Re: Cookies are broken in 6.0.16?

2008-02-09 Thread Mark Thomas
Maik Jablonski wrote: Hi, I've just encountered that Cookies seem to be a little bit broken in 6.0.16. If you want to read a cookie which ends on one or more equals-sign (=), the equals-signs are removed by Tomcat when the cookie is read. Is it a bug or an "undocumented" change? It is neither.

Re: Cookies are broken in 6.0.16?

2008-02-09 Thread Pid
Mark Thomas wrote: Maik Jablonski wrote: Hi, I've just encountered that Cookies seem to be a little bit broken in 6.0.16. If you want to read a cookie which ends on one or more equals-sign (=), the equals-signs are removed by Tomcat when the cookie is read. Is it a bug or an "undocumented" chan

Re: Cookies are broken in 6.0.16?

2008-02-09 Thread Maik Jablonski
On Feb 9, 2008 2:03 PM, Mark Thomas <[EMAIL PROTECTED]> wrote: > It is neither. The changes are documented in the change log. As a result of > a couple of minor security issues (see > http://tomcat.apache.org/security-6.html) the cookie handling code has been > tightened up to make it spec complian

svn commit: r620157 - /tomcat/connectors/tags/other/TOMCAT_NATIVE_1_1_13/

2008-02-09 Thread jfclere
Author: jfclere Date: Sat Feb 9 09:16:39 2008 New Revision: 620157 URL: http://svn.apache.org/viewvc?rev=620157&view=rev Log: tag 1.1.13 tc-native. Added: tomcat/connectors/tags/other/TOMCAT_NATIVE_1_1_13/ - copied from r620156, tomcat/connectors/trunk/

svn commit: r620156 - /tomcat/connectors/trunk/jni/jnirelease.sh

2008-02-09 Thread jfclere
Author: jfclere Date: Sat Feb 9 09:15:01 2008 New Revision: 620156 URL: http://svn.apache.org/viewvc?rev=620156&view=rev Log: Ready for tag ;-) Modified: tomcat/connectors/trunk/jni/jnirelease.sh Modified: tomcat/connectors/trunk/jni/jnirelease.sh URL: http://svn.apache.org/viewvc/tomcat/c

tomcat native documentation

2008-02-09 Thread jean-frederic clere
Hi, I have prepared a doc for the tomcat native library. http://people.apache.org/~jfclere/tc-native-docs/ The idea is to add it like http://tomcat.apache.org/tc-native-docs Comments? Cheers Jean-Frederic

[VOTE] Release tc-native 1.1.13

2008-02-09 Thread jean-frederic clere
The candidates binaries are available here: http://people.apache.org/~jfclere/tcnative/v1.1.13/ According to the release process, the 1.1.13 tag is: [ ] Broken [ ] Alpha [ ] Beta [ ] Stable Cheers Jean-Frederic

Re: [VOTE] Release tc-native 1.1.13

2008-02-09 Thread Filip Hanik - Dev Lists
According to the release process, the 1.1.13 tag is: [ ] Broken [ ] Alpha [ ] Beta [X] Stable Filip

DO NOT REPLY [Bug 44383] - Possible leak: tomcat does not release Jasper compilation contexts

2008-02-09 Thread bugzilla
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT . ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE. http://issues.apache.org/bugzilla/show_bu

Re: Cookies are broken in 6.0.16?

2008-02-09 Thread Pid
Pid wrote: Mark Thomas wrote: Maik Jablonski wrote: Hi, I've just encountered that Cookies seem to be a little bit broken in 6.0.16. If you want to read a cookie which ends on one or more equals-sign (=), the equals-signs are removed by Tomcat when the cookie is read. Is it a bug or an "undocu

svn commit: r620173 - in /tomcat: container/branches/tc4.1.x/ container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/core/ container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/

2008-02-09 Thread markt
Author: markt Date: Sat Feb 9 10:45:05 2008 New Revision: 620173 URL: http://svn.apache.org/viewvc?rev=620173&view=rev Log: Add support for system property replacement. Modified: tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt tomcat/container/branches/tc4.1.x/catalina/src/share

svn commit: r620171 - /tomcat/tc6.0.x/trunk/STATUS.txt

2008-02-09 Thread markt
Author: markt Date: Sat Feb 9 10:35:15 2008 New Revision: 620171 URL: http://svn.apache.org/viewvc?rev=620171&view=rev Log: vote Modified: tomcat/tc6.0.x/trunk/STATUS.txt Modified: tomcat/tc6.0.x/trunk/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=620171&

Re: tomcat native documentation

2008-02-09 Thread Henri Gomez
Good. Just a point : INFO: Loaded APR based Apache Tomcat Native library 1.1.12. ==> INFO: Loaded APR based Apache Tomcat Native library 1.1.13. :-) 2008/2/9, jean-frederic clere <[EMAIL PROTECTED]>: > Hi, > > I have prepared a doc for the tomcat native library. > > http://people.apache.org/~

Re: Cookies are broken in 6.0.16?

