svn commit: r547096 - in /tomcat/trunk/java/org/apache: coyote/ajp/AjpAprProcessor.java coyote/ajp/AjpProcessor.java jk/common/HandlerRequest.java

2007-06-13 Thread billbarker
Author: billbarker Date: Wed Jun 13 19:55:26 2007 New Revision: 547096 URL: http://svn.apache.org/viewvc?view=rev&rev=547096 Log: Porting large-file support for the AJP Connectors from 5.5 Modified: tomcat/trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java tomcat/trunk/java/org/apache/

[CVE-2007-2450]: Apache Tomcat XSS vulnerability in Manager

2007-06-13 Thread Mark Thomas
CVE-2007-2450: Apache Tomcat XSS vulnerabilities in Manager Severity: low (cross-site scripting) Vendor: The Apache Software Foundation Versions Affected: Tomcat 4.0.0 to 4.0.6 Tomcat 4.1.0 to 4.1.36 Tomcat 5.0.0 to 5.0.30 Tomcat 5.5.0 to 5.5.24 Tom

[CVE-2007-2449] Apache Tomcat XSS vulnerabilities in the JSP examples

2007-06-13 Thread Mark Thomas
CVE-2007-2449: Apache Tomcat XSS vulnerabilities in the JSP examples Severity: low (cross-site scripting) Vendor: The Apache Software Foundation Versions Affected: Tomcat 4.0.0 to 4.0.6 Tomcat 4.1.0 to 4.1.36 Tomcat 5.0.0 to 5.0.30 Tomcat 5.5.0 to 5

svn commit: r547089 - in /tomcat/site/trunk: docs/security-4.html docs/security-5.html docs/security-6.html xdocs/security-4.xml xdocs/security-5.xml xdocs/security-6.xml

2007-06-13 Thread markt
Author: markt Date: Wed Jun 13 19:20:24 2007 New Revision: 547089 URL: http://svn.apache.org/viewvc?view=rev&rev=547089 Log: Add CVE-2007-2449 and CVE-2007-2450. Modified: tomcat/site/trunk/docs/security-4.html tomcat/site/trunk/docs/security-5.html tomcat/site/trunk/docs/security-6.h

svn commit: r547088 - /tomcat/container/branches/tc5.0.x/webapps/manager/WEB-INF/classes/org/apache/catalina/manager/HTMLManagerServlet.java

2007-06-13 Thread markt
Author: markt Date: Wed Jun 13 19:17:22 2007 New Revision: 547088 URL: http://svn.apache.org/viewvc?view=rev&rev=547088 Log: Port fix for XSS issue in Manager. This is CVE-2007-2450. Modified: tomcat/container/branches/tc5.0.x/webapps/manager/WEB-INF/classes/org/apache/catalina/manager/HTMLM

svn commit: r547087 - in /tomcat/container/branches/tc4.1.x/webapps/examples/jsp: security/protected/index.jsp snp/snoop.html snp/snoop.jsp snp/snoop.txt source.jsp

2007-06-13 Thread markt
Author: markt Date: Wed Jun 13 19:14:55 2007 New Revision: 547087 URL: http://svn.apache.org/viewvc?view=rev&rev=547087 Log: Port fix for XSS issues in snoop.jsp. This is CVE-2007-2449. Modified: tomcat/container/branches/tc4.1.x/webapps/examples/jsp/security/protected/index.jsp tomcat/c

svn commit: r547085 - /tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/servlets/HTMLManagerServlet.java

2007-06-13 Thread markt
Author: markt Date: Wed Jun 13 19:13:59 2007 New Revision: 547085 URL: http://svn.apache.org/viewvc?view=rev&rev=547085 Log: Port fix for XSS issue in Manager. This is CVE-2007-2450. Modified: tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/servlets/HTMLManagerServle

svn commit: r547083 - in /tomcat/servletapi/servlet2.4-jsp2.0-tc5.x/jsr152/examples: security/protected/index.jsp snp/snoop.html snp/snoop.jsp source.jsp

