eng...@users.noreply.github.com>
AuthorDate: Wed Apr 16 14:53:40 2025 -0500
Merge pull request #842 from jengebr/nonstandard_tags
Adding nonstandard support for c:set and c:remove
java/org/apache/jasper/EmbeddedServletOptions.java | 12 ++
java/org/apache/jasper/JspC.java | 19 ++
Merge pull request #34 from jbampton/fix-spelling
misc: fix spelling
modules/tls-03.html | 2 +-
modules/tomcat-11-jakarta-ee-11.html | 4 ++--
modules/tomcat-11-preview.html | 10 +-
res/tls-03/script.txt | 4 ++--
Merge pull request #2 from adoroszlai/snapshots-only
prefer central repo, disable releases for asf-snapshots
pom.xml | 11 +++
1 file changed, 7 insertions(+), 4 deletions(-)
https://bz.apache.org/bugzilla/show_bug.cgi?id=69610
Bug ID: 69610
Summary: Consider implementing support for
upgrade-insecure-requests request header and
conditional HSTS
Product: Tomcat 11
Version: unspecified
https://bz.apache.org/bugzilla/show_bug.cgi?id=69604
Remy Maucherat changed:
What | Removed | Added
Status | NEW | RESOLVED
Resolution | ---
https://bz.apache.org/bugzilla/show_bug.cgi?id=69604
Bug ID: 69604
Summary: Catalina connector request does not adhere to RFC 7232
3.3 (If-Modified-Since)
Product: Tomcat 10
Version: 10.1.34
Hardware: All
dsoumis commented on PR #826:
URL: https://github.com/apache/tomcat/pull/826#issuecomment-2658927616
Indeed Mark, that's a fair point. I've refactored the order as suggested in:
[commit](https://github.com/apache/tomcat/commit/e451872).
markt-asf commented on PR #826:
URL: https://github.com/apache/tomcat/pull/826#issuecomment-2658848926
I echo n828cl's concerns about calling `isSameOrigin()` before
`isValidOrigin()`. I can't see an obvious issue but swapping the order of those
two checks is going to be a lot faster than d
koust6u commented on PR #826:
URL: https://github.com/apache/tomcat/pull/826#issuecomment-2657908424
@n828cl
Which part do you find harder to follow? If you could clarify, it would help
me understand better.
I also believe that calling `isSameOrigin()` before `isValidOrigin()`
dsoumis commented on PR #826:
URL: https://github.com/apache/tomcat/pull/826#issuecomment-2657902498
The revised code, though less nested, adheres to the CORS flow as specified.
In my opinion, this structure offers a more maintainable and understandable
implementation.
Also the ordering
n828cl commented on PR #826:
URL: https://github.com/apache/tomcat/pull/826#issuecomment-2657751803
If this were to be merged, the CORS flowchart should be updated accordingly.
See

n828cl commented on PR #826:
URL: https://github.com/apache/tomcat/pull/826#issuecomment-2657748693
I'm not sure that the revised code properly implements the spec.
(Unfortunately, the current spec is much harder to follow than the previous
iteration.) Also, calling IsSameOrigin() before is
This is an automated email from the ASF dual-hosted git repository.
dsoumis pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push:
new 3d967dddad Clean up check CORS request type
dsoumis pushed a commit to branch 11.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/11.0.x by this push:
new 73d5ee6afd Clean up check CORS request type
dsoumis pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.1.x by this push:
new ad2f570cde Clean up check CORS request type
dsoumis pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new a4ccdba4bf Clean up check CORS request type method
dsoumis merged PR #826:
URL: https://github.com/apache/tomcat/pull/826
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
koust6u opened a new pull request, #826:
URL: https://github.com/apache/tomcat/pull/826
This PR refactors the checkRequestType method in the CORS filter to simplify
and improve the readability of the request type determination logic. The main
changes are:
+ Early Returns: The code
https://bz.apache.org/bugzilla/show_bug.cgi?id=69486
--- Comment #12 from Chen Jp ---
Would like to know how the Apache httpd server deals with cleanup ops. // I'm not a C fan.
