(tomcat) branch 11.0.x updated: Fix BZ 69731 - correct maxParameterCount tracking.
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 11.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/11.0.x by this push: new bac6f1dd48 Fix BZ 69731 - correct maxParameterCount tracking. bac6f1dd48 is described below commit bac6f1dd489535fe6d3eaec9db4878898ce380ca Author: Mark Thomas AuthorDate: Tue Jul 1 19:04:18 2025 +0100 Fix BZ 69731 - correct maxParameterCount tracking. Limit was was smaller than intended for multipart uploads with non-file parts when the parts were processed before query string parameters https://bz.apache.org/bugzilla/show_bug.cgi?id=69731 --- java/org/apache/catalina/connector/Request.java| 50 +++- .../catalina/valves/TestParameterLimitValve.java | 134 - webapps/docs/changelog.xml | 6 + 3 files changed, 184 insertions(+), 6 deletions(-) diff --git a/java/org/apache/catalina/connector/Request.java b/java/org/apache/catalina/connector/Request.java index 6f4d313928..2b34c03534 100644 --- a/java/org/apache/catalina/connector/Request.java +++ b/java/org/apache/catalina/connector/Request.java @@ -111,6 +111,7 @@ import org.apache.tomcat.util.http.ServerCookies; import org.apache.tomcat.util.http.fileupload.FileItem; import org.apache.tomcat.util.http.fileupload.FileUpload; import org.apache.tomcat.util.http.fileupload.disk.DiskFileItemFactory; +import org.apache.tomcat.util.http.fileupload.impl.FileCountLimitExceededException; import org.apache.tomcat.util.http.fileupload.impl.InvalidContentTypeException; import org.apache.tomcat.util.http.fileupload.impl.SizeException; import org.apache.tomcat.util.http.fileupload.servlet.ServletRequestContext; 
@@ -2482,6 +2483,26 @@ public class Request implements HttpServletRequest {
 }
 }
+/*
+ * When the request body is multipart/form-data, both the parts and the query string count towards
+ * maxParameterCount. If parseParts() is called before getParameterXXX() then the parts will be parsed before
+ * the query string. Otherwise, the query string will be parsed first.
+ *
+ * maxParameterCount must be respected regardless of which is parsed first.
+ *
+ * maxParameterCount is reset from the Connector at the start of every request.
+ *
+ * If parts are parsed first, non-file parts will be added to the parameter map and any files will reduce
+ * maxParameterCount by 1 so that when the query string is parsed the difference between the size of the
+ * parameter map and maxParameterCount will be the original maxParameterCount less the number of parts. i.e. the
+ * maxParameterCount applied to the query string will be the original maxParameterCount less the number of
+ * parts.
+ *
+ * If the query string is parsed first, all parameters will be added to the parameter map and, ignoring
+ * maxPartCount, the part limit will be set to the original maxParameterCount less the size of the parameter
+ * map. i.e. the maxParameterCount applied to the parts will be the original maxParameterCount less the number
+ * of query parameters.
+ */
 Parameters parameters = coyoteRequest.getParameters();
 parameters.setLimit(maxParameterCount);
@@ -2582,11 +2603,14 @@ public class Request implements HttpServletRequest {
 // Not possible
 }
 parameters.addParameter(name, value);
+} else {
+// Adjust the limit to account for a file part which is not added to the parameter map.
+maxParameterCount--;
 }
 }
 } catch (InvalidContentTypeException e) {
 partsParseException = new ServletException(e);
-} catch (SizeException e) {
+} catch (SizeException | FileCountLimitExceededException e) {
 checkSwallowInput();
 partsParseException = new InvalidParameterException(e, HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
 } catch (IOException e) {
@@ -2834,11 +2858,27 @@ public class Request implements HttpServletRequest {
 }
 parametersParsed = true;
+/*
+ * When the request body is multipart/form-data, both the parts and the query string count towards
+ * maxParameterCount. If parseParts() is called before getParameterXXX() then the parts will be parsed before
+ * the query string. Otherwise, the query string will be parsed first.
+ *
+ * maxParameterCount must be respected regardless of which is parsed first.
+ *
+ * maxParameterCount is reset from the Connector at the start of every request.
+ *
+ * If parts are parsed first, non-file parts
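Review bot: The new `maxParameterCount--;` in the else branch is unguarded, so a budget that has already reached 0 would become -1, and if a negative value means "no limit" (as the Connector attribute is documented) that would lift the parameter-count cap for the remainder of the request instead of enforcing it. It looks like the upload's file-count limit, set outside this hunk, should stop a file part from reaching this branch once the budget is spent, but that invariant is not visible here; a defensive `if (maxParameterCount > 0) { maxParameterCount--; }` makes it explicit at no cost, since an unlimited (negative) value needs no decrement anyway. A short comment on the branch, such as `// File parts are not parameters, but still consume the maxParameterCount budget shared with the query string`, would also help the next reader understand why the field is mutated per request. The enclosing parseParts() method starts and ends outside this hunk.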
(tomcat) branch main updated: Fix BZ 69731 - correct maxParameterCount tracking.
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new b55723bc0f Fix BZ 69731 - correct maxParameterCount tracking. b55723bc0f is described below commit b55723bc0fd7e8b0c34d69c410f09c2a1de8f4fb Author: Mark Thomas AuthorDate: Tue Jul 1 19:04:18 2025 +0100 Fix BZ 69731 - correct maxParameterCount tracking. Limit was was smaller than intended for multipart uploads with non-file parts when the parts were processed before query string parameters https://bz.apache.org/bugzilla/show_bug.cgi?id=69731 --- java/org/apache/catalina/connector/Request.java| 50 +++- .../catalina/valves/TestParameterLimitValve.java | 134 - webapps/docs/changelog.xml | 6 + 3 files changed, 184 insertions(+), 6 deletions(-) diff --git a/java/org/apache/catalina/connector/Request.java b/java/org/apache/catalina/connector/Request.java index ce06e6e10d..760e728e28 100644 --- a/java/org/apache/catalina/connector/Request.java +++ b/java/org/apache/catalina/connector/Request.java @@ -109,6 +109,7 @@ import org.apache.tomcat.util.http.ServerCookies; import org.apache.tomcat.util.http.fileupload.FileItem; import org.apache.tomcat.util.http.fileupload.FileUpload; import org.apache.tomcat.util.http.fileupload.disk.DiskFileItemFactory; +import org.apache.tomcat.util.http.fileupload.impl.FileCountLimitExceededException; import org.apache.tomcat.util.http.fileupload.impl.InvalidContentTypeException; import org.apache.tomcat.util.http.fileupload.impl.SizeException; import org.apache.tomcat.util.http.fileupload.servlet.ServletRequestContext; 
@@ -2374,6 +2375,26 @@ public class Request implements HttpServletRequest {
 }
 }
+/*
+ * When the request body is multipart/form-data, both the parts and the query string count towards
+ * maxParameterCount. If parseParts() is called before getParameterXXX() then the parts will be parsed before
+ * the query string. Otherwise, the query string will be parsed first.
+ *
+ * maxParameterCount must be respected regardless of which is parsed first.
+ *
+ * maxParameterCount is reset from the Connector at the start of every request.
+ *
+ * If parts are parsed first, non-file parts will be added to the parameter map and any files will reduce
+ * maxParameterCount by 1 so that when the query string is parsed the difference between the size of the
+ * parameter map and maxParameterCount will be the original maxParameterCount less the number of parts. i.e. the
+ * maxParameterCount applied to the query string will be the original maxParameterCount less the number of
+ * parts.
+ *
+ * If the query string is parsed first, all parameters will be added to the parameter map and, ignoring
+ * maxPartCount, the part limit will be set to the original maxParameterCount less the size of the parameter
+ * map. i.e. the maxParameterCount applied to the parts will be the original maxParameterCount less the number
+ * of query parameters.
+ */
 Parameters parameters = coyoteRequest.getParameters();
 parameters.setLimit(maxParameterCount);
@@ -2474,11 +2495,14 @@ public class Request implements HttpServletRequest {
 // Not possible
 }
 parameters.addParameter(name, value);
+} else {
+// Adjust the limit to account for a file part which is not added to the parameter map.
+maxParameterCount--;
 }
 }
 } catch (InvalidContentTypeException e) {
 partsParseException = new ServletException(e);
-} catch (SizeException e) {
+} catch (SizeException | FileCountLimitExceededException e) {
 checkSwallowInput();
 partsParseException = new InvalidParameterException(e, HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
 } catch (IOException e) {
@@ -2726,11 +2750,27 @@ public class Request implements HttpServletRequest {
 }
 parametersParsed = true;
+/*
+ * When the request body is multipart/form-data, both the parts and the query string count towards
+ * maxParameterCount. If parseParts() is called before getParameterXXX() then the parts will be parsed before
+ * the query string. Otherwise, the query string will be parsed first.
+ *
+ * maxParameterCount must be respected regardless of which is parsed first.
+ *
+ * maxParameterCount is reset from the Connector at the start of every request.
+ *
+ * If parts are parsed first, non-file parts will
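Review bot: The widened `catch (SizeException | FileCountLimitExceededException e)` reports a part-count violation with `HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE`, which tells clients and intermediaries that a smaller body would succeed when it is the number of parts, not their size, that was exceeded; it also makes the two limits indistinguishable in access logs when operators tune maxParameterCount and maxPartCount. A separate arm, `} catch (FileCountLimitExceededException e) { checkSwallowInput(); partsParseException = new InvalidParameterException(e, HttpServletResponse.SC_BAD_REQUEST); }`, would keep the status accurate; if 413 is deliberately reused for both, a one-line comment saying so would stop the next reader from "fixing" it. Keeping `checkSwallowInput()` on both paths is right, since the unread body must still be discarded or the connection closed. The enclosing method starts and ends outside this hunk.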
[VOTE] Release Apache Tomcat 10.1.43
The proposed Apache Tomcat 10.1.43 release is now available for voting. All committers and PMC members are kindly requested to provide a vote if possible. ANY TOMCAT USER MAY VOTE, though only PMC members votes are binding. We welcome non-committer votes or comments on release builds. The notable changes compared to 10.1.42 are: - Increase the default for maxPartCount from 10 to 50. Update the documentation to provide more details on the memory requirements to support multi-part uploads while avoiding a denial of service risk. - Improvements to http/2 support, including data-frame padding, request statistics, and suppression of warnings when client certificate verification has been configured in certain environments. - Fix a regression in the fix for CVE-2025-49125 that prevented access to PreResources and PostResources when mounted below the web application root with a path that was terminated with a file separator. For full details, see the change log: https://nightlies.apache.org/tomcat/tomcat-10.1.x/docs/changelog.html Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE applications designed for Tomcat 9 and earlier may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically convert them to Jakarta EE and copy them to the webapps directory. It can be obtained from: https://dist.apache.org/repos/dist/dev/tomcat/tomcat-10/v10.1.43/ The Maven staging repo is: https://repository.apache.org/content/repositories/orgapachetomcat-1551 The tag is: https://github.com/apache/tomcat/tree/10.1.43 https://github.com/apache/tomcat/commit/e6c2a4b773a2bf03f94a31ed8fc30df1a735217e Please reply with a +1 for release or +0/-0/-1 with an explanation. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
(tomcat) branch 10.1.x updated: Increment versions numbers for next release.
This is an automated email from the ASF dual-hosted git repository. schultz pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.1.x by this push: new 0c970f662b Increment versions numbers for next release. 0c970f662b is described below commit 0c970f662b0db8b6bfec282b2b772b91f599d96a Author: Christopher Schultz AuthorDate: Tue Jul 1 17:49:15 2025 -0400 Increment versions numbers for next release. --- build.properties.default | 2 +- res/maven/mvn.properties.default | 2 +- webapps/docs/changelog.xml | 4 +++- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/build.properties.default b/build.properties.default index 926d575b03..f3960197e9 100644 --- a/build.properties.default +++ b/build.properties.default @@ -31,7 +31,7 @@ # - Version Control Flags - version.major=10 version.minor=1 -version.build=43 +version.build=44 version.patch=0 version.suffix= version.dev=-dev diff --git a/res/maven/mvn.properties.default b/res/maven/mvn.properties.default index 462ecadedd..27c0e3c6c1 100644 --- a/res/maven/mvn.properties.default +++ b/res/maven/mvn.properties.default @@ -39,7 +39,7 @@ maven.asf.release.repo.url=https://repository.apache.org/service/local/staging/d maven.asf.release.repo.repositoryId=apache.releases.https # Release version info -maven.asf.release.deploy.version=10.1.43 +maven.asf.release.deploy.version=10.1.44 #Where do we load the libraries from tomcat.lib.path=../../output/build/lib diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index db094d4294..3a5a743b3b 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -104,7 +104,9 @@ They eventually become mixed with the numbered issues (i.e., numbered issues do not "pop up" wrt. others). --> - + + + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 11.0.9
Mark, Thanks for RMing. On 7/1/25 5:42 PM, Mark Thomas wrote: The proposed Apache Tomcat 11.0.9 release is now available for voting. The notable changes compared to 11.0.8 include: - Increase the default for maxPartCount from 10 to 50. Update the documentation to provide more details on the memory requirements to support multi-part uploads while avoiding a denial of service risk. - Various improvements to HTTP/2 - Fix JMX value for keepAliveCount on the endpoint. Also add the value of useVirtualThreads in JMX. For full details, see the change log: https://nightlies.apache.org/tomcat/tomcat-11.0.x/docs/changelog.html Applications that run on Tomcat 9 and earlier will not run on Tomcat 11 without changes. Java EE applications designed for Tomcat 9 and earlier may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically convert them to Jakarta EE and copy them to the webapps directory. Applications using deprecated APIs may require further changes. It can be obtained from: https://dist.apache.org/repos/dist/dev/tomcat/tomcat-11/v11.0.9/ The Maven staging repo is: https://repository.apache.org/content/repositories/orgapachetomcat-1550 The tag is: https://github.com/apache/tomcat/tree/11.0.9 2640cdf945fd8b715cec93e6c7840970a13634a0 The proposed 11.0.9 release is: [ ] -1 Broken - do not release [ ] +1 Stable - go ahead and release as 11.0.9 +1 for stable release. The build is 100% reproducible on MacOS aarm64, and the unit tests pass. 
Details: * Environment * Java (build):openjdk version "24.0.1" 2025-04-15 OpenJDK Runtime Environment Temurin-24.0.1+9 (build 24.0.1+9) OpenJDK 64-Bit Server VM Temurin-24.0.1+9 (build 24.0.1+9, mixed mode, sharing) * Java (test): openjdk version "24.0.1" 2025-04-15 OpenJDK Runtime Environment Temurin-24.0.1+9 (build 24.0.1+9) OpenJDK 64-Bit Server VM Temurin-24.0.1+9 (build 24.0.1+9, mixed mode, sharing) * Ant: Apache Ant(TM) version 1.10.15 compiled on August 25 2024 * OS: Darwin 24.5.0 arm64 * cc: Apple clang version 17.0.0 (clang-1700.0.13.5) * make:GNU Make 3.81 * OpenSSL: OpenSSL 3.5.0 8 Apr 2025 (Library: OpenSSL 3.5.0 8 Apr 2025) * APR: 1.7.6 * * Valid SHA-512 signature for apache-tomcat-11.0.9.zip * Valid GPG signature for apache-tomcat-11.0.9.zip * Valid SHA-512 signature for apache-tomcat-11.0.9.tar.gz * Valid GPG signature for apache-tomcat-11.0.9.tar.gz * Valid SHA-512 signature for apache-tomcat-11.0.9.exe * Valid GPG signature for apache-tomcat-11.0.9.exe * Valid Windows Digital Signature for apache-tomcat-11.0.9.exe * Valid SHA512 signature for apache-tomcat-11.0.9-src.zip * Valid GPG signature for apache-tomcat-11.0.9-src.zip * Valid SHA512 signature for apache-tomcat-11.0.9-src.tar.gz * Valid GPG signature for apache-tomcat-11.0.9-src.tar.gz * * Binary Zip and tarball: Same * Source Zip and tarball: Same * * Building dependencies returned: 0 * Tomcat builds cleanly * tcnative builds cleanly * Junit Tests: PASSED -chris - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
(tomcat) tag 10.1.43 created (now e6c2a4b773)
This is an automated email from the ASF dual-hosted git repository. schultz pushed a change to tag 10.1.43 in repository https://gitbox.apache.org/repos/asf/tomcat.git at e6c2a4b773 (commit) This tag includes the following new commits: new e6c2a4b773 Tag 10.1.43 The 1 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
(tomcat) 01/01: Tag 10.1.43
This is an automated email from the ASF dual-hosted git repository. schultz pushed a commit to tag 10.1.43 in repository https://gitbox.apache.org/repos/asf/tomcat.git commit e6c2a4b773a2bf03f94a31ed8fc30df1a735217e Author: Christopher Schultz AuthorDate: Tue Jul 1 17:32:18 2025 -0400 Tag 10.1.43 --- build.properties.release | 54 +++ res/install-win/Uninstall.exe.sig| Bin 0 -> 8275 bytes res/install-win/tomcat-installer.exe.sig | Bin 0 -> 8275 bytes res/maven/mvn.properties.release | 27 webapps/docs/changelog.xml | 2 +- 5 files changed, 82 insertions(+), 1 deletion(-) diff --git a/build.properties.release b/build.properties.release new file mode 100644 index 00..e32b83b9a3 --- /dev/null +++ b/build.properties.release 
@@ -0,0 +1,54 @@ +# - +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# - + +# This file was auto-generated by the pre-release Ant target. + +# Any unwanted settings may be over-ridden in a build.properties file located +# in the same directory as this file. + +# Set the version-dev to "" (empty string) as this is not a development release. +version.dev= + +# Ensure consistent timestamps for reproducible builds. +ant.tstamp.now.iso=2025-07-01T21:30:20Z + +# Enable insertion of detached signatures into the Windows installer. +do.codesigning=true + +# Re-use the same GPG executable. +gpg.exec=/usr/local/bin/gpg + +# Reproducible builds require the use of the build tools defined below. The +# vendors (where appropriate) and versions must match exactly for a reproducible +# build since this data is embedded in various files, particularly JAR file +# manifests, as part of the build process. +# +# Apache Ant: Apache Ant(TM) version 1.10.15 compiled on August 25 2024 +# +# Java Name: OpenJDK 64-Bit Server VM +# Java Vendor: Eclipse Adoptium +# Java Version:24.0.1+9 + +# The following is provided for information only. Builds will be repeatable +# whether or not the build environment is consistent with this information. 
+# +# OS: aarch64 Mac OS X 15.5 +# File encoding: UTF-8 +# +# Release Manager: schultz +release-java-version=24.0.1+9 +release-ant-version=1.10.15 diff --git a/res/install-win/Uninstall.exe.sig b/res/install-win/Uninstall.exe.sig new file mode 100644 index 00..d21f38ff41 Binary files /dev/null and b/res/install-win/Uninstall.exe.sig differ diff --git a/res/install-win/tomcat-installer.exe.sig b/res/install-win/tomcat-installer.exe.sig new file mode 100644 index 00..c3acd06be6 Binary files /dev/null and b/res/install-win/tomcat-installer.exe.sig differ diff --git a/res/maven/mvn.properties.release b/res/maven/mvn.properties.release new file mode 100644 index 00..9ce3af5f32 --- /dev/null +++ b/res/maven/mvn.properties.release @@ -0,0 +1,27 @@ +# - +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# - + +# This file was auto-generated by the pre-release Ant target. + +# Remove "-dev" from the version since this is not a development release. +maven.asf.release.deploy.version=10.1.43 + +# Re-use the same GPG executable. +gpg.exec=/usr/local/bin/gpg + +
svn commit: r77891 - in /dev/tomcat/tomcat-10/v10.1.43: ./ bin/ bin/embed/ src/
Author: schultz Date: Tue Jul 1 21:34:47 2025 New Revision: 77891 Log: Upload 10.1.34 for voting Added: dev/tomcat/tomcat-10/v10.1.43/ dev/tomcat/tomcat-10/v10.1.43/KEYS dev/tomcat/tomcat-10/v10.1.43/README.html dev/tomcat/tomcat-10/v10.1.43/RELEASE-NOTES dev/tomcat/tomcat-10/v10.1.43/bin/ dev/tomcat/tomcat-10/v10.1.43/bin/README.html dev/tomcat/tomcat-10/v10.1.43/bin/apache-tomcat-10.1.43-deployer.tar.gz (with props) dev/tomcat/tomcat-10/v10.1.43/bin/apache-tomcat-10.1.43-deployer.tar.gz.asc dev/tomcat/tomcat-10/v10.1.43/bin/apache-tomcat-10.1.43-deployer.tar.gz.sha512 dev/tomcat/tomcat-10/v10.1.43/bin/apache-tomcat-10.1.43-deployer.zip (with props) dev/tomcat/tomcat-10/v10.1.43/bin/apache-tomcat-10.1.43-deployer.zip.asc dev/tomcat/tomcat-10/v10.1.43/bin/apache-tomcat-10.1.43-deployer.zip.sha512 dev/tomcat/tomcat-10/v10.1.43/bin/apache-tomcat-10.1.43-fulldocs.tar.gz (with props) dev/tomcat/tomcat-10/v10.1.43/bin/apache-tomcat-10.1.43-fulldocs.tar.gz.asc dev/tomcat/tomcat-10/v10.1.43/bin/apache-tomcat-10.1.43-fulldocs.tar.gz.sha512 dev/tomcat/tomcat-10/v10.1.43/bin/apache-tomcat-10.1.43-windows-x64.zip (with props) dev/tomcat/tomcat-10/v10.1.43/bin/apache-tomcat-10.1.43-windows-x64.zip.asc dev/tomcat/tomcat-10/v10.1.43/bin/apache-tomcat-10.1.43-windows-x64.zip.sha512 dev/tomcat/tomcat-10/v10.1.43/bin/apache-tomcat-10.1.43-windows-x86.zip (with props) dev/tomcat/tomcat-10/v10.1.43/bin/apache-tomcat-10.1.43-windows-x86.zip.asc dev/tomcat/tomcat-10/v10.1.43/bin/apache-tomcat-10.1.43-windows-x86.zip.sha512 dev/tomcat/tomcat-10/v10.1.43/bin/apache-tomcat-10.1.43.exe (with props) dev/tomcat/tomcat-10/v10.1.43/bin/apache-tomcat-10.1.43.exe.asc dev/tomcat/tomcat-10/v10.1.43/bin/apache-tomcat-10.1.43.exe.sha512 dev/tomcat/tomcat-10/v10.1.43/bin/apache-tomcat-10.1.43.tar.gz (with props) dev/tomcat/tomcat-10/v10.1.43/bin/apache-tomcat-10.1.43.tar.gz.asc dev/tomcat/tomcat-10/v10.1.43/bin/apache-tomcat-10.1.43.tar.gz.sha512 
dev/tomcat/tomcat-10/v10.1.43/bin/apache-tomcat-10.1.43.zip (with props) dev/tomcat/tomcat-10/v10.1.43/bin/apache-tomcat-10.1.43.zip.asc dev/tomcat/tomcat-10/v10.1.43/bin/apache-tomcat-10.1.43.zip.sha512 dev/tomcat/tomcat-10/v10.1.43/bin/embed/ dev/tomcat/tomcat-10/v10.1.43/bin/embed/apache-tomcat-10.1.43-embed.tar.gz (with props) dev/tomcat/tomcat-10/v10.1.43/bin/embed/apache-tomcat-10.1.43-embed.tar.gz.asc dev/tomcat/tomcat-10/v10.1.43/bin/embed/apache-tomcat-10.1.43-embed.tar.gz.sha512 dev/tomcat/tomcat-10/v10.1.43/bin/embed/apache-tomcat-10.1.43-embed.zip (with props) dev/tomcat/tomcat-10/v10.1.43/bin/embed/apache-tomcat-10.1.43-embed.zip.asc dev/tomcat/tomcat-10/v10.1.43/bin/embed/apache-tomcat-10.1.43-embed.zip.sha512 dev/tomcat/tomcat-10/v10.1.43/src/ dev/tomcat/tomcat-10/v10.1.43/src/apache-tomcat-10.1.43-src.tar.gz (with props) dev/tomcat/tomcat-10/v10.1.43/src/apache-tomcat-10.1.43-src.tar.gz.asc dev/tomcat/tomcat-10/v10.1.43/src/apache-tomcat-10.1.43-src.tar.gz.sha512 dev/tomcat/tomcat-10/v10.1.43/src/apache-tomcat-10.1.43-src.zip (with props) dev/tomcat/tomcat-10/v10.1.43/src/apache-tomcat-10.1.43-src.zip.asc dev/tomcat/tomcat-10/v10.1.43/src/apache-tomcat-10.1.43-src.zip.sha512 Added: dev/tomcat/tomcat-10/v10.1.43/KEYS == --- dev/tomcat/tomcat-10/v10.1.43/KEYS (added) +++ dev/tomcat/tomcat-10/v10.1.43/KEYS Tue Jul 1 21:34:47 2025 
@@ -0,0 +1,562 @@ +This file contains the PGP&GPG keys of various Apache developers. +Please don't use them for email unless you have to. Their main +purpose is code signing. + +Apache users: pgp < KEYS +Apache developers: +(pgpk -ll && pgpk -xa ) >> this file. + or +(gpg --fingerprint --list-sigs + && gpg --armor --export ) >> this file. + +Apache developers: please ensure that your key is also available via the +PGP keyservers (such as pgpkeys.mit.edu). + + +pub 4096R/2F6059E7 2009-09-18 + Key fingerprint = A9C5 DF4D 22E9 9998 D987 5A51 10C0 1C5A 2F60 59E7 +uid Mark E D Thomas +sub 4096R/5E763BEC 2009-09-18 + +-BEGIN PGP PUBLIC KEY BLOCK- +Comment: GPGTools - http://gpgtools.org + +mQINBEq0DukBEAD4jovHOPJDxoD+JnO1Go2kiwpgRULasGlrVKuSUdP6wzcaqWmX +pqtOJKKwW2MQFQLmg7nQ9RjJwy3QCbKNDJQA/bwbQT1F7WzTCz2S6vxC4zxKck4t +6RZBq2dJsYKF0CEh6ZfY4dmKvhq+3istSoFRdHYoOPGWZpuRDqfZPdGm/m335/6K +GH59oysn1NE7a2a+kZzjBSEgv23+l4Z1Rg7+fpz1JcdHSdC2Z+ZRxML25eVatRVz +4yvDOZItqDURP24zWOodxgboldV6Y88C3v/7KRR+1vklzkuA2FqF8Q4r/2f0su7M +UVviQcy29y/RlLSDTTYoVlCZ1ni14qFU7Hpw43KJtgXmcUwq31T1+SlXdYjNJ1aF +kUi8BjCHDcSgE/IReKUanjHzm4XSymKDTeqqzidi4k6PDD4jyHb8k8vxi6qT6Udn +lcfo5NBkkUT1TauhEy8ktHhbl9k60BvvMBP9l6cURiJg1WS77egI4P/82oPbzzFi +GFqXyJKULVgxtdQ3JikCpodp3f1fh6PlYZwkW4xCJLJucJ5MiQp07HAkMVW5w+k8 +Xvuk4i5quh3N+2kzKHOOiQCDmN0sz0XjO
svn commit: r77892 - in /dev/tomcat/tomcat-11/v11.0.9: ./ bin/ bin/embed/ src/
Author: markt Date: Tue Jul 1 21:36:09 2025 New Revision: 77892 Log: Upload 11.0.9 for voting Added: dev/tomcat/tomcat-11/v11.0.9/ dev/tomcat/tomcat-11/v11.0.9/KEYS dev/tomcat/tomcat-11/v11.0.9/README.html dev/tomcat/tomcat-11/v11.0.9/RELEASE-NOTES dev/tomcat/tomcat-11/v11.0.9/bin/ dev/tomcat/tomcat-11/v11.0.9/bin/README.html dev/tomcat/tomcat-11/v11.0.9/bin/apache-tomcat-11.0.9-deployer.tar.gz (with props) dev/tomcat/tomcat-11/v11.0.9/bin/apache-tomcat-11.0.9-deployer.tar.gz.asc dev/tomcat/tomcat-11/v11.0.9/bin/apache-tomcat-11.0.9-deployer.tar.gz.sha512 dev/tomcat/tomcat-11/v11.0.9/bin/apache-tomcat-11.0.9-deployer.zip (with props) dev/tomcat/tomcat-11/v11.0.9/bin/apache-tomcat-11.0.9-deployer.zip.asc dev/tomcat/tomcat-11/v11.0.9/bin/apache-tomcat-11.0.9-deployer.zip.sha512 dev/tomcat/tomcat-11/v11.0.9/bin/apache-tomcat-11.0.9-fulldocs.tar.gz (with props) dev/tomcat/tomcat-11/v11.0.9/bin/apache-tomcat-11.0.9-fulldocs.tar.gz.asc dev/tomcat/tomcat-11/v11.0.9/bin/apache-tomcat-11.0.9-fulldocs.tar.gz.sha512 dev/tomcat/tomcat-11/v11.0.9/bin/apache-tomcat-11.0.9-windows-x64.zip (with props) dev/tomcat/tomcat-11/v11.0.9/bin/apache-tomcat-11.0.9-windows-x64.zip.asc dev/tomcat/tomcat-11/v11.0.9/bin/apache-tomcat-11.0.9-windows-x64.zip.sha512 dev/tomcat/tomcat-11/v11.0.9/bin/apache-tomcat-11.0.9.exe (with props) dev/tomcat/tomcat-11/v11.0.9/bin/apache-tomcat-11.0.9.exe.asc dev/tomcat/tomcat-11/v11.0.9/bin/apache-tomcat-11.0.9.exe.sha512 dev/tomcat/tomcat-11/v11.0.9/bin/apache-tomcat-11.0.9.tar.gz (with props) dev/tomcat/tomcat-11/v11.0.9/bin/apache-tomcat-11.0.9.tar.gz.asc dev/tomcat/tomcat-11/v11.0.9/bin/apache-tomcat-11.0.9.tar.gz.sha512 dev/tomcat/tomcat-11/v11.0.9/bin/apache-tomcat-11.0.9.zip (with props) dev/tomcat/tomcat-11/v11.0.9/bin/apache-tomcat-11.0.9.zip.asc dev/tomcat/tomcat-11/v11.0.9/bin/apache-tomcat-11.0.9.zip.sha512 dev/tomcat/tomcat-11/v11.0.9/bin/embed/ dev/tomcat/tomcat-11/v11.0.9/bin/embed/apache-tomcat-11.0.9-embed.tar.gz (with props) 
dev/tomcat/tomcat-11/v11.0.9/bin/embed/apache-tomcat-11.0.9-embed.tar.gz.asc dev/tomcat/tomcat-11/v11.0.9/bin/embed/apache-tomcat-11.0.9-embed.tar.gz.sha512 dev/tomcat/tomcat-11/v11.0.9/bin/embed/apache-tomcat-11.0.9-embed.zip (with props) dev/tomcat/tomcat-11/v11.0.9/bin/embed/apache-tomcat-11.0.9-embed.zip.asc dev/tomcat/tomcat-11/v11.0.9/bin/embed/apache-tomcat-11.0.9-embed.zip.sha512 dev/tomcat/tomcat-11/v11.0.9/src/ dev/tomcat/tomcat-11/v11.0.9/src/apache-tomcat-11.0.9-src.tar.gz (with props) dev/tomcat/tomcat-11/v11.0.9/src/apache-tomcat-11.0.9-src.tar.gz.asc dev/tomcat/tomcat-11/v11.0.9/src/apache-tomcat-11.0.9-src.tar.gz.sha512 dev/tomcat/tomcat-11/v11.0.9/src/apache-tomcat-11.0.9-src.zip (with props) dev/tomcat/tomcat-11/v11.0.9/src/apache-tomcat-11.0.9-src.zip.asc dev/tomcat/tomcat-11/v11.0.9/src/apache-tomcat-11.0.9-src.zip.sha512 Added: dev/tomcat/tomcat-11/v11.0.9/KEYS == --- dev/tomcat/tomcat-11/v11.0.9/KEYS (added) +++ dev/tomcat/tomcat-11/v11.0.9/KEYS Tue Jul 1 21:36:09 2025 
@@ -0,0 +1,573 @@ +This file contains the PGP&GPG keys of various Apache developers. +Please don't use them for email unless you have to. Their main +purpose is code signing. + +Apache users: pgp < KEYS +Apache developers: +(pgpk -ll && pgpk -xa ) >> this file. + or +(gpg --fingerprint --list-sigs + && gpg --armor --export ) >> this file. + +Apache developers: please ensure that your key is also available via the +PGP keyservers (such as pgpkeys.mit.edu). + + +pub 4096R/2F6059E7 2009-09-18 + Key fingerprint = A9C5 DF4D 22E9 9998 D987 5A51 10C0 1C5A 2F60 59E7 +uid Mark E D Thomas +sub 4096R/5E763BEC 2009-09-18 + +-BEGIN PGP PUBLIC KEY BLOCK- +Comment: GPGTools - http://gpgtools.org + +mQINBEq0DukBEAD4jovHOPJDxoD+JnO1Go2kiwpgRULasGlrVKuSUdP6wzcaqWmX +pqtOJKKwW2MQFQLmg7nQ9RjJwy3QCbKNDJQA/bwbQT1F7WzTCz2S6vxC4zxKck4t +6RZBq2dJsYKF0CEh6ZfY4dmKvhq+3istSoFRdHYoOPGWZpuRDqfZPdGm/m335/6K +GH59oysn1NE7a2a+kZzjBSEgv23+l4Z1Rg7+fpz1JcdHSdC2Z+ZRxML25eVatRVz +4yvDOZItqDURP24zWOodxgboldV6Y88C3v/7KRR+1vklzkuA2FqF8Q4r/2f0su7M +UVviQcy29y/RlLSDTTYoVlCZ1ni14qFU7Hpw43KJtgXmcUwq31T1+SlXdYjNJ1aF +kUi8BjCHDcSgE/IReKUanjHzm4XSymKDTeqqzidi4k6PDD4jyHb8k8vxi6qT6Udn +lcfo5NBkkUT1TauhEy8ktHhbl9k60BvvMBP9l6cURiJg1WS77egI4P/82oPbzzFi +GFqXyJKULVgxtdQ3JikCpodp3f1fh6PlYZwkW4xCJLJucJ5MiQp07HAkMVW5w+k8 +Xvuk4i5quh3N+2kzKHOOiQCDmN0sz0XjOE+7XBvM1lvz3+UarLfgSVmW8aheLd7e +aIl5ItBk8844ZJ60LrQ+JiIqvqJemxyIM6epoZvY5a3ZshZpcLilC5hW8QARAQAB +tCJNYXJrIEUgRCBUaG9tYXMgPG1hcmt0QGFwYWNoZS5vcmc+iQI3BBMBCgAhBQJK +tA7pAhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEBDAHFovYFnn2YgQAKN6 +FLG/I1Ij3PUlC/XNlhasQxPeE3w2OvttweOQPYkblJ9nHtGH5pNqG2/qoGShlpI0 +4jJy9GxWKOo7NV4v7M0mbVlCXVgjdlvMFWdL7lnocggwJA
[VOTE] Release Apache Tomcat 11.0.9
The proposed Apache Tomcat 11.0.9 release is now available for voting. The notable changes compared to 11.0.8 include: - Increase the default for maxPartCount from 10 to 50. Update the documentation to provide more details on the memory requirements to support multi-part uploads while avoiding a denial of service risk. - Various improvements to HTTP/2 - Fix JMX value for keepAliveCount on the endpoint. Also add the value of useVirtualThreads in JMX. For full details, see the change log: https://nightlies.apache.org/tomcat/tomcat-11.0.x/docs/changelog.html Applications that run on Tomcat 9 and earlier will not run on Tomcat 11 without changes. Java EE applications designed for Tomcat 9 and earlier may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically convert them to Jakarta EE and copy them to the webapps directory. Applications using deprecated APIs may require further changes. It can be obtained from: https://dist.apache.org/repos/dist/dev/tomcat/tomcat-11/v11.0.9/ The Maven staging repo is: https://repository.apache.org/content/repositories/orgapachetomcat-1550 The tag is: https://github.com/apache/tomcat/tree/11.0.9 2640cdf945fd8b715cec93e6c7840970a13634a0 The proposed 11.0.9 release is: [ ] -1 Broken - do not release [ ] +1 Stable - go ahead and release as 11.0.9 - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
(tomcat) branch 9.0.x updated: Fix BZ 69731 - correct maxParameterCount tracking.
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new a99f8c70a0 Fix BZ 69731 - correct maxParameterCount tracking. a99f8c70a0 is described below commit a99f8c70a091376fba34471ee262c0b0b2c693b4 Author: Mark Thomas AuthorDate: Tue Jul 1 19:04:18 2025 +0100 Fix BZ 69731 - correct maxParameterCount tracking. Limit was was smaller than intended for multipart uploads with non-file parts when the parts were processed before query string parameters https://bz.apache.org/bugzilla/show_bug.cgi?id=69731 --- java/org/apache/catalina/connector/Request.java| 49 ++- .../catalina/valves/TestParameterLimitValve.java | 143 - webapps/docs/changelog.xml | 6 + 3 files changed, 192 insertions(+), 6 deletions(-) diff --git a/java/org/apache/catalina/connector/Request.java b/java/org/apache/catalina/connector/Request.java index fbcc700047..12f58d9ae4 100644 --- a/java/org/apache/catalina/connector/Request.java +++ b/java/org/apache/catalina/connector/Request.java @@ -111,6 +111,7 @@ import org.apache.tomcat.util.http.ServerCookies; import org.apache.tomcat.util.http.fileupload.FileItem; import org.apache.tomcat.util.http.fileupload.FileUpload; import org.apache.tomcat.util.http.fileupload.disk.DiskFileItemFactory; +import org.apache.tomcat.util.http.fileupload.impl.FileCountLimitExceededException; import org.apache.tomcat.util.http.fileupload.impl.InvalidContentTypeException; import org.apache.tomcat.util.http.fileupload.impl.SizeException; import org.apache.tomcat.util.http.fileupload.servlet.ServletRequestContext; 
@@ -2618,6 +2619,26 @@ public class Request implements HttpServletRequest { } } +/* + * When the request body is multipart/form-data, both the parts and the query string count towards + * maxParameterCount. If parseParts() is called before getParameterXXX() then the parts will be parsed before + * the query string. Otherwise, the query string will be parsed first. + * + * maxParameterCount must be respected regardless of which is parsed first. + * + * maxParameterCount is reset from the Connector at the start of every request. + * + * If parts are parsed first, non-file parts will be added to the parameter map and any files will reduce + * maxParameterCount by 1 so that when the query string is parsed the difference between the size of the + * parameter map and maxParameterCount will be the original maxParameterCount less the number of parts. i.e. the + * maxParameterCount applied to the query string will be the original maxParameterCount less the number of + * parts. + * + * If the query string is parsed first, all parameters will be added to the parameter map and, ignoring + * maxPartCount, the part limit will be set to the original maxParameterCount less the size of the parameter + * map. i.e. the maxParameterCount applied to the parts will be the original maxParameterCount less the number + * of query parameters. + */ Parameters parameters = coyoteRequest.getParameters(); parameters.setLimit(maxParameterCount); @@ -2723,6 +2744,9 @@ public class Request implements HttpServletRequest { // Not possible } parameters.addParameter(name, value); +} else { +// Adjust the limit to account for a file part which is not added to the parameter map. +maxParameterCount--; } } 
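Review bot: The `maxParameterCount--` added in the else branch of the second hunk (@@ -2723,6 +2744,9) is unguarded, so it is only correct if the number of file parts can never exceed the limit it started from; the FileCountLimitExceededException catch in the next hunk suggests FileUpload's file-count limit is derived from maxParameterCount, but that wiring is outside this diff. If that cap were ever loosened, the counter could pass through zero into negative values, which — if a negative value means "unlimited" here, as the Connector documentation describes for the attribute — would remove the limit on the query string instead of tightening it. A guard such as `if (maxParameterCount > 0) { maxParameterCount--; }` stops the decrement at zero while leaving an already-negative value alone; failing that, a comment stating the invariant that the part count is bounded by maxParameterCount would document why the bare decrement is safe. The same hunk appears in the 10.1.x commit on this page (@@ -2682,6 +2703,9), and the enclosing loop in parseParts starts outside the hunk.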
@@ -2730,7 +2754,7 @@ public class Request implements HttpServletRequest { } catch (InvalidContentTypeException e) { parameters.setParseFailedReason(FailReason.INVALID_CONTENT_TYPE); partsParseException = new ServletException(e); -} catch (SizeException e) { +} catch (SizeException | FileCountLimitExceededException e) { parameters.setParseFailedReason(FailReason.POST_TOO_LARGE); checkSwallowInput(); partsParseException = new IllegalStateException(e); @@ -2984,13 +3008,30 @@ public class Request implements HttpServletRequest { parametersParsed = true; +/* + * When the request body is multipart/form-data, both the parts and the query string count towards + * maxParameterCount. If parseParts() is called before getParameterXXX() then the parts will be parsed before + * the query string. Otherwise, the query string will be parsed first. + * + * maxParameterCount must be respected regardless of w
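Review bot: Catching `FileCountLimitExceededException` together with SizeException records `FailReason.POST_TOO_LARGE` for a count violation, so a request rejected for too many parts is reported as an oversized body wherever the parse-failure reason is consulted (FailedRequestFilter, logging), which sends whoever investigates the rejection down the wrong path. Parameters already distinguishes this case with `FailReason.TOO_MANY_PARAMETERS`, so a separate catch clause for FileCountLimitExceededException that mirrors the SizeException branch but sets `parameters.setParseFailedReason(FailReason.TOO_MANY_PARAMETERS);` keeps the diagnostic accurate without changing the IllegalStateException callers see. The same clause is in the 10.1.x commit (@@ -2689,7 +2713,7); the try block this catch belongs to starts outside the hunk.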
(tomcat) branch 10.1.x updated: Fix BZ 69731 - correct maxParameterCount tracking.
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.1.x by this push: new 016c7e0c41 Fix BZ 69731 - correct maxParameterCount tracking. 016c7e0c41 is described below commit 016c7e0c41d2282a31db5b6bdb362394a1bb0c99 Author: Mark Thomas AuthorDate: Tue Jul 1 19:04:18 2025 +0100 Fix BZ 69731 - correct maxParameterCount tracking. Limit was was smaller than intended for multipart uploads with non-file parts when the parts were processed before query string parameters https://bz.apache.org/bugzilla/show_bug.cgi?id=69731 --- java/org/apache/catalina/connector/Request.java| 49 ++- .../catalina/valves/TestParameterLimitValve.java | 143 - webapps/docs/changelog.xml | 6 + 3 files changed, 192 insertions(+), 6 deletions(-) diff --git a/java/org/apache/catalina/connector/Request.java b/java/org/apache/catalina/connector/Request.java index dfab466afd..cc1306dff0 100644 --- a/java/org/apache/catalina/connector/Request.java +++ b/java/org/apache/catalina/connector/Request.java @@ -111,6 +111,7 @@ import org.apache.tomcat.util.http.ServerCookies; import org.apache.tomcat.util.http.fileupload.FileItem; import org.apache.tomcat.util.http.fileupload.FileUpload; import org.apache.tomcat.util.http.fileupload.disk.DiskFileItemFactory; +import org.apache.tomcat.util.http.fileupload.impl.FileCountLimitExceededException; import org.apache.tomcat.util.http.fileupload.impl.InvalidContentTypeException; import org.apache.tomcat.util.http.fileupload.impl.SizeException; import org.apache.tomcat.util.http.fileupload.servlet.ServletRequestContext; 
@@ -2577,6 +2578,26 @@ public class Request implements HttpServletRequest { } } +/* + * When the request body is multipart/form-data, both the parts and the query string count towards + * maxParameterCount. If parseParts() is called before getParameterXXX() then the parts will be parsed before + * the query string. Otherwise, the query string will be parsed first. + * + * maxParameterCount must be respected regardless of which is parsed first. + * + * maxParameterCount is reset from the Connector at the start of every request. + * + * If parts are parsed first, non-file parts will be added to the parameter map and any files will reduce + * maxParameterCount by 1 so that when the query string is parsed the difference between the size of the + * parameter map and maxParameterCount will be the original maxParameterCount less the number of parts. i.e. the + * maxParameterCount applied to the query string will be the original maxParameterCount less the number of + * parts. + * + * If the query string is parsed first, all parameters will be added to the parameter map and, ignoring + * maxPartCount, the part limit will be set to the original maxParameterCount less the size of the parameter + * map. i.e. the maxParameterCount applied to the parts will be the original maxParameterCount less the number + * of query parameters. + */ Parameters parameters = coyoteRequest.getParameters(); parameters.setLimit(maxParameterCount); @@ -2682,6 +2703,9 @@ public class Request implements HttpServletRequest { // Not possible } parameters.addParameter(name, value); +} else { +// Adjust the limit to account for a file part which is not added to the parameter map. +maxParameterCount--; } } 
@@ -2689,7 +2713,7 @@ public class Request implements HttpServletRequest { } catch (InvalidContentTypeException e) { parameters.setParseFailedReason(FailReason.INVALID_CONTENT_TYPE); partsParseException = new ServletException(e); -} catch (SizeException e) { +} catch (SizeException | FileCountLimitExceededException e) { parameters.setParseFailedReason(FailReason.POST_TOO_LARGE); checkSwallowInput(); partsParseException = new IllegalStateException(e); @@ -2934,13 +2958,30 @@ public class Request implements HttpServletRequest { parametersParsed = true; +/* + * When the request body is multipart/form-data, both the parts and the query string count towards + * maxParameterCount. If parseParts() is called before getParameterXXX() then the parts will be parsed before + * the query string. Otherwise, the query string will be parsed first. + * + * maxParameterCount must be respected regardless of
[Bug 69731] Incorrect count of maxParameterCount (double count) when executing req.getParameter(name) after req.getParts()
https://bz.apache.org/bugzilla/show_bug.cgi?id=69731 Mark Thomas changed: What|Removed |Added Resolution|--- |FIXED Status|REOPENED|RESOLVED --- Comment #4 from Mark Thomas --- Fixed in: - 11.0.x for 11.0.9 onwards - 10.1.x for 10.1.43 onwards - 9.0.x for 9.0.107 onwards -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
(tomcat) branch main updated (b55723bc0f -> d9d0ccac80)
This is an automated email from the ASF dual-hosted git repository. markt pushed a change to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git from b55723bc0f Fix BZ 69731 - correct maxParameterCount tracking. add d9d0ccac80 Apply the initial HTTP/2 connection limits earlier. No new revisions were added by this update. Summary of changes: .../apache/coyote/http2/ConnectionSettingsBase.java | 19 +-- .../apache/coyote/http2/ConnectionSettingsLocal.java | 5 - java/org/apache/coyote/http2/Http2UpgradeHandler.java | 8 ++-- webapps/docs/changelog.xml| 4 4 files changed, 31 insertions(+), 5 deletions(-) - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
(tomcat) branch 11.0.x updated: Apply the initial HTTP/2 connection limits earlier.
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 11.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/11.0.x by this push: new be8f330f83 Apply the initial HTTP/2 connection limits earlier. be8f330f83 is described below commit be8f330f83ceddaf3baeed57522e571572b6b99b Author: Mark Thomas AuthorDate: Tue Jul 1 19:58:55 2025 +0100 Apply the initial HTTP/2 connection limits earlier. --- .../apache/coyote/http2/ConnectionSettingsBase.java | 19 +-- .../apache/coyote/http2/ConnectionSettingsLocal.java | 5 - java/org/apache/coyote/http2/Http2UpgradeHandler.java | 8 ++-- webapps/docs/changelog.xml| 4 4 files changed, 31 insertions(+), 5 deletions(-) diff --git a/java/org/apache/coyote/http2/ConnectionSettingsBase.java b/java/org/apache/coyote/http2/ConnectionSettingsBase.java index cdb95ab10b..8fd9f77236 100644 --- a/java/org/apache/coyote/http2/ConnectionSettingsBase.java +++ b/java/org/apache/coyote/http2/ConnectionSettingsBase.java @@ -65,6 +65,11 @@ abstract class ConnectionSettingsBase { final void set(Setting setting, long value) throws T { +set(setting, value, false); +} + + +final void set(Setting setting, long value, boolean force) throws T { if (log.isTraceEnabled()) { log.trace(sm.getString("connectionSettings.debug", connectionId, getEndpointName(), setting, Long.toString(value))); 
@@ -90,11 +95,21 @@ abstract class ConnectionSettingsBase { } } -set(setting, Long.valueOf(value)); +set(setting, Long.valueOf(value), force); } -synchronized void set(Setting setting, Long value) { +/** + * Specify a new value for setting with the option to force the change to take effect immediately rather than + * waiting until an {@code ACK} is received. + * + * @param setting The setting to update + * @param value The new value for the setting + * @param force {@code false} if an {@code ACK} must be received before the setting takes effect or {@code true} + *if the setting to take effect immediately. Even if the setting takes effect immediately, it + *will still be included in the next {@code SETTINGS} frame and an {@code ACK} will be expected. + */ +synchronized void set(Setting setting, Long value, boolean force) { current.put(setting, value); } diff --git a/java/org/apache/coyote/http2/ConnectionSettingsLocal.java b/java/org/apache/coyote/http2/ConnectionSettingsLocal.java index 372be80223..5ceec8ece1 100644 --- a/java/org/apache/coyote/http2/ConnectionSettingsLocal.java +++ b/java/org/apache/coyote/http2/ConnectionSettingsLocal.java @@ -40,12 +40,15 @@ class ConnectionSettingsLocal extends ConnectionSettingsBase + +When setting the initial HTTP/2 connection limit, apply those limits +earlier. (markt) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
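Review bot: The Javadoc added for `synchronized void set(Setting setting, Long value, boolean force)` promises immediate-effect semantics that this implementation does not provide: the body is still just `current.put(setting, value);` and `force` is never read, so the behaviour must come from an override (presumably in ConnectionSettingsLocal, whose hunk is garbled on this page). A reader of the base class will otherwise expect the flag to be honoured here; one sentence such as `This implementation ignores {@code force}; subclasses that defer changes until an {@code ACK} override it.` fixes that. The `@param force` text also drops a word — `if the setting to take effect immediately` should read `if the setting is to take effect immediately`. The same hunk is in the 10.1.x commit (@@ -102,11 +107,21).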
(tomcat) branch 10.1.x updated: Apply the initial HTTP/2 connection limits earlier.
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.1.x by this push: new 2aa6261276 Apply the initial HTTP/2 connection limits earlier. 2aa6261276 is described below commit 2aa6261276ebe50b99276953591e3a2be7898bdb Author: Mark Thomas AuthorDate: Tue Jul 1 19:58:55 2025 +0100 Apply the initial HTTP/2 connection limits earlier. --- .../apache/coyote/http2/ConnectionSettingsBase.java | 19 +-- .../apache/coyote/http2/ConnectionSettingsLocal.java | 5 - java/org/apache/coyote/http2/Http2UpgradeHandler.java | 8 ++-- webapps/docs/changelog.xml| 4 4 files changed, 31 insertions(+), 5 deletions(-) diff --git a/java/org/apache/coyote/http2/ConnectionSettingsBase.java b/java/org/apache/coyote/http2/ConnectionSettingsBase.java index 749fac5cff..47141ba050 100644 --- a/java/org/apache/coyote/http2/ConnectionSettingsBase.java +++ b/java/org/apache/coyote/http2/ConnectionSettingsBase.java @@ -66,6 +66,11 @@ abstract class ConnectionSettingsBase { final void set(Setting setting, long value) throws T { +set(setting, value, false); +} + + +final void set(Setting setting, long value, boolean force) throws T { if (log.isTraceEnabled()) { log.trace(sm.getString("connectionSettings.debug", connectionId, getEndpointName(), setting, Long.toString(value))); 
@@ -102,11 +107,21 @@ abstract class ConnectionSettingsBase { return; } -set(setting, Long.valueOf(value)); +set(setting, Long.valueOf(value), force); } -synchronized void set(Setting setting, Long value) { +/** + * Specify a new value for setting with the option to force the change to take effect immediately rather than + * waiting until an {@code ACK} is received. + * + * @param setting The setting to update + * @param value The new value for the setting + * @param force {@code false} if an {@code ACK} must be received before the setting takes effect or {@code true} + *if the setting to take effect immediately. Even if the setting takes effect immediately, it + *will still be included in the next {@code SETTINGS} frame and an {@code ACK} will be expected. + */ +synchronized void set(Setting setting, Long value, boolean force) { current.put(setting, value); } diff --git a/java/org/apache/coyote/http2/ConnectionSettingsLocal.java b/java/org/apache/coyote/http2/ConnectionSettingsLocal.java index 372be80223..5ceec8ece1 100644 --- a/java/org/apache/coyote/http2/ConnectionSettingsLocal.java +++ b/java/org/apache/coyote/http2/ConnectionSettingsLocal.java @@ -40,12 +40,15 @@ class ConnectionSettingsLocal extends ConnectionSettingsBase + +When setting the initial HTTP/2 connection limit, apply those limits +earlier. (markt) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
(tomcat) 01/01: Tag 11.0.9
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to tag 11.0.9 in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 2640cdf945fd8b715cec93e6c7840970a13634a0 Author: Mark Thomas AuthorDate: Tue Jul 1 22:01:28 2025 +0100 Tag 11.0.9 --- build.properties.release | 54 +++ res/install-win/Uninstall.exe.sig| Bin 0 -> 8275 bytes res/install-win/tomcat-installer.exe.sig | Bin 0 -> 8276 bytes res/maven/mvn.properties.release | 27 webapps/docs/changelog.xml | 2 +- 5 files changed, 82 insertions(+), 1 deletion(-) diff --git a/build.properties.release b/build.properties.release new file mode 100644 index 00..8667d8411b --- /dev/null +++ b/build.properties.release 
@@ -0,0 +1,54 @@ +# - +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# - + +# This file was auto-generated by the pre-release Ant target. + +# Any unwanted settings may be over-ridden in a build.properties file located +# in the same directory as this file. + +# Set the version-dev to "" (empty string) as this is not a development release. +version.dev= + +# Ensure consistent timestamps for reproducible builds. +ant.tstamp.now.iso=2025-07-01T20:39:04Z + +# Enable insertion of detached signatures into the Windows installer. +do.codesigning=true + +# Re-use the same GPG executable. +gpg.exec=C:/Program Files (x86)/GnuPG/bin/gpg.exe + +# Reproducible builds require the use of the build tools defined below. The +# vendors (where appropriate) and versions must match exactly for a reproducible +# build since this data is embedded in various files, particularly JAR file +# manifests, as part of the build process. +# +# Apache Ant: Apache Ant(TM) version 1.10.15 compiled on August 25 2024 +# +# Java Name: OpenJDK 64-Bit Server VM +# Java Vendor: Eclipse Adoptium +# Java Version:24.0.1+9 + +# The following is provided for information only. Builds will be repeatable +# whether or not the build environment is consistent with this information. 
+# +# OS: amd64 Windows Server 2022 10.0 +# File encoding: UTF-8 +# +# Release Manager: markt +release-java-version=24.0.1+9 +release-ant-version=1.10.15 diff --git a/res/install-win/Uninstall.exe.sig b/res/install-win/Uninstall.exe.sig new file mode 100644 index 00..f3e4afc4b7 Binary files /dev/null and b/res/install-win/Uninstall.exe.sig differ diff --git a/res/install-win/tomcat-installer.exe.sig b/res/install-win/tomcat-installer.exe.sig new file mode 100644 index 00..9422a9e0ef Binary files /dev/null and b/res/install-win/tomcat-installer.exe.sig differ diff --git a/res/maven/mvn.properties.release b/res/maven/mvn.properties.release new file mode 100644 index 00..9373373bf5 --- /dev/null +++ b/res/maven/mvn.properties.release @@ -0,0 +1,27 @@ +# - +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# - + +# This file was auto-generated by the pre-release Ant target. + +# Remove "-dev" from the version since this is not a development release. +maven.asf.release.deploy.version=11.0.9 + +# Re-use the same GPG executable. +gpg.exec=C:/Pro
(tomcat) tag 11.0.9 created (now 2640cdf945)
This is an automated email from the ASF dual-hosted git repository. markt pushed a change to tag 11.0.9 in repository https://gitbox.apache.org/repos/asf/tomcat.git at 2640cdf945 (commit) This tag includes the following new commits: new 2640cdf945 Tag 11.0.9 The 1 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
(tomcat) branch main updated: Align size tracking for multipart requests with FileUpload's use of long
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new 266fbc953b Align size tracking for multipart requests with FileUpload's use of long 266fbc953b is described below commit 266fbc953b5d40b518e4eb10132e561bc6ae8c5a Author: Mark Thomas AuthorDate: Tue Jul 1 20:22:16 2025 +0100 Align size tracking for multipart requests with FileUpload's use of long --- java/org/apache/catalina/connector/Request.java | 13 +++-- webapps/docs/changelog.xml | 4 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/java/org/apache/catalina/connector/Request.java b/java/org/apache/catalina/connector/Request.java index 760e728e28..042e199659 100644 --- a/java/org/apache/catalina/connector/Request.java +++ b/java/org/apache/catalina/connector/Request.java @@ -2467,23 +2467,23 @@ public class Request implements HttpServletRequest { try { List items = upload.parseRequest(new ServletRequestContext(this)); int maxPostSize = getConnector().getMaxPostSize(); -int postSize = 0; +long postSize = 0; Charset charset = getCharset(); for (FileItem item : items) { ApplicationPart part = new ApplicationPart(item, location); -parts.add(part); if (part.getSubmittedFileName() == null) { String name = part.getName(); if (maxPostSize >= 0) { // Have to calculate equivalent size. Not completely // accurate but close enough. -postSize += name.getBytes(charset).length; +// Name +postSize = Math.addExact(postSize, name.getBytes(charset).length); // Equals sign -postSize++; +postSize = Math.addExact(postSize, 1); // Value length -postSize += (int) part.getSize(); +postSize = Math.addExact(postSize, part.getSize()); // Value separator -postSize++; +postSize = Math.addExact(postSize, 1); if (postSize > maxPostSize) { throw new IllegalStateException(sm.getString("coyoteRequest.maxPostSizeExceeded")); } 
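Review bot: `Math.addExact` throws `ArithmeticException` on overflow, and none of the catch clauses visible on this page handles it, so an overflow would leave parseParts as a bare runtime exception instead of being recorded in partsParseException. It looks unreachable in practice: postSize is compared with the int maxPostSize after every part, so each addition starts from at most Integer.MAX_VALUE and overflow would need a single part reporting a size close to Long.MAX_VALUE. That reasoning is worth a comment next to the first addExact, e.g. `// addExact cannot realistically overflow: postSize is re-checked against the int maxPostSize after every part`. The same change is in the 11.0.x commit (@@ -2575,23 +2575,23); the enclosing try block ends outside the hunk.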
@@ -2499,6 +2499,7 @@ public class Request implements HttpServletRequest { // Adjust the limit to account for a file part which is not added to the parameter map. maxParameterCount--; } +parts.add(part); } } catch (InvalidContentTypeException e) { partsParseException = new ServletException(e); diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 48ab93e696..e23bf7826e 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -187,6 +187,10 @@ multipart uploads with non-file parts when the parts were processed before query string parameters. (markt) + +Align size tracking for multipart requests with FileUpload's use of +long. (schultz) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
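Review bot: With `parts.add(part)` moved to the end of the loop body, a part that trips the maxPostSize check in the previous hunk is no longer registered in `parts`, although its ApplicationPart and the underlying FileItem already exist. If request cleanup releases part storage by walking `parts` (not visible here), that item — like any later entries in `items`, which was already the case before this change — is left to the FileItem's own cleanup of its temporary file. Worth either confirming that cleanup covers unregistered items or calling `item.delete();` before the IllegalStateException is thrown, with a comment recording why the offending part is deliberately kept out of `parts`. The same move is in the 11.0.x commit (@@ -2607,6 +2607,7); the loop and try block start outside the hunk.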
(tomcat) branch 11.0.x updated: Align size tracking for multipart requests with FileUpload's use of long
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 11.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/11.0.x by this push: new a51e4bedcc Align size tracking for multipart requests with FileUpload's use of long a51e4bedcc is described below commit a51e4bedccfafd35b7cdd0ee3e22267dee9f90db Author: Mark Thomas AuthorDate: Tue Jul 1 20:22:16 2025 +0100 Align size tracking for multipart requests with FileUpload's use of long --- java/org/apache/catalina/connector/Request.java | 13 +++-- webapps/docs/changelog.xml | 4 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/java/org/apache/catalina/connector/Request.java b/java/org/apache/catalina/connector/Request.java index 2b34c03534..88d2c82c78 100644 --- a/java/org/apache/catalina/connector/Request.java +++ b/java/org/apache/catalina/connector/Request.java @@ -2575,23 +2575,23 @@ public class Request implements HttpServletRequest { try { List items = upload.parseRequest(new ServletRequestContext(this)); int maxPostSize = getConnector().getMaxPostSize(); -int postSize = 0; +long postSize = 0; Charset charset = getCharset(); for (FileItem item : items) { ApplicationPart part = new ApplicationPart(item, location); -parts.add(part); if (part.getSubmittedFileName() == null) { String name = part.getName(); if (maxPostSize >= 0) { // Have to calculate equivalent size. Not completely // accurate but close enough. -postSize += name.getBytes(charset).length; +// Name +postSize = Math.addExact(postSize, name.getBytes(charset).length); // Equals sign -postSize++; +postSize = Math.addExact(postSize, 1); // Value length -postSize += (int) part.getSize(); +postSize = Math.addExact(postSize, part.getSize()); // Value separator -postSize++; +postSize = Math.addExact(postSize, 1); if (postSize > maxPostSize) { throw new IllegalStateException(sm.getString("coyoteRequest.maxPostSizeExceeded")); } 
@@ -2607,6 +2607,7 @@ public class Request implements HttpServletRequest { // Adjust the limit to account for a file part which is not added to the parameter map. maxParameterCount--; } +parts.add(part); } } catch (InvalidContentTypeException e) { partsParseException = new ServletException(e); diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index f56d589344..3402a7c235 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -132,6 +132,10 @@ multipart uploads with non-file parts when the parts were processed before query string parameters. (markt) + +Align size tracking for multipart requests with FileUpload's use of +long. (schultz) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Buildbot failure in on tomcat-9.0.x
Build status: BUILD FAILED: failed compile (failure) Logs copied. (failure) Worker used: bb_worker2_ubuntu URL: https://ci2.apache.org/#builders/37/builds/1445 Blamelist: Mark Thomas Build Text: failed compile (failure) Logs copied. (failure) Status Detected: new failure Build Source Stamp: [branch 9.0.x] a99f8c70a091376fba34471ee262c0b0b2c693b4 Steps: worker_preparation: 0 git: 0 shell: 0 shell_1: 0 shell_2: 0 shell_3: 0 shell_4: 0 shell_5: 0 shell_6: 0 compile: 1 shell_7: 0 shell_8: 0 shell_9: 0 shell_10: 0 Rsync docs to nightlies.apache.org: 0 shell_11: 0 Rsync RAT to nightlies.apache.org: 0 compile_1: 2 shell_12: 2 -- ASF Buildbot - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 69731] Incorrect count of maxParameterCount (double count) when executing req.getParameter(name) after req.getParts()
https://bz.apache.org/bugzilla/show_bug.cgi?id=69731 --- Comment #3 from Mark Thomas --- I have a clean fix for this. I just need to write some unit tests and I'll be ready to merge it. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
(tomcat-native) branch main updated: Add tracking file for possible changes for next major version
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat-native.git The following commit(s) were added to refs/heads/main by this push: new 7fd9268c0 Add tracking file for possible changes for next major version 7fd9268c0 is described below commit 7fd9268c0d1df305d468b91e2cb7beb66e4a6aa0 Author: Mark Thomas AuthorDate: Tue Jul 1 10:04:36 2025 +0100 Add tracking file for possible changes for next major version --- TOMCAT-NATIVE-NEXT.txt | 21 + 1 file changed, 21 insertions(+) diff --git a/TOMCAT-NATIVE-NEXT.txt b/TOMCAT-NATIVE-NEXT.txt new file mode 100644 index 0..4dca7ec8c --- /dev/null +++ b/TOMCAT-NATIVE-NEXT.txt @@ -0,0 +1,21 @@ + + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + + +Notes of things to consider for the next Tomcat Native release (3.0.x) + +1. Drop OCSP support + https://bz.apache.org/bugzilla/show_bug.cgi?id=56148 \ No newline at end of file - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
(tomcat) branch 11.0.x updated: Alphabetical order for Connector attributes
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 11.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/11.0.x by this push: new 13c6c46a2a Alphabetical order for Connector attributes 13c6c46a2a is described below commit 13c6c46a2a68f83f12385653737aef70a92b1be4 Author: Mark Thomas AuthorDate: Tue Jul 1 08:47:57 2025 +0100 Alphabetical order for Connector attributes --- webapps/docs/security-howto.xml | 36 ++-- 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml index 661c614aa2..e827f186d3 100644 --- a/webapps/docs/security-howto.xml +++ b/webapps/docs/security-howto.xml @@ -271,6 +271,13 @@ will interpret as UTF-7 a response containing characters that are safe for ISO-8859-1 but trigger an XSS vulnerability if interpreted as UTF-7. + The maxParameterCount attribute controls the maximum + total number of request parameters (including uploaded files) obtained + from the query string and, for POST requests, the request body if the + content type is application/x-www-form-urlencoded or + multipart/form-data. Requests with excessive parameters are + rejected. + The maxPartCount attribute controls the maximum number of parts supported for a multipart request. This is limited to 50 by default to reduce exposure to a DoS attack. The documentation for 
@@ -295,21 +302,9 @@ the FORM authenticator. - The maxParameterCount attribute controls the maximum - total number of request parameters (including uploaded files) obtained - from the query string and, for POST requests, the request body if the - content type is application/x-www-form-urlencoded or - multipart/form-data. Requests with excessive parameters are - rejected. - - The xpoweredBy attribute controls whether or not the - X-Powered-By HTTP header is sent with each request. If sent, the value of - the header contains the Servlet and JSP specification versions, the full - Tomcat version (e.g. Apache Tomcat/), the name of - the JVM vendor and - the version of the JVM. This header is disabled by default. This header - can provide useful information to both legitimate clients and attackers. - + The requiredSecret attribute in AJP connectors + configures shared secret between Tomcat and reverse proxy in front of + Tomcat. It is used to prevent unauthorized connections over AJP protocol. The server attribute controls the value of the Server HTTP header. The default value of this header for Tomcat 4.1.x to 
@@ -337,9 +332,14 @@ proxy (the authenticated user name is passed to Tomcat as part of the AJP protocol) with the option for Tomcat to still perform authorization. - The requiredSecret attribute in AJP connectors - configures shared secret between Tomcat and reverse proxy in front of - Tomcat. It is used to prevent unauthorized connections over AJP protocol. + The xpoweredBy attribute controls whether or not the + X-Powered-By HTTP header is sent with each request. If sent, the value of + the header contains the Servlet and JSP specification versions, the full + Tomcat version (e.g. Apache Tomcat/), the name of + the JVM vendor and + the version of the JVM. This header is disabled by default. This header + can provide useful information to both legitimate clients and attackers. + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
(tomcat) branch 10.1.x updated: Alphabetical order for Connector attributes
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.1.x by this push: new cd0fb60321 Alphabetical order for Connector attributes cd0fb60321 is described below commit cd0fb60321392c6ecf034ded9766da3553bbbd98 Author: Mark Thomas AuthorDate: Tue Jul 1 08:47:57 2025 +0100 Alphabetical order for Connector attributes --- webapps/docs/security-howto.xml | 38 +++--- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml index 44c48f8031..9d58ba89e5 100644 --- a/webapps/docs/security-howto.xml +++ b/webapps/docs/security-howto.xml @@ -304,6 +304,14 @@ will interpret as UTF-7 a response containing characters that are safe for ISO-8859-1 but trigger an XSS vulnerability if interpreted as UTF-7. + The maxParameterCount attribute controls the maximum + total number of request parameters (including uploaded files) obtained + from the query string and, for POST requests, the request body if the + content type is application/x-www-form-urlencoded or + multipart/form-data. Excessive parameters are ignored. If you + want to reject such requests, configure a + FailedRequestFilter. + The maxPartCount attribute controls the maximum number of parts supported for a multipart request. This is limited to 50 by default to reduce exposure to a DoS attack. The documentation for 
@@ -330,22 +338,9 @@ the FORM authenticator. - The maxParameterCount attribute controls the maximum - total number of request parameters (including uploaded files) obtained - from the query string and, for POST requests, the request body if the - content type is application/x-www-form-urlencoded or - multipart/form-data. Excessive parameters are ignored. If you - want to reject such requests, configure a - FailedRequestFilter. - - The xpoweredBy attribute controls whether or not the - X-Powered-By HTTP header is sent with each request. If sent, the value of - the header contains the Servlet and JSP specification versions, the full - Tomcat version (e.g. Apache Tomcat/), the name of - the JVM vendor and - the version of the JVM. This header is disabled by default. This header - can provide useful information to both legitimate clients and attackers. - + The requiredSecret attribute in AJP connectors + configures shared secret between Tomcat and reverse proxy in front of + Tomcat. It is used to prevent unauthorized connections over AJP protocol. The server attribute controls the value of the Server HTTP header. The default value of this header for Tomcat 4.1.x to 
@@ -373,9 +368,14 @@ proxy (the authenticated user name is passed to Tomcat as part of the AJP protocol) with the option for Tomcat to still perform authorization. - The requiredSecret attribute in AJP connectors - configures shared secret between Tomcat and reverse proxy in front of - Tomcat. It is used to prevent unauthorized connections over AJP protocol. + The xpoweredBy attribute controls whether or not the + X-Powered-By HTTP header is sent with each request. If sent, the value of + the header contains the Servlet and JSP specification versions, the full + Tomcat version (e.g. Apache Tomcat/), the name of + the JVM vendor and + the version of the JVM. This header is disabled by default. This header + can provide useful information to both legitimate clients and attackers. + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 69710] FileCountLimitExceededException is thrown in version 11.0.8
https://bz.apache.org/bugzilla/show_bug.cgi?id=69710 clement.demoul...@faveod.com changed: What | Removed | Added — CC | | clement.demoul...@faveod.com -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
(tomcat) branch 11.0.x updated: Add rejectSuspiciousURIs
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 11.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/11.0.x by this push: new 762d3d29b7 Add rejectSuspiciousURIs 762d3d29b7 is described below commit 762d3d29b794e48d442c552387aabe7121b979be Author: Mark Thomas AuthorDate: Tue Jul 1 09:34:19 2025 +0100 Add rejectSuspiciousURIs --- webapps/docs/security-howto.xml | 6 ++ 1 file changed, 6 insertions(+) diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml index e827f186d3..d5fbc330cd 100644 --- a/webapps/docs/security-howto.xml +++ b/webapps/docs/security-howto.xml @@ -302,6 +302,12 @@ the FORM authenticator. + The rejectSuspiciousURIs attribute can be used to + reject valid URIs that contain patterns that are often used by malicious + clients to mount attacks using techniques such as directory traversal. + Note that this attribute is false by default as there is some + overlap betweeen suspicious URIs and legitimate usage. + The requiredSecret attribute in AJP connectors configures shared secret between Tomcat and reverse proxy in front of Tomcat. It is used to prevent unauthorized connections over AJP protocol. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
(tomcat) branch 9.0.x updated: Alphabetical order for Connector attributes
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new d971a970c3 Alphabetical order for Connector attributes d971a970c3 is described below commit d971a970c3a7b4a825e78844a851dce16462dac2 Author: Mark Thomas AuthorDate: Tue Jul 1 08:47:57 2025 +0100 Alphabetical order for Connector attributes --- webapps/docs/security-howto.xml | 38 +++--- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml index cbb2ed5f72..4cd7375228 100644 --- a/webapps/docs/security-howto.xml +++ b/webapps/docs/security-howto.xml @@ -292,6 +292,14 @@ non-default value when behind a reverse proxy may enable an attacker to bypass any security constraints enforced by the proxy. + The maxParameterCount attribute controls the maximum + total number of request parameters (including uploaded files) obtained + from the query string and, for POST requests, the request body if the + content type is application/x-www-form-urlencoded or + multipart/form-data. Excessive parameters are ignored. If you + want to reject such requests, configure a + FailedRequestFilter. + The maxPartCount attribute controls the maximum number of parts supported for a multipart request. This is limited to 50 by default to reduce exposure to a DoS attack. The documentation for 
@@ -318,22 +326,9 @@ the FORM authenticator. - The maxParameterCount attribute controls the maximum - total number of request parameters (including uploaded files) obtained - from the query string and, for POST requests, the request body if the - content type is application/x-www-form-urlencoded or - multipart/form-data. Excessive parameters are ignored. If you - want to reject such requests, configure a - FailedRequestFilter. - - The xpoweredBy attribute controls whether or not the - X-Powered-By HTTP header is sent with each request. If sent, the value of - the header contains the Servlet and JSP specification versions, the full - Tomcat version (e.g. Apache Tomcat/), the name of - the JVM vendor and - the version of the JVM. This header is disabled by default. This header - can provide useful information to both legitimate clients and attackers. - + The requiredSecret attribute in AJP connectors + configures shared secret between Tomcat and reverse proxy in front of + Tomcat. It is used to prevent unauthorized connections over AJP protocol. The server attribute controls the value of the Server HTTP header. The default value of this header for Tomcat 4.1.x to 
@@ -361,9 +356,14 @@ proxy (the authenticated user name is passed to Tomcat as part of the AJP protocol) with the option for Tomcat to still perform authorization. - The requiredSecret attribute in AJP connectors - configures shared secret between Tomcat and reverse proxy in front of - Tomcat. It is used to prevent unauthorized connections over AJP protocol. + The xpoweredBy attribute controls whether or not the + X-Powered-By HTTP header is sent with each request. If sent, the value of + the header contains the Servlet and JSP specification versions, the full + Tomcat version (e.g. Apache Tomcat/), the name of + the JVM vendor and + the version of the JVM. This header is disabled by default. This header + can provide useful information to both legitimate clients and attackers. + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
(tomcat) 02/02: Add rejectSuspiciousURIs
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git commit d03a4f4c0733f15b78aa9dfef1593b8e213b4a3b Author: Mark Thomas AuthorDate: Tue Jul 1 09:34:19 2025 +0100 Add rejectSuspiciousURIs --- webapps/docs/security-howto.xml | 6 ++ 1 file changed, 6 insertions(+) diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml index e827f186d3..d5fbc330cd 100644 --- a/webapps/docs/security-howto.xml +++ b/webapps/docs/security-howto.xml @@ -302,6 +302,12 @@ the FORM authenticator. + The rejectSuspiciousURIs attribute can be used to + reject valid URIs that contain patterns that are often used by malicious + clients to mount attacks using techniques such as directory traversal. + Note that this attribute is false by default as there is some + overlap betweeen suspicious URIs and legitimate usage. + The requiredSecret attribute in AJP connectors configures shared secret between Tomcat and reverse proxy in front of Tomcat. It is used to prevent unauthorized connections over AJP protocol. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
(tomcat) branch main updated (f2b49454b2 -> d03a4f4c07)
This is an automated email from the ASF dual-hosted git repository. markt pushed a change to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git from f2b49454b2 Code clean-up - formatting. No functional change. new 8d7378ee09 Alphabetical order for Connector attributes new d03a4f4c07 Add rejectSuspiciousURIs The 2 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference. Summary of changes: webapps/docs/security-howto.xml | 40 +++- 1 file changed, 23 insertions(+), 17 deletions(-) - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
(tomcat) 01/02: Alphabetical order for Connector attributes
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 8d7378ee09648b5a6b7c81d5986cf634a2d6eaa6 Author: Mark Thomas AuthorDate: Tue Jul 1 08:47:57 2025 +0100 Alphabetical order for Connector attributes --- webapps/docs/security-howto.xml | 36 ++-- 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml index 661c614aa2..e827f186d3 100644 --- a/webapps/docs/security-howto.xml +++ b/webapps/docs/security-howto.xml @@ -271,6 +271,13 @@ will interpret as UTF-7 a response containing characters that are safe for ISO-8859-1 but trigger an XSS vulnerability if interpreted as UTF-7. + The maxParameterCount attribute controls the maximum + total number of request parameters (including uploaded files) obtained + from the query string and, for POST requests, the request body if the + content type is application/x-www-form-urlencoded or + multipart/form-data. Requests with excessive parameters are + rejected. + The maxPartCount attribute controls the maximum number of parts supported for a multipart request. This is limited to 50 by default to reduce exposure to a DoS attack. The documentation for 
@@ -295,21 +302,9 @@ the FORM authenticator. - The maxParameterCount attribute controls the maximum - total number of request parameters (including uploaded files) obtained - from the query string and, for POST requests, the request body if the - content type is application/x-www-form-urlencoded or - multipart/form-data. Requests with excessive parameters are - rejected. - - The xpoweredBy attribute controls whether or not the - X-Powered-By HTTP header is sent with each request. If sent, the value of - the header contains the Servlet and JSP specification versions, the full - Tomcat version (e.g. Apache Tomcat/), the name of - the JVM vendor and - the version of the JVM. This header is disabled by default. This header - can provide useful information to both legitimate clients and attackers. - + The requiredSecret attribute in AJP connectors + configures shared secret between Tomcat and reverse proxy in front of + Tomcat. It is used to prevent unauthorized connections over AJP protocol. The server attribute controls the value of the Server HTTP header. The default value of this header for Tomcat 4.1.x to 
@@ -337,9 +332,14 @@ proxy (the authenticated user name is passed to Tomcat as part of the AJP protocol) with the option for Tomcat to still perform authorization. - The requiredSecret attribute in AJP connectors - configures shared secret between Tomcat and reverse proxy in front of - Tomcat. It is used to prevent unauthorized connections over AJP protocol. + The xpoweredBy attribute controls whether or not the + X-Powered-By HTTP header is sent with each request. If sent, the value of + the header contains the Servlet and JSP specification versions, the full + Tomcat version (e.g. Apache Tomcat/), the name of + the JVM vendor and + the version of the JVM. This header is disabled by default. This header + can provide useful information to both legitimate clients and attackers. + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 56148] support (multiple) ocsp stapling
https://bz.apache.org/bugzilla/show_bug.cgi?id=56148 Mark Thomas changed: What|Removed |Added Status|NEW |RESOLVED Resolution|--- |WONTFIX --- Comment #21 from Mark Thomas --- Thanks for the links Chris - they make for interesting reading. I am going to mark this issue as WONTFIX. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
(tomcat) branch 9.0.x updated: Make automatic ACK for settings configurable
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new 58f4329553 Make automatic ACK for settings configurable 58f4329553 is described below commit 58f432955394e1072eda4a61a1ec6393e5d869a4 Author: Mark Thomas AuthorDate: Tue Jul 1 12:16:27 2025 +0100 Make automatic ACK for settings configurable --- test/org/apache/coyote/http2/Http2TestBase.java | 17 +++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/test/org/apache/coyote/http2/Http2TestBase.java b/test/org/apache/coyote/http2/Http2TestBase.java index 999f9057e0..c900f00bf9 100644 --- a/test/org/apache/coyote/http2/Http2TestBase.java +++ b/test/org/apache/coyote/http2/Http2TestBase.java @@ -668,6 +668,11 @@ public abstract class Http2TestBase extends TomcatBaseTest { } protected void openClientConnection(boolean tls) throws IOException { +openClientConnection(tls, true); +} + +protected void openClientConnection(boolean tls, boolean autoAckSettings) throws IOException { + SocketFactory socketFactory = tls ? TesterSupport.configureClientSsl() : SocketFactory.getDefault(); // Open a connection s = socketFactory.createSocket("localhost", getPort()); @@ -677,7 +682,7 @@ public abstract class Http2TestBase extends TomcatBaseTest { InputStream is = s.getInputStream(); input = new TestInput(is); -output = new TestOutput(); +output = new TestOutput(autoAckSettings); parser = new TesterHttp2Parser("-1", input, output); hpackEncoder = new HpackEncoder(); } @@ -1062,6 +1067,8 @@ public abstract class Http2TestBase extends TomcatBaseTest { public class TestOutput implements Output, HeaderEmitter { +private final boolean autoAckSettings; + private StringBuffer trace = new StringBuffer(); private String lastStreamId = "0"; private ConnectionSettingsRemote remoteSettings = new ConnectionSettingsRemote("-1"); 
@@ -1070,6 +1077,10 @@ public abstract class Http2TestBase extends TomcatBaseTest { private long bytesRead; private volatile HpackDecoder hpackDecoder = null; +public TestOutput(boolean autoAckSettings) { +this.autoAckSettings = autoAckSettings; +} + public void setTraceBody(boolean traceBody) { this.traceBody = traceBody; } @@ -1200,7 +1211,9 @@ public abstract class Http2TestBase extends TomcatBaseTest { trace.append("0-Settings-Ack\n"); } else { trace.append("0-Settings-End\n"); -sendSettings(0, true); +if (autoAckSettings) { +sendSettings(0, true); +} } } - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
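Review bot: Neither the new `openClientConnection(boolean, boolean)` overload nor the `TestOutput(boolean)` constructor documents what passing `autoAckSettings = false` does, yet the only visible effect (last hunk) is that the client keeps appending `0-Settings-End` to the trace but no longer answers the server's SETTINGS frame with `sendSettings(0, true)`, so the server's settings stay unacknowledged for the life of the connection — presumably to let a test drive a client that withholds the ACK. I would add on the overload: `@param autoAckSettings when {@code false} the test client does not reply to the server's SETTINGS frame with a SETTINGS ACK; the test must send it itself via {@code sendSettings(0, true)} or deliberately leave it unsent`. The explicit two-argument constructor also removes the implicit no-arg `TestOutput()`, so any other test in the tree that constructs one directly will stop compiling — not visible here. The method containing the final `if (autoAckSettings)` hunk starts outside the hunk.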
(tomcat) branch 10.1.x updated: Make automatic ACK for settings configurable
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.1.x by this push: new 52fd25180f Make automatic ACK for settings configurable 52fd25180f is described below commit 52fd25180fc2dc4866ff53b2079bf797301c0eb5 Author: Mark Thomas AuthorDate: Tue Jul 1 12:16:27 2025 +0100 Make automatic ACK for settings configurable --- test/org/apache/coyote/http2/Http2TestBase.java | 17 +++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/test/org/apache/coyote/http2/Http2TestBase.java b/test/org/apache/coyote/http2/Http2TestBase.java index 60b3f3128f..f1fe36890c 100644 --- a/test/org/apache/coyote/http2/Http2TestBase.java +++ b/test/org/apache/coyote/http2/Http2TestBase.java @@ -671,6 +671,11 @@ public abstract class Http2TestBase extends TomcatBaseTest { } protected void openClientConnection(boolean tls) throws IOException { +openClientConnection(tls, true); +} + +protected void openClientConnection(boolean tls, boolean autoAckSettings) throws IOException { + SocketFactory socketFactory = tls ? TesterSupport.configureClientSsl() : SocketFactory.getDefault(); // Open a connection s = socketFactory.createSocket("localhost", getPort()); @@ -680,7 +685,7 @@ public abstract class Http2TestBase extends TomcatBaseTest { InputStream is = s.getInputStream(); input = new TestInput(is); -output = new TestOutput(); +output = new TestOutput(autoAckSettings); parser = new TesterHttp2Parser("-1", input, output); hpackEncoder = new HpackEncoder(); } @@ -1065,6 +1070,8 @@ public abstract class Http2TestBase extends TomcatBaseTest { public class TestOutput implements Output, HeaderEmitter { +private final boolean autoAckSettings; + private StringBuffer trace = new StringBuffer(); private String lastStreamId = "0"; private ConnectionSettingsRemote remoteSettings = new ConnectionSettingsRemote("-1"); 
@@ -1073,6 +1080,10 @@ public abstract class Http2TestBase extends TomcatBaseTest { private long bytesRead; private volatile HpackDecoder hpackDecoder = null; +public TestOutput(boolean autoAckSettings) { +this.autoAckSettings = autoAckSettings; +} + public void setTraceBody(boolean traceBody) { this.traceBody = traceBody; } @@ -1203,7 +1214,9 @@ public abstract class Http2TestBase extends TomcatBaseTest { trace.append("0-Settings-Ack\n"); } else { trace.append("0-Settings-End\n"); -sendSettings(0, true); +if (autoAckSettings) { +sendSettings(0, true); +} } } - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
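Review bot: The new `autoAckSettings` flag has no Javadoc on either `openClientConnection(boolean, boolean)` or `TestOutput(boolean)`, while its one visible effect (last hunk) is that with `false` the client records `0-Settings-End` but skips `sendSettings(0, true)`, leaving the server's SETTINGS unacknowledged — presumably so a test can model a client that never ACKs. Suggest on the overload: `@param autoAckSettings when {@code false} no SETTINGS ACK is sent automatically on receipt of the server's SETTINGS frame; the test is responsible for sending it (or not) via {@code sendSettings(0, true)}`. Adding the one-argument constructor drops the implicit no-arg one, so any external `new TestOutput()` would need updating — not visible here. The method enclosing the final hunk begins before the hunk.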
(tomcat) branch 11.0.x updated: Make automatic ACK for settings configurable
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 11.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/11.0.x by this push: new a40fd56f7f Make automatic ACK for settings configurable a40fd56f7f is described below commit a40fd56f7f6390e2766c2461166b9fa0862d06b5 Author: Mark Thomas AuthorDate: Tue Jul 1 12:16:27 2025 +0100 Make automatic ACK for settings configurable --- test/org/apache/coyote/http2/Http2TestBase.java | 17 +++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/test/org/apache/coyote/http2/Http2TestBase.java b/test/org/apache/coyote/http2/Http2TestBase.java index bcee87916a..1821bb77ff 100644 --- a/test/org/apache/coyote/http2/Http2TestBase.java +++ b/test/org/apache/coyote/http2/Http2TestBase.java @@ -671,6 +671,11 @@ public abstract class Http2TestBase extends TomcatBaseTest { } protected void openClientConnection(boolean tls) throws IOException { +openClientConnection(tls, true); +} + +protected void openClientConnection(boolean tls, boolean autoAckSettings) throws IOException { + SocketFactory socketFactory = tls ? TesterSupport.configureClientSsl() : SocketFactory.getDefault(); // Open a connection s = socketFactory.createSocket("localhost", getPort()); @@ -680,7 +685,7 @@ public abstract class Http2TestBase extends TomcatBaseTest { InputStream is = s.getInputStream(); input = new TestInput(is); -output = new TestOutput(); +output = new TestOutput(autoAckSettings); parser = new TesterHttp2Parser("-1", input, output); hpackEncoder = new HpackEncoder(); } @@ -1065,6 +1070,8 @@ public abstract class Http2TestBase extends TomcatBaseTest { public class TestOutput implements Output, HeaderEmitter { +private final boolean autoAckSettings; + private StringBuffer trace = new StringBuffer(); private String lastStreamId = "0"; private ConnectionSettingsRemote remoteSettings = new ConnectionSettingsRemote("-1"); 
@@ -1073,6 +1080,10 @@ public abstract class Http2TestBase extends TomcatBaseTest { private long bytesRead; private volatile HpackDecoder hpackDecoder = null; +public TestOutput(boolean autoAckSettings) { +this.autoAckSettings = autoAckSettings; +} + public void setTraceBody(boolean traceBody) { this.traceBody = traceBody; } @@ -1203,7 +1214,9 @@ public abstract class Http2TestBase extends TomcatBaseTest { trace.append("0-Settings-Ack\n"); } else { trace.append("0-Settings-End\n"); -sendSettings(0, true); +if (autoAckSettings) { +sendSettings(0, true); +} } } - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
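Review bot: `autoAckSettings` is undocumented on both the new `openClientConnection` overload and the `TestOutput` constructor, although the last hunk shows that `false` keeps the `0-Settings-End` trace entry but suppresses the `sendSettings(0, true)` reply, so the server's SETTINGS remain unacknowledged for the whole connection — apparently the point, to exercise a client that withholds the ACK. I would write on the overload: `@param autoAckSettings when {@code false} the client does not automatically ACK the server's SETTINGS frame; the test must call {@code sendSettings(0, true)} itself or deliberately omit it`. Since the explicit constructor replaces the implicit no-arg `TestOutput()`, any other caller of `new TestOutput()` outside this file would break — not visible here. The method containing the final hunk starts outside it.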
(tomcat) branch main updated: Make automatic ACK for settings configurable
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new b1e6a14c1a Make automatic ACK for settings configurable b1e6a14c1a is described below commit b1e6a14c1ab99ed44dacc6bad70d9aafcb71a66a Author: Mark Thomas AuthorDate: Tue Jul 1 12:16:27 2025 +0100 Make automatic ACK for settings configurable --- test/org/apache/coyote/http2/Http2TestBase.java | 17 +++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/test/org/apache/coyote/http2/Http2TestBase.java b/test/org/apache/coyote/http2/Http2TestBase.java index bcee87916a..1821bb77ff 100644 --- a/test/org/apache/coyote/http2/Http2TestBase.java +++ b/test/org/apache/coyote/http2/Http2TestBase.java @@ -671,6 +671,11 @@ public abstract class Http2TestBase extends TomcatBaseTest { } protected void openClientConnection(boolean tls) throws IOException { +openClientConnection(tls, true); +} + +protected void openClientConnection(boolean tls, boolean autoAckSettings) throws IOException { + SocketFactory socketFactory = tls ? TesterSupport.configureClientSsl() : SocketFactory.getDefault(); // Open a connection s = socketFactory.createSocket("localhost", getPort()); @@ -680,7 +685,7 @@ public abstract class Http2TestBase extends TomcatBaseTest { InputStream is = s.getInputStream(); input = new TestInput(is); -output = new TestOutput(); +output = new TestOutput(autoAckSettings); parser = new TesterHttp2Parser("-1", input, output); hpackEncoder = new HpackEncoder(); } @@ -1065,6 +1070,8 @@ public abstract class Http2TestBase extends TomcatBaseTest { public class TestOutput implements Output, HeaderEmitter { +private final boolean autoAckSettings; + private StringBuffer trace = new StringBuffer(); private String lastStreamId = "0"; private ConnectionSettingsRemote remoteSettings = new ConnectionSettingsRemote("-1"); 
@@ -1073,6 +1080,10 @@ public abstract class Http2TestBase extends TomcatBaseTest { private long bytesRead; private volatile HpackDecoder hpackDecoder = null; +public TestOutput(boolean autoAckSettings) { +this.autoAckSettings = autoAckSettings; +} + public void setTraceBody(boolean traceBody) { this.traceBody = traceBody; } @@ -1203,7 +1214,9 @@ public abstract class Http2TestBase extends TomcatBaseTest { trace.append("0-Settings-Ack\n"); } else { trace.append("0-Settings-End\n"); -sendSettings(0, true); +if (autoAckSettings) { +sendSettings(0, true); +} } } - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
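Review bot: The new `autoAckSettings` parameter lacks Javadoc on `openClientConnection(boolean, boolean)` and on `TestOutput(boolean)`, while the final hunk shows its only effect: with `false` the trace still gets `0-Settings-End` but `sendSettings(0, true)` is not sent, so the server's SETTINGS go unacknowledged for the life of the connection — presumably to test server behaviour against a client that never ACKs. Suggested text for the overload: `@param autoAckSettings when {@code false} the test client does not send a SETTINGS ACK in response to the server's SETTINGS frame; tests must send it explicitly with {@code sendSettings(0, true)} or intentionally leave it out`. The one-argument constructor also removes the implicit no-arg `TestOutput()`, so any direct `new TestOutput()` elsewhere would no longer compile — not visible here. The method enclosing the last hunk begins before the hunk.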