2007-06-13 Thread markt
Author: markt Date: Wed Jun 13 19:12:38 2007 New Revision: 547083 URL: http://svn.apache.org/viewvc?view=rev&rev=547083 Log: Port fix for XSS issues in snoop.jsp. This is CVE-2007-2449. Modified: tomcat/servletapi/servlet2.4-jsp2.0-tc5.x/jsr152/examples/security/protected/index.jsp tomca

svn commit: r547082 - in /tomcat/container/tc5.5.x/webapps: host-manager/WEB-INF/classes/org/apache/catalina/hostmanager/HTMLHostManagerServlet.java manager/WEB-INF/classes/org/apache/catalina/manager

2007-06-13 Thread markt
Author: markt Date: Wed Jun 13 19:12:04 2007 New Revision: 547082 URL: http://svn.apache.org/viewvc?view=rev&rev=547082 Log: Port fix for XSS issue in Manager and Host Manager. This is CVE-2007-2450. Modified: tomcat/container/tc5.5.x/webapps/host-manager/WEB-INF/classes/org/apache/catalina/

svn commit: r547081 - in /tomcat/tc6.0.x/trunk/webapps/examples/jsp: security/protected/index.jsp snp/snoop.html snp/snoop.jsp source.jsp

2007-06-13 Thread markt
Author: markt Date: Wed Jun 13 19:01:19 2007 New Revision: 547081 URL: http://svn.apache.org/viewvc?view=rev&rev=547081 Log: Fix XSS issues in snoop.jsp. This is CVE-2007-2449. Some of these are harder (impossible?) to exploit than others but doing all of them means there won't be another XSS is

svn commit: r547079 - /tomcat/tc6.0.x/trunk/

2007-06-13 Thread markt
Author: markt Date: Wed Jun 13 18:57:01 2007 New Revision: 547079 URL: http://svn.apache.org/viewvc?view=rev&rev=547079 Log: Ignore local build properties Modified: tomcat/tc6.0.x/trunk/ (props changed) Propchange: tomcat/tc6.0.x/trunk/ -

svn commit: r547078 - in /tomcat/tc6.0.x/trunk/java/org/apache: coyote/ajp/AjpAprProcessor.java coyote/ajp/AjpProcessor.java jk/common/HandlerRequest.java

2007-06-13 Thread billbarker
Author: billbarker Date: Wed Jun 13 18:56:16 2007 New Revision: 547078 URL: http://svn.apache.org/viewvc?view=rev&rev=547078 Log: Porting large-file support for the AJP Connectors from 5.5 Modified: tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java tomcat/tc6.0.x/trunk/

svn commit: r547077 - in /tomcat/tc6.0.x/trunk/java/org/apache/catalina/manager: HTMLManagerServlet.java host/HTMLHostManagerServlet.java

2007-06-13 Thread markt
Author: markt Date: Wed Jun 13 18:55:09 2007 New Revision: 547077 URL: http://svn.apache.org/viewvc?view=rev&rev=547077 Log: Fix XSS issue in Manager and Host Manager. This is CVE-2007-2450. Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/manager/HTMLManagerServlet.java tomcat/t

Re: Proposed simplification of CometEvent

2007-06-13 Thread Costin Manolache
> > > Sounds better - but as Remy explained you would first need to explain > why blocking is needed in this context and how to deal with the confusion > of mixing blocking and non-blocking for users, and the implementation > complexities it adds. trunk doesn't mix them. a comet connection is eith

Re: Proposed simplification of CometEvent

2007-06-13 Thread Filip Hanik - Dev Lists
here we go, some examples http://people.apache.org/~fhanik/tomcat/aio.html#Example%20code%20snippets and the entire document has been updated to reflect most changes http://people.apache.org/~fhanik/tomcat/aio.html Filip Filip Hanik - Dev Lists wrote: I'll work on some examples to illustrate

svn commit: r547055 - /tomcat/trunk/webapps/docs/aio.xml

2007-06-13 Thread fhanik
Author: fhanik Date: Wed Jun 13 15:51:56 2007 New Revision: 547055 URL: http://svn.apache.org/viewvc?view=rev&rev=547055 Log: added simple example code snippets to comet usage Modified: tomcat/trunk/webapps/docs/aio.xml Modified: tomcat/trunk/webapps/docs/aio.xml URL: http://svn.apache.org/

5.5.24 candidate binaries

2007-06-13 Thread Filip Hanik - Dev Lists
http://people.apache.org/~fhanik/tomcat/tomcat-5.5/v5.5.24/ will let these sit to mid next week, and then we can take a vote. feedback between now and then is welcome at any time. Filip

svn commit: r547026 - /tomcat/site/tags/TOMCAT_5_5_24/

2007-06-13 Thread fhanik
Author: fhanik Date: Wed Jun 13 13:48:36 2007 New Revision: 547026 URL: http://svn.apache.org/viewvc?view=rev&rev=547026 Log: Tagging Tomcat version TOMCAT_5_5_24. Added: tomcat/site/tags/TOMCAT_5_5_24/ - copied from r547025, tomcat/site/trunk/

svn commit: r547025 - /tomcat/servletapi/tags/servlet2.4-jsp2.0-tc5.x/TOMCAT_5_5_24/

2007-06-13 Thread fhanik
Author: fhanik Date: Wed Jun 13 13:48:26 2007 New Revision: 547025 URL: http://svn.apache.org/viewvc?view=rev&rev=547025 Log: Tagging Tomcat version TOMCAT_5_5_24. Added: tomcat/servletapi/tags/servlet2.4-jsp2.0-tc5.x/TOMCAT_5_5_24/ - copied from r547024, tomcat/servletapi/servlet2.4-js

svn commit: r547024 - /tomcat/jasper/tags/tc5.5.x/TOMCAT_5_5_24/

2007-06-13 Thread fhanik
Author: fhanik Date: Wed Jun 13 13:48:16 2007 New Revision: 547024 URL: http://svn.apache.org/viewvc?view=rev&rev=547024 Log: Tagging Tomcat version TOMCAT_5_5_24. Added: tomcat/jasper/tags/tc5.5.x/TOMCAT_5_5_24/ - copied from r547023, tomcat/jasper/tc5.5.x/ --

svn commit: r547023 - /tomcat/container/tags/tc5.5.x/TOMCAT_5_5_24/

2007-06-13 Thread fhanik
Author: fhanik Date: Wed Jun 13 13:48:06 2007 New Revision: 547023 URL: http://svn.apache.org/viewvc?view=rev&rev=547023 Log: Tagging Tomcat version TOMCAT_5_5_24. Added: tomcat/container/tags/tc5.5.x/TOMCAT_5_5_24/ - copied from r547022, tomcat/container/tc5.5.x/

svn commit: r547022 - /tomcat/connectors/tags/tc5.5.x/TOMCAT_5_5_24/

2007-06-13 Thread fhanik
Author: fhanik Date: Wed Jun 13 13:47:56 2007 New Revision: 547022 URL: http://svn.apache.org/viewvc?view=rev&rev=547022 Log: Tagging Tomcat version TOMCAT_5_5_24. Added: tomcat/connectors/tags/tc5.5.x/TOMCAT_5_5_24/ - copied from r547021, tomcat/connectors/trunk/

svn commit: r547021 - /tomcat/build/tags/tc5.5.x/TOMCAT_5_5_24/

2007-06-13 Thread fhanik
Author: fhanik Date: Wed Jun 13 13:47:46 2007 New Revision: 547021 URL: http://svn.apache.org/viewvc?view=rev&rev=547021 Log: Tagging Tomcat version TOMCAT_5_5_24. Added: tomcat/build/tags/tc5.5.x/TOMCAT_5_5_24/ - copied from r547020, tomcat/build/tc5.5.x/

Re: Proposed simplification of CometEvent

2007-06-13 Thread Filip Hanik - Dev Lists
Costin Manolache wrote: On 6/13/07, Filip Hanik - Dev Lists <[EMAIL PROTECTED]> wrote: Costin Manolache wrote: > For a separate opinion: > > In the trunk version: > - the '...' and array return seem strange and generate GC ( not a big > issue > those days, but still inconsistent with the > rest

Re: Proposed simplification of CometEvent

2007-06-13 Thread Costin Manolache
On 6/13/07, Remy Maucherat <[EMAIL PROTECTED]> wrote: Costin Manolache wrote: >> setTimeout() is not optional (the javadoc is out of date, sorry), there >> was an agreement on that earlier. Timeout sets the connection timeout, >> which is most likely useful even if there are events. It's quite >