2008-02-09 Thread Remy Maucherat
On Sat, 2008-02-09 at 13:03 +, Mark Thomas wrote: > Maik Jablonski wrote: > > Hi, > > > > I've just encountered that Cookies seem to be a little bit broken in > > 6.0.16. If you want to read a cookie which ends on one or more > > equals-sign (=), the equals-signs are removed by Tomcat when the

Re: Cookies are broken in 6.0.16?

2008-02-09 Thread Jim Manico
> response.addCookie(new Cookie("test_cookie3", "123===")) looks like something which should be working. Honestly, this is not user driven - it's only server programmer driven. I would dare to say this is either absolutely horrible server side programming or a possible attempt at a hack/atta

Re: Cookies are broken in 6.0.16?

2008-02-09 Thread Filip Hanik - Dev Lists
no regression, if you do this c = new javax.servlet.http.Cookie("abcv1","123=="); c.setVersion(1); response.addCookie(c); then it works just fine. however, if you do c = new javax.servlet.http.Cookie("abcv0","123=="); response.addCookie(c); then it doesn't. if we encode it, (which we did

Re: Cookies are broken in 6.0.16?

2008-02-09 Thread Jim Manico
Filip, Would you consider auto-encoding only = and ; in the cookie value, but leaving everything else alone for v0 cookies? Would this possibly pass TCK? - Jim no regression, if you do this c = new javax.servlet.http.Cookie("abcv1","123=="); c.setVersion(1); response.addCookie(c); then i

Re: Cookies are broken in 6.0.16?

2008-02-09 Thread Filip Hanik - Dev Lists
actually not, in previous version, we double quoted v0 cookies, and so browsers treated them as v1 in terms of value any sort of encoding attempt we made was miserable between different browsers. filip Jim Manico wrote: Filip, Would you consider auto-encoding only = and ; in the cookie value,

Re: Cookies are broken in 6.0.16?

2008-02-09 Thread Remy Maucherat
On Sat, 2008-02-09 at 16:14 -0700, Filip Hanik - Dev Lists wrote: > no regression, if you do this > > c = new javax.servlet.http.Cookie("abcv1","123=="); > c.setVersion(1); > response.addCookie(c); > > then it works just fine. > > however, if you do > c = new javax.servlet.http.Cookie("a

Re: Cookies are broken in 6.0.16?

2008-02-09 Thread Jim Manico
What about making //cookies v0 c = new javax.servlet.http.Cookie("abcv0","123=="); response.addCookie(c); At least throw some kind of malformedCookieData exception instead of just "failing gracefully" to accelerate programmers' ability to upgrade legacy systems? - Jim On Sat, 2008-02-09 at

Re: Cookies are broken in 6.0.16?

2008-02-09 Thread Filip Hanik - Dev Lists
Remy Maucherat wrote: On Sat, 2008-02-09 at 16:14 -0700, Filip Hanik - Dev Lists wrote: no regression, if you do this c = new javax.servlet.http.Cookie("abcv1","123=="); c.setVersion(1); response.addCookie(c); then it works just fine. however, if you do c = new javax.servlet.http.C

Re: Cookies are broken in 6.0.16?

2008-02-09 Thread Filip Hanik - Dev Lists
Remy Maucherat wrote: On Sat, 2008-02-09 at 16:14 -0700, Filip Hanik - Dev Lists wrote: no regression, if you do this c = new javax.servlet.http.Cookie("abcv1","123=="); c.setVersion(1); response.addCookie(c); then it works just fine. however, if you do c = new javax.servlet.http.C

Re: Cookies are broken in 6.0.16?

2008-02-09 Thread Jim Manico
> I guess we could throw a run time exception if the value contained any of those. other than that, I'm not sure how to behave I think this is the best case scenario for v0 cookies. Perhaps, if you really want to get fancy, you can add a flag to let legacy solutions roll back to the old/non-st

DO NOT REPLY [Bug 44383] - Possible leak: tomcat does not release Jasper compilation contexts

2008-02-09 Thread bugzilla
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT . ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE. http://issues.apache.org/bugzilla/show_bu

Re: Cookies are broken in 6.0.16?

2008-02-09 Thread Filip Hanik - Dev Lists
Jim Manico wrote: > I guess we could throw a run time exception if the value contained any of those. other than that, I'm not sure how to behave I think this is the best case scenario for v0 cookies. Perhaps, if you really want to get fancy, you can add a flag to let legacy solutions roll bac

Re: Cookies are broken in 6.0.16?

2008-02-09 Thread Jim Manico
> we fixed the cookie behavior in this release due to security issues filed against the old parsing. Gotchya, Filip. Makes sense. What about the Runtime exception? That might at least allow legacy systems to debug this problem fast. "Fail Quietly" doesn't seem like a good solution. - Jim J

Re: Cookies are broken in 6.0.16?

2008-02-09 Thread Jess Holle
Or log a really noisy, loud error so you know what's going on at least Jim Manico wrote: > we fixed the cookie behavior in this release due to security issues filed against the old parsing. Gotchya, Filip. Makes sense. What about the Runtime exception? That might at least allow legacy