Cookies are broken in 6.0.16?

2008-02-08 Thread Maik Jablonski
Hi, I've just encountered that Cookies seem to be a little bit broken in 6.0.16. If you want to read a cookie which ends with one or more equals signs (=), the equals signs are removed by Tomcat when the cookie is read. If you run the following example, you'll see that the test_cookies are stored c

Redirect page from http11processor

2008-02-08 Thread vladi
Hi developers. I want to redirect the client browser from the Http11Processor. To do that, I create a "class CustomProcessor extends Http11Processor" and override the process(socket) method. I did try with methods above with IE or Mozilla but unsuccessfully. Instead of that, The page cannot be d

[SECURITY] CVE-2007-6286: Tomcat duplicate request processing vulnerability

2008-02-08 Thread Mark Thomas
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 CVE-2007-6286: Tomcat duplicate request processing vulnerability Severity: Important Vendor: The Apache Software Foundation Versions Affected: Tomcat 5.5.11 to 5.5.25 Tomcat 6.0.0 to 6.0.15 Description: When using the native (APR based) connector,

DO NOT REPLY [Bug 44383] - Possible leak: tomcat does not release Jasper compilation contexts

2008-02-08 Thread bugzilla
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT . ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE. http://issues.apache.org/bugzilla/show_bu

svn commit: r620037 - in /tomcat/site/trunk: docs/security-5.html docs/security-6.html xdocs/security-5.xml xdocs/security-6.xml

2008-02-08 Thread markt
Author: markt Date: Fri Feb 8 15:34:32 2008 New Revision: 620037 URL: http://svn.apache.org/viewvc?rev=620037&view=rev Log: Publish details of CVE-2007-6286 Modified: tomcat/site/trunk/docs/security-5.html tomcat/site/trunk/docs/security-6.html tomcat/site/trunk/xdocs/security-5.xml

DO NOT REPLY [Bug 44383] New: - Possible leak: tomcat does not release Jasper compilation contexts

2008-02-08 Thread bugzilla
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT . ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE. http://issues.apache.org/bugzilla/show_bu

svn commit: r620033 - /tomcat/current/tc4.1.x/STATUS.txt

2008-02-08 Thread markt
Author: markt Date: Fri Feb 8 15:22:02 2008 New Revision: 620033 URL: http://svn.apache.org/viewvc?rev=620033&view=rev Log: Patch has been applied. Note that in tc4 the cookie parsing code is in CoyoteAdaptor rather than CoyoteRequest. Modified: tomcat/current/tc4.1.x/STATUS.txt Modified:

[SECURITY] CVE-2007-5333: Tomcat Cookie handling vulnerabilities

2008-02-08 Thread Mark Thomas
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 CVE-2007-5333: Tomcat Cookie handling vulnerabilities Severity: low - Session hi-jacking Vendor: The Apache Software Foundation Versions Affected: Tomcat 4.1.0 to 4.1.36 Tomcat 5.5.0 to 5.5.25 Tomcat 6.0.0 to 6.0.14 Description: The previous fix f

svn commit: r620030 - in /tomcat/site/trunk: docs/security-4.html docs/security-5.html docs/security-6.html xdocs/security-4.xml xdocs/security-5.xml xdocs/security-6.xml

2008-02-08 Thread markt
Author: markt Date: Fri Feb 8 15:16:41 2008 New Revision: 620030 URL: http://svn.apache.org/viewvc?rev=620030&view=rev Log: Publish details of CVE-2007-5333 Modified: tomcat/site/trunk/docs/security-4.html tomcat/site/trunk/docs/security-5.html tomcat/site/trunk/docs/security-6.html

svn commit: r620028 - in /tomcat: connectors/trunk/coyote/src/java/org/apache/coyote/tomcat4/CoyoteAdapter.java connectors/trunk/coyote/src/java/org/apache/coyote/tomcat4/CoyoteResponse.java container

2008-02-08 Thread markt
Author: markt Date: Fri Feb 8 15:15:48 2008 New Revision: 620028 URL: http://svn.apache.org/viewvc?rev=620028&view=rev Log: Fix cookie handling for quotes and %5C - CVE-2007-5333. Modified: tomcat/connectors/trunk/coyote/src/java/org/apache/coyote/tomcat4/CoyoteAdapter.java tomcat/conn

CVE-2008-0002: Tomcat information disclosure vulnerability

2008-02-08 Thread Mark Thomas
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 CVE-2008-0002: Tomcat information disclosure vulnerability Severity: important Vendor: The Apache Software Foundation Versions Affected: Tomcat 6.0.5 to 6.0.15 Description: If an exception occurs during the processing of parameters (eg if the clie

svn commit: r620013 - in /tomcat/site/trunk: docs/security-6.html xdocs/security-6.xml

2008-02-08 Thread markt
Author: markt Date: Fri Feb 8 14:21:58 2008 New Revision: 620013 URL: http://svn.apache.org/viewvc?rev=620013&view=rev Log: Publish details of CVE-2008-0002 Modified: tomcat/site/trunk/docs/security-6.html tomcat/site/trunk/xdocs/security-6.xml Modified: tomcat/site/trunk/docs/security-

svn commit: r619987 - in /tomcat/site/trunk: docs/security-5.html docs/security-6.html xdocs/security-5.xml xdocs/security-6.xml

2008-02-08 Thread markt
Author: markt Date: Fri Feb 8 12:06:56 2008 New Revision: 619987 URL: http://svn.apache.org/viewvc?rev=619987&view=rev Log: Update after recent releases Modified: tomcat/site/trunk/docs/security-5.html tomcat/site/trunk/docs/security-6.html tomcat/site/trunk/xdocs/security-5.xml

HTTPOnly session cookie security support

2008-02-08 Thread Jim Manico
I would like to add HTTPOnly support to the Tomcat session handler. I added a bugzilla item http://issues.apache.org/bugzilla/show_bug.cgi?id=44382 Thoughts would be greatly appreciated. Jim Manico, Senior Application Security Engineer [EMAIL P

svn commit: r619955 - /tomcat/current/tc4.1.x/STATUS.txt

2008-02-08 Thread jim
Author: jim Date: Fri Feb 8 09:40:01 2008 New Revision: 619955 URL: http://svn.apache.org/viewvc?rev=619955&view=rev Log: Applied Modified: tomcat/current/tc4.1.x/STATUS.txt Modified: tomcat/current/tc4.1.x/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/current/tc4.1.x/STATUS.txt?rev=

svn commit: r619954 - in /tomcat/container/branches/tc4.1.x: BUILDING.txt RELEASE-NOTES-4.1.txt build.properties.default catalina/build.xml webapps/admin/build.xml webapps/examples/build.xml

2008-02-08 Thread jim
Author: jim Date: Fri Feb 8 09:39:21 2008 New Revision: 619954 URL: http://svn.apache.org/viewvc?rev=619954&view=rev Log: * Update to latest library versions (where possible). Tidy up build flags since we require JDK 1.3+ to build. Update location of downloads for commons libraries. Remove

svn commit: r619953 - /tomcat/connectors/trunk/jk/jkstatus/build.xml

2008-02-08 Thread jim
Author: jim Date: Fri Feb 8 09:38:57 2008 New Revision: 619953 URL: http://svn.apache.org/viewvc?rev=619953&view=rev Log: * Update to latest library versions (where possible). Tidy up build flags since we require JDK 1.3+ to build. Update location of downloads for commons libraries. Remove

svn commit: r619951 - /tomcat/current/tc4.1.x/STATUS.txt

2008-02-08 Thread jim
Author: jim Date: Fri Feb 8 09:35:05 2008 New Revision: 619951 URL: http://svn.apache.org/viewvc?rev=619951&view=rev Log: Cast vote Modified: tomcat/current/tc4.1.x/STATUS.txt Modified: tomcat/current/tc4.1.x/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/current/tc4.1.x/STATUS.txt?r

Re: svn commit: r619460 - /tomcat/current/tc4.1.x/STATUS.txt

2008-02-08 Thread Jim Jagielski
On Feb 8, 2008, at 3:26 AM, Mark Thomas wrote: [EMAIL PROTECTED] wrote: Author: jim Date: Thu Feb 7 07:39:21 2008 New Revision: 619460 URL: http://svn.apache.org/viewvc?rev=619460&view=rev Log: Cast some votes... mulling over: http://people.apache.org/~markt/patches/2008-01-17-tc4-lib-updat

svn commit: r619930 - /tomcat/current/tc4.1.x/STATUS.txt

2008-02-08 Thread fhanik
Author: fhanik Date: Fri Feb 8 08:27:03 2008 New Revision: 619930 URL: http://svn.apache.org/viewvc?rev=619930&view=rev Log: recast vote Modified: tomcat/current/tc4.1.x/STATUS.txt Modified: tomcat/current/tc4.1.x/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/current/tc4.1.x/STATUS.t

DO NOT REPLY [Bug 43925] - org.apache.jasper.runtime.BodyContentImpl causing huge memory allocations

2008-02-08 Thread bugzilla
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT . ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE. http://issues.apache.org/bugzilla/show_bu

svn commit: r619893 - /tomcat/connectors/trunk/jni/xdocs/index.xml

2008-02-08 Thread jfclere
Author: jfclere Date: Fri Feb 8 06:10:07 2008 New Revision: 619893 URL: http://svn.apache.org/viewvc?rev=619893&view=rev Log: Add the windows part install and tests. Modified: tomcat/connectors/trunk/jni/xdocs/index.xml Modified: tomcat/connectors/trunk/jni/xdocs/index.xml URL: http://svn.

DO NOT REPLY [Bug 44380] - TldConfig / Scan of URL that are not files

2008-02-08 Thread bugzilla
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT . ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE. http://issues.apache.org/bugzilla/show_bu

DO NOT REPLY [Bug 44380] New: - TldConfig / Scan of URL that are not files

2008-02-08 Thread bugzilla
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT . ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE. http://issues.apache.org/bugzilla/show_bu

svn commit: r619842 - /tomcat/connectors/trunk/jni/xdocs/style.xsl

2008-02-08 Thread jfclere
Author: jfclere Date: Fri Feb 8 03:43:59 2008 New Revision: 619842 URL: http://svn.apache.org/viewvc?rev=619842&view=rev Log: Arrange the data of the copyright. Modified: tomcat/connectors/trunk/jni/xdocs/style.xsl Modified: tomcat/connectors/trunk/jni/xdocs/style.xsl URL: http://svn.apach

svn commit: r619841 - /tomcat/connectors/trunk/jni/xdocs/index.xml

2008-02-08 Thread jfclere
Author: jfclere Date: Fri Feb 8 03:42:40 2008 New Revision: 619841 URL: http://svn.apache.org/viewvc?rev=619841&view=rev Log: Add installing and testing for UNIXES. Modified: tomcat/connectors/trunk/jni/xdocs/index.xml Modified: tomcat/connectors/trunk/jni/xdocs/index.xml URL: http://svn.a

[ANN] Apache Tomcat 6.0.16 released

2008-02-08 Thread Remy Maucherat
The Apache Tomcat team announces the immediate availability of Apache Tomcat 6.0.16 stable. This release includes many bugfixes over Apache Tomcat 6.0.14. Apache Tomcat 6.0 includes new features over Apache Tomcat 5.5, including support for the new Servlet 2.5 and JSP 2.1 specifications, a refacto

svn commit: r619831 - /tomcat/connectors/trunk/jni/xdocs/index.xml

2008-02-08 Thread jfclere
Author: jfclere Date: Fri Feb 8 02:58:17 2008 New Revision: 619831 URL: http://svn.apache.org/viewvc?rev=619831&view=rev Log: Add the building part. Modified: tomcat/connectors/trunk/jni/xdocs/index.xml Modified: tomcat/connectors/trunk/jni/xdocs/index.xml URL: http://svn.apache.org/viewvc

4.1.x release

2008-02-08 Thread Mark Thomas
Thanks for the votes. I am working my way through the patches but it is taking longer than planned since I am currently on my third room in this hotel trying to get a broadband connection that works. I'm back home tonight with (hopefully) reliable connectivity and will finish off the remaining

Re: svn commit: r619460 - /tomcat/current/tc4.1.x/STATUS.txt

2008-02-08 Thread Mark Thomas
[EMAIL PROTECTED] wrote: Author: jim Date: Thu Feb 7 07:39:21 2008 New Revision: 619460 URL: http://svn.apache.org/viewvc?rev=619460&view=rev Log: Cast some votes... mulling over: http://people.apache.org/~markt/patches/2008-01-17-tc4-lib-updates.patch Any queries, let me know. I am expec

Re: svn commit: r619506 - /tomcat/current/tc4.1.x/STATUS.txt

2008-02-08 Thread Mark Thomas
[EMAIL PROTECTED] wrote: Author: fhanik Date: Thu Feb 7 09:00:59 2008 New Revision: 619506 * Update TC4 with the new Cookie handling code from TC6. Request/Response only. http://svn.apache.org/viewvc?view=rev&revision=594968 +1: markt, yoavs, jim -1: + 0: what does the patch

svn commit: r619801 - in /tomcat/site/trunk: docs/security-4.html xdocs/security-4.xml

2008-02-08 Thread markt
Author: markt Date: Fri Feb 8 00:17:09 2008 New Revision: 619801 URL: http://svn.apache.org/viewvc?rev=619801&view=rev Log: Fix for CVE-2007-5461 has been applied to TC4. Modified: tomcat/site/trunk/docs/security-4.html tomcat/site/trunk/xdocs/security-4.xml Modified: tomcat/site/trunk/

svn commit: r619799 - in /tomcat: container/branches/tc4.1.x/ container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/servlets/ current/tc4.1.x/

2008-02-08 Thread markt
Author: markt Date: Fri Feb 8 00:14:43 2008 New Revision: 619799 URL: http://svn.apache.org/viewvc?rev=619799&view=rev Log: Fix CVE-2007-5461, an info disclosure vulnerability. Modified: tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt tomcat/container/branches/tc4.1.x/catalina/s