--
You are receiving this mail because:
You are the assignee for the bug.
---
and DBCP provides a range of options to enable applications to
select the strategy that works best for them.
This proposal might protect against some Tomcat bugs in some circumstances but
at the price of a performance penalty for every single request. I might be
convinced that such a trade-off was
https://bz.apache.org/bugzilla/show_bug.cgi?id=69486
--- Comment #10 from Chen Jp ---
see https://github.com/apache/tomcat/pull/822
https://bz.apache.org/bugzilla/show_bug.cgi?id=69504
--- Comment #4 from Chen Jp ---
see PR 821.
https://github.com/apache/tomcat/pull/821
https://bz.apache.org/bugzilla/show_bug.cgi?id=69504
--- Comment #3 from Mark Thomas ---
If you want to propose a refactoring then please provide a patch for review.
https://bz.apache.org/bugzilla/show_bug.cgi?id=69486
--- Comment #9 from Mark Thomas ---
It will also have a negative impact on performance.
The more I think about this, the more I am leaning towards WONTFIX.
ParameterLimitValve to enforce request parameter limits for specific
URLs (#753)
Introduce ParameterLimitValve to enforce request parameter limits
- Added `ParameterLimitValve`, a new valve that allows enforcing limits on
the number of parameters in HTTP requests.
- Supports
dsoumis merged PR #753:
URL: https://github.com/apache/tomcat/pull/753
x.Pattern;
+
+import jakarta.servlet.ServletException;
+
+import org.apache.catalina.connector.Request;
+import org.apache.catalina.connector.Response;
+
+
+/**
+ * This is a concrete implementation of {@link ValveBase} that enforces a
limit on the number of HTTP request parameters.
+ * The features of
On Wed, Jan 22, 2025 at 3:11 PM Mark Thomas wrote:
>
> As a result of a user request, I am looking at Tomcat's handling of %2f
> (encoded '/') and %5c (encoded '\').
>
> I have already added a new attribute (encodedReverseSolidusHandling) to
> the Conne
As a result of a user request, I am looking at Tomcat's handling of %2f
(encoded '/') and %5c (encoded '\').
I have already added a new attribute (encodedReverseSolidusHandling) to
the Connector to align options for %5c handling with options for %2f
handling.
s that ensure that
the request body length is restricted by LimitRequestBody.
rmaucher commented on PR #806:
URL: https://github.com/apache/tomcat/pull/806#issuecomment-2586420543
As per the response in the BZ, we're not going to address this (esp not
using an unrelated configuration setting).
rmaucher closed pull request #806: fix BZ 69446 - Propagate maxSwallowSize to
enforce partial PUT request target file size
URL: https://github.com/apache/tomcat/pull/806
Chenjp opened a new pull request, #806:
URL: https://github.com/apache/tomcat/pull/806
maxSwallowSize is semantically equivalent to the max file size of an upload.
Send 413 when the length of the Content-Range request exceeds maxSwallowSize.
This is an automated email from the ASF dual-hosted git repository.
remm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new 6863bc912b Drop code trying to detect a request body
remm pushed a commit to branch 11.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/11.0.x by this push:
new 3fc44630f7 Drop code trying to detect a request
remm pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push:
new bf1b3b7d76 Drop code trying to detect a request
remm pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.1.x by this push:
new 7d14ee71e0 Drop code trying to detect a request
https://bz.apache.org/bugzilla/show_bug.cgi?id=69486
--- Comment #8 from Chen Jp ---
It is similar to the DBCP alive checking in testOnBorrow() / testOnReturn().
