svn commit: r587013 - /tomcat/current/tc4.1.x/STATUS

2007-10-22 Thread rjung
Author: rjung Date: Sun Oct 21 23:59:47 2007 New Revision: 587013 URL: http://svn.apache.org/viewvc?rev=587013&view=rev Log: Propose patch to expand system properties in server.xml. Modified: tomcat/current/tc4.1.x/STATUS Modified: tomcat/current/tc4.1.x/STATUS URL: http://svn.apache.org/vi

Re: [Fwd: [Security] - **Updated** Important vulnerability disclosed in Apache Tomcat webdav servlet]

2007-10-22 Thread jean-frederic clere
jkew wrote: > Mark Thomas wrote: >> William L. Thomson Jr. wrote: >> >>> I take it down streams should run with the first patches to work around >>> this vulnerability till next release. I already applied the one liner, >>> kinda glad I did not apply the other last night ;) Please advise, >>> tha

svn commit: r587018 - /tomcat/tc6.0.x/trunk/STATUS

2007-10-22 Thread jfclere
Author: jfclere Date: Mon Oct 22 00:18:49 2007 New Revision: 587018 URL: http://svn.apache.org/viewvc?rev=587018&view=rev Log: Add the Cookies tests patch. Modified: tomcat/tc6.0.x/trunk/STATUS Modified: tomcat/tc6.0.x/trunk/STATUS URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STAT

svn commit: r587043 - /tomcat/tc6.0.x/trunk/STATUS

2007-10-22 Thread jfclere
Author: jfclere Date: Mon Oct 22 02:05:37 2007 New Revision: 587043 URL: http://svn.apache.org/viewvc?rev=587043&view=rev Log: Propose a better patch for IcedTea support. Modified: tomcat/tc6.0.x/trunk/STATUS Modified: tomcat/tc6.0.x/trunk/STATUS URL: http://svn.apache.org/viewvc/tomcat/tc

svn commit: r587045 - /tomcat/tc6.0.x/trunk/STATUS

2007-10-22 Thread jfclere
Author: jfclere Date: Mon Oct 22 02:07:39 2007 New Revision: 587045 URL: http://svn.apache.org/viewvc?rev=587045&view=rev Log: It also improves the fix for 37284. Modified: tomcat/tc6.0.x/trunk/STATUS Modified: tomcat/tc6.0.x/trunk/STATUS URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trun

DO NOT REPLY [Bug 43671] New: - Unclear Contract between Entity expansion and DOM parser validation cause OWASP A2 in WebDAV Servlet

2007-10-22 Thread bugzilla
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT . ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE. http://issues.apache.org/bugzilla/show_bu

DO NOT REPLY [Bug 43671] - Unclear Contract between Entity expansion and DOM parser validation cause OWASP A2 in WebDAV Servlet

2007-10-22 Thread bugzilla

DO NOT REPLY [Bug 43671] - Unclear Contract between Entity expansion and DOM parser validation cause OWASP A2 in WebDAV Servlet

2007-10-22 Thread bugzilla

svn commit: r587062 - /tomcat/tc6.0.x/trunk/STATUS

2007-10-22 Thread remm
Author: remm Date: Mon Oct 22 04:38:28 2007 New Revision: 587062 URL: http://svn.apache.org/viewvc?rev=587062&view=rev Log: - Vote. Modified: tomcat/tc6.0.x/trunk/STATUS Modified: tomcat/tc6.0.x/trunk/STATUS URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS?rev=587062&r1=587061&

DO NOT REPLY [Bug 43671] - Unclear Contract between Entity expansion and DOM parser validation cause OWASP A2 in WebDAV Servlet

2007-10-22 Thread bugzilla

svn commit: r587082 - in /tomcat/tc6.0.x/trunk: STATUS java/org/apache/catalina/servlets/LocalStrings.properties java/org/apache/catalina/servlets/WebdavServlet.java webapps/docs/changelog.xml

2007-10-22 Thread markt
Author: markt Date: Mon Oct 22 06:19:05 2007 New Revision: 587082 URL: http://svn.apache.org/viewvc?rev=587082&view=rev Log: Improve patch for WebDAV issue. Modified: tomcat/tc6.0.x/trunk/STATUS tomcat/tc6.0.x/trunk/java/org/apache/catalina/servlets/LocalStrings.properties tomcat/tc6

DO NOT REPLY [Bug 43668] - ApplicationDispatcher.doForward for non-HTTP request is always NULL

2007-10-22 Thread bugzilla

svn commit: r587115 - in /tomcat/tc6.0.x/trunk: STATUS dist.xml webapps/docs/changelog.xml

2007-10-22 Thread fhanik
Author: fhanik Date: Mon Oct 22 07:46:04 2007 New Revision: 587115 URL: http://svn.apache.org/viewvc?rev=587115&view=rev Log: Add in MD5 fix Modified: tomcat/tc6.0.x/trunk/STATUS tomcat/tc6.0.x/trunk/dist.xml tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Modified: tomcat/tc6.0.x/tr

Executing user code in Poller Thread for NIO connector on timeout (executor is specified in server.xml)

2007-10-22 Thread Christophe Pierret
Hi all, I noticed that user code gets executed inside NIO Poller thread in case of timeout error, if the executor is specified in server.xml. Since there are very few poller threads, I guess it is not really a good idea that the user code run in case of timeouts is run within the Poller thread. He

Re: [Fwd: [Security] - **Updated** Important vulnerability disclosed in Apache Tomcat webdav servlet]

2007-10-22 Thread Costin Manolache
What is apache doing ? Better be consistent, both sides (log or no log) have value. ( log - good to know it's happening, no-log - don't want to fill the logs with garbage if they do it from lots of machines / drones ) Costin On 10/21/07, Rémy Maucherat <[EMAIL PROTECTED]> wrote: > > On

Re: Executing user code in Poller Thread for NIO connector on timeout (executor is specified in server.xml)

2007-10-22 Thread Filip Hanik - Dev Lists
absolutely, the other place that issues a timeout, does a dispatch, this one should do it too. Filip Christophe Pierret wrote: Hi all, I noticed that user code gets executed inside NIO Poller thread in case of timeout error, if the executor is specified in server.xml. Since there are very few p

Re: Executing user code in Poller Thread for NIO connector on timeout (executor is specified in server.xml)

2007-10-22 Thread Filip Hanik - Dev Lists
looking at the code, I'm gonna hold off with the fix until after we tag, there is much cleanup to be done on this particular section Filip Filip Hanik - Dev Lists wrote: absolutely, the other place that issues a timeout, does a dispatch, this one should do it too. Filip Christophe Pierret w

DO NOT REPLY [Bug 43671] - Unclear Contract between Entity expansion and DOM parser validation cause OWASP A2 in WebDAV Servlet

2007-10-22 Thread bugzilla

Re: [Fwd: [Security] - **Updated** Important vulnerability disclosed in Apache Tomcat webdav servlet]

2007-10-22 Thread William L. Thomson Jr.
On Sun, 2007-10-21 at 14:03 -0400, William L. Thomson Jr. wrote: > On Sun, 2007-10-21 at 17:41 +0100, Mark Thomas wrote: > > William L. Thomson Jr. wrote: > > > I take it down streams should run with the first patches to work around > > > this vulnerability till next release. I already applied the

Measuring bytes sent and received from and to Tomcat

2007-10-22 Thread Dave Rathnow
We have an application that collects data from, and sends data to, remote embedded devices. Traditionally we have used TCP and UDP to send and receive data over satellite. The latest release of our product will be using other communication medium with our devices making HTTP request to our appli

Re: Measuring bytes sent and received from and to Tomcat

2007-10-22 Thread Yoav Shapira
Hey, On 10/22/07, Dave Rathnow <[EMAIL PROTECTED]> wrote: > Is there a way we can do the same thing with Tomcat? It's simple for us > to measure the number of bytes in the payload of the HTTP > request/response, however that isn't enough. We need to know the total > number of bytes being sent and

[LOBBYING] Final fix for NIO connector

2007-10-22 Thread Filip Hanik - Dev Lists
Wanted to make sure you got a chance to vote for this, the fix must include the 100-continue response as well Please vote Filip * Final fix for http://issues.apache.org/bugzilla/show_bug.cgi?id=43653 Fixes the 100 Continue response, that got reversed through byte buffer manipulation last pa

RE: Measuring bytes sent and received from and to Tomcat

2007-10-22 Thread Dave Rathnow
We looked at using a valve but we weren't sure if it would work. Correct me if I'm wrong, but it appears as though valves are chained together in a calling sequence and that some valves could change the content of the request or response. This means we may not get an accurate measure of the numbe

Re: Measuring bytes sent and received from and to Tomcat

2007-10-22 Thread Costin Manolache
'bytes' should be counted at a lower level, in connector. I'm not sure this is something generic enough - but you can make some changes to your tomcat, where read() is done from socket. I guess it would be nice to have a JMX graph with bytes/sec in/out. Costin On 10/22/07, Dave Rathnow <