Re: Proposed simplification of CometEvent

2007-06-13 Thread Costin Manolache
On 6/13/07, Filip Hanik - Dev Lists <[EMAIL PROTECTED]> wrote: Costin Manolache wrote: > For a separate opinion: > > In the trunk version: > - the '...' and array return seem strange and generate GC ( not a big > issue > those days, but still inconsistent with the > rest of tomcat ) yes, it's a n

svn commit: r546999 - in /tomcat/trunk/java/org/apache: catalina/CometEvent.java catalina/connector/CometEventImpl.java coyote/ActionCode.java coyote/http11/Http11NioProcessor.java

2007-06-13 Thread fhanik
Author: fhanik Date: Wed Jun 13 11:51:38 2007 New Revision: 546999 URL: http://svn.apache.org/viewvc?view=rev&rev=546999 Log: simplify API a bit based on feedback Modified: tomcat/trunk/java/org/apache/catalina/CometEvent.java tomcat/trunk/java/org/apache/catalina/connector/CometEventImpl

Re: Proposed simplification of CometEvent

2007-06-13 Thread Filip Hanik - Dev Lists
Costin Manolache wrote: For a separate opinion: In the trunk version: - the '...' and array return seem strange and generate GC ( not a big issue those days, but still inconsistent with the rest of tomcat ) yes, it's a new language feature, hence it wasn't available in previous JDKs or Tomcat.

DO NOT REPLY [Bug 42650] - PooledParallelSender.sendMessage throws NullpointerException

2007-06-13 Thread bugzilla
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT . ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE. http://issues.apache.org/bugzilla/show_bu

svn commit: r546959 - /tomcat/tc6.0.x/trunk/java/org/apache/catalina/tribes/transport/nio/PooledParallelSender.java

2007-06-13 Thread fhanik
Author: fhanik Date: Wed Jun 13 10:07:06 2007 New Revision: 546959 URL: http://svn.apache.org/viewvc?view=rev&rev=546959 Log: fix for BZ 42650 http://issues.apache.org/bugzilla/show_bug.cgi?id=42650 Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/tribes/transport/nio/PooledParallelSe

svn commit: r546958 - /tomcat/trunk/java/org/apache/catalina/tribes/transport/nio/PooledParallelSender.java

2007-06-13 Thread fhanik
Author: fhanik Date: Wed Jun 13 10:05:14 2007 New Revision: 546958 URL: http://svn.apache.org/viewvc?view=rev&rev=546958 Log: fix for BZ 42650 http://issues.apache.org/bugzilla/show_bug.cgi?id=42650 Modified: tomcat/trunk/java/org/apache/catalina/tribes/transport/nio/PooledParallelSender.ja

DO NOT REPLY [Bug 42648] - SWAP increases by the cluster of Tomca6

2007-06-13 Thread bugzilla
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT . ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE. http://issues.apache.org/bugzilla/show_bu

svn commit: r546955 - /tomcat/tc6.0.x/trunk/java/org/apache/catalina/tribes/transport/nio/NioReplicationTask.java

2007-06-13 Thread fhanik
Author: fhanik Date: Wed Jun 13 10:00:21 2007 New Revision: 546955 URL: http://svn.apache.org/viewvc?view=rev&rev=546955 Log: fix for BZ 42648 http://issues.apache.org/bugzilla/show_bug.cgi?id=42648 Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/tribes/transport/nio/NioReplicationTa

svn commit: r546952 - /tomcat/trunk/java/org/apache/catalina/tribes/transport/nio/NioReplicationTask.java

2007-06-13 Thread fhanik
Author: fhanik Date: Wed Jun 13 09:55:27 2007 New Revision: 546952 URL: http://svn.apache.org/viewvc?view=rev&rev=546952 Log: Fix for BZ 42648 http://issues.apache.org/bugzilla/show_bug.cgi?id=42648 Modified: tomcat/trunk/java/org/apache/catalina/tribes/transport/nio/NioReplicationTask.java

Re: svn commit: r544401 - in /tomcat/container/tc5.5.x: catalina/src/share/org/apache/catalina/mbeans/JMXAdaptorLifecycleListener.java webapps/docs/changelog.xml webapps/docs/monitoring.xml

2007-06-13 Thread Remy Maucherat
Filip Hanik - Dev Lists wrote: My changes to the AJP Connectors are pretty much harmless for anything that currently works. Tomcat will do exactly the same thing it always has unless the request body is over 2GB. Currently, mod_jk can't handle this case anyway, and the reporter of BZ 42608 cl

Tagging 5.5.24

2007-06-13 Thread Filip Hanik - Dev Lists
in about 2-4 hours

Re: svn commit: r544401 - in /tomcat/container/tc5.5.x: catalina/src/share/org/apache/catalina/mbeans/JMXAdaptorLifecycleListener.java webapps/docs/changelog.xml webapps/docs/monitoring.xml

2007-06-13 Thread Filip Hanik - Dev Lists
Bill Barker wrote: "Filip Hanik - Dev Lists" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] Bill Barker wrote: "Filip Hanik - Dev Lists" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] so if we are not going to build the class, why would we include it i

Re: svn commit: r546531 - in /tomcat/connectors/trunk/jk/native: apache-1.3/mod_jk.c apache-2.0/mod_jk.c common/jk_global.h common/jk_url.c common/jk_url.h common/list.mk.in

2007-06-13 Thread Remy Maucherat
Mladen Turk wrote: That's why I suggested to stop for a while and see all the possibilities. We've talked about it for a while (see the length of this thread ...), and I consider it is time to think over code: apply the proposed patch which aims to harmonize with mod_proxy, and see what actua

Re: svn commit: r546531 - in /tomcat/connectors/trunk/jk/native: apache-1.3/mod_jk.c apache-2.0/mod_jk.c common/jk_global.h common/jk_url.c common/jk_url.h common/list.mk.in

2007-06-13 Thread Mladen Turk
Remy Maucherat wrote: Mladen Turk wrote: Why? Let's stop a bit and test things before. Jean-Frédéric proposes implementing the same behavior as mod_proxy, so I don't see how this can be a bad thing. First of all I didn't say it's a bad thing or anything like that. We need the same behavior

Re: svn commit: r546531 - in /tomcat/connectors/trunk/jk/native: apache-1.3/mod_jk.c apache-2.0/mod_jk.c common/jk_global.h common/jk_url.c common/jk_url.h common/list.mk.in

2007-06-13 Thread Remy Maucherat
Mladen Turk wrote: Why? Let's stop a bit and test things before. Jean-Frédéric has of course done extended testing before proposing this :) The original patch was meant to close the "security problem" as soon as possible, but in the end has a bad behavior and should be reverted. Jean-Frédéri

Re: Proposed simplification of CometEvent

2007-06-13 Thread Jean-Frederic
On Wed, 2007-06-13 at 12:04 +0200, Remy Maucherat wrote: > Costin Manolache wrote: > >> setTimeout() is not optional (the javadoc is out of date, sorry), there > >> was an agreement on that earlier. Timeout sets the connection timeout, > >> which is most likely useful even if there are events. It's

Re: Proposed simplification of CometEvent

2007-06-13 Thread Remy Maucherat
Costin Manolache wrote: setTimeout() is not optional (the javadoc is out of date, sorry), there was an agreement on that earlier. Timeout sets the connection timeout, which is most likely useful even if there are events. It's quite possible sleep could use a timeout argument (I think calling setT

DO NOT REPLY [Bug 42650] New: - PooledParallelSender.sendMessage throws NullpointerException

2007-06-13 Thread bugzilla
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT . ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE. http://issues.apache.org/bugzilla/show_bu

DO NOT REPLY [Bug 42648] - SWAP increases by the cluster of Tomca6

2007-06-13 Thread bugzilla
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT . ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE. http://issues.apache.org/bugzilla/show_bu

DO NOT REPLY [Bug 42648] - SWAP increases by the cluster of Tomca6

2007-06-13 Thread bugzilla
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT . ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE. http://issues.apache.org/bugzilla/show_bu

DO NOT REPLY [Bug 42648] New: - SWAP increases by the cluster of Tomca6

2007-06-13 Thread bugzilla
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT . ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE. http://issues.apache.org/bugzilla/show_bu

Re: svn commit: r546531 - in /tomcat/connectors/trunk/jk/native: apache-1.3/mod_jk.c apache-2.0/mod_jk.c common/jk_global.h common/jk_url.c common/jk_url.h common/list.mk.in

2007-06-13 Thread Jean-Frederic
On Tue, 2007-06-12 at 19:50 +0200, Mladen Turk wrote: > Jean-Frederic wrote: > >>> Add ForwardURIProxy to the URl handling option. > >>> common/jk_url.c is just a porting of the routines > >>> from proxy_util.c (Apache httpd). > >> After quite a few discussions, I think this should be the only