Re: [VOTE] Release Apache Tomcat 10.0.21
On Tue, May 10, 2022 at 3:39 PM Mark Thomas wrote:

> The proposed Apache Tomcat 10.0.21 release is now available for
> voting.
>
> Apache Tomcat 10.0.x implements Jakarta EE 9 and, as such, the primary
> package for all the specification APIs has changed from javax.* to
> jakarta.*
>
> Applications that run on Tomcat 9 will not run on Tomcat 10 without
> changes. Java EE applications designed for Tomcat 9 and earlier may be
> placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will
> automatically convert them to Jakarta EE and copy them to the webapps
> directory
>
> The notable changes compared to 10.0.20 are:
>
> - Provide a property source that sources values from Kubernetes service
>   bindings. Provided by Sumit Kulhadia and Gareth Evans.
>
> - The root cause of the Linux kernel duplicate accept bug has been
>   identified along with the version of the kernel that includes the fix.
>   The error message displayed when this bug occurs has been updated to
>   reflect this new information and to advise users to update to a
>   version of the OS that uses kernel 5.10 or later. Thanks to
>   Christopher Gual for the research into this issue.
>
> - Update the packaged version of the Tomcat Native Library to 1.2.33 to
>   pick up Windows binaries built with OpenSSL 1.1.1o.
>
> Along with lots of other bug fixes and improvements.
>
> For full details, see the changelog:
> https://nightlies.apache.org/tomcat/tomcat-10.0.x/docs/changelog.html
>
> It can be obtained from:
> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-10/v10.0.21/
>
> The Maven staging repo is:
> https://repository.apache.org/content/repositories/orgapachetomcat-1373
>
> The tag is:
> https://github.com/apache/tomcat/tree/10.0.21
> feb577944dee2ac7cc9839638e9388d90067f1cb
>
> The proposed 10.0.21 release is:
> [ ] Broken - do not release
> [X] Stable - go ahead and release as 10.0.21 (stable)
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 10.0.21
[x] Stable - go ahead and release as 10.0.21 (stable)

On Tue, May 10, 2022 at 6:39 PM Mark Thomas wrote:

> The proposed Apache Tomcat 10.0.21 release is now available for
> voting.
>
> Apache Tomcat 10.0.x implements Jakarta EE 9 and, as such, the primary
> package for all the specification APIs has changed from javax.* to
> jakarta.*
>
> Applications that run on Tomcat 9 will not run on Tomcat 10 without
> changes. Java EE applications designed for Tomcat 9 and earlier may be
> placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will
> automatically convert them to Jakarta EE and copy them to the webapps
> directory
>
> The notable changes compared to 10.0.20 are:
>
> - Provide a property source that sources values from Kubernetes service
>   bindings. Provided by Sumit Kulhadia and Gareth Evans.
>
> - The root cause of the Linux kernel duplicate accept bug has been
>   identified along with the version of the kernel that includes the fix.
>   The error message displayed when this bug occurs has been updated to
>   reflect this new information and to advise users to update to a
>   version of the OS that uses kernel 5.10 or later. Thanks to
>   Christopher Gual for the research into this issue.
>
> - Update the packaged version of the Tomcat Native Library to 1.2.33 to
>   pick up Windows binaries built with OpenSSL 1.1.1o.
>
> Along with lots of other bug fixes and improvements.
>
> For full details, see the changelog:
> https://nightlies.apache.org/tomcat/tomcat-10.0.x/docs/changelog.html
>
> It can be obtained from:
> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-10/v10.0.21/
>
> The Maven staging repo is:
> https://repository.apache.org/content/repositories/orgapachetomcat-1373
>
> The tag is:
> https://github.com/apache/tomcat/tree/10.0.21
> feb577944dee2ac7cc9839638e9388d90067f1cb
>
> The proposed 10.0.21 release is:
> [ ] Broken - do not release
> [ ] Stable - go ahead and release as 10.0.21 (stable)
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org

--
*Raymond Augé* (@rotty3000)
Senior Software Architect
*Liferay, Inc.* (@Liferay)
OSGi Fellow, Java Champion
Re: [VOTE] Release Apache Tomcat 10.1.0-M15
On Tue, May 10, 2022 at 1:24 PM Mark Thomas wrote:

> The proposed Apache Tomcat 10.1.0-M15 release is now available for
> voting.
>
> Applications that run on Tomcat 9 and earlier will not run on Tomcat 10
> without changes. Java EE applications designed for Tomcat 9 and earlier
> may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat
> will automatically convert them to Jakarta EE and copy them to the
> webapps directory.
>
> The notable changes compared to 10.1.0-M14 are:
>
> - Provide a property source that sources values from Kubernetes service
>   bindings. Provided by Sumit Kulhadia and Gareth Evans.
>
> - The root cause of the Linux kernel duplicate accept bug has been
>   identified along with the version of the kernel that includes the fix.
>   The error message displayed when this bug occurs has been updated to
>   reflect this new information and to advise users to update to a
>   version of the OS that uses kernel 5.10 or later. Thanks to
>   Christopher Gual for the research into this issue.
>
> - Update the packaged version of the Tomcat Native Library to 1.2.33 to
>   pick up Windows binaries built with OpenSSL 1.1.1o.
>
> For full details, see the change log:
> https://nightlies.apache.org/tomcat/tomcat-10.1.x/docs/changelog.html
>
> It can be obtained from:
> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-10/v10.1.0-M15/
>
> The Maven staging repo is:
> https://repository.apache.org/content/repositories/orgapachetomcat-1371
>
> The tag is:
> https://github.com/apache/tomcat/tree/10.1.0-M15
> dcf3e81b2e709574971c7a9592614d70c1b55bf7
>
>
> The proposed 10.1.0-M15 release is:
> [ ] Broken - do not release
>
> [X] Alpha - go ahead and release as 10.1.0-M15 (alpha)
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
[VOTE] Release Apache Tomcat 10.0.21
The proposed Apache Tomcat 10.0.21 release is now available for
voting.

Apache Tomcat 10.0.x implements Jakarta EE 9 and, as such, the primary
package for all the specification APIs has changed from javax.* to
jakarta.*

Applications that run on Tomcat 9 will not run on Tomcat 10 without
changes. Java EE applications designed for Tomcat 9 and earlier may be
placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will
automatically convert them to Jakarta EE and copy them to the webapps
directory

The notable changes compared to 10.0.20 are:

- Provide a property source that sources values from Kubernetes service
  bindings. Provided by Sumit Kulhadia and Gareth Evans.

- The root cause of the Linux kernel duplicate accept bug has been
  identified along with the version of the kernel that includes the fix.
  The error message displayed when this bug occurs has been updated to
  reflect this new information and to advise users to update to a
  version of the OS that uses kernel 5.10 or later. Thanks to
  Christopher Gual for the research into this issue.

- Update the packaged version of the Tomcat Native Library to 1.2.33 to
  pick up Windows binaries built with OpenSSL 1.1.1o.

Along with lots of other bug fixes and improvements.

For full details, see the changelog:
https://nightlies.apache.org/tomcat/tomcat-10.0.x/docs/changelog.html

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-10/v10.0.21/

The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1373

The tag is:
https://github.com/apache/tomcat/tree/10.0.21
feb577944dee2ac7cc9839638e9388d90067f1cb

The proposed 10.0.21 release is:
[ ] Broken - do not release
[ ] Stable - go ahead and release as 10.0.21 (stable)

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 10.1.0-M15
The correct Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1372

Sorry for the change.

Mark

On 10/05/2022 23:16, Mark Thomas wrote:

Hi all,

Something went wrong with closing the staging repo and 10.0.21 and
10.1.0-M15 ended up in the same staging repository.

I'm going to drop the -1371 repository and upload the Maven artifacts
again. I'll update this thread when I have the new repository ID.

Mark

On 10/05/2022 21:24, Mark Thomas wrote:

The proposed Apache Tomcat 10.1.0-M15 release is now available for
voting.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10
without changes. Java EE applications designed for Tomcat 9 and earlier
may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat
will automatically convert them to Jakarta EE and copy them to the
webapps directory.

The notable changes compared to 10.1.0-M14 are:

- Provide a property source that sources values from Kubernetes service
  bindings. Provided by Sumit Kulhadia and Gareth Evans.

- The root cause of the Linux kernel duplicate accept bug has been
  identified along with the version of the kernel that includes the fix.
  The error message displayed when this bug occurs has been updated to
  reflect this new information and to advise users to update to a
  version of the OS that uses kernel 5.10 or later. Thanks to
  Christopher Gual for the research into this issue.

- Update the packaged version of the Tomcat Native Library to 1.2.33 to
  pick up Windows binaries built with OpenSSL 1.1.1o.

For full details, see the change log:
https://nightlies.apache.org/tomcat/tomcat-10.1.x/docs/changelog.html

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-10/v10.1.0-M15/

The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1371

The tag is:
https://github.com/apache/tomcat/tree/10.1.0-M15
dcf3e81b2e709574971c7a9592614d70c1b55bf7

The proposed 10.1.0-M15 release is:
[ ] Broken - do not release
[ ] Alpha - go ahead and release as 10.1.0-M15 (alpha)

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 10.1.0-M15
Hi all,

Something went wrong with closing the staging repo and 10.0.21 and
10.1.0-M15 ended up in the same staging repository.

I'm going to drop the -1371 repository and upload the Maven artifacts
again. I'll update this thread when I have the new repository ID.

Mark

On 10/05/2022 21:24, Mark Thomas wrote:

The proposed Apache Tomcat 10.1.0-M15 release is now available for
voting.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10
without changes. Java EE applications designed for Tomcat 9 and earlier
may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat
will automatically convert them to Jakarta EE and copy them to the
webapps directory.

The notable changes compared to 10.1.0-M14 are:

- Provide a property source that sources values from Kubernetes service
  bindings. Provided by Sumit Kulhadia and Gareth Evans.

- The root cause of the Linux kernel duplicate accept bug has been
  identified along with the version of the kernel that includes the fix.
  The error message displayed when this bug occurs has been updated to
  reflect this new information and to advise users to update to a
  version of the OS that uses kernel 5.10 or later. Thanks to
  Christopher Gual for the research into this issue.

- Update the packaged version of the Tomcat Native Library to 1.2.33 to
  pick up Windows binaries built with OpenSSL 1.1.1o.

For full details, see the change log:
https://nightlies.apache.org/tomcat/tomcat-10.1.x/docs/changelog.html

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-10/v10.1.0-M15/

The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1371

The tag is:
https://github.com/apache/tomcat/tree/10.1.0-M15
dcf3e81b2e709574971c7a9592614d70c1b55bf7

The proposed 10.1.0-M15 release is:
[ ] Broken - do not release
[ ] Alpha - go ahead and release as 10.1.0-M15 (alpha)

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 10.1.0-M15
[x] Alpha - go ahead and release as 10.1.0-M15 (alpha)

On Tue, May 10, 2022 at 4:24 PM Mark Thomas wrote:

> The proposed Apache Tomcat 10.1.0-M15 release is now available for
> voting.
>
> Applications that run on Tomcat 9 and earlier will not run on Tomcat 10
> without changes. Java EE applications designed for Tomcat 9 and earlier
> may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat
> will automatically convert them to Jakarta EE and copy them to the
> webapps directory.
>
> The notable changes compared to 10.1.0-M14 are:
>
> - Provide a property source that sources values from Kubernetes service
>   bindings. Provided by Sumit Kulhadia and Gareth Evans.
>
> - The root cause of the Linux kernel duplicate accept bug has been
>   identified along with the version of the kernel that includes the fix.
>   The error message displayed when this bug occurs has been updated to
>   reflect this new information and to advise users to update to a
>   version of the OS that uses kernel 5.10 or later. Thanks to
>   Christopher Gual for the research into this issue.
>
> - Update the packaged version of the Tomcat Native Library to 1.2.33 to
>   pick up Windows binaries built with OpenSSL 1.1.1o.
>
> For full details, see the change log:
> https://nightlies.apache.org/tomcat/tomcat-10.1.x/docs/changelog.html
>
> It can be obtained from:
> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-10/v10.1.0-M15/
>
> The Maven staging repo is:
> https://repository.apache.org/content/repositories/orgapachetomcat-1371
>
> The tag is:
> https://github.com/apache/tomcat/tree/10.1.0-M15
> dcf3e81b2e709574971c7a9592614d70c1b55bf7
>
>
> The proposed 10.1.0-M15 release is:
> [ ] Broken - do not release
> [ ] Alpha - go ahead and release as 10.1.0-M15 (alpha)
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org

--
*Raymond Augé* (@rotty3000)
Senior Software Architect
*Liferay, Inc.* (@Liferay)
OSGi Fellow, Java Champion
svn commit: r54423 - in /dev/tomcat/tomcat-10/v10.0.21: ./ bin/ bin/embed/ src/
Author: markt Date: Tue May 10 22:07:15 2022 New Revision: 54423 Log: Upload Apache Tomcat 10.0.21 for voting Added: dev/tomcat/tomcat-10/v10.0.21/ dev/tomcat/tomcat-10/v10.0.21/KEYS dev/tomcat/tomcat-10/v10.0.21/README.html dev/tomcat/tomcat-10/v10.0.21/RELEASE-NOTES dev/tomcat/tomcat-10/v10.0.21/bin/ dev/tomcat/tomcat-10/v10.0.21/bin/README.html dev/tomcat/tomcat-10/v10.0.21/bin/apache-tomcat-10.0.21-deployer.tar.gz (with props) dev/tomcat/tomcat-10/v10.0.21/bin/apache-tomcat-10.0.21-deployer.tar.gz.asc dev/tomcat/tomcat-10/v10.0.21/bin/apache-tomcat-10.0.21-deployer.tar.gz.sha512 dev/tomcat/tomcat-10/v10.0.21/bin/apache-tomcat-10.0.21-deployer.zip (with props) dev/tomcat/tomcat-10/v10.0.21/bin/apache-tomcat-10.0.21-deployer.zip.asc dev/tomcat/tomcat-10/v10.0.21/bin/apache-tomcat-10.0.21-deployer.zip.sha512 dev/tomcat/tomcat-10/v10.0.21/bin/apache-tomcat-10.0.21-fulldocs.tar.gz (with props) dev/tomcat/tomcat-10/v10.0.21/bin/apache-tomcat-10.0.21-fulldocs.tar.gz.asc dev/tomcat/tomcat-10/v10.0.21/bin/apache-tomcat-10.0.21-fulldocs.tar.gz.sha512 dev/tomcat/tomcat-10/v10.0.21/bin/apache-tomcat-10.0.21-windows-x64.zip (with props) dev/tomcat/tomcat-10/v10.0.21/bin/apache-tomcat-10.0.21-windows-x64.zip.asc dev/tomcat/tomcat-10/v10.0.21/bin/apache-tomcat-10.0.21-windows-x64.zip.sha512 dev/tomcat/tomcat-10/v10.0.21/bin/apache-tomcat-10.0.21-windows-x86.zip (with props) dev/tomcat/tomcat-10/v10.0.21/bin/apache-tomcat-10.0.21-windows-x86.zip.asc dev/tomcat/tomcat-10/v10.0.21/bin/apache-tomcat-10.0.21-windows-x86.zip.sha512 dev/tomcat/tomcat-10/v10.0.21/bin/apache-tomcat-10.0.21.exe (with props) dev/tomcat/tomcat-10/v10.0.21/bin/apache-tomcat-10.0.21.exe.asc dev/tomcat/tomcat-10/v10.0.21/bin/apache-tomcat-10.0.21.exe.sha512 dev/tomcat/tomcat-10/v10.0.21/bin/apache-tomcat-10.0.21.tar.gz (with props) dev/tomcat/tomcat-10/v10.0.21/bin/apache-tomcat-10.0.21.tar.gz.asc dev/tomcat/tomcat-10/v10.0.21/bin/apache-tomcat-10.0.21.tar.gz.sha512 
dev/tomcat/tomcat-10/v10.0.21/bin/apache-tomcat-10.0.21.zip (with props) dev/tomcat/tomcat-10/v10.0.21/bin/apache-tomcat-10.0.21.zip.asc dev/tomcat/tomcat-10/v10.0.21/bin/apache-tomcat-10.0.21.zip.sha512 dev/tomcat/tomcat-10/v10.0.21/bin/embed/ dev/tomcat/tomcat-10/v10.0.21/bin/embed/apache-tomcat-10.0.21-embed.tar.gz (with props) dev/tomcat/tomcat-10/v10.0.21/bin/embed/apache-tomcat-10.0.21-embed.tar.gz.asc dev/tomcat/tomcat-10/v10.0.21/bin/embed/apache-tomcat-10.0.21-embed.tar.gz.sha512 dev/tomcat/tomcat-10/v10.0.21/bin/embed/apache-tomcat-10.0.21-embed.zip (with props) dev/tomcat/tomcat-10/v10.0.21/bin/embed/apache-tomcat-10.0.21-embed.zip.asc dev/tomcat/tomcat-10/v10.0.21/bin/embed/apache-tomcat-10.0.21-embed.zip.sha512 dev/tomcat/tomcat-10/v10.0.21/src/ dev/tomcat/tomcat-10/v10.0.21/src/apache-tomcat-10.0.21-src.tar.gz (with props) dev/tomcat/tomcat-10/v10.0.21/src/apache-tomcat-10.0.21-src.tar.gz.asc dev/tomcat/tomcat-10/v10.0.21/src/apache-tomcat-10.0.21-src.tar.gz.sha512 dev/tomcat/tomcat-10/v10.0.21/src/apache-tomcat-10.0.21-src.zip (with props) dev/tomcat/tomcat-10/v10.0.21/src/apache-tomcat-10.0.21-src.zip.asc dev/tomcat/tomcat-10/v10.0.21/src/apache-tomcat-10.0.21-src.zip.sha512 Added: dev/tomcat/tomcat-10/v10.0.21/KEYS == --- dev/tomcat/tomcat-10/v10.0.21/KEYS (added) +++ dev/tomcat/tomcat-10/v10.0.21/KEYS Tue May 10 22:07:15 2022 
@@ -0,0 +1,453 @@ +This file contains the PGP keys of various Apache developers. +Please don't use them for email unless you have to. Their main +purpose is code signing. + +Apache users: pgp < KEYS +Apache developers: +(pgpk -ll && pgpk -xa ) >> this file. + or +(gpg --fingerprint --list-sigs + && gpg --armor --export ) >> this file. + +Apache developers: please ensure that your key is also available via the +PGP keyservers (such as pgpkeys.mit.edu). + + +pub 4096R/2F6059E7 2009-09-18 + Key fingerprint = A9C5 DF4D 22E9 9998 D987 5A51 10C0 1C5A 2F60 59E7 +uid Mark E D Thomas +sub 4096R/5E763BEC 2009-09-18 + +-BEGIN PGP PUBLIC KEY BLOCK- +Comment: GPGTools - http://gpgtools.org + +mQINBEq0DukBEAD4jovHOPJDxoD+JnO1Go2kiwpgRULasGlrVKuSUdP6wzcaqWmX +pqtOJKKwW2MQFQLmg7nQ9RjJwy3QCbKNDJQA/bwbQT1F7WzTCz2S6vxC4zxKck4t +6RZBq2dJsYKF0CEh6ZfY4dmKvhq+3istSoFRdHYoOPGWZpuRDqfZPdGm/m335/6K +GH59oysn1NE7a2a+kZzjBSEgv23+l4Z1Rg7+fpz1JcdHSdC2Z+ZRxML25eVatRVz +4yvDOZItqDURP24zWOodxgboldV6Y88C3v/7KRR+1vklzkuA2FqF8Q4r/2f0su7M +UVviQcy29y/RlLSDTTYoVlCZ1ni14qFU7Hpw43KJtgXmcUwq31T1+SlXdYjNJ1aF +kUi8BjCHDcSgE/IReKUanjHzm4XSymKDTeqqzidi4k6PDD4jyHb8k8vxi6qT6Udn +lcfo5NBkkUT1TauhEy8ktHhbl9k60BvvMBP9l6cURiJg1WS77egI4P/82oPbzzFi +GFqXyJKULVgxtdQ3JikCpodp3f1fh6PlYZwkW4xCJLJucJ5MiQp07HAkMVW5w+k8
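Review bot: the key entries added in this hunk are labelled with 32-bit short IDs (`4096R/2F6059E7`, `4096R/5E763BEC`), and the usage text at the top of the file only says `pgp < KEYS`. Short IDs are not unique, so the header should tell users to compare the full `Key fingerprint` line when checking a release signature, and the listing would be better regenerated with long key IDs.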
[tomcat] 01/01: Tag 10.0.21
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to tag 10.0.21 in repository https://gitbox.apache.org/repos/asf/tomcat.git commit feb577944dee2ac7cc9839638e9388d90067f1cb Author: Mark Thomas AuthorDate: Tue May 10 22:49:24 2022 +0100 Tag 10.0.21 --- build.properties.default | 2 +- webapps/docs/changelog.xml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/build.properties.default b/build.properties.default index be5bc260c5..8d0910777d 100644 --- a/build.properties.default +++ b/build.properties.default @@ -33,7 +33,7 @@ version.major=10 version.minor=0 version.build=21 version.patch=0 -version.suffix=-dev +version.suffix= # - Reproducible builds - # Uncomment and set to current time for reproducible builds diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index a6e153b3ed..f7714da986 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -104,7 +104,7 @@ They eventually become mixed with the numbered issues (i.e., numbered issues do not "pop up" wrt. others). --> - + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] tag 10.0.21 created (now feb577944d)
This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to tag 10.0.21
in repository https://gitbox.apache.org/repos/asf/tomcat.git

at feb577944d (commit)

This tag includes the following new commits:

new feb577944d Tag 10.0.21

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[VOTE] Release Apache Tomcat 10.1.0-M15
The proposed Apache Tomcat 10.1.0-M15 release is now available for
voting.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10
without changes. Java EE applications designed for Tomcat 9 and earlier
may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat
will automatically convert them to Jakarta EE and copy them to the
webapps directory.

The notable changes compared to 10.1.0-M14 are:

- Provide a property source that sources values from Kubernetes service
  bindings. Provided by Sumit Kulhadia and Gareth Evans.

- The root cause of the Linux kernel duplicate accept bug has been
  identified along with the version of the kernel that includes the fix.
  The error message displayed when this bug occurs has been updated to
  reflect this new information and to advise users to update to a
  version of the OS that uses kernel 5.10 or later. Thanks to
  Christopher Gual for the research into this issue.

- Update the packaged version of the Tomcat Native Library to 1.2.33 to
  pick up Windows binaries built with OpenSSL 1.1.1o.

For full details, see the change log:
https://nightlies.apache.org/tomcat/tomcat-10.1.x/docs/changelog.html

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-10/v10.1.0-M15/

The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1371

The tag is:
https://github.com/apache/tomcat/tree/10.1.0-M15
dcf3e81b2e709574971c7a9592614d70c1b55bf7

The proposed 10.1.0-M15 release is:
[ ] Broken - do not release
[ ] Alpha - go ahead and release as 10.1.0-M15 (alpha)

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r54420 - in /dev/tomcat/tomcat-10/v10.1.0-M15: ./ bin/ bin/embed/ src/
Author: markt Date: Tue May 10 20:18:16 2022 New Revision: 54420 Log: Upload Apache Tomcat 10.1.0-M15 for voting Added: dev/tomcat/tomcat-10/v10.1.0-M15/ dev/tomcat/tomcat-10/v10.1.0-M15/KEYS dev/tomcat/tomcat-10/v10.1.0-M15/README.html dev/tomcat/tomcat-10/v10.1.0-M15/RELEASE-NOTES dev/tomcat/tomcat-10/v10.1.0-M15/bin/ dev/tomcat/tomcat-10/v10.1.0-M15/bin/README.html dev/tomcat/tomcat-10/v10.1.0-M15/bin/apache-tomcat-10.1.0-M15-deployer.tar.gz (with props) dev/tomcat/tomcat-10/v10.1.0-M15/bin/apache-tomcat-10.1.0-M15-deployer.tar.gz.asc dev/tomcat/tomcat-10/v10.1.0-M15/bin/apache-tomcat-10.1.0-M15-deployer.tar.gz.sha512 dev/tomcat/tomcat-10/v10.1.0-M15/bin/apache-tomcat-10.1.0-M15-deployer.zip (with props) dev/tomcat/tomcat-10/v10.1.0-M15/bin/apache-tomcat-10.1.0-M15-deployer.zip.asc dev/tomcat/tomcat-10/v10.1.0-M15/bin/apache-tomcat-10.1.0-M15-deployer.zip.sha512 dev/tomcat/tomcat-10/v10.1.0-M15/bin/apache-tomcat-10.1.0-M15-fulldocs.tar.gz (with props) dev/tomcat/tomcat-10/v10.1.0-M15/bin/apache-tomcat-10.1.0-M15-fulldocs.tar.gz.asc dev/tomcat/tomcat-10/v10.1.0-M15/bin/apache-tomcat-10.1.0-M15-fulldocs.tar.gz.sha512 dev/tomcat/tomcat-10/v10.1.0-M15/bin/apache-tomcat-10.1.0-M15-windows-x64.zip (with props) dev/tomcat/tomcat-10/v10.1.0-M15/bin/apache-tomcat-10.1.0-M15-windows-x64.zip.asc dev/tomcat/tomcat-10/v10.1.0-M15/bin/apache-tomcat-10.1.0-M15-windows-x64.zip.sha512 dev/tomcat/tomcat-10/v10.1.0-M15/bin/apache-tomcat-10.1.0-M15-windows-x86.zip (with props) dev/tomcat/tomcat-10/v10.1.0-M15/bin/apache-tomcat-10.1.0-M15-windows-x86.zip.asc dev/tomcat/tomcat-10/v10.1.0-M15/bin/apache-tomcat-10.1.0-M15-windows-x86.zip.sha512 dev/tomcat/tomcat-10/v10.1.0-M15/bin/apache-tomcat-10.1.0-M15.exe (with props) dev/tomcat/tomcat-10/v10.1.0-M15/bin/apache-tomcat-10.1.0-M15.exe.asc dev/tomcat/tomcat-10/v10.1.0-M15/bin/apache-tomcat-10.1.0-M15.exe.sha512 dev/tomcat/tomcat-10/v10.1.0-M15/bin/apache-tomcat-10.1.0-M15.tar.gz (with props) 
dev/tomcat/tomcat-10/v10.1.0-M15/bin/apache-tomcat-10.1.0-M15.tar.gz.asc dev/tomcat/tomcat-10/v10.1.0-M15/bin/apache-tomcat-10.1.0-M15.tar.gz.sha512 dev/tomcat/tomcat-10/v10.1.0-M15/bin/apache-tomcat-10.1.0-M15.zip (with props) dev/tomcat/tomcat-10/v10.1.0-M15/bin/apache-tomcat-10.1.0-M15.zip.asc dev/tomcat/tomcat-10/v10.1.0-M15/bin/apache-tomcat-10.1.0-M15.zip.sha512 dev/tomcat/tomcat-10/v10.1.0-M15/bin/embed/ dev/tomcat/tomcat-10/v10.1.0-M15/bin/embed/apache-tomcat-10.1.0-M15-embed.tar.gz (with props) dev/tomcat/tomcat-10/v10.1.0-M15/bin/embed/apache-tomcat-10.1.0-M15-embed.tar.gz.asc dev/tomcat/tomcat-10/v10.1.0-M15/bin/embed/apache-tomcat-10.1.0-M15-embed.tar.gz.sha512 dev/tomcat/tomcat-10/v10.1.0-M15/bin/embed/apache-tomcat-10.1.0-M15-embed.zip (with props) dev/tomcat/tomcat-10/v10.1.0-M15/bin/embed/apache-tomcat-10.1.0-M15-embed.zip.asc dev/tomcat/tomcat-10/v10.1.0-M15/bin/embed/apache-tomcat-10.1.0-M15-embed.zip.sha512 dev/tomcat/tomcat-10/v10.1.0-M15/src/ dev/tomcat/tomcat-10/v10.1.0-M15/src/apache-tomcat-10.1.0-M15-src.tar.gz (with props) dev/tomcat/tomcat-10/v10.1.0-M15/src/apache-tomcat-10.1.0-M15-src.tar.gz.asc dev/tomcat/tomcat-10/v10.1.0-M15/src/apache-tomcat-10.1.0-M15-src.tar.gz.sha512 dev/tomcat/tomcat-10/v10.1.0-M15/src/apache-tomcat-10.1.0-M15-src.zip (with props) dev/tomcat/tomcat-10/v10.1.0-M15/src/apache-tomcat-10.1.0-M15-src.zip.asc dev/tomcat/tomcat-10/v10.1.0-M15/src/apache-tomcat-10.1.0-M15-src.zip.sha512 Added: dev/tomcat/tomcat-10/v10.1.0-M15/KEYS == --- dev/tomcat/tomcat-10/v10.1.0-M15/KEYS (added) +++ dev/tomcat/tomcat-10/v10.1.0-M15/KEYS Tue May 10 20:18:16 2022 
@@ -0,0 +1,453 @@ +This file contains the PGP keys of various Apache developers. +Please don't use them for email unless you have to. Their main +purpose is code signing. + +Apache users: pgp < KEYS +Apache developers: +(pgpk -ll && pgpk -xa ) >> this file. + or +(gpg --fingerprint --list-sigs + && gpg --armor --export ) >> this file. + +Apache developers: please ensure that your key is also available via the +PGP keyservers (such as pgpkeys.mit.edu). + + +pub 4096R/2F6059E7 2009-09-18 + Key fingerprint = A9C5 DF4D 22E9 9998 D987 5A51 10C0 1C5A 2F60 59E7 +uid Mark E D Thomas +sub 4096R/5E763BEC 2009-09-18 + +-BEGIN PGP PUBLIC KEY BLOCK- +Comment: GPGTools - http://gpgtools.org + +mQINBEq0DukBEAD4jovHOPJDxoD+JnO1Go2kiwpgRULasGlrVKuSUdP6wzcaqWmX +pqtOJKKwW2MQFQLmg7nQ9RjJwy3QCbKNDJQA/bwbQT1F7WzTCz2S6vxC4zxKck4t +6RZBq2dJsYKF0CEh6ZfY4dmKvhq+3istSoFRdHYoOPGWZpuRDqfZPdGm/m335/6K +GH59oysn1NE7a2a+kZzjBSEgv23+l4Z1Rg7+fpz1JcdHSdC2Z+ZRxML25eVatRVz +4yvDOZItqDURP24zWOodxgboldV6Y88C3v/7KRR+1vklzkuA2FqF8Q4r/2f0su7M
[tomcat] 01/01: Tag 10.1.0-M15
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to tag 10.1.0-M15 in repository https://gitbox.apache.org/repos/asf/tomcat.git commit dcf3e81b2e709574971c7a9592614d70c1b55bf7 Author: Mark Thomas AuthorDate: Tue May 10 20:54:06 2022 +0100 Tag 10.1.0-M15 --- build.properties.default | 2 +- webapps/docs/changelog.xml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/build.properties.default b/build.properties.default index 238150411e..167bafb3ea 100644 --- a/build.properties.default +++ b/build.properties.default @@ -33,7 +33,7 @@ version.major=10 version.minor=1 version.build=0 version.patch=0 -version.suffix=-M15-dev +version.suffix=-M15 # - Reproducible builds - # Uncomment and set to current time for reproducible builds diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index a41dedfd5c..8972377261 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -104,7 +104,7 @@ They eventually become mixed with the numbered issues (i.e., numbered issues do not "pop up" wrt. others). --> - + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] tag 10.1.0-M15 created (now dcf3e81b2e)
This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to tag 10.1.0-M15
in repository https://gitbox.apache.org/repos/asf/tomcat.git

at dcf3e81b2e (commit)

This tag includes the following new commits:

new dcf3e81b2e Tag 10.1.0-M15

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 10.0.x updated: Fix failure on Java 17 - spotted by unit tests
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.0.x by this push: new cc02e48d92 Fix failure on Java 17 - spotted by unit tests cc02e48d92 is described below commit cc02e48d92c71c4316d5a9a79cf6418fb3fa4bb2 Author: Mark Thomas AuthorDate: Tue May 10 19:58:27 2022 +0100 Fix failure on Java 17 - spotted by unit tests --- java/org/apache/tomcat/util/net/jsse/PEMFile.java | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/java/org/apache/tomcat/util/net/jsse/PEMFile.java b/java/org/apache/tomcat/util/net/jsse/PEMFile.java index ab02cc8f7d..80c585d3b8 100644 --- a/java/org/apache/tomcat/util/net/jsse/PEMFile.java +++ b/java/org/apache/tomcat/util/net/jsse/PEMFile.java @@ -66,6 +66,7 @@ public class PEMFile { new byte[] { 0x06, 0x07, 0x2A, (byte) 0x86, 0x48, (byte) 0xCE, 0x3D, 0x02, 0x01 }; private static final String OID_PKCS5_PBES2 = "1.2.840.113549.1.5.13"; +private static final String PBES2 = "PBES2"; public static String toPEM(X509Certificate certificate) throws CertificateEncodingException { StringBuilder result = new StringBuilder(); @@ -277,7 +278,10 @@ public class PEMFile { private String getPBEAlgorithm(EncryptedPrivateKeyInfo privateKeyInfo) { AlgorithmParameters parameters = privateKeyInfo.getAlgParameters(); -if (parameters != null && OID_PKCS5_PBES2.equals(privateKeyInfo.getAlgName())) { +String algName = privateKeyInfo.getAlgName(); +// Java 11 returns OID_PKCS5_PBES2 +// Java 17 returns PBES2 +if (parameters != null && (OID_PKCS5_PBES2.equals(algName) || PBES2.equals(algName))) { /* * This should be "PBEWithAnd". * Relying on the toString() implementation is potentially - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
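Review bot: in the second hunk (`getPBEAlgorithm`), the new condition accepts exactly two spellings of the algorithm name through case-sensitive `equals`, and the only record of why is the pair of comments naming Java 11 and Java 17. Any other value returned by `getAlgName()` skips the PBES2 branch without notice, which for an encrypted private key means the wrong algorithm name is carried forward. Say in the comment that the value depends on the JDK version (OID form on older releases, name form on newer ones) rather than listing two versions, and since the commit message says unit tests spotted the failure, name the test so the next JDK change is easy to trace.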
[tomcat] branch 9.0.x updated: Fix failure on Java 17 - spotted by unit tests
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new 2bd94154ff Fix failure on Java 17 - spotted by unit tests 2bd94154ff is described below commit 2bd94154ffa742672b1f470f41534b0fe8bae94c Author: Mark Thomas AuthorDate: Tue May 10 19:58:27 2022 +0100 Fix failure on Java 17 - spotted by unit tests --- java/org/apache/tomcat/util/net/jsse/PEMFile.java | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/java/org/apache/tomcat/util/net/jsse/PEMFile.java b/java/org/apache/tomcat/util/net/jsse/PEMFile.java index ab02cc8f7d..80c585d3b8 100644 --- a/java/org/apache/tomcat/util/net/jsse/PEMFile.java +++ b/java/org/apache/tomcat/util/net/jsse/PEMFile.java @@ -66,6 +66,7 @@ public class PEMFile { new byte[] { 0x06, 0x07, 0x2A, (byte) 0x86, 0x48, (byte) 0xCE, 0x3D, 0x02, 0x01 }; private static final String OID_PKCS5_PBES2 = "1.2.840.113549.1.5.13"; +private static final String PBES2 = "PBES2"; public static String toPEM(X509Certificate certificate) throws CertificateEncodingException { StringBuilder result = new StringBuilder(); @@ -277,7 +278,10 @@ public class PEMFile { private String getPBEAlgorithm(EncryptedPrivateKeyInfo privateKeyInfo) { AlgorithmParameters parameters = privateKeyInfo.getAlgParameters(); -if (parameters != null && OID_PKCS5_PBES2.equals(privateKeyInfo.getAlgName())) { +String algName = privateKeyInfo.getAlgName(); +// Java 11 returns OID_PKCS5_PBES2 +// Java 17 returns PBES2 +if (parameters != null && (OID_PKCS5_PBES2.equals(algName) || PBES2.equals(algName))) { /* * This should be "PBEWithAnd". * Relying on the toString() implementation is potentially - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
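Review bot: in the first hunk the new constant `PBES2` is declared directly under `OID_PKCS5_PBES2` with no comment, and nothing at the declaration says that the two are the OID form and the name form of the same algorithm identifier. That relationship is only explained at the use site in `getPBEAlgorithm`. A one-line comment on the pair, or a name that marks the new constant as the algorithm-name form, would keep the next reader from treating them as two different schemes.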
[tomcat] branch 8.5.x updated: Fix failure on Java 17 - spotted by unit tests
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/8.5.x by this push: new e21fff2a15 Fix failure on Java 17 - spotted by unit tests e21fff2a15 is described below commit e21fff2a150bee69f30cb9683ba94c8df2ed756c Author: Mark Thomas AuthorDate: Tue May 10 19:58:27 2022 +0100 Fix failure on Java 17 - spotted by unit tests --- java/org/apache/tomcat/util/net/jsse/PEMFile.java | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/java/org/apache/tomcat/util/net/jsse/PEMFile.java b/java/org/apache/tomcat/util/net/jsse/PEMFile.java index 4a6185a520..d758bf43e8 100644 --- a/java/org/apache/tomcat/util/net/jsse/PEMFile.java +++ b/java/org/apache/tomcat/util/net/jsse/PEMFile.java @@ -66,6 +66,7 @@ public class PEMFile { new byte[] { 0x06, 0x07, 0x2A, (byte) 0x86, 0x48, (byte) 0xCE, 0x3D, 0x02, 0x01 }; private static final String OID_PKCS5_PBES2 = "1.2.840.113549.1.5.13"; +private static final String PBES2 = "PBES2"; public static String toPEM(X509Certificate certificate) throws CertificateEncodingException { StringBuilder result = new StringBuilder(); @@ -277,7 +278,10 @@ public class PEMFile { private String getPBEAlgorithm(EncryptedPrivateKeyInfo privateKeyInfo) { AlgorithmParameters parameters = privateKeyInfo.getAlgParameters(); -if (parameters != null && OID_PKCS5_PBES2.equals(privateKeyInfo.getAlgName())) { +String algName = privateKeyInfo.getAlgName(); +// Java 11 returns OID_PKCS5_PBES2 +// Java 17 returns PBES2 +if (parameters != null && (OID_PKCS5_PBES2.equals(algName) || PBES2.equals(algName))) { /* * This should be "PBEWithAnd". * Relying on the toString() implementation is potentially - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch main updated: Fix failure on Java 17 - spotted by unit tests
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new b260b8968b Fix failure on Java 17 - spotted by unit tests b260b8968b is described below commit b260b8968bc2f98b1eada10a5b1bf7ba84599d9d Author: Mark Thomas AuthorDate: Tue May 10 19:58:27 2022 +0100 Fix failure on Java 17 - spotted by unit tests --- java/org/apache/tomcat/util/net/jsse/PEMFile.java | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/java/org/apache/tomcat/util/net/jsse/PEMFile.java b/java/org/apache/tomcat/util/net/jsse/PEMFile.java index ab02cc8f7d..80c585d3b8 100644 --- a/java/org/apache/tomcat/util/net/jsse/PEMFile.java +++ b/java/org/apache/tomcat/util/net/jsse/PEMFile.java @@ -66,6 +66,7 @@ public class PEMFile { new byte[] { 0x06, 0x07, 0x2A, (byte) 0x86, 0x48, (byte) 0xCE, 0x3D, 0x02, 0x01 }; private static final String OID_PKCS5_PBES2 = "1.2.840.113549.1.5.13"; +private static final String PBES2 = "PBES2"; public static String toPEM(X509Certificate certificate) throws CertificateEncodingException { StringBuilder result = new StringBuilder(); @@ -277,7 +278,10 @@ public class PEMFile { private String getPBEAlgorithm(EncryptedPrivateKeyInfo privateKeyInfo) { AlgorithmParameters parameters = privateKeyInfo.getAlgParameters(); -if (parameters != null && OID_PKCS5_PBES2.equals(privateKeyInfo.getAlgName())) { +String algName = privateKeyInfo.getAlgName(); +// Java 11 returns OID_PKCS5_PBES2 +// Java 17 returns PBES2 +if (parameters != null && (OID_PKCS5_PBES2.equals(algName) || PBES2.equals(algName))) { /* * This should be "PBEWithAnd". * Relying on the toString() implementation is potentially - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 9.0.x updated: This works on Linux and Windows
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new 3c3ad31dc1 This works on Linux and Windows 3c3ad31dc1 is described below commit 3c3ad31dc17abfc33acbeed9140d5980abeaecdb Author: Mark Thomas AuthorDate: Tue May 10 19:44:22 2022 +0100 This works on Linux and Windows --- test/org/apache/tomcat/util/net/jsse/TestPEMFile.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java b/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java index 5ff2ef358d..bfce46067b 100644 --- a/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java +++ b/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java @@ -79,7 +79,7 @@ public class TestPEMFile { private String getPath(String file) throws URISyntaxException, IOException { String packageName = this.getClass().getPackage().getName(); -String path = packageName.replaceAll("\\.", File.separator); +String path = packageName.replace(".", File.separator); File f = new File("test" + File.separator + path + File.separator + file); return f.getCanonicalPath(); - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
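Review bot: The new line in getPath() needs a comment saying why replace() is used rather than replaceAll(), because the commit message ("This works on Linux and Windows") does not explain it. String.replaceAll() treats its second argument as a regex replacement string, so a File.separator of "\" is read as an escape character and the call throws, whereas String.replace() takes both arguments literally. A short comment, or packageName.replace('.', File.separatorChar), would stop a later clean-up from changing it back.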
[tomcat] branch 8.5.x updated: This works on Linux and Windows
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/8.5.x by this push: new cdf358f066 This works on Linux and Windows cdf358f066 is described below commit cdf358f066600db892f97bc673cfa1f3a7ded5e2 Author: Mark Thomas AuthorDate: Tue May 10 19:44:22 2022 +0100 This works on Linux and Windows --- test/org/apache/tomcat/util/net/jsse/TestPEMFile.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java b/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java index 5ff2ef358d..bfce46067b 100644 --- a/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java +++ b/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java @@ -79,7 +79,7 @@ public class TestPEMFile { private String getPath(String file) throws URISyntaxException, IOException { String packageName = this.getClass().getPackage().getName(); -String path = packageName.replaceAll("\\.", File.separator); +String path = packageName.replace(".", File.separator); File f = new File("test" + File.separator + path + File.separator + file); return f.getCanonicalPath(); - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 10.0.x updated: This works on Linux and Windows
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.0.x by this push: new 75146202a1 This works on Linux and Windows 75146202a1 is described below commit 75146202a1a2a8368d2f590a862a90e480d9505f Author: Mark Thomas AuthorDate: Tue May 10 19:44:22 2022 +0100 This works on Linux and Windows --- test/org/apache/tomcat/util/net/jsse/TestPEMFile.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java b/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java index 5ff2ef358d..bfce46067b 100644 --- a/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java +++ b/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java @@ -79,7 +79,7 @@ public class TestPEMFile { private String getPath(String file) throws URISyntaxException, IOException { String packageName = this.getClass().getPackage().getName(); -String path = packageName.replaceAll("\\.", File.separator); +String path = packageName.replace(".", File.separator); File f = new File("test" + File.separator + path + File.separator + file); return f.getCanonicalPath(); - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch main updated: This works on Linux and Windows
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new 136f86744c This works on Linux and Windows 136f86744c is described below commit 136f86744ce087d3418b6dd3aa8aecca73f277a7 Author: Mark Thomas AuthorDate: Tue May 10 19:44:22 2022 +0100 This works on Linux and Windows --- test/org/apache/tomcat/util/net/jsse/TestPEMFile.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java b/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java index 620d16947e..31afc954c6 100644 --- a/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java +++ b/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java @@ -79,7 +79,7 @@ public class TestPEMFile { private String getPath(String file) throws URISyntaxException, IOException { String packageName = this.getClass().getPackageName(); -String path = packageName.replaceAll("\\.", File.separator); +String path = packageName.replace(".", File.separator); File f = new File("test" + File.separator + path + File.separator + file); return f.getCanonicalPath(); - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 8.5.x updated: Fix backport
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/8.5.x by this push: new c1a34719ce Fix backport c1a34719ce is described below commit c1a34719ce8ce4e67f75cbf36e9c1719f3c1d11a Author: Mark Thomas AuthorDate: Tue May 10 18:21:05 2022 +0100 Fix backport --- test/org/apache/tomcat/util/net/jsse/TestPEMFile.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java b/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java index 620d16947e..5ff2ef358d 100644 --- a/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java +++ b/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java @@ -78,7 +78,7 @@ public class TestPEMFile { private String getPath(String file) throws URISyntaxException, IOException { -String packageName = this.getClass().getPackageName(); +String packageName = this.getClass().getPackage().getName(); String path = packageName.replaceAll("\\.", File.separator); File f = new File("test" + File.separator + path + File.separator + file); - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
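Review bot: The commit message "Fix backport" should name the cause of the change in getPath(): Class.getPackageName() is a Java 9+ API, so it is not available on branches whose minimum Java version is lower, and getClass().getPackage().getName() is the replacement that is. Stating that in the message makes it clear why the main branch keeps getPackageName() while the maintenance branches do not.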
[tomcat] branch 9.0.x updated: Fix backport
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new 18dd6259a9 Fix backport 18dd6259a9 is described below commit 18dd6259a931d5f70034a812c38607248f1302e7 Author: Mark Thomas AuthorDate: Tue May 10 18:21:05 2022 +0100 Fix backport --- test/org/apache/tomcat/util/net/jsse/TestPEMFile.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java b/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java index 620d16947e..5ff2ef358d 100644 --- a/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java +++ b/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java @@ -78,7 +78,7 @@ public class TestPEMFile { private String getPath(String file) throws URISyntaxException, IOException { -String packageName = this.getClass().getPackageName(); +String packageName = this.getClass().getPackage().getName(); String path = packageName.replaceAll("\\.", File.separator); File f = new File("test" + File.separator + path + File.separator + file); - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 10.0.x updated: Fix backport
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.0.x by this push: new fd30e16f37 Fix backport fd30e16f37 is described below commit fd30e16f376349567396f07866f5d52914f41fb9 Author: Mark Thomas AuthorDate: Tue May 10 18:21:05 2022 +0100 Fix backport --- test/org/apache/tomcat/util/net/jsse/TestPEMFile.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java b/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java index 620d16947e..5ff2ef358d 100644 --- a/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java +++ b/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java @@ -78,7 +78,7 @@ public class TestPEMFile { private String getPath(String file) throws URISyntaxException, IOException { -String packageName = this.getClass().getPackageName(); +String packageName = this.getClass().getPackage().getName(); String path = packageName.replaceAll("\\.", File.separator); File f = new File("test" + File.separator + path + File.separator + file); - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[SECURITY] CVE-2022-29885 Apache Tomcat EncryptInterceptor DoS
CVE-2022-29885 Apache Tomcat EncryptInterceptor

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.1.0-M1 to 10.1.0-M14
Apache Tomcat 10.0.0-M1 to 10.0.20
Apache Tomcat 9.0.13 to 9.0.62
Apache Tomcat 8.5.38 to 8.5.78

Description:
The documentation for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks.

Mitigation:
Users running clustering over an untrusted network who require full protection should switch to an alternative solution such as running the clustering communication over a VPN.

History:
2022-05-10 Original advisory

Credit:
This issue was reported to the Apache Tomcat Security team by 4ra1n.

References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html
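A configuration check that follows from the advisory above, added here as an example; it is not part of the advisory or of Tomcat. It flags server.xml files that define a cluster and reports whether the installed version falls in the ranges whose bundled documentation carried the incorrect statement. The function names, finding codes and the sample server.xml are constructed for illustration; the version ranges are the ones listed in the advisory.

```python
import math
import re
import xml.etree.ElementTree as ET

# Affected ranges (inclusive), copied from the CVE-2022-29885 advisory text.
AFFECTED_RANGES = [
    ("10.1.0-M1", "10.1.0-M14"),
    ("10.0.0-M1", "10.0.20"),
    ("9.0.13", "9.0.62"),
    ("8.5.38", "8.5.78"),
]
ENCRYPT_INTERCEPTOR = "org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")

# Constructed sample configuration (assumption: trimmed to the elements the
# check reads; a real EncryptInterceptor entry also carries its key settings).
SAMPLE_SERVER_XML = """\
<Server>
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster">
        <Channel className="org.apache.catalina.tribes.group.GroupChannel">
          <Interceptor className="org.apache.catalina.tribes.group.interceptors.TcpFailureDetector"/>
          <Interceptor className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"/>
        </Channel>
      </Cluster>
    </Engine>
  </Service>
</Server>
"""


def version_key(version):
    """Map '10.0.0-M7' or '9.0.62' to a sortable tuple.

    Milestone builds (-Mn) sort before the final release of the same number.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = match.groups()
    return (int(major), int(minor), int(patch),
            int(milestone) if milestone else math.inf)


def docs_affected(version):
    """True if this version ships the documentation corrected by the advisory."""
    key = version_key(version)
    return any(version_key(lo) <= key <= version_key(hi)
               for lo, hi in AFFECTED_RANGES)


def audit_cluster(server_xml, tomcat_version):
    """Return a list of (code, message) findings for one server.xml."""
    root = ET.fromstring(server_xml)
    clusters = list(root.iter("Cluster"))
    if not clusters:
        return []  # no clustering configured, advisory does not apply

    findings = []
    for cluster in clusters:
        interceptors = [i.get("className", "") for i in cluster.iter("Interceptor")]
        if ENCRYPT_INTERCEPTOR in interceptors:
            findings.append((
                "ENCRYPT_ONLY",
                "EncryptInterceptor gives confidentiality and integrity only; "
                "it does not cover DoS. Keep cluster traffic on a trusted "
                "network such as a VPN.",
            ))
        else:
            findings.append((
                "PLAINTEXT_CLUSTER",
                "Cluster has no EncryptInterceptor; it must run on a private "
                "LAN, VPN or IPSEC-protected network.",
            ))
    if docs_affected(tomcat_version):
        findings.append((
            "STALE_DOCS",
            f"Tomcat {tomcat_version} bundles documentation that overstated "
            "what the EncryptInterceptor protects against.",
        ))
    return findings


if __name__ == "__main__":
    for code, message in audit_cluster(SAMPLE_SERVER_XML, "9.0.62"):
        print(f"{code}: {message}")
```
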
svn commit: r1900790 - in /tomcat/site/trunk: docs/security-10.html docs/security-8.html docs/security-9.html xdocs/security-10.xml xdocs/security-8.xml xdocs/security-9.xml
Author: markt Date: Tue May 10 17:06:42 2022 New Revision: 1900790 URL: http://svn.apache.org/viewvc?rev=1900790=rev Log: Add CVE-2022-29885 Modified: tomcat/site/trunk/docs/security-10.html tomcat/site/trunk/docs/security-8.html tomcat/site/trunk/docs/security-9.html tomcat/site/trunk/xdocs/security-10.xml tomcat/site/trunk/xdocs/security-8.xml tomcat/site/trunk/xdocs/security-9.xml Modified: tomcat/site/trunk/docs/security-10.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-10.html?rev=1900790=1900789=1900790=diff == --- tomcat/site/trunk/docs/security-10.html (original) +++ tomcat/site/trunk/docs/security-10.html Tue May 10 17:06:42 2022 
@@ -36,7 +36,45 @@ Table of Contents -Fixed in Apache Tomcat 10.0.16Fixed in Apache Tomcat 10.1.0-M10Fixed in Apache Tomcat 10.0.12Fixed in Apache Tomcat 10.1.0-M6Fixed in Apache Tomcat 10.0.7Fixed in Apache Tomcat 10.0.6Fixed in Apache Tomcat 10.0.5Fixed in Apache Tomcat 10.0.4Fixed in Apache Tomcat 10.0.2Fixed in Apache Tomcat 10.0.0-M10Fixed in Apache Tomcat 10.0.0-M8Fixed in Apache Tomcat 10.0.0-M7Fixed in Apache Tomcat 10.0.0-M6Fixed in Apache Tomcat 10.0.0-M5Not a vulnerability in Tomcat +Fixed in Apache Tomcat 10.0.21Fixed in Apache Tomcat 10.1.0-M15Fixed in Apache Tomcat 10.0.16Fixed in Apache Tomcat 10.1.0-M10Fixed in Apache Tomcat 10.0.12Fixed in Apache Tomcat 10.1.0-M6Fixed in Apache Tomcat 10.0.7Fixed in Apache Tomcat 10.0.6Fixed in Apache Tomcat 10.0.5Fixed in Apache Tomcat 10.0.4Fixed in Apache Tomcat 10.0.2Fixed in Apache Tomcat 10.0.0-M10href="#Fixed_in_Apache_Tomcat_10.0.0-M8">Fixed in Apache Tomcat >10.0.0-M8Fixed in >Apache Tomcat 10.0.0-M7href="#Fixed_in_Apache_Tomcat_10.0.0-M6">Fixed in Apache Tomcat >10.0.0-M6Fixed in >Apache Tomcat 10.0.0-M5href="#Not_a_vulnerability_in_Tomcat">Not a vulnerability in >Tomcat + not yet released Fixed in Apache Tomcat 10.0.21 + +Low: Apache Tomcat EncryptInterceptor DoS + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29885; rel="nofollow">CVE-2022-29885 + +The documentation for the EncryptInterceptor incorrectly stated it +enabled Tomcat clustering to run over an untrusted network. This was not +correct. While the EncryptInterceptor does provide confidentiality and +integrity protection, it does not protect against all risks associated +with running over any untrusted network, particularly DoS risks. + +This was fixed with commit + https://github.com/apache/tomcat/commit/36826ea638457d7e17876a70f89cb435b6db0d91;>36826ea6. + +This issue was reported to the Apache Tomcat Security team by 4ra1n on 17 + April 2022. The issue was made public on 10 May 2022. 
+ +Affects: 10.0.0-M1 to 10.0.20 + + not yet released Fixed in Apache Tomcat 10.1.0-M15 + +Low: Apache Tomcat EncryptInterceptor DoS + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29885; rel="nofollow">CVE-2022-29885 + +The documentation for the EncryptInterceptor incorrectly stated it +enabled Tomcat clustering to run over an untrusted network. This was not +correct. While the EncryptInterceptor does provide confidentiality and +integrity protection, it does not protect against all risks associated +with running over any untrusted network, particularly DoS risks. + +This was fixed with commit + https://github.com/apache/tomcat/commit/0fa7721f11d565a2cd2e44366c388ad6a3e6357d;>0fa7721f. + +This issue was reported to the Apache Tomcat Security team by 4ra1n on 17 + April 2022. The issue was made public on 10 May 2022. + +Affects: 10.1.0-M1 to 10.1.0-M14 + 20 January 2022 Fixed in Apache Tomcat 10.0.16 Note: The issue below was fixed in Apache Tomcat 10.0.15 but the Modified: tomcat/site/trunk/docs/security-8.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-8.html?rev=1900790=1900789=1900790=diff == --- tomcat/site/trunk/docs/security-8.html (original) +++ tomcat/site/trunk/docs/security-8.html Tue May 10 17:06:42 2022 @@ -42,7 +42,26 @@ Table of Contents -Fixed in Apache Tomcat 8.5.75Fixed in Apache Tomcat 8.5.72Fixed in Apache Tomcat 8.5.68Fixed in Apache Tomcat 8.5.66Fixed in Apache Tomcat 8.5.65Fixed in Apache Tomcat 8.5.64Fixed in Apache Tomcat 8.5.63Fixed in Apache Tomcat 8.5.60Fixed in Apache Tomcat 8.5.58Fixed in Apache Tomcat 8.5.57Fixed in Apache Tomcat 8.5.56Fixed in Apache Tomcat 8.5.55Fixed in Apache Tomcat 8.5.51Fixed in Apache Tomcat 8.5.50Fixed in Apache Tomcat 8.5.49Fixed in Apache Tomcat 8.5.41Fixed in Apache Tomcat 8.5.40Fixed in Apache Tomcat 8.5.38Fixed in Apache Tomcat 8.5.34Fixed in Apache Tomcat 8.0.53Fixed in Apache Tomcat 8.5.32Fixed in
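Review bot: Both new entries in security-10.html are headed "not yet released" while their own text says the issue was made public on 10 May 2022; the headings need the release dates filled in once 10.0.21 and 10.1.0-M15 ship, and that follow-up is worth tracking so the page does not keep pointing at an unreleased fix. The CVE link in both entries also uses http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29885, where an https:// URL would be preferable on a security page.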
[tomcat] branch 8.5.x updated: EncryptInterceptor only provides partial protection on untrusted network
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/8.5.x by this push: new b679bc627f EncryptInterceptor only provides partial protection on untrusted network b679bc627f is described below commit b679bc627f5a4ea6510af95adfb7476b07eba890 Author: Mark Thomas AuthorDate: Tue May 10 17:59:05 2022 +0100 EncryptInterceptor only provides partial protection on untrusted network This is CVE-2022-29885 --- webapps/docs/changelog.xml | 6 ++ webapps/docs/cluster-howto.xml | 6 +- webapps/docs/config/cluster.xml | 6 +- webapps/docs/security-howto.xml | 8 +--- 4 files changed, 21 insertions(+), 5 deletions(-) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 2e5194e254..5a277c3084 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -183,6 +183,12 @@ recommendation for the use the trimSpaces option for Jasper in production environments. (markt) + +Update the documentation web application to state that the +EncryptInterceptor does not provide sufficient protection +to run Tomcat clustering over an untrusted network. This is +CVE-2022-29885. (markt) + diff --git a/webapps/docs/cluster-howto.xml b/webapps/docs/cluster-howto.xml index 076ef93e3a..2edaf71d35 100644 --- a/webapps/docs/cluster-howto.xml +++ b/webapps/docs/cluster-howto.xml @@ -127,9 +127,13 @@ Tomcat cluster. These include: private LAN a Virtual Private Network (VPN) IPSEC - Encrypt cluster traffic using the EncryptInterceptor +The EncryptInterceptor +provides confidentiality and integrity protection but it does not protect +against all risks associated with running a Tomcat cluster on an untrusted +network, particularly DoS attacks. + diff --git a/webapps/docs/config/cluster.xml b/webapps/docs/config/cluster.xml index 9211edd972..21d0fe5f47 100644 --- a/webapps/docs/config/cluster.xml 
+++ b/webapps/docs/config/cluster.xml @@ -52,12 +52,16 @@ to run a cluster on a insecure, untrusted network. There are many options for providing a secure, trusted network for use by a Tomcat cluster. These include: - EncryptInterceptor private LAN a Virtual Private Network (VPN) IPSEC +The EncryptInterceptor +provides confidentiality and integrity protection but it does not protect +against all risks associated with running a Tomcat cluster on an untrusted +network, particularly DoS attacks. + diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml index 046a2ecc70..b0278e40cf 100644 --- a/webapps/docs/security-howto.xml +++ b/webapps/docs/security-howto.xml @@ -469,10 +469,12 @@ trusted network is used for all of the cluster related network traffic. It is not safe to run a cluster on a insecure, untrusted network. - If you are operating on an untrusted network or would prefer to - exercise an over-abundance of caution, you can use the + If you require confidentiality and/or integrity protection then you can + use the EncryptInterceptor - to encrypt traffic between nodes. + to encrypt traffic between nodes. This interceptor does not protect + against all the risks of running on an untrusted network, particularly + DoS attacks. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
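Review bot: In the security-howto.xml hunk the rewritten paragraph tells readers what the EncryptInterceptor does not cover but not what to use instead, unlike the cluster-howto.xml and config/cluster.xml hunks, where the new caveat sits directly under the list of private LAN, VPN and IPSEC. Add a sentence or cross-reference to those options in security-howto.xml as well. The unchanged context in the same files still reads "a insecure, untrusted network"; correcting it to "an insecure" while these paragraphs are being edited would be cheap.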
[tomcat] branch 9.0.x updated: EncryptInterceptor only provides partial protection on untrusted network
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new eaafd28296 EncryptInterceptor only provides partial protection on untrusted network eaafd28296 is described below commit eaafd28296c54d983e28a47953c1f5cb2c334f48 Author: Mark Thomas AuthorDate: Tue May 10 17:59:05 2022 +0100 EncryptInterceptor only provides partial protection on untrusted network This is CVE-2022-29885 --- webapps/docs/changelog.xml | 6 ++ webapps/docs/cluster-howto.xml | 6 +- webapps/docs/config/cluster.xml | 6 +- webapps/docs/security-howto.xml | 8 +--- 4 files changed, 21 insertions(+), 5 deletions(-) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 85f9ed8f6c..f64f181e65 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -183,6 +183,12 @@ recommendation for the use the trimSpaces option for Jasper in production environments. (markt) + +Update the documentation web application to state that the +EncryptInterceptor does not provide sufficient protection +to run Tomcat clustering over an untrusted network. This is +CVE-2022-29885. (markt) + diff --git a/webapps/docs/cluster-howto.xml b/webapps/docs/cluster-howto.xml index 076ef93e3a..2edaf71d35 100644 --- a/webapps/docs/cluster-howto.xml +++ b/webapps/docs/cluster-howto.xml @@ -127,9 +127,13 @@ Tomcat cluster. These include: private LAN a Virtual Private Network (VPN) IPSEC - Encrypt cluster traffic using the EncryptInterceptor +The EncryptInterceptor +provides confidentiality and integrity protection but it does not protect +against all risks associated with running a Tomcat cluster on an untrusted +network, particularly DoS attacks. + diff --git a/webapps/docs/config/cluster.xml b/webapps/docs/config/cluster.xml index 0535b4a4d4..03dbf4b693 100644 --- a/webapps/docs/config/cluster.xml 
+++ b/webapps/docs/config/cluster.xml @@ -52,12 +52,16 @@ to run a cluster on a insecure, untrusted network. There are many options for providing a secure, trusted network for use by a Tomcat cluster. These include: - EncryptInterceptor private LAN a Virtual Private Network (VPN) IPSEC +The EncryptInterceptor +provides confidentiality and integrity protection but it does not protect +against all risks associated with running a Tomcat cluster on an untrusted +network, particularly DoS attacks. + diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml index 566a62233c..3ef294dbce 100644 --- a/webapps/docs/security-howto.xml +++ b/webapps/docs/security-howto.xml @@ -469,10 +469,12 @@ trusted network is used for all of the cluster related network traffic. It is not safe to run a cluster on a insecure, untrusted network. - If you are operating on an untrusted network or would prefer to - exercise an over-abundance of caution, you can use the + If you require confidentiality and/or integrity protection then you can + use the EncryptInterceptor - to encrypt traffic between nodes. + to encrypt traffic between nodes. This interceptor does not protect + against all the risks of running on an untrusted network, particularly + DoS attacks. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 10.0.x updated: EncryptInterceptor only provides partial protection on untrusted network
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.0.x by this push: new 36826ea638 EncryptInterceptor only provides partial protection on untrusted network 36826ea638 is described below commit 36826ea638457d7e17876a70f89cb435b6db0d91 Author: Mark Thomas AuthorDate: Tue May 10 17:59:05 2022 +0100 EncryptInterceptor only provides partial protection on untrusted network This is CVE-2022-29885 --- webapps/docs/changelog.xml | 6 ++ webapps/docs/cluster-howto.xml | 6 +- webapps/docs/config/cluster.xml | 6 +- webapps/docs/security-howto.xml | 8 +--- 4 files changed, 21 insertions(+), 5 deletions(-) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index cb9050b243..a6e153b3ed 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -191,6 +191,12 @@ recommendation for the use the trimSpaces option for Jasper in production environments. (markt) + +Update the documentation web application to state that the +EncryptInterceptor does not provide sufficient protection +to run Tomcat clustering over an untrusted network. This is +CVE-2022-29885. (markt) + diff --git a/webapps/docs/cluster-howto.xml b/webapps/docs/cluster-howto.xml index 076ef93e3a..2edaf71d35 100644 --- a/webapps/docs/cluster-howto.xml +++ b/webapps/docs/cluster-howto.xml @@ -127,9 +127,13 @@ Tomcat cluster. These include: private LAN a Virtual Private Network (VPN) IPSEC - Encrypt cluster traffic using the EncryptInterceptor +The EncryptInterceptor +provides confidentiality and integrity protection but it does not protect +against all risks associated with running a Tomcat cluster on an untrusted +network, particularly DoS attacks. + diff --git a/webapps/docs/config/cluster.xml b/webapps/docs/config/cluster.xml index 0535b4a4d4..03dbf4b693 100644 --- a/webapps/docs/config/cluster.xml 
+++ b/webapps/docs/config/cluster.xml @@ -52,12 +52,16 @@ to run a cluster on a insecure, untrusted network. There are many options for providing a secure, trusted network for use by a Tomcat cluster. These include: - EncryptInterceptor private LAN a Virtual Private Network (VPN) IPSEC +The EncryptInterceptor +provides confidentiality and integrity protection but it does not protect +against all risks associated with running a Tomcat cluster on an untrusted +network, particularly DoS attacks. + diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml index bd60acb4c2..c437558f11 100644 --- a/webapps/docs/security-howto.xml +++ b/webapps/docs/security-howto.xml @@ -477,10 +477,12 @@ trusted network is used for all of the cluster related network traffic. It is not safe to run a cluster on a insecure, untrusted network. - If you are operating on an untrusted network or would prefer to - exercise an over-abundance of caution, you can use the + If you require confidentiality and/or integrity protection then you can + use the EncryptInterceptor - to encrypt traffic between nodes. + to encrypt traffic between nodes. This interceptor does not protect + against all the risks of running on an untrusted network, particularly + DoS attacks. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch main updated: EncryptInterceptor only provides partial protection on untrusted network
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new 0fa7721f11 EncryptInterceptor only provides partial protection on untrusted network 0fa7721f11 is described below commit 0fa7721f11d565a2cd2e44366c388ad6a3e6357d Author: Mark Thomas AuthorDate: Tue May 10 17:59:05 2022 +0100 EncryptInterceptor only provides partial protection on untrusted network This is CVE-2022-29885 --- webapps/docs/changelog.xml | 6 ++ webapps/docs/cluster-howto.xml | 6 +- webapps/docs/config/cluster.xml | 6 +- webapps/docs/security-howto.xml | 8 +--- 4 files changed, 21 insertions(+), 5 deletions(-) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 99c8bd0bc4..a41dedfd5c 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -203,6 +203,12 @@ recommendation for the use the trimSpaces option for Jasper in production environments. (markt) + +Update the documentation web application to state that the +EncryptInterceptor does not provide sufficient protection +to run Tomcat clustering over an untrusted network. This is +CVE-2022-29885. (markt) + diff --git a/webapps/docs/cluster-howto.xml b/webapps/docs/cluster-howto.xml index 076ef93e3a..2edaf71d35 100644 --- a/webapps/docs/cluster-howto.xml +++ b/webapps/docs/cluster-howto.xml @@ -127,9 +127,13 @@ Tomcat cluster. These include: private LAN a Virtual Private Network (VPN) IPSEC - Encrypt cluster traffic using the EncryptInterceptor +The EncryptInterceptor +provides confidentiality and integrity protection but it does not protect +against all risks associated with running a Tomcat cluster on an untrusted +network, particularly DoS attacks. + diff --git a/webapps/docs/config/cluster.xml b/webapps/docs/config/cluster.xml index 0535b4a4d4..03dbf4b693 100644 --- a/webapps/docs/config/cluster.xml 
+++ b/webapps/docs/config/cluster.xml @@ -52,12 +52,16 @@ to run a cluster on a insecure, untrusted network. There are many options for providing a secure, trusted network for use by a Tomcat cluster. These include: - EncryptInterceptor private LAN a Virtual Private Network (VPN) IPSEC +The EncryptInterceptor +provides confidentiality and integrity protection but it does not protect +against all risks associated with running a Tomcat cluster on an untrusted +network, particularly DoS attacks. + diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml index bd60acb4c2..c437558f11 100644 --- a/webapps/docs/security-howto.xml +++ b/webapps/docs/security-howto.xml @@ -477,10 +477,12 @@ trusted network is used for all of the cluster related network traffic. It is not safe to run a cluster on a insecure, untrusted network. - If you are operating on an untrusted network or would prefer to - exercise an over-abundance of caution, you can use the + If you require confidentiality and/or integrity protection then you can + use the EncryptInterceptor - to encrypt traffic between nodes. + to encrypt traffic between nodes. This interceptor does not protect + against all the risks of running on an untrusted network, particularly + DoS attacks. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
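Review bot: In the security-howto.xml hunk, the new sentence offers the interceptor for "confidentiality and/or integrity protection" but then says it is used "to encrypt traffic between nodes", which names only the confidentiality half. Suggest "to protect traffic between nodes" so the sentence agrees with itself and with the wording added to cluster-howto.xml and config/cluster.xml ("provides confidentiality and integrity protection"). The unchanged context line just above, "It is not safe to run a cluster on a insecure, untrusted network", could be corrected to "an insecure" while this paragraph is being edited.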
[tomcat] branch 8.5.x updated: Adding a ServiceBindingPropertySource
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/8.5.x by this push: new 038bf486b1 Adding a ServiceBindingPropertySource 038bf486b1 is described below commit 038bf486b13326323057056d0e0c5b1bdec1907b Author: Gareth Evans AuthorDate: Tue May 10 10:26:52 2022 +0100 Adding a ServiceBindingPropertySource The property source allows values in Tomcat's configuration files to be injected directly from a servicebinding.io's Service Binding without having to be converted to an environment variable first. Co-authored-by: Sumit Kulhadia Co-authored-by: Gareth Evans --- .../digester/ServiceBindingPropertySource.java | 120 + webapps/docs/changelog.xml | 5 + webapps/docs/config/systemprops.xml| 5 +- 3 files changed, 129 insertions(+), 1 deletion(-) diff --git a/java/org/apache/tomcat/util/digester/ServiceBindingPropertySource.java b/java/org/apache/tomcat/util/digester/ServiceBindingPropertySource.java new file mode 100644 index 00..c6b7b6ae12 --- /dev/null +++ b/java/org/apache/tomcat/util/digester/ServiceBindingPropertySource.java 
@@ -0,0 +1,120 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.tomcat.util.digester; + +import java.io.FilePermission; +import java.io.IOException; +import java.nio.file.Files; +import java.nio.file.Path; +import java.nio.file.Paths; +import java.security.Permission; + +import org.apache.tomcat.util.IntrospectionUtils; +import org.apache.tomcat.util.security.PermissionCheck; + +/** + * A {@link org.apache.tomcat.util.IntrospectionUtils.SecurePropertySource} + * that uses Kubernetes service bindings to resolve expressions. + * + * Usage example: + * + * Configure the certificate with a service binding. 
+ * + * When the service binding is constructed as follows: + * + * + *$SERVICE_BINDING_ROOT/ + * /custom-certificate/ + */keyFile + */file + */chainFile + * + * + * {@code + * + * + * } + * + * + * How to configure: + * + * {@code + * echo "org.apache.tomcat.util.digester.PROPERTY_SOURCE=org.apache.tomcat.util.digester.ServiceBindingPropertySource" >> conf/catalina.properties} + * + * or add this to {@code CATALINA_OPTS} + * + * + * {@code + * -Dorg.apache.tomcat.util.digester.PROPERTY_SOURCE=org.apache.tomcat.util.digester.ServiceBindingPropertySource} + * + * + * NOTE: When configured the PropertySource for resolving expressions + * from system properties is still active. + * + * @see Digester + * + * @see https://tomcat.apache.org/tomcat-9.0-doc/config/systemprops.html#Property_replacements;>Tomcat + * Configuration Reference System Properties + */ +public class ServiceBindingPropertySource implements IntrospectionUtils.SecurePropertySource { + +private static final String SERVICE_BINDING_ROOT_ENV_VAR = "SERVICE_BINDING_ROOT"; + +@Override +public String getProperty(String key) { +return null; +} + +@Override +public String getProperty(String key, ClassLoader classLoader) { +// can we determine the service binding root +if (classLoader instanceof PermissionCheck) { +Permission p = new RuntimePermission("getenv." + SERVICE_BINDING_ROOT_ENV_VAR, null); +if (!((PermissionCheck) classLoader).check(p)) { +return null; +} +} + +// get the root to search from +String serviceBindingRoot = System.getenv(SERVICE_BINDING_ROOT_ENV_VAR); +if (serviceBindingRoot == null) { +return null; +} + +// we expect the keys to be in the format $SERVICE_BINDING_ROOT// +String[] parts = key.split("\\."); +if (parts.length != 2) { +return null; +} + +Path path = Paths.get(serviceBindingRoot, parts[0], parts[1]); +try {
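Review bot: In getProperty(String key, ClassLoader classLoader), the comment "we expect the keys to be in the format $SERVICE_BINDING_ROOT//" describes a path, but the code splits the key with key.split("\\.") and returns null unless there are exactly two parts. The key is therefore a dot-separated pair, and a binding name or file name that itself contains a dot can never be resolved; it fails silently with null. Suggest stating the dotted key format explicitly in the comment and the class Javadoc, and logging at debug level when parts.length != 2 so a misconfigured expression can be diagnosed.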
[tomcat] branch 9.0.x updated: Adding a ServiceBindingPropertySource
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new 53d572b93e Adding a ServiceBindingPropertySource 53d572b93e is described below commit 53d572b93e4e038f99200e3e7416125b18fed8d6 Author: Gareth Evans AuthorDate: Tue May 10 10:26:52 2022 +0100 Adding a ServiceBindingPropertySource The property source allows values in Tomcat's configuration files to be injected directly from a servicebinding.io's Service Binding without having to be converted to an environment variable first. Co-authored-by: Sumit Kulhadia Co-authored-by: Gareth Evans --- .../digester/ServiceBindingPropertySource.java | 120 + webapps/docs/changelog.xml | 5 + webapps/docs/config/systemprops.xml| 5 +- 3 files changed, 129 insertions(+), 1 deletion(-) diff --git a/java/org/apache/tomcat/util/digester/ServiceBindingPropertySource.java b/java/org/apache/tomcat/util/digester/ServiceBindingPropertySource.java new file mode 100644 index 00..c6b7b6ae12 --- /dev/null +++ b/java/org/apache/tomcat/util/digester/ServiceBindingPropertySource.java 
@@ -0,0 +1,120 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.tomcat.util.digester; + +import java.io.FilePermission; +import java.io.IOException; +import java.nio.file.Files; +import java.nio.file.Path; +import java.nio.file.Paths; +import java.security.Permission; + +import org.apache.tomcat.util.IntrospectionUtils; +import org.apache.tomcat.util.security.PermissionCheck; + +/** + * A {@link org.apache.tomcat.util.IntrospectionUtils.SecurePropertySource} + * that uses Kubernetes service bindings to resolve expressions. + * + * Usage example: + * + * Configure the certificate with a service binding. 
+ * + * When the service binding is constructed as follows: + * + * + *$SERVICE_BINDING_ROOT/ + * /custom-certificate/ + */keyFile + */file + */chainFile + * + * + * {@code + * + * + * } + * + * + * How to configure: + * + * {@code + * echo "org.apache.tomcat.util.digester.PROPERTY_SOURCE=org.apache.tomcat.util.digester.ServiceBindingPropertySource" >> conf/catalina.properties} + * + * or add this to {@code CATALINA_OPTS} + * + * + * {@code + * -Dorg.apache.tomcat.util.digester.PROPERTY_SOURCE=org.apache.tomcat.util.digester.ServiceBindingPropertySource} + * + * + * NOTE: When configured the PropertySource for resolving expressions + * from system properties is still active. + * + * @see Digester + * + * @see https://tomcat.apache.org/tomcat-9.0-doc/config/systemprops.html#Property_replacements;>Tomcat + * Configuration Reference System Properties + */ +public class ServiceBindingPropertySource implements IntrospectionUtils.SecurePropertySource { + +private static final String SERVICE_BINDING_ROOT_ENV_VAR = "SERVICE_BINDING_ROOT"; + +@Override +public String getProperty(String key) { +return null; +} + +@Override +public String getProperty(String key, ClassLoader classLoader) { +// can we determine the service binding root +if (classLoader instanceof PermissionCheck) { +Permission p = new RuntimePermission("getenv." + SERVICE_BINDING_ROOT_ENV_VAR, null); +if (!((PermissionCheck) classLoader).check(p)) { +return null; +} +} + +// get the root to search from +String serviceBindingRoot = System.getenv(SERVICE_BINDING_ROOT_ENV_VAR); +if (serviceBindingRoot == null) { +return null; +} + +// we expect the keys to be in the format $SERVICE_BINDING_ROOT// +String[] parts = key.split("\\."); +if (parts.length != 2) { +return null; +} + +Path path = Paths.get(serviceBindingRoot, parts[0], parts[1]); +try {
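Review bot: getProperty(String key) returns null unconditionally and carries no comment saying why, so a caller using the single-argument form gets no service-binding values and no hint that this is intended. If the reason is that lookups must go through the ClassLoader overload so that the PermissionCheck can run, say so in a Javadoc line on the method; the NOTE in the class Javadoc about system properties still being active would be a natural place to mention it as well.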
[tomcat] branch 10.0.x updated: Adding a ServiceBindingPropertySource
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.0.x by this push: new 0b898bfb8e Adding a ServiceBindingPropertySource 0b898bfb8e is described below commit 0b898bfb8e29f8b42364b2612598faecd79a9bb3 Author: Gareth Evans AuthorDate: Tue May 10 10:26:52 2022 +0100 Adding a ServiceBindingPropertySource The property source allows values in Tomcat's configuration files to be injected directly from a servicebinding.io's Service Binding without having to be converted to an environment variable first. Co-authored-by: Sumit Kulhadia Co-authored-by: Gareth Evans --- .../digester/ServiceBindingPropertySource.java | 120 + webapps/docs/changelog.xml | 5 + webapps/docs/config/systemprops.xml| 5 +- 3 files changed, 129 insertions(+), 1 deletion(-) diff --git a/java/org/apache/tomcat/util/digester/ServiceBindingPropertySource.java b/java/org/apache/tomcat/util/digester/ServiceBindingPropertySource.java new file mode 100644 index 00..c6b7b6ae12 --- /dev/null +++ b/java/org/apache/tomcat/util/digester/ServiceBindingPropertySource.java 
@@ -0,0 +1,120 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.tomcat.util.digester; + +import java.io.FilePermission; +import java.io.IOException; +import java.nio.file.Files; +import java.nio.file.Path; +import java.nio.file.Paths; +import java.security.Permission; + +import org.apache.tomcat.util.IntrospectionUtils; +import org.apache.tomcat.util.security.PermissionCheck; + +/** + * A {@link org.apache.tomcat.util.IntrospectionUtils.SecurePropertySource} + * that uses Kubernetes service bindings to resolve expressions. + * + * Usage example: + * + * Configure the certificate with a service binding. 
+ * + * When the service binding is constructed as follows: + * + * + *$SERVICE_BINDING_ROOT/ + * /custom-certificate/ + */keyFile + */file + */chainFile + * + * + * {@code + * + * + * } + * + * + * How to configure: + * + * {@code + * echo "org.apache.tomcat.util.digester.PROPERTY_SOURCE=org.apache.tomcat.util.digester.ServiceBindingPropertySource" >> conf/catalina.properties} + * + * or add this to {@code CATALINA_OPTS} + * + * + * {@code + * -Dorg.apache.tomcat.util.digester.PROPERTY_SOURCE=org.apache.tomcat.util.digester.ServiceBindingPropertySource} + * + * + * NOTE: When configured the PropertySource for resolving expressions + * from system properties is still active. + * + * @see Digester + * + * @see https://tomcat.apache.org/tomcat-9.0-doc/config/systemprops.html#Property_replacements;>Tomcat + * Configuration Reference System Properties + */ +public class ServiceBindingPropertySource implements IntrospectionUtils.SecurePropertySource { + +private static final String SERVICE_BINDING_ROOT_ENV_VAR = "SERVICE_BINDING_ROOT"; + +@Override +public String getProperty(String key) { +return null; +} + +@Override +public String getProperty(String key, ClassLoader classLoader) { +// can we determine the service binding root +if (classLoader instanceof PermissionCheck) { +Permission p = new RuntimePermission("getenv." + SERVICE_BINDING_ROOT_ENV_VAR, null); +if (!((PermissionCheck) classLoader).check(p)) { +return null; +} +} + +// get the root to search from +String serviceBindingRoot = System.getenv(SERVICE_BINDING_ROOT_ENV_VAR); +if (serviceBindingRoot == null) { +return null; +} + +// we expect the keys to be in the format $SERVICE_BINDING_ROOT// +String[] parts = key.split("\\."); +if (parts.length != 2) { +return null; +} + +Path path = Paths.get(serviceBindingRoot, parts[0], parts[1]); +try
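Review bot: The class Javadoc in this 10.0.x back-port ends with an @see that points at tomcat-9.0-doc/config/systemprops.html, so readers of the 10.0 API documentation are sent to the 9.0 configuration reference. Suggest pointing the link at the documentation for the branch being patched. The anchor is worth checking at the same time: as it appears in this mail it reads "#Property_replacements;" with a semicolon before the link text.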
[tomcat] branch main updated: Add a change log entry and do some minor clean-up
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new da3012ed27 Add a change log entry and do some minor clean-up da3012ed27 is described below commit da3012ed276fcb194dcbdbd18a5b8fc4a14df97d Author: Mark Thomas AuthorDate: Tue May 10 17:37:06 2022 +0100 Add a change log entry and do some minor clean-up --- .../tomcat/util/digester/ServiceBindingPropertySource.java | 13 +++-- webapps/docs/changelog.xml | 5 + 2 files changed, 12 insertions(+), 6 deletions(-) diff --git a/java/org/apache/tomcat/util/digester/ServiceBindingPropertySource.java b/java/org/apache/tomcat/util/digester/ServiceBindingPropertySource.java index 526ad37a1e..c6b7b6ae12 100644 --- a/java/org/apache/tomcat/util/digester/ServiceBindingPropertySource.java +++ b/java/org/apache/tomcat/util/digester/ServiceBindingPropertySource.java @@ -16,15 +16,15 @@ */ package org.apache.tomcat.util.digester; -import java.security.Permission; - -import org.apache.tomcat.util.IntrospectionUtils; -import org.apache.tomcat.util.security.PermissionCheck; -import java.io.IOException; import java.io.FilePermission; +import java.io.IOException; import java.nio.file.Files; import java.nio.file.Path; import java.nio.file.Paths; +import java.security.Permission; + +import org.apache.tomcat.util.IntrospectionUtils; +import org.apache.tomcat.util.security.PermissionCheck; /** * A {@link org.apache.tomcat.util.IntrospectionUtils.SecurePropertySource} 
@@ -70,7 +70,8 @@ import java.nio.file.Paths; * * @see Digester * - * @see https://tomcat.apache.org/tomcat-9.0-doc/config/systemprops.html#Property_replacements;>Tomcat Configuration Reference System Properties + * @see https://tomcat.apache.org/tomcat-9.0-doc/config/systemprops.html#Property_replacements;>Tomcat + * Configuration Reference System Properties */ public class ServiceBindingPropertySource implements IntrospectionUtils.SecurePropertySource { diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 47b75ef62e..99c8bd0bc4 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -129,6 +129,11 @@ mappings used by ServletResponse.setLocale() as it caused regressions for applications using UTF-8. (markt) + +Provide a property source that sources values from Kubernetes service +bindings. Pull request 512 provided by Sumit Kulhadia and +Gareth Evans. (markt) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
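Review bot: The new changelog.xml entry says only that values can be sourced from Kubernetes service bindings; it names neither ServiceBindingPropertySource nor the org.apache.tomcat.util.digester.PROPERTY_SOURCE setting, so a reader of the changelog cannot tell how to enable the feature. Suggest naming the class in the entry and referring to config/systemprops.xml, which the original commit updated.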
[tomcat] branch main updated: Adding a ServiceBindingPropertySource
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new ba7f29a0cb Adding a ServiceBindingPropertySource ba7f29a0cb is described below commit ba7f29a0cb916f81df669ad59144f5cd301c4c41 Author: Gareth Evans AuthorDate: Tue May 10 10:26:52 2022 +0100 Adding a ServiceBindingPropertySource The property source allows values in Tomcat's configuration files to be injected directly from a servicebinding.io's Service Binding without having to be converted to an environment variable first. Co-authored-by: Sumit Kulhadia Co-authored-by: Gareth Evans --- .../digester/ServiceBindingPropertySource.java | 119 + webapps/docs/config/systemprops.xml| 5 +- 2 files changed, 123 insertions(+), 1 deletion(-) diff --git a/java/org/apache/tomcat/util/digester/ServiceBindingPropertySource.java b/java/org/apache/tomcat/util/digester/ServiceBindingPropertySource.java new file mode 100644 index 00..526ad37a1e --- /dev/null +++ b/java/org/apache/tomcat/util/digester/ServiceBindingPropertySource.java 
@@ -0,0 +1,119 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.tomcat.util.digester; + +import java.security.Permission; + +import org.apache.tomcat.util.IntrospectionUtils; +import org.apache.tomcat.util.security.PermissionCheck; +import java.io.IOException; +import java.io.FilePermission; +import java.nio.file.Files; +import java.nio.file.Path; +import java.nio.file.Paths; + +/** + * A {@link org.apache.tomcat.util.IntrospectionUtils.SecurePropertySource} + * that uses Kubernetes service bindings to resolve expressions. + * + * Usage example: + * + * Configure the certificate with a service binding. 
+ * + * When the service binding is constructed as follows: + * + * + *$SERVICE_BINDING_ROOT/ + * /custom-certificate/ + */keyFile + */file + */chainFile + * + * + * {@code + * + * + * } + * + * + * How to configure: + * + * {@code + * echo "org.apache.tomcat.util.digester.PROPERTY_SOURCE=org.apache.tomcat.util.digester.ServiceBindingPropertySource" >> conf/catalina.properties} + * + * or add this to {@code CATALINA_OPTS} + * + * + * {@code + * -Dorg.apache.tomcat.util.digester.PROPERTY_SOURCE=org.apache.tomcat.util.digester.ServiceBindingPropertySource} + * + * + * NOTE: When configured the PropertySource for resolving expressions + * from system properties is still active. + * + * @see Digester + * + * @see https://tomcat.apache.org/tomcat-9.0-doc/config/systemprops.html#Property_replacements;>Tomcat Configuration Reference System Properties + */ +public class ServiceBindingPropertySource implements IntrospectionUtils.SecurePropertySource { + +private static final String SERVICE_BINDING_ROOT_ENV_VAR = "SERVICE_BINDING_ROOT"; + +@Override +public String getProperty(String key) { +return null; +} + +@Override +public String getProperty(String key, ClassLoader classLoader) { +// can we determine the service binding root +if (classLoader instanceof PermissionCheck) { +Permission p = new RuntimePermission("getenv." + SERVICE_BINDING_ROOT_ENV_VAR, null); +if (!((PermissionCheck) classLoader).check(p)) { +return null; +} +} + +// get the root to search from +String serviceBindingRoot = System.getenv(SERVICE_BINDING_ROOT_ENV_VAR); +if (serviceBindingRoot == null) { +return null; +} + +// we expect the keys to be in the format $SERVICE_BINDING_ROOT// +String[] parts = key.split("\\."); +if (parts.length != 2) { +return null; +} + +Path path = Paths.get(serviceBindingRoot, parts[0], parts[1]); +try { +if (classLoader instanceof PermissionCheck) { +
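Review bot: Paths.get(serviceBindingRoot, parts[0], parts[1]) builds the file path directly from the two halves of the key, and nothing in the lines visible here confirms that the result still lies under SERVICE_BINDING_ROOT. Because the key is split on ".", neither part can contain "..", but that protection is incidental rather than stated, and either part may still contain a path separator. Suggest rejecting parts that contain a separator, or normalizing the path and checking path.startsWith(root) before the read, with a comment recording the intent. The imports in this first version are also out of order (java.security and org.apache before java.io), which the follow-up clean-up commit da3012ed27 corrects.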
[GitHub] [tomcat] markt-asf merged pull request #512: Adding a ServiceBindingPropertySource
markt-asf merged PR #512: URL: https://github.com/apache/tomcat/pull/512
[GitHub] [tomcat] markt-asf commented on pull request #512: Adding a ServiceBindingPropertySource
markt-asf commented on PR #512: URL: https://github.com/apache/tomcat/pull/512#issuecomment-1122616275 Agreed. I was going to merge this, tidy things up a bit and then back-port.
[Bug 65853] [CsrfPreventionFilter] Extract evaluation of skipNonceCheck into overridable method
https://bz.apache.org/bugzilla/show_bug.cgi?id=65853 --- Comment #20 from Marvin Fröhlich --- The other reason for extension is to have more flexibility (wildcard support) in entry point handling.
[Bug 65853] [CsrfPreventionFilter] Extract evaluation of skipNonceCheck into overridable method
https://bz.apache.org/bugzilla/show_bug.cgi?id=65853

--- Comment #19 from Marvin Fröhlich ---
(In reply to Mark Thomas from comment #18)
> So in your code the call to getNonceCache() will create a cache instance if
> none is found? That doesn't seem quite right. I'd expect that method to
> return null if the cache doesn't exist rather than create a new instance.

Well, the reason for many of the extensions is that we need to distinguish between window contexts. The session is the same, but the request might come from another window (popup). Without this distinction the nonce chain will get broken once a popup is opened for a session. And this needs special treatment (separate nonce caches). Actually, I think this feature is missing in your implementation.

(In reply to Mark Thomas from comment #18)
> I've refactored things a bit more so getNonceCache() is only called when
> necessary. Let me know what you think.

Yes, this looks fine. Thanks.
[GitHub] [tomcat] ChristopherSchultz commented on pull request #512: Adding a ServiceBindingPropertySource
ChristopherSchultz commented on PR #512: URL: https://github.com/apache/tomcat/pull/512#issuecomment-1122565867 This looks interesting to me.
[tomcat] branch main updated: Typo on changelog.xml from jsp:pluing to jsp:plugin.
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new b0f4bf718a Typo on changelog.xml from jsp:pluing to jsp:plugin. b0f4bf718a is described below commit b0f4bf718a1c24d23f50d5c2b118995f014f37f5 Author: dn121049 AuthorDate: Mon May 9 12:18:59 2022 +0100 Typo on changelog.xml from jsp:pluing to jsp:plugin. --- webapps/docs/changelog.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index f8583c3a8a..47b75ef62e 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -180,8 +180,8 @@ To align with the JSP 3.1 specification, make the -jsp:pluing action a NO-OP. No HTML will be generated as a -result the jsp:pluing action being included in a JSP. This +jsp:plugin action a NO-OP. No HTML will be generated as a +result the jsp:plugin action being included in a JSP. This is be because the associated HTML elements are no longer supported by any major browser. (markt) - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
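Review bot: The two replaced lines fix "jsp:pluing", but the same changelog paragraph still reads "as a result the jsp:plugin action being included in a JSP" (missing "of") and, in the unchanged context line that follows, "This is be because the associated HTML elements are no longer supported". Since the commit is a wording fix to this entry, suggest correcting both in the same change: "as a result of the jsp:plugin action being included" and "This is because".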
[GitHub] [tomcat] markt-asf merged pull request #513: Typo on changelog.xml, changed from jsp:pluing to jsp:plugin.
markt-asf merged PR #513: URL: https://github.com/apache/tomcat/pull/513
[tomcat] 01/03: Clean up - no functional change
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 1ab3a2ba856bbefc8d3b44263bc3017db5848912 Author: Mark Thomas AuthorDate: Tue May 10 16:13:31 2022 +0100 Clean up - no functional change --- .../catalina/filters/CsrfPreventionFilter.java | 21 ++--- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/java/org/apache/catalina/filters/CsrfPreventionFilter.java b/java/org/apache/catalina/filters/CsrfPreventionFilter.java index bfa65fc99c..dee418ca63 100644 --- a/java/org/apache/catalina/filters/CsrfPreventionFilter.java +++ b/java/org/apache/catalina/filters/CsrfPreventionFilter.java @@ -123,11 +123,10 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase { NonceCache nonceCache = (session == null) ? null : getNonceCache(req, session); if (!skipNonceCheck(req)) { -String previousNonce = -req.getParameter(nonceRequestParameterName); +String previousNonce = req.getParameter(nonceRequestParameterName); -if(previousNonce == null) { -if(log.isDebugEnabled()) { +if (previousNonce == null) { +if (log.isDebugEnabled()) { log.debug("Rejecting request for " + getRequestedPath(req) + ", session " + (null == session ? "(none)" : session.getId()) @@ -136,8 +135,8 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase { res.sendError(getDenyStatus()); return; -} else if(nonceCache == null) { -if(log.isDebugEnabled()) { +} else if (nonceCache == null) { +if (log.isDebugEnabled()) { log.debug("Rejecting request for " + getRequestedPath(req) + ", session " + (null == session ? "(none)" : session.getId()) 
@@ -146,8 +145,8 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase { res.sendError(getDenyStatus()); return; -} else if(!nonceCache.contains(previousNonce)) { -if(log.isDebugEnabled()) { +} else if (!nonceCache.contains(previousNonce)) { +if (log.isDebugEnabled()) { log.debug("Rejecting request for " + getRequestedPath(req) + ", session " + (null == session ? "(none)" : session.getId()) @@ -157,7 +156,7 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase { res.sendError(getDenyStatus()); return; } -if(log.isTraceEnabled()) { +if (log.isTraceEnabled()) { log.trace("Allowing request to " + getRequestedPath(req) + " with valid CSRF nonce " + previousNonce); } @@ -165,12 +164,12 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase { if (!skipNonceGeneration(req)) { if (nonceCache == null) { -if(log.isDebugEnabled()) { +if (log.isDebugEnabled()) { log.debug("Creating new CSRF nonce cache with size=" + nonceCacheSize + " for session " + (null == session ? "(will create)" : session.getId())); } if (session == null) { -if(log.isDebugEnabled()) { +if (log.isDebugEnabled()) { log.debug("Creating new session to store CSRF nonce cache"); } - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
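Review bot: In the reformatted rejection and acceptance branches, the debug messages log session.getId() and the trace message logs the accepted value of previousNonce ("with valid CSRF nonce " + previousNonce), so enabling debug or trace logging for this filter writes session identifiers and accepted CSRF nonces to the log files. That behaviour predates this whitespace-only commit, but since these are the lines being touched, a follow-up that omits or truncates those values, or a Javadoc note that these log levels are not meant for production, would be worth raising.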
[tomcat] 02/03: Allow sub-class to decide if session being null is an issue or not
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 1fcc216e2a87d5223c5e2be1a2ab43a6851242ef Author: Mark Thomas AuthorDate: Tue May 10 16:14:51 2022 +0100 Allow sub-class to decide if session being null is an issue or not --- java/org/apache/catalina/filters/CsrfPreventionFilter.java | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/java/org/apache/catalina/filters/CsrfPreventionFilter.java b/java/org/apache/catalina/filters/CsrfPreventionFilter.java index dee418ca63..fca530d6d6 100644 --- a/java/org/apache/catalina/filters/CsrfPreventionFilter.java +++ b/java/org/apache/catalina/filters/CsrfPreventionFilter.java @@ -120,7 +120,7 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase { HttpSession session = req.getSession(false); -NonceCache nonceCache = (session == null) ? null : getNonceCache(req, session); +NonceCache nonceCache = getNonceCache(req, session); if (!skipNonceCheck(req)) { String previousNonce = req.getParameter(nonceRequestParameterName); @@ -265,6 +265,9 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase { * and/or session */ protected NonceCache getNonceCache(HttpServletRequest request, HttpSession session) { +if (session == null) { +return null; +} @SuppressWarnings("unchecked") NonceCache nonceCache = (NonceCache) session.getAttribute(Constants.CSRF_NONCE_SESSION_ATTR_NAME); - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
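Review bot: getNonceCache() now accepts a null session and returns null for it, but the Javadoc visible above the method (ending "and/or session") is not updated to say so. Since the purpose of the commit is to let a sub-class decide how to treat a null session, the contract should be written down: that the session argument may be null, and that a null return means no cache exists. Without that, an override that calls session.getAttribute() unconditionally will throw a NullPointerException on requests that have no session.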
[tomcat] 03/03: Refactor calls to getNonceCache() so only called when necessary.
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit e7d801b2417662c86e567544f41f1e3873eaeafb Author: Mark Thomas AuthorDate: Tue May 10 16:33:51 2022 +0100 Refactor calls to getNonceCache() so only called when necessary. --- java/org/apache/catalina/filters/CsrfPreventionFilter.java | 14 +++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/java/org/apache/catalina/filters/CsrfPreventionFilter.java b/java/org/apache/catalina/filters/CsrfPreventionFilter.java index fca530d6d6..77c0aa3ae1 100644 --- a/java/org/apache/catalina/filters/CsrfPreventionFilter.java +++ b/java/org/apache/catalina/filters/CsrfPreventionFilter.java @@ -120,9 +120,10 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase { HttpSession session = req.getSession(false); -NonceCache nonceCache = getNonceCache(req, session); +boolean skipNonceCheck = skipNonceCheck(req); +NonceCache nonceCache = null; -if (!skipNonceCheck(req)) { +if (!skipNonceCheck) { String previousNonce = req.getParameter(nonceRequestParameterName); if (previousNonce == null) { @@ -135,7 +136,10 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase { res.sendError(getDenyStatus()); return; -} else if (nonceCache == null) { +} + +nonceCache = getNonceCache(req, session); +if (nonceCache == null) { if (log.isDebugEnabled()) { log.debug("Rejecting request for " + getRequestedPath(req) + ", session " 
@@ -163,6 +167,10 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase { } if (!skipNonceGeneration(req)) { +if (skipNonceCheck) { +// Didn't look up nonce cache earlier so look it up now. +nonceCache = getNonceCache(req, session); +} if (nonceCache == null) { if (log.isDebugEnabled()) { log.debug("Creating new CSRF nonce cache with size=" + nonceCacheSize + " for session " + (null == session ? "(will create)" : session.getId())); - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
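Review bot: In the last hunk, the lookup before cache creation is keyed on the skipNonceCheck flag rather than on the state it protects. That is correct only while every path through the check block that leaves nonceCache null also rejects the request. Testing `nonceCache == null` before calling getNonceCache(req, session) there would not depend on that, and would still avoid a second lookup when the check block has already found a cache.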
[tomcat] branch 8.5.x updated (9dc00acdd0 -> e7d801b241)
This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git

    from 9dc00acdd0 Fix copy/paste error
     new 1ab3a2ba85 Clean up - no functional change
     new 1fcc216e2a Allow sub-class to decide if session being null is an issue or not
     new e7d801b241 Refactor calls to getNonceCache() so only called when necessary.

The 3 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.

Summary of changes:
 .../catalina/filters/CsrfPreventionFilter.java | 36 ++
 1 file changed, 23 insertions(+), 13 deletions(-)
[tomcat] 03/03: Refactor calls to getNonceCache() so only called when necessary.
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 1b8041818885d6932d3d48591b28e7f3c1cf0c3a Author: Mark Thomas AuthorDate: Tue May 10 16:33:51 2022 +0100 Refactor calls to getNonceCache() so only called when necessary. --- java/org/apache/catalina/filters/CsrfPreventionFilter.java | 14 +++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/java/org/apache/catalina/filters/CsrfPreventionFilter.java b/java/org/apache/catalina/filters/CsrfPreventionFilter.java index fca530d6d6..77c0aa3ae1 100644 --- a/java/org/apache/catalina/filters/CsrfPreventionFilter.java +++ b/java/org/apache/catalina/filters/CsrfPreventionFilter.java @@ -120,9 +120,10 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase { HttpSession session = req.getSession(false); -NonceCache nonceCache = getNonceCache(req, session); +boolean skipNonceCheck = skipNonceCheck(req); +NonceCache nonceCache = null; -if (!skipNonceCheck(req)) { +if (!skipNonceCheck) { String previousNonce = req.getParameter(nonceRequestParameterName); if (previousNonce == null) { @@ -135,7 +136,10 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase { res.sendError(getDenyStatus()); return; -} else if (nonceCache == null) { +} + +nonceCache = getNonceCache(req, session); +if (nonceCache == null) { if (log.isDebugEnabled()) { log.debug("Rejecting request for " + getRequestedPath(req) + ", session " 
@@ -163,6 +167,10 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase { } if (!skipNonceGeneration(req)) { +if (skipNonceCheck) { +// Didn't look up nonce cache earlier so look it up now. +nonceCache = getNonceCache(req, session); +} if (nonceCache == null) { if (log.isDebugEnabled()) { log.debug("Creating new CSRF nonce cache with size=" + nonceCacheSize + " for session " + (null == session ? "(will create)" : session.getId())); - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] 01/03: Clean up - no functional change
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit a9e8be066c8a78d65f6ce91ec4d7071fbd80ada8 Author: Mark Thomas AuthorDate: Tue May 10 16:13:31 2022 +0100 Clean up - no functional change --- .../catalina/filters/CsrfPreventionFilter.java | 21 ++--- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/java/org/apache/catalina/filters/CsrfPreventionFilter.java b/java/org/apache/catalina/filters/CsrfPreventionFilter.java index bfa65fc99c..dee418ca63 100644 --- a/java/org/apache/catalina/filters/CsrfPreventionFilter.java +++ b/java/org/apache/catalina/filters/CsrfPreventionFilter.java @@ -123,11 +123,10 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase { NonceCache nonceCache = (session == null) ? null : getNonceCache(req, session); if (!skipNonceCheck(req)) { -String previousNonce = -req.getParameter(nonceRequestParameterName); +String previousNonce = req.getParameter(nonceRequestParameterName); -if(previousNonce == null) { -if(log.isDebugEnabled()) { +if (previousNonce == null) { +if (log.isDebugEnabled()) { log.debug("Rejecting request for " + getRequestedPath(req) + ", session " + (null == session ? "(none)" : session.getId()) @@ -136,8 +135,8 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase { res.sendError(getDenyStatus()); return; -} else if(nonceCache == null) { -if(log.isDebugEnabled()) { +} else if (nonceCache == null) { +if (log.isDebugEnabled()) { log.debug("Rejecting request for " + getRequestedPath(req) + ", session " + (null == session ? "(none)" : session.getId()) 
@@ -146,8 +145,8 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase { res.sendError(getDenyStatus()); return; -} else if(!nonceCache.contains(previousNonce)) { -if(log.isDebugEnabled()) { +} else if (!nonceCache.contains(previousNonce)) { +if (log.isDebugEnabled()) { log.debug("Rejecting request for " + getRequestedPath(req) + ", session " + (null == session ? "(none)" : session.getId()) @@ -157,7 +156,7 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase { res.sendError(getDenyStatus()); return; } -if(log.isTraceEnabled()) { +if (log.isTraceEnabled()) { log.trace("Allowing request to " + getRequestedPath(req) + " with valid CSRF nonce " + previousNonce); } @@ -165,12 +164,12 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase { if (!skipNonceGeneration(req)) { if (nonceCache == null) { -if(log.isDebugEnabled()) { +if (log.isDebugEnabled()) { log.debug("Creating new CSRF nonce cache with size=" + nonceCacheSize + " for session " + (null == session ? "(will create)" : session.getId())); } if (session == null) { -if(log.isDebugEnabled()) { +if (log.isDebugEnabled()) { log.debug("Creating new session to store CSRF nonce cache"); } - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
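Review bot: The log.trace call in the hunk at line 157 writes the accepted nonce value itself to the log (`" with valid CSRF nonce " + previousNonce`), so trace output ends up holding tokens the filter has just treated as valid. This commit is whitespace only, so it is a point for a follow-up rather than for this change: log that the nonce was valid without the value, or log only a truncated form of it.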
[tomcat] 02/03: Allow sub-class to decide if session being null is an issue or not
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit e9413ef1ece2a6fead21ddbdbecacebf229a541e Author: Mark Thomas AuthorDate: Tue May 10 16:14:51 2022 +0100 Allow sub-class to decide if session being null is an issue or not --- java/org/apache/catalina/filters/CsrfPreventionFilter.java | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/java/org/apache/catalina/filters/CsrfPreventionFilter.java b/java/org/apache/catalina/filters/CsrfPreventionFilter.java index dee418ca63..fca530d6d6 100644 --- a/java/org/apache/catalina/filters/CsrfPreventionFilter.java +++ b/java/org/apache/catalina/filters/CsrfPreventionFilter.java @@ -120,7 +120,7 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase { HttpSession session = req.getSession(false); -NonceCache nonceCache = (session == null) ? null : getNonceCache(req, session); +NonceCache nonceCache = getNonceCache(req, session); if (!skipNonceCheck(req)) { String previousNonce = req.getParameter(nonceRequestParameterName); @@ -265,6 +265,9 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase { * and/or session */ protected NonceCache getNonceCache(HttpServletRequest request, HttpSession session) { +if (session == null) { +return null; +} @SuppressWarnings("unchecked") NonceCache nonceCache = (NonceCache) session.getAttribute(Constants.CSRF_NONCE_SESSION_ATTR_NAME); - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
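Review bot: No test covers the new null-session path into getNonceCache(); the diffstat lists only CsrfPreventionFilter.java. Two cases would pin down what the commit message describes: the default implementation returning null when session is null, and a sub-class that supplies a cache for a request without a session getting past the `nonceCache == null` handling in doFilter.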
[tomcat] branch 9.0.x updated (c832fc6498 -> 1b80418188)
This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git

    from c832fc6498 Fix copy/paste error
     new a9e8be066c Clean up - no functional change
     new e9413ef1ec Allow sub-class to decide if session being null is an issue or not
     new 1b80418188 Refactor calls to getNonceCache() so only called when necessary.

The 3 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.

Summary of changes:
 .../catalina/filters/CsrfPreventionFilter.java | 36 ++
 1 file changed, 23 insertions(+), 13 deletions(-)
[tomcat] 02/03: Allow sub-class to decide if session being null is an issue or not
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 0bc6d80e5a6c34c26582ed2514d1567472ee2253 Author: Mark Thomas AuthorDate: Tue May 10 16:14:51 2022 +0100 Allow sub-class to decide if session being null is an issue or not --- java/org/apache/catalina/filters/CsrfPreventionFilter.java | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/java/org/apache/catalina/filters/CsrfPreventionFilter.java b/java/org/apache/catalina/filters/CsrfPreventionFilter.java index c2d1c0ab3a..7be53ab8a1 100644 --- a/java/org/apache/catalina/filters/CsrfPreventionFilter.java +++ b/java/org/apache/catalina/filters/CsrfPreventionFilter.java @@ -120,7 +120,7 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase { HttpSession session = req.getSession(false); -NonceCache nonceCache = (session == null) ? null : getNonceCache(req, session); +NonceCache nonceCache = getNonceCache(req, session); if (!skipNonceCheck(req)) { String previousNonce = req.getParameter(nonceRequestParameterName); @@ -265,6 +265,9 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase { * and/or session */ protected NonceCache getNonceCache(HttpServletRequest request, HttpSession session) { +if (session == null) { +return null; +} @SuppressWarnings("unchecked") NonceCache nonceCache = (NonceCache) session.getAttribute(Constants.CSRF_NONCE_SESSION_ATTR_NAME); - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] 03/03: Refactor calls to getNonceCache() so only called when necessary.
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit cb81148dbad77e32cba4b735e06784e9feefcf67 Author: Mark Thomas AuthorDate: