Chenjp commented on PR #823:
URL: https://github.com/apache/tomcat/pull/823#issuecomment-2670712406
Ok, the final decision is up to you.
Write is reserved to administrators... If we share this standard, I would like to know
your opinion on the RCE
[CVE-2017-12617](http://cve.mitre.org/cgi-bin/cvename.c
rmaucher commented on PR #823:
URL: https://github.com/apache/tomcat/pull/823#issuecomment-2670663780
We answered this quite a few times already, so let's leave it at that. Write
enabled allows editing webapp contents, which is reserved to administrators.
--
This is an automated message f
rmaucher closed pull request #823: BZ69446 - add parameter maxPutFileSize in
DefaultServlet
URL: https://github.com/apache/tomcat/pull/823
Chenjp commented on PR #823:
URL: https://github.com/apache/tomcat/pull/823#issuecomment-2670515402
@rmaucher @markt-asf I have to talk here since the previous vul report has been
rejected. I really think the target issue of this PR is a perfect match for
CWE-770 / CWE-400. ***```The product all
Chenjp commented on PR #820:
URL: https://github.com/apache/tomcat/pull/820#issuecomment-2670122793
+1
Since creating a case sensitivity verification file is not a good idea, simply
treat all as insensitive and remove the indicator.
see PR #829.
Chenjp opened a new pull request, #829:
URL: https://github.com/apache/tomcat/pull/829
Discarding the file name case sensitivity of the resource directory.
Detecting a directory's case sensitivity is expensive; we have to create
files with different upper/lower case names and check the result.
On Wed, Feb 19, 2025 at 7:15 PM Mark Thomas wrote:
>
> All,
>
> A case sensitivity test was added to DirResourceSet as part of the fix
> for CVE-2024-50379. It is also used to check whether the JVM setting
> described in CVE-2024-56337 is required.
>
> The current case sensitivity check is imperfe
All,
A case sensitivity test was added to DirResourceSet as part of the fix
for CVE-2024-50379. It is also used to check whether the JVM setting
described in CVE-2024-56337 is required.
The current case sensitivity check is imperfect. Things are complicated by:
- Windows introducing per direc
markt-asf commented on PR #820:
URL: https://github.com/apache/tomcat/pull/820#issuecomment-2669367602
Mounting case insensitive file systems on Linux adds yet more complexity.
And I don't see an easy way to address that - especially if we want to avoid
creating files to test case sensitivi
Build status: BUILD FAILED: failed compile (failure)
Worker used: bb_worker2_ubuntu
URL: https://ci2.apache.org/#builders/120/builds/387
Blamelist: Mark Thomas
Build Text: failed compile (failure)
Status Detected: new failure
Build Source Stamp: [branch main] 11056e8d52069f4270095f396047beb9fbba0e
markt-asf closed pull request #819: SpnegoAuthenticator allows wrong calls to
login/logout methods
URL: https://github.com/apache/tomcat/pull/819
markt-asf commented on PR #819:
URL: https://github.com/apache/tomcat/pull/819#issuecomment-2669268717
Thanks for the test case and the detailed configuration settings. That made
working on this a lot easier.
I have applied a fairly narrow fix for this issue that is similar to the
`M
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 11.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/11.0.x by this push:
new fd96ab4156 Fix credential validation when JNDIRea
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push:
new c32bbd37ea Fix credential validation when JNDIRealm
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.1.x by this push:
new 0cd21c0393 Fix credential validation when JNDIRea
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new 99e3403b0d Fix credential validation when JNDIRealm i
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 11.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/11.0.x by this push:
new e2586cbc62 Use a constant for GSSAPI authenticati
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push:
new bdd8318130 Ensure user credentials are removed when
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.1.x by this push:
new 34c94915e5 Ensure user credentials are removed wh
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 11.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/11.0.x by this push:
new ac3208e4b1 Ensure user credentials are removed wh
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new 66372303a7 Ensure user credentials are removed when n
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push:
new 85e322aa5a Use a constant for GSSAPI authentication
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.1.x by this push:
new 32082b6712 Use a constant for GSSAPI authenticati
This is an automated email from the ASF dual-hosted git repository.
