicate(".jpg")); +defaultNoNonceURLPatterns.add(new SuffixPredicate(".svg")); + +DEFAULT_NO_NONCE_URL_PATTERNS = Collections.unmodifiableList(defaultNoNonceURLPatterns); Review Comment: @markt-asf Sure, this could work. I could use a new type of matcher such as `mime:[whatever]` and then use the match based upon MIME type instead of filename. Then you can mix-and-match.
Re: [PR] Csrf filter improvements [tomcat]
ChristopherSchultz commented on code in PR #681: URL: https://github.com/apache/tomcat/pull/681#discussion_r1432856054 ## java/org/apache/catalina/filters/CsrfPreventionFilter.java: ## @@ -53,6 +58,25 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase { private String nonceRequestParameterName = Constants.CSRF_NONCE_REQUEST_PARAM; +private boolean enforce = true; + +private Collection> noNoncePatterns = DEFAULT_NO_NONCE_URL_PATTERNS; + +private static final Collection> DEFAULT_NO_NONCE_URL_PATTERNS; + +static { +ArrayList> defaultNoNonceURLPatterns = new ArrayList<>(); + +defaultNoNonceURLPatterns.add(new SuffixPredicate(".css")); +defaultNoNonceURLPatterns.add(new SuffixPredicate(".js")); +defaultNoNonceURLPatterns.add(new SuffixPredicate(".gif")); +defaultNoNonceURLPatterns.add(new SuffixPredicate(".png")); +defaultNoNonceURLPatterns.add(new SuffixPredicate(".jpg")); +defaultNoNonceURLPatterns.add(new SuffixPredicate(".svg")); + +DEFAULT_NO_NONCE_URL_PATTERNS = Collections.unmodifiableList(defaultNoNonceURLPatterns); Review Comment: @michael-o All of this stuff can be configured-around by the user. We are just talking about the defaults, here. If you want to serve static content from `/static/*.jpg` but dynamic files from `/dynamic/*.jpg` which need protection, then you can set up a regular-expression-based check. An out-of-the-box default should work for "a great many environments" not "every single conceivable environment".
Re: [PR] Csrf filter improvements [tomcat]
ChristopherSchultz commented on code in PR #681: URL: https://github.com/apache/tomcat/pull/681#discussion_r1432880460 ## java/org/apache/catalina/filters/CsrfPreventionFilter.java: ## @@ -53,6 +58,25 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase { private String nonceRequestParameterName = Constants.CSRF_NONCE_REQUEST_PARAM; +private boolean enforce = true; + +private Collection> noNoncePatterns = DEFAULT_NO_NONCE_URL_PATTERNS; + +private static final Collection> DEFAULT_NO_NONCE_URL_PATTERNS; + +static { +ArrayList> defaultNoNonceURLPatterns = new ArrayList<>(); + +defaultNoNonceURLPatterns.add(new SuffixPredicate(".css")); +defaultNoNonceURLPatterns.add(new SuffixPredicate(".js")); +defaultNoNonceURLPatterns.add(new SuffixPredicate(".gif")); +defaultNoNonceURLPatterns.add(new SuffixPredicate(".png")); +defaultNoNonceURLPatterns.add(new SuffixPredicate(".jpg")); +defaultNoNonceURLPatterns.add(new SuffixPredicate(".svg")); + +DEFAULT_NO_NONCE_URL_PATTERNS = Collections.unmodifiableList(defaultNoNonceURLPatterns); Review Comment: I think this has been resolved in ef54a1e44fe32aa0ec0fd0559726b214275046aa and d0433b10c98b90cdca573a14c4eb64dff8bdc980.
[Bug 68378] New: Add MIME type mapping for *.mjs (JavaScript module)
https://bz.apache.org/bugzilla/show_bug.cgi?id=68378

Bug ID: 68378
Summary: Add MIME type mapping for *.mjs (JavaScript module)
Product: Tomcat 11
Version: 11.0.0-M15
Hardware: All
OS: All
Status: NEW
Severity: minor
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: knst.koli...@gmail.com
Target Milestone: ---

mjs = text/javascript

See IANA registry and HTTPD patch, bug 61383.
https://www.iana.org/assignments/media-types/text/javascript
https://svn.apache.org/viewvc?view=revision&revision=1901273

-- You are receiving this mail because: You are the assignee for the bug.
Re: [PR] Csrf filter improvements [tomcat]
michael-o commented on code in PR #681: URL: https://github.com/apache/tomcat/pull/681#discussion_r1432909931 ## java/org/apache/catalina/filters/CsrfPreventionFilter.java: ## @@ -53,6 +58,25 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase { private String nonceRequestParameterName = Constants.CSRF_NONCE_REQUEST_PARAM; +private boolean enforce = true; + +private Collection> noNoncePatterns = DEFAULT_NO_NONCE_URL_PATTERNS; + +private static final Collection> DEFAULT_NO_NONCE_URL_PATTERNS; + +static { +ArrayList> defaultNoNonceURLPatterns = new ArrayList<>(); + +defaultNoNonceURLPatterns.add(new SuffixPredicate(".css")); +defaultNoNonceURLPatterns.add(new SuffixPredicate(".js")); +defaultNoNonceURLPatterns.add(new SuffixPredicate(".gif")); +defaultNoNonceURLPatterns.add(new SuffixPredicate(".png")); +defaultNoNonceURLPatterns.add(new SuffixPredicate(".jpg")); +defaultNoNonceURLPatterns.add(new SuffixPredicate(".svg")); + +DEFAULT_NO_NONCE_URL_PATTERNS = Collections.unmodifiableList(defaultNoNonceURLPatterns); Review Comment: Agree
[Bug 68312] Virtual threads with Http11Nio2Protocol
https://bz.apache.org/bugzilla/show_bug.cgi?id=68312

Christopher Schultz changed:

What       | Removed  | Added
Status     | RESOLVED | REOPENED
Resolution | INVALID  | ---
[Bug 68312] Virtual threads with Http11Nio2Protocol
https://bz.apache.org/bugzilla/show_bug.cgi?id=68312

Christopher Schultz changed:

What       | Removed  | Added
Status     | REOPENED | RESOLVED
Resolution | ---      | FIXED

--- Comment #2 from Christopher Schultz ---
This has been fixed

11.x branch: f9fb4f443d5c6814445a42174288ae549abc83ec will be in 11.0.0-M16
9.0.x branch: 81ff43e1e7f6f5f833a035ad97422c94cd82a4bc will be in 9.0.85
8.5.x branch: bf1a093b63eb9ab50a8f37feff3feb64e90b8c1f will be in 8.5.98
Re: (tomcat) branch main updated: Fix NIO2 and virtual threads (NIO2 requires ExecutorService)
Mark, Was this back-ported to the 10.1.x branch? I see the back-port to 9.0.x and 8.5.x but not 10.1.x. -chris On 12/8/23 05:27, ma...@apache.org wrote: This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new f9fb4f443d Fix NIO2 and virtual threads (NIO2 requires ExecutorService) f9fb4f443d is described below commit f9fb4f443d5c6814445a42174288ae549abc83ec Author: Mark Thomas AuthorDate: Fri Dec 8 10:26:49 2023 + Fix NIO2 and virtual threads (NIO2 requires ExecutorService) --- .../tomcat/util/threads/LocalStrings.properties| 2 + .../tomcat/util/threads/VirtualThreadExecutor.java | 63 +- webapps/docs/changelog.xml | 9 3 files changed, 72 insertions(+), 2 deletions(-) diff --git a/java/org/apache/tomcat/util/threads/LocalStrings.properties b/java/org/apache/tomcat/util/threads/LocalStrings.properties index 4b28c96f84..e6999e19e4 100644 --- a/java/org/apache/tomcat/util/threads/LocalStrings.properties +++ b/java/org/apache/tomcat/util/threads/LocalStrings.properties @@ -19,3 +19,5 @@ threadPoolExecutor.invalidKeepAlive=Core threads must have positive keep alive t threadPoolExecutor.queueFull=Queue capacity is full threadPoolExecutor.taskRejected=Task [{0}] rejected from [{1}] threadPoolExecutor.threadStoppedToAvoidPotentialLeak=Stopping thread [{0}] to avoid potential memory leaks after a context was stopped. + +vvirtualThreadExecutor.taskRejected=Task [{0}] rejected from [{1}] \ No newline at end of file diff --git a/java/org/apache/tomcat/util/threads/VirtualThreadExecutor.java b/java/org/apache/tomcat/util/threads/VirtualThreadExecutor.java index 0e177fe861..461d16e05f 100644 --- a/java/org/apache/tomcat/util/threads/VirtualThreadExecutor.java +++ b/java/org/apache/tomcat/util/threads/VirtualThreadExecutor.java 
@@ -16,12 +16,23 @@ */ package org.apache.tomcat.util.threads; -import java.util.concurrent.Executor; +import java.util.Collections; +import java.util.List; +import java.util.concurrent.AbstractExecutorService; +import java.util.concurrent.CountDownLatch; +import java.util.concurrent.RejectedExecutionException; +import java.util.concurrent.TimeUnit; + +import org.apache.tomcat.util.res.StringManager; /** * An executor that uses a new virtual thread for each task. */ -public class VirtualThreadExecutor implements Executor { +public class VirtualThreadExecutor extends AbstractExecutorService { + +private static final StringManager sm = StringManager.getManager(VirtualThreadExecutor.class); + +private CountDownLatch shutdown = new CountDownLatch(1); private Thread.Builder threadBuilder; 
@@ -31,6 +42,54 @@ public class VirtualThreadExecutor implements Executor { @Override public void execute(Runnable command) { +if (isShutdown()) { +throw new RejectedExecutionException( +sm.getString("virtualThreadExecutor.taskRejected", command.toString(), this.toString())); +} threadBuilder.start(command); } + +@Override +public void shutdown() { +shutdown.countDown(); +} + +/** + * {@inheritDoc} + * + * The VirtualThreadExecutor does not track in-progress tasks so calling this method is equivalent to calling + * {@link #shutdown()}. + */ +@Override +public List shutdownNow() { +shutdown(); +return Collections.emptyList(); +} + +@Override +public boolean isShutdown() { +return shutdown.getCount() == 0; +} + +/** + * {@inheritDoc} + * + * The VirtualThreadExecutor does not track in-progress tasks so calling this method is equivalent to calling + * {@link #isShutdown()}. + */ +@Override +public boolean isTerminated() { +return isShutdown(); +} + +/** + * {@inheritDoc} + * + * The VirtualThreadExecutor does not track in-progress tasks so calling this method is effectively waiting for + * {@link #shutdown()} to be called. + */ +@Override +public boolean awaitTermination(long timeout, TimeUnit unit) throws InterruptedException { +return shutdown.await(timeout, unit); +} } \ No newline at end of file diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 75f8106c27..73b9aaca03 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -105,6 +105,15 @@ issues do not "pop up" wrt. others). --> + + + +Refactor the VirtualThreadExecutor so that it can be used +by the NIO2 connector which was using platform threads even when +configured to use virtual threads. (markt) + + +
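Review bot: in LocalStrings.properties the new key is spelled `vvirtualThreadExecutor.taskRejected` (double "v"), while `execute()` in VirtualThreadExecutor.java looks up `virtualThreadExecutor.taskRejected`, so the RejectedExecutionException will not carry the intended message; rename the key to match the lookup. Separately, the `shutdown` latch is assigned once at declaration and never reassigned in the visible code, so it can be declared `final`.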
Re: (tomcat) branch main updated: Fix NIO2 and virtual threads (NIO2 requires ExecutorService)
On Wed, Dec 20, 2023 at 5:21 PM Christopher Schultz wrote: > > Mark, > > Was this back-ported to the 10.1.x branch? I see the back-port to 9.0.x > and 8.5.x but not 10.1.x. It's fine: https://github.com/apache/tomcat/commit/2b3f0f09641e0d8504a114cf296a18d66039266b Rémy > -chris > > On 12/8/23 05:27, ma...@apache.org wrote: > > This is an automated email from the ASF dual-hosted git repository. > > > > markt pushed a commit to branch main > > in repository https://gitbox.apache.org/repos/asf/tomcat.git > > > > > > The following commit(s) were added to refs/heads/main by this push: > > new f9fb4f443d Fix NIO2 and virtual threads (NIO2 requires > > ExecutorService) > > f9fb4f443d is described below > > > > commit f9fb4f443d5c6814445a42174288ae549abc83ec > > Author: Mark Thomas > > AuthorDate: Fri Dec 8 10:26:49 2023 + > > > > Fix NIO2 and virtual threads (NIO2 requires ExecutorService) > > --- > > .../tomcat/util/threads/LocalStrings.properties| 2 + > > .../tomcat/util/threads/VirtualThreadExecutor.java | 63 > > +- > > webapps/docs/changelog.xml | 9 > > 3 files changed, 72 insertions(+), 2 deletions(-) > > > > diff --git a/java/org/apache/tomcat/util/threads/LocalStrings.properties > > b/java/org/apache/tomcat/util/threads/LocalStrings.properties > > index 4b28c96f84..e6999e19e4 100644 > > --- a/java/org/apache/tomcat/util/threads/LocalStrings.properties > > +++ b/java/org/apache/tomcat/util/threads/LocalStrings.properties > > @@ -19,3 +19,5 @@ threadPoolExecutor.invalidKeepAlive=Core threads must > > have positive keep alive t > > threadPoolExecutor.queueFull=Queue capacity is full > > threadPoolExecutor.taskRejected=Task [{0}] rejected from [{1}] > > threadPoolExecutor.threadStoppedToAvoidPotentialLeak=Stopping thread > > [{0}] to avoid potential memory leaks after a context was stopped. > > + > > +vvirtualThreadExecutor.taskRejected=Task [{0}] rejected from [{1}] > > \ No newline at end of file 
> > diff --git a/java/org/apache/tomcat/util/threads/VirtualThreadExecutor.java > > b/java/org/apache/tomcat/util/threads/VirtualThreadExecutor.java > > index 0e177fe861..461d16e05f 100644 > > --- a/java/org/apache/tomcat/util/threads/VirtualThreadExecutor.java > > +++ b/java/org/apache/tomcat/util/threads/VirtualThreadExecutor.java > > @@ -16,12 +16,23 @@ > >*/ > > package org.apache.tomcat.util.threads; > > > > -import java.util.concurrent.Executor; > > +import java.util.Collections; > > +import java.util.List; > > +import java.util.concurrent.AbstractExecutorService; > > +import java.util.concurrent.CountDownLatch; > > +import java.util.concurrent.RejectedExecutionException; > > +import java.util.concurrent.TimeUnit; > > + > > +import org.apache.tomcat.util.res.StringManager; > > > > /** > >* An executor that uses a new virtual thread for each task. > >*/ > > -public class VirtualThreadExecutor implements Executor { > > +public class VirtualThreadExecutor extends AbstractExecutorService { > > + > > +private static final StringManager sm = > > StringManager.getManager(VirtualThreadExecutor.class); > > + > > +private CountDownLatch shutdown = new CountDownLatch(1); > > > > private Thread.Builder threadBuilder; 
> > > > @@ -31,6 +42,54 @@ public class VirtualThreadExecutor implements Executor { > > > > @Override > > public void execute(Runnable command) { > > +if (isShutdown()) { > > +throw new RejectedExecutionException( > > +sm.getString("virtualThreadExecutor.taskRejected", > > command.toString(), this.toString())); > > +} > > threadBuilder.start(command); > > } > > + > > +@Override > > +public void shutdown() { > > +shutdown.countDown(); > > +} > > + > > +/** > > + * {@inheritDoc} > > + * > > + * The VirtualThreadExecutor does not track in-progress tasks so > > calling this method is equivalent to calling > > + * {@link #shutdown()}. > > + */ > > +@Override > > +public List shutdownNow() { > > +shutdown(); > > +return Collections.emptyList(); > > +} > > + > > +@Override > > +public boolean isShutdown() { > > +return shutdown.getCount() == 0; > > +} > > + > > +/** > > + * {@inheritDoc} > > + * > > + * The VirtualThreadExecutor does not track in-progress tasks so > > calling this method is equivalent to calling > > + * {@link #isShutdown()}. > > + */ > > +@Override > > +public boolean isTerminated() { > > +return isShutdown(); > > +} > > + > > +/** > > + * {@inheritDoc} > > + * > > + * The VirtualThreadExecutor does not track in-progress tasks so > > calling this method is effectively waiting for > > + * {@link #shutdown()} to be called. > > + */ > > +@Override > > +public boolean awaitTermination(long timeout, TimeUnit unit) throws > > Interr
Re: [PR] Csrf filter improvements [tomcat]
kkolinko commented on PR #681: URL: https://github.com/apache/tomcat/pull/681#issuecomment-1864808958

1. There are case-insensitive file systems out there... I wonder whether those default extensions should be treated case-insensitively. (If one is serving a web site from a USB stick or a memory card formatted with FAT? From a CD Drive? It is possible, but rare nowadays.)
2. Add "*.mjs" to the list (see https://bz.apache.org/bugzilla/show_bug.cgi?id=68378 )
3. Documentation: The value in "The default is ..." does not match the actual value of DEFAULT_NO_NONCE_URL_PATTERNS;
4. Documentation: "Complete regular expression ... Note that patterns cannot contain a comma"
   I think if the value starts and ends with a '/', it would be better to treat it whole as a single RegExp. Commas are useful in RegExes and disallowing them in this case does not look like a benefit.
5. protected boolean skipNonceCheck(HttpServletRequest request) {
   It is hard-coded to look for GET. How about a HEAD request?
6. protected boolean skipNonceCheck(HttpServletRequest request) {
   Further in that method. "if (!entryPoints.contains(requestedPath)) { return false; }" - note that unless it is an entry point, processing will end here and subsequent lines will not run. I think it was intended to be the opposite.
7. private boolean shouldAddNonce(String url) { ... }
   I think that it would make sense to skip adding nonces to the entryPoints. (As a use case: the front page of Manager web application).
8. It would be good to have some test cases.
[Bug 68312] Virtual threads with Http11Nio2Protocol
https://bz.apache.org/bugzilla/show_bug.cgi?id=68312 --- Comment #3 from Christopher Schultz --- And Tomcat 10.1: 2b3f0f09641e0d8504a114cf296a18d66039266b will be in 10.1.18
Re: [PR] Csrf filter improvements [tomcat]
ChristopherSchultz commented on PR #681: URL: https://github.com/apache/tomcat/pull/681#issuecomment-1864828084

> 1. There are case-insensitive file systems out there... I wonder whether those default extensions should be treated case-insensitively. (If one is serving a web site from a USB stick or a memory card formatted with FAT? From a CD Drive? It is possible, but rare nowadays.)

Fair. Again, I was thinking of trying to minimize the amount of processing required by default.

> 2. Add "*.mjs" to the list (see https://bz.apache.org/bugzilla/show_bug.cgi?id=68378 )

Fair.

> 3. Documentation: The value in "The default is ..." does not match the actual value of DEFAULT_NO_NONCE_URL_PATTERNS;

I will correct this.

> 4. Documentation: "Complete regular expression ... Note that patterns cannot contain a comma"
> I think if the value starts and ends with a '/', it would be better to treat it whole as a single RegExp. Commas are useful in RegExes and disallowing them in this case does not look like a benefit.

I suppose I could write a more fully-featured parser, but right now I'm using `String.split(",")` to separate the patterns from each other. If we want to parse `/anything/` including commas, we'll need to be able to recognize `/` within `/.../`, escapes, etc. I think I might like to save that for a separate PR since this one is complicated enough. WDYT?

> 5. protected boolean skipNonceCheck(HttpServletRequest request) {
> It is hard-coded to look for GET. How about a HEAD request?

This check pre-dates this PR. I think it should be addressed separately.

> 6. protected boolean skipNonceCheck(HttpServletRequest request) {
> Further in that method. "if (!entryPoints.contains(requestedPath)) { return false; }" - note that unless it is an entry point, processing will end here and subsequent lines will not run. I think it was intended to be the opposite.

I will review.

> 7. private boolean shouldAddNonce(String url) { ... }
> I think that it would make sense to skip adding nonces to the entryPoints.
> (As a use case: the front page of Manager web application).

I think it does not matter much.

> 8. It would be good to have some test cases.

Okay. Would you prefer very targeted unit tests against e.g. the predicates and calls to `HttpServletResponse.encodeURL` or something that includes the whole HTTP request/response, page-generation, etc.?
Re: TCK servlet TCK 6.0
On 12/19/23 18:37, Mark Thomas wrote: On 19/12/2023 13:05, jean-frederic clere wrote: Hi, I have tried to run the TCK against Tomcat-10.1.17 I have 12 failed tests. Before investigating I have questions: Did someone run the servlet TCK recently? Not recently but I have run it. Are some tests expected to fail (well for sure the DefaultContextPathTest and the signatures, but are there others? DefaultContextPathTest should be the only failure. Everything else should pass. OK the 2 security tests are failing for me and I know why and not sure what to do, the key/cert are too small (and very old). I will look to the 9 other tests (one seems a date format problem, the others look to be some "Locale" problem, probably related to my environment). I have created https://cwiki.apache.org/confluence/display/TOMCAT/Servlet+TCK+6.0 and I am planning to update it ;-) Mark -- Cheers Jean-Frederic
Re: Backporting patch for CVE-2023-46589 to Tomcat 8.0.14
We, the RECDO organization is a legally registered non-profit entity based in Kantale, Trincomalee. RECDO was established in 2000 and serves marginalized communities in the Eastern Province, particularly the Trincomalee District. Our work focuses on the following thematic areas: community policing and public safety; gender equality, women’s empowerment and gender mainstreaming; educational outreach, Child wellbeing & protection; water, sanitation & Health; participatory governance & democracy, disaster risk reduction and climate adaptation including rural agriculture; entrepreneurship development & livelihood; rights-based social wellbeing, peace and community conflict resolution. We have successfully collaborated with reputed bilateral international donors and government sector for the implementation of comprehensive projects. RECDO executed human-development oriented projects in partnership with The Asia Foundation, Global Fund for Children, C.I.E.LO (France), Muslim Aid, ONUR, ICES and CEPA (Colombo). Thank you very much. Best Regards, Azhar

On Monday, 18 December 2023 at 11:55:31 am GMT-8, Emmanuel Bourg wrote:

On 18/12/2023 at 18:15, Michael Osipov wrote:
> SCNR: https://unixsheikh.com/articles/the-delusions-of-debian.html

That's a low blow, this post smells more like an old systemd rant mixed with a complete misunderstanding on how Debian works than a well founded criticism.

Emmanuel Bourg
svn commit: r1914805 - in /tomcat/site/trunk: docs/index.html xdocs/index.xml
Author: schultz Date: Wed Dec 20 17:13:20 2023 New Revision: 1914805 URL: http://svn.apache.org/viewvc?rev=1914805&view=rev Log: Fix typo Modified: tomcat/site/trunk/docs/index.html tomcat/site/trunk/xdocs/index.xml Modified: tomcat/site/trunk/docs/index.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/index.html?rev=1914805&r1=1914804&r2=1914805&view=diff == --- tomcat/site/trunk/docs/index.html (original) +++ tomcat/site/trunk/docs/index.html Wed Dec 20 17:13:20 2023 @@ -46,7 +46,7 @@ Java EE 8 platform. The notable changes Correct unintended escaping of XML in some WebDAV responses. Use a 408 status code if a read timeout occurs during HTTP - HTTP request processing instead of an HTTP 400 status. + request processing instead of an HTTP 400 status. Full details of these changes, and all the other changes, are available in the @@ -78,7 +78,7 @@ migration tool for Jakarta EE tool w Correct unintended escaping of XML in some WebDAV responses. Use a 408 status code if a read timeout occurs during HTTP - HTTP request processing instead of an HTTP 400 status. + request processing instead of an HTTP 400 status. @@ -103,7 +103,7 @@ Java EE 7 platform. The notable changes Correct unintended escaping of XML in some WebDAV responses. Use a 408 status code if a read timeout occurs during HTTP - HTTP request processing instead of an HTTP 400 status. + request processing instead of an HTTP 400 status. Full details of these changes, and all the other changes, are available in the Modified: tomcat/site/trunk/xdocs/index.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/index.xml?rev=1914805&r1=1914804&r2=1914805&view=diff == --- tomcat/site/trunk/xdocs/index.xml (original) +++ tomcat/site/trunk/xdocs/index.xml Wed Dec 20 17:13:20 2023 
@@ -67,7 +67,7 @@ Java EE 8 platform. The notable changes Correct unintended escaping of XML in some WebDAV responses. Use a 408 status code if a read timeout occurs during HTTP - HTTP request processing instead of an HTTP 400 status. + request processing instead of an HTTP 400 status. Full details of these changes, and all the other changes, are available in the @@ -102,7 +102,7 @@ migration tool for Jakarta EE tool w Correct unintended escaping of XML in some WebDAV responses. Use a 408 status code if a read timeout occurs during HTTP - HTTP request processing instead of an HTTP 400 status. + request processing instead of an HTTP 400 status. @@ -130,7 +130,7 @@ Java EE 7 platform. The notable changes Correct unintended escaping of XML in some WebDAV responses. Use a 408 status code if a read timeout occurs during HTTP - HTTP request processing instead of an HTTP 400 status. + request processing instead of an HTTP 400 status. Full details of these changes, and all the other changes, are available in the
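Review bot: the header context of the second hunk in both files reads "migration tool for Jakarta EE tool w", which may be another repeated word ("tool ... tool") of the same kind as the "HTTP HTTP" this commit removes, and it sits in text the commit does not touch. It is worth checking that sentence in xdocs/index.xml while the page is being corrected, so that one pass covers both.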
Re: [PR] Csrf filter improvements [tomcat]
kkolinko commented on PR #681: URL: https://github.com/apache/tomcat/pull/681#issuecomment-1864873921 Re 4: I think that if one is wise enough to write a RegExp, they could use "|" to combine several patterns, and do not really need splitting by comma. Or do you envision a use case, where different types of patterns are used together, and one of them is a regular expression? I mean: do a .startsWith("/") && .endsWith("/") test before calling String.split(). Skip splitting. ```diff - if (null == patterns || 0 == patterns.trim().length()) { + if (null == patterns || 0 == (patterns = patterns.trim()).length()) { ... - String values[] = patterns.split(","); + String values[] = patterns.startsWith("/") && patterns.endsWith("/") ? new String[]{ patterns } : patterns.split(","); ```
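Review bot: in the last changed line, `patterns.startsWith("/") && patterns.endsWith("/")` is also true for a comma-separated list whose first and last entries are both regular expressions, for example `/a/, *.css, /b/`, so such a list would be handed on as one expression and its middle entries would never be parsed on their own. The same test accepts the single character `/`. If the shortcut is kept, the documentation should state that a value starting and ending with `/` is always read as one expression and cannot be combined with other patterns. Separately, the assignment inside the condition, `0 == (patterns = patterns.trim()).length()`, would read more clearly as a trim on its own line before the check.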
Re: [PR] Csrf filter improvements [tomcat]
kkolinko commented on PR #681: URL: https://github.com/apache/tomcat/pull/681#issuecomment-1864889547 Re 8: Whatever is easier. (Maybe it will be easier to extract some logic into a utility class and test that utility class. My concern is just that the logic is not trivial, is complicated by nuances like case-insensitivity, and is not tested). (Existing TestCsrfPreventionFilter class has several "simple" tests. TestRestCsrfPreventionFilter has more substantial tests, using mocks).
Re: [PR] Csrf filter improvements [tomcat]
ChristopherSchultz commented on PR #681: URL: https://github.com/apache/tomcat/pull/681#issuecomment-1864951885 > Re 4: I think that if one is wise enough to write a RegExp, they could use "|" to combine several patterns, and do not really need splitting by comma. Or do you envision a use case, where different types of patterns are used together, and one of them is a regular expression? > > I mean: do a .startsWith("/") && .endsWith("/") test before calling String.split(). Skip splitting. > > ```diff > - if (null == patterns || 0 == patterns.trim().length()) { > + if (null == patterns || 0 == (patterns = patterns.trim()).length()) { > ... > - String values[] = patterns.split(","); > + String values[] = patterns.startsWith("/") && patterns.endsWith("/") ? new String[]{ patterns } : patterns.split(","); > ``` Yes, I was thinking that someone could specify a series of checks like `*.css, /.*includes.*/, *.png`. I suppose if you are going to use a regular expression, maybe the entire pattern should be used since regex is very expensive already.
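The pattern-list question from items 1 and 4 of this review, as an added example that is not part of the thread or of Tomcat's code: it applies the split shortcut proposed in the thread to a configuration string and builds predicates from the entries. The class and method names and the two-form syntax (`*.ext` suffix, `/re/` regex) are assumptions made for the illustration.

```java
import java.util.Locale;
import java.util.function.Predicate;
import java.util.regex.Pattern;
import java.util.stream.Stream;

// Added illustration: class and method names are hypothetical, not Tomcat's code.
public class NoNoncePatternDemo {

    // Split step from the thread: "/.../" is kept whole, anything else is split on commas.
    static String[] split(String patterns) {
        patterns = patterns.trim();
        return patterns.startsWith("/") && patterns.endsWith("/")
                ? new String[] { patterns } : patterns.split(",");
    }

    // Assumed syntax: "*.ext" is a case-insensitive suffix, "/re/" a complete regex.
    static Predicate<String> toPredicate(String raw) {
        String p = raw.trim();
        if (p.length() > 2 && p.startsWith("/") && p.endsWith("/")) {
            Pattern re = Pattern.compile(p.substring(1, p.length() - 1));
            return path -> re.matcher(path).matches();
        }
        if (p.startsWith("*.")) {
            String suffix = p.substring(1).toLowerCase(Locale.ROOT);
            return path -> path.toLowerCase(Locale.ROOT).endsWith(suffix);
        }
        throw new IllegalArgumentException("Unsupported pattern: " + p);
    }

    // True when any configured pattern exempts the path from nonce handling.
    static boolean skipsNonce(String patterns, String path) {
        return Stream.of(split(patterns))
                .map(NoNoncePatternDemo::toPredicate)
                .anyMatch(pred -> pred.test(path));
    }

    public static void main(String[] args) {
        String versioned = "/\\/static\\/v\\d{1,3}\\/.*/";
        // Alone, the regex is kept whole, so the comma in {1,3} is harmless.
        System.out.println(skipsNonce(versioned, "/static/v12/app.js"));
        // Mixed list without commas inside the regex; suffix match ignores case.
        System.out.println(skipsNonce("*.css, /.*includes.*/, *.png", "/img/LOGO.PNG"));
        try {
            // In a mixed list the same regex is cut at its comma and rejected.
            skipsNonce("*.css, " + versioned, "/static/v12/app.js");
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

In a list that does not itself start and end with `/`, a regex containing a comma is still cut apart, which is the case the fuller parser mentioned in the thread would have to handle.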
Re: [PR] Csrf filter improvements [tomcat]
michael-o commented on code in PR #681: URL: https://github.com/apache/tomcat/pull/681#discussion_r1433225531 ## java/org/apache/catalina/filters/CsrfPreventionFilter.java: ## @@ -198,15 +416,27 @@ protected boolean skipNonceCheck(HttpServletRequest request) { String requestedPath = getRequestedPath(request); -if (!entryPoints.contains(requestedPath)) { -return false; +if (entryPoints.contains(requestedPath)) { +if (log.isTraceEnabled()) { +log.trace("Skipping CSRF nonce-check for GET request to entry point " + requestedPath); +} + +return true; } -if (log.isTraceEnabled()) { -log.trace("Skipping CSRF nonce-check for GET request to entry point " + requestedPath); +if (null != noNoncePredicates && !noNoncePredicates.isEmpty()) { +for (Predicate p : noNoncePredicates) { +if (p.test(requestedPath)) { +if (log.isTraceEnabled()) { +log.trace("Skipping CSRF nonce-check for GET request to no-nonce path " + requestedPath); Review Comment: No `messages.properties`? ## webapps/docs/config/filter.xml: ## @@ -319,6 +326,34 @@ of java.security.SecureRandom will be used. + +A list of URL patterns that will not have CSRF nonces added +to them. You may not want to add nonces to certain URLs to avoid +creating unique URLs which may defeat resource caching, etc. + +There are 3 types of patterns supported: Review Comment: three ## webapps/docs/config/filter.xml: ## 
@@ -291,6 +291,13 @@ request. The default value is 403. + +A flag to enable or disable enforcement. When enforcement is +disabled, the CsrfPreventionFilter will allow all requests and +log CSRF failures as DEBUG messages. The default is true, +enabling the enforcement of CSRF protections. + Review Comment: I don't understand the purpose. I mean, why not then drop the filter from the `web.xml`? We don't have this for other filters, do we?
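Review bot: the new filter.xml text for the no-nonce patterns (the hunk at -319) describes them only as URLs that "will not have CSRF nonces added to them", while the `skipNonceCheck` hunk in CsrfPreventionFilter.java tests the same `noNoncePredicates` against the requested path and logs "Skipping CSRF nonce-check for GET request to no-nonce path". The documentation should say that GET requests to matching paths are also exempt from nonce validation, so that an administrator adding a pattern knows it affects checking of incoming requests and not just URL rewriting.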
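Review bot: in the enforcement flag description (the filter.xml hunk at -291), "log CSRF failures as DEBUG messages" means a deployment running with enforcement off will normally record nothing, because DEBUG is below the level production logging is usually set to. If the flag is meant for trialling the filter before switching it on, the text should name the logger to raise to DEBUG, or the failures should be logged at a level that is visible by default. The paragraph should also state plainly that with the flag set to false the filter provides no CSRF protection.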