It provides an extra opportunity to ensure that request/response are fresh and clean
when taken (borrowed) from / returned to a pool or serving
https://bz.apache.org/bugzilla/show_bug.cgi?id=69504
--- Comment #2 from Chen Jp ---
Propose extracting the recycling ops on external request/response from
CoyoteAdapter#log.
e.g. a supposed implementation of CoyoteAdapter#checkRecycled: 1. access logging;
2. explicitly make sure req/resp were recycled
https://bz.apache.org/bugzilla/show_bug.cgi?id=69486
--- Comment #7 from Mark Thomas ---
(In reply to Chen Jp from comment #6)
> related cve: CVE-2024-21733
Sort of but not really. The root cause of that CVE was an error path that
bypassed resetting the buffer. It is just as likely that the zero
https://bz.apache.org/bugzilla/show_bug.cgi?id=69504
Mark Thomas changed:
What | Removed | Added
OS | | All
--- Comment #1 from Mark Thomas ---
https://bz.apache.org/bugzilla/show_bug.cgi?id=69486
--- Comment #6 from Chen Jp ---
related cve: CVE-2024-21733
https://bz.apache.org/bugzilla/show_bug.cgi?id=69504
Bug ID: 69504
Summary: CoyoteAdapter recycles request/response objects in
"log()" method even if they came from outside.
Product: Tomcat 10
Version: 10.1.34
ing the JVM.
> Next request/response cycle will not able to obtains context of previous
> service round.
ByteBuffer.limit(0) already does this.
https://bz.apache.org/bugzilla/show_bug.cgi?id=69486
--- Comment #4 from Chen Jp ---
For those reusable resources, when the current request processing is completed
or abnormally interrupted, if possible, intermediate data (which were serving
for current service lifecycle) purging in the resource
Chenjp commented on PR #791:
URL: https://github.com/apache/tomcat/pull/791#issuecomment-2522898421
Got it. If possible, send me those examples to study the scenario. thanks.
https://bz.apache.org/bugzilla/show_bug.cgi?id=69486
--- Comment #3 from Christopher Schultz ---
Setting the length of the buffer to 0 should be enough (e.g. limit(0)). If
there are data-leakage bugs in ByteBuffer, they should be fixed.
Writing zeros to the buffer may or may not happen, dependin
rmaucher commented on PR #791:
URL: https://github.com/apache/tomcat/pull/791#issuecomment-2516870493
Konstantin has provided examples of requests out there with these kind of
ranges. Rejecting them provides no value to Tomcat, so the change was reverted.
Chenjp commented on PR #791:
URL: https://github.com/apache/tomcat/pull/791#issuecomment-2516821173
> Yes. This change has been reverted. It is not RFC 9110 compliant.
It is not RFC required; remove this detector if reasonable cases endorse it.
The RFC uses the term MAY, not MUST: A server
markt-asf commented on PR #790:
URL: https://github.com/apache/tomcat/pull/790#issuecomment-2516715364
Look at the history of the code. You'll need to go back a long way. There is
definitely an argument for deprecating this option and removing it in Tomcat 12.
markt-asf commented on PR #791:
URL: https://github.com/apache/tomcat/pull/791#issuecomment-2516693987
Yes. This change has been reverted. It is not RFC 9110 compliant.
Chenjp commented on PR #791:
URL: https://github.com/apache/tomcat/pull/791#issuecomment-2516674415
@markt-asf any issue?
https://bz.apache.org/bugzilla/show_bug.cgi?id=69486
--- Comment #2 from Mark Thomas ---
Even with those caveats, I'm not sure I'd be in favour of this. I'm leaning
towards "won't fix".
https://bz.apache.org/bugzilla/show_bug.cgi?id=69486
Remy Maucherat changed:
What | Removed | Added
OS | | All
--- Comment #1 from Remy Mauchera
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push:
new b3b3f57ffc Revert "Reject Range-Request if
markt pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.1.x by this push:
new 1edf8e7c54 Revert "Reject Range-Request if
markt pushed a commit to branch 11.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/11.0.x by this push:
new 0f13daffbf Revert "Reject Range-Request if
eject Range-Request if those ranges are not strictly in ascending
order (#791)"
This reverts commit 19efe70c8732f78803b9cff9be0a63c8f6202a8a.
---
.../apache/catalina/servlets/DefaultServlet.java | 22 +++---
.../servlets/TestDefaultServletRangeRequests.java | 3 --
Chenjp commented on PR #790:
URL: https://github.com/apache/tomcat/pull/790#issuecomment-2516346283
> No.
If the server enables the Range-Requests feature and the target resource also supports
it, I think there is no good reason for the absence of the `Accept-Ranges: bytes`
response header.
Chenjp commented on PR #790:
URL: https://github.com/apache/tomcat/pull/790#issuecomment-2516095894
Since the ***Range Requests*** feature is optional, there may be a reason for that.
This feature affects the "Accept-Range" header of responses, and server
behavior for requests (with "Range", "I
https://bz.apache.org/bugzilla/show_bug.cgi?id=69486
Bug ID: 69486
Summary: Destroy data in memory completely after the
request-response service is finished
Product: Tomcat 10
Version: 10.1.33
Hardware: PC
repos/asf/tomcat.git
> >
> >
> > The following commit(s) were added to refs/heads/main by this push:
> > new 19efe70c87 Reject Range-Request if those ranges are not strictly
> > in ascending order (#791)
> > 19efe70c87 is described below
> >
> > com
by this push:
> new 19efe70c87 Reject Range-Request if those ranges are not strictly in
> ascending order (#791)
> 19efe70c87 is described below
>
> commit 19efe70c8732f78803b9cff9be0a63c8f6202a8a
> Author: Chenjp
> AuthorDate: Tue Dec 3 23:44:32 2024 +0800
>
> Rejec
markt-asf commented on PR #790:
URL: https://github.com/apache/tomcat/pull/790#issuecomment-2515112985
If they really want to do that - and I can't think of a valid reason they
would - they can write a Filter (or Valve) to remove the Range header.
Chenjp commented on PR #790:
URL: https://github.com/apache/tomcat/pull/790#issuecomment-2515107111
If an app developer decides to disable the ***Range Requests*** feature, how to do so?
markt-asf commented on PR #790:
URL: https://github.com/apache/tomcat/pull/790#issuecomment-2515073630
No.
Chenjp commented on PR #790:
URL: https://github.com/apache/tomcat/pull/790#issuecomment-2515063984
> Note: It is not required for a server to send `Accept-Ranges` for it to
process a request with `Range`.
Does the value of `useAcceptRanges` determine whether the server enable / disa
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push:
new ef730de75f Reject Range-Request if those ranges
markt pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.1.x by this push:
new 51a498285d Reject Range-Request if those ranges
markt pushed a commit to branch 11.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/11.0.x by this push:
new 71cc25669d Reject Range-Request if those ranges
markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new 19efe70c87 Reject Range-Request if those ranges are
markt-asf merged PR #791:
URL: https://github.com/apache/tomcat/pull/791
markt pushed a commit to branch 11.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/11.0.x by this push:
new 591b439b13 fix incomplete chunked request body
markt-asf merged PR #792:
URL: https://github.com/apache/tomcat/pull/792
markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new 08cbff9e97 fix incomplete chunked request body in
markt-asf commented on PR #790:
URL: https://github.com/apache/tomcat/pull/790#issuecomment-2514678141
Note: It is not required for a server to send `Accept-Ranges` for it to
process a request with `Range`.
markt-asf commented on PR #790:
URL: https://github.com/apache/tomcat/pull/790#issuecomment-2514634738
Needs some small changes but I'll do that after merging but before
back-porting.
markt-asf merged PR #790:
URL: https://github.com/apache/tomcat/pull/790
and code links when request URI has a pathInfo
---
webapps/docs/changelog.xml | 4
.../WEB-INF/classes/RequestInfoExample.java | 25 +++---
2 files changed, 16 insertions(+), 13 deletions(-)
diff --git a/webapps/docs/changelog.xml b/webapps/docs
code links when request URI has a pathInfo
---
.../WEB-INF/classes/RequestInfoExample.java | 25 +++---
1 file changed, 12 insertions(+), 13 deletions(-)
diff --git a/webapps/examples/WEB-INF/classes/RequestInfoExample.java
b/webapps/examples/WEB-INF/classes
Chenjp opened a new pull request, #792:
URL: https://github.com/apache/tomcat/pull/792
Add CRLF after the last-chunk to build a valid chunked request body.