markt pushed a change to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
from 11056e8d52 Improve docs for useDelegatedCredential
add 2e0542a0d1 Use a constant for GSSAPI authentication name
No
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push:
new cc58f50880 Improve docs for useDelegatedCredential
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.1.x by this push:
new a6c40b8765 Improve docs for useDelegatedCredentia
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 11.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/11.0.x by this push:
new 9625583ab6 Improve docs for useDelegatedCredentia
This is an automated email from the ASF dual-hosted git repository.
markt pushed a change to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
from 5708495734 Move constant to start of class
add 11056e8d52 Improve docs for useDelegatedCredential
No new revisions
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.1.x by this push:
new 79509006d6 Move constant to start of class
795090
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push:
new 603aa2eb24 Move constant to start of class
603aa2eb
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 11.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/11.0.x by this push:
new c037d2148d Move constant to start of class
c037d2
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new 5708495734 Move constant to start of class
5708495734
https://bz.apache.org/bugzilla/show_bug.cgi?id=69575
--- Comment #4 from Christopher Schultz ---
I'm happy to add this capability, but it's not immediately clear to me how to
get all of the current Content-Encoding header values. Would I actually have to
loop through all headers, assembling as I
https://bz.apache.org/bugzilla/show_bug.cgi?id=69575
Christopher Schultz changed:
What|Removed |Added
Status|RESOLVED|REOPENED
Resolution|FIXE
markt-asf commented on PR #819:
URL: https://github.com/apache/tomcat/pull/819#issuecomment-2668964117
I don't expect the bind to use kerberos, I am debugging my way through the
code and seeing kerberos being used.
michael-o commented on PR #819:
URL: https://github.com/apache/tomcat/pull/819#issuecomment-2668906926
> > It is not that easy and I do not agree with that. Here are cases which
will not work:
>
> As the OP has indicated, they are already using a solution along these
lines and it wor
markt-asf commented on PR #819:
URL: https://github.com/apache/tomcat/pull/819#issuecomment-2668831744
> It is not that easy and I do not agree with that. Here are cases which
will not work:
As the OP has indicated, they are already using a solution along these lines
and it works for
natalia-s-ivanova commented on PR #819:
URL: https://github.com/apache/tomcat/pull/819#issuecomment-2668518211
> 2. If user/password auth is attempted when `authentication="GSSAPI"` then
remove the environment properties that configured GSSAPI, perform user/password
authentication and then
michael-o commented on PR #819:
URL: https://github.com/apache/tomcat/pull/819#issuecomment-2668513322
> I think the current support for `logout()` can stay. I don't see a reason
to change it.
>
> I think the issue with `login()` is slightly different. The `JNDIRealm`
attempts to swi
markt-asf commented on PR #819:
URL: https://github.com/apache/tomcat/pull/819#issuecomment-2668483655
I think the current support for `logout()` can stay. I don't see a reason to
change it.
I think the issue with `login()` is slightly different. The `JNDIRealm`
attempts to switch be
This is an automated email from the ASF dual-hosted git repository.
markt pushed a change to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
from 0113948270 69575: Avoid using compression if a response is already
compressed
add 3f7bb7fa19 Fix copy/paste error i
https://bz.apache.org/bugzilla/show_bug.cgi?id=69530
--- Comment #7 from Remy Maucherat ---
Without additional information, this issue will be resolved as invalid.
Testing 10.1.36 could be worthwhile as the request body processing code was
refined.
--
You are receiving this mail because:
You ar
https://bz.apache.org/bugzilla/show_bug.cgi?id=69575
--- Comment #2 from Todor Bonchev ---
The fix:
https://github.com/apache/tomcat/commit/01139482700c1a850bec9d5efea93a778615b211
will cover zstd, compress and deflate, but to make it
future proof you should check on line 291 whether an encoding
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.1.x by this push:
new 210a0d552e Fix copy/paste error in Javadoc
210a0d
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push:
new e8ae34b9fa Fix copy/paste error in Javadoc
e8ae34b9
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 11.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/11.0.x by this push:
new d40c587727 Fix copy/paste error in Javadoc
d40c58
https://bz.apache.org/bugzilla/show_bug.cgi?id=69575
Remy Maucherat changed:
What|Removed |Added
Resolution|--- |FIXED
Status|NEW