RE: Measuring bytes sent and received from and to Tomcat

2007-10-22 Thread Dave Rathnow
I looked at connectors but wasn't sure if this was what I wanted. To avoid another wild goose chase I decided to ask. Can you point me in the direction of some documentation where I might be able to get started? Dave. -Original Message- From: Costin Manolache [mailto:[EMAIL PROTECTED]

Re: Measuring bytes sent and received from and to Tomcat

2007-10-22 Thread Costin Manolache
Well, if you want absolute byte - connector seems the only place, there are space and tabs being skipped when parsing headers, etc. If you are ok with an estimate - the AccessLogValve is ok, add all the header lengths + method + http/1.1. You'll miss bytes for encodings, spaces. Re. where to add

Re: [Fwd: [Security] - **Updated** Important vulnerability disclosed in Apache Tomcat webdav servlet]

2007-10-22 Thread Mark Thomas
William L. Thomson Jr. wrote: > Mostly because > to my understanding one must be authorized in webdav or etc to be able > to exploit the vulnerability. To be clear, authorisation is not required for this vulnerability. Of course, if you open up write access without authorisation then you are taki

svn commit: r587315 [4/4] - in /tomcat/site/trunk: docs/ docs/faq/ docs/faq/printer/ xdocs/ xdocs/stylesheets/

2007-10-22 Thread markt
Modified: tomcat/site/trunk/docs/security.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security.html?rev=587315&r1=587314&r2=587315&view=diff == --- tomcat/site/trunk/docs/security.html (original) +++ tomc

[ANN] Apache Tomcat 5.0.x no longer supported

2007-10-22 Thread Mark Thomas
The Apache Tomcat team wishes to announce that Tomcat 5.0.x will no longer be supported. Users are encouraged to upgrade to the latest stable 6.x release or, if that is not practical, the latest stable 5.5.x for continued support. Kind regards, The Apache Tomcat team ---

DO NOT REPLY [Bug 38290] - No SESSION_DESTROYED_EVENT sent for existing webapp sessions when webapp is reloaded

2007-10-22 Thread bugzilla

DO NOT REPLY [Bug 38291] - Form actions hanging in UDecoder.convert

2007-10-22 Thread bugzilla

DO NOT REPLY [Bug 38629] - Classloader not quickly enough available for JSPs

2007-10-22 Thread bugzilla

DO NOT REPLY [Bug 38795] - [PATCH] StandardContext doesn't always reset thread's contextClassLoader

2007-10-22 Thread bugzilla

DO NOT REPLY [Bug 39358] - tomcat can not support the JAASRealm definition with character "$" in the class name.

2007-10-22 Thread bugzilla

mod_jk 1.2.25, JkEnvVar evaluated too many times

2007-10-22 Thread Ian Ward Comfort
(I've heard this list is a good place to discuss mod_jk code; please redirect me and accept my apologies if it is not.) I think I've found a problem with mod_jk 1.2.25 and Apache 2.x, whereby JkEnvVar directives are effectively evaluated too many times when VirtualHosts are configured. Th

DO NOT REPLY [Bug 43671] - Unclear Contract between Entity expansion and DOM parser validation cause OWASP A2 in WebDAV Servlet

2007-10-22 Thread bugzilla

Re: [Fwd: [Security] - **Updated** Important vulnerability disclosed in Apache Tomcat webdav servlet]

2007-10-22 Thread William L. Thomson Jr.
On Tue, 2007-10-23 at 00:39 +0100, Mark Thomas wrote: > William L. Thomson Jr. wrote: > > > Mostly because > > to my understanding one must be authorized in webdav or etc to be able > > to exploit the vulnerability. > > To be clear, authorisation is not required for this vulnerability. Of > cour

Re: Measuring bytes sent and received from and to Tomcat

2007-10-22 Thread Johnny Kewl
--- HARBOR: http://coolharbor.100free.com/index.htm Now Tomcat is also a cool application server --- - Original Message - From: "Dave Rathnow" <

Re: mod_jk 1.2.25, JkEnvVar evaluated too many times

2007-10-22 Thread Mladen Turk
Ian Ward Comfort wrote: (I've heard this list is a good place to discuss mod_jk code; please redirect me and accept my apologies if it is not.) No, this is correct place :) containers. By adding some additional instrumentation to the code, I can see that each AJP packet is constructed with