Chenjp commented on PR #791:
URL: https://github.com/apache/tomcat/pull/791#issuecomment-2508272217
Simpler and more elegant logic to detect both overlap and ASC order at the same time.
Chenjp opened a new pull request, #791:
URL: https://github.com/apache/tomcat/pull/791
A request whose ranges are not strictly in ascending order indicates either a
broken client or a deliberate denial-of-service attack.
Chenjp opened a new pull request, #790:
URL: https://github.com/apache/tomcat/pull/790
- Bug: incorrect partial content response to HEAD request with Range header
***Tomcat*** - 206:
```
C:\Users\chenjp>curl http://localhost:55263/index.html -i -H "Range:
bytes=
```
markt-asf closed pull request #782: send 416 error to overlapping ranges request
URL: https://github.com/apache/tomcat/pull/782
markt-asf commented on PR #782:
URL: https://github.com/apache/tomcat/pull/782#issuecomment-2504291618
Tx. Applied a variation manually.
Chenjp commented on code in PR #782:
URL: https://github.com/apache/tomcat/pull/782#discussion_r1857791659
##
java/org/apache/catalina/servlets/DefaultServlet.java:
##
@@ -1231,10 +1231,25 @@ private static boolean validate(ContentRange range) {
(range.getEnd()
Chenjp commented on PR #782:
URL: https://github.com/apache/tomcat/pull/782#issuecomment-2495275038
> I'd like to see similar protection for `Content-Range` when used with
partial `PUT`.
@markt-asf done with PR #778
markt-asf commented on code in PR #782:
URL: https://github.com/apache/tomcat/pull/782#discussion_r1854564015
##
java/org/apache/catalina/servlets/DefaultServlet.java:
##
@@ -1231,10 +1231,25 @@ private static boolean validate(ContentRange range) {
(range.getEnd
https://bz.apache.org/bugzilla/show_bug.cgi?id=69444
--- Comment #7 from Paolo B. ---
Thanks!
I've reported this to Mojarra project
gmshake commented on PR #782:
URL: https://github.com/apache/tomcat/pull/782#issuecomment-2485163715
Nice catch!
Chenjp opened a new pull request, #782:
URL: https://github.com/apache/tomcat/pull/782
Request ranges validation - overlap detection added.
* invalid ranges - overlapping:
```
D:\git\github.com>curl http://localhost:55464/index.html -i -H "Range:
bytes=10-40,35-50"
```
https://bz.apache.org/bugzilla/show_bug.cgi?id=69444
Mark Thomas changed:
What | Removed | Added
Resolution | --- | FIXED
Status | NEW
Note: Correction to 10.1.x affected versions
CVE-2024-52317 Apache Tomcat - Request and/or response mix-up
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 11.0.0-M23 to 11.0.0-M26
Apache Tomcat 10.1.27 to 10.1.30
Apache Tomcat 9.0.92 to 9.0.95
CVE-2024-52317 Apache Tomcat - Request and/or response mix-up
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 11.0.0-M23 to 11.0.0-M26
Apache Tomcat 10.1.7 to 10.1.30
Apache Tomcat 9.0.92 to 9.0.95
Description:
Incorrect recycling of the request and
https://bz.apache.org/bugzilla/show_bug.cgi?id=69444
--- Comment #5 from Mark Thomas ---
From the setAttribute() Javadoc:
"If the object passed in is null, the effect is the same as calling {@link
#removeAttribute}."
I think we are going to need to set it explicitly to the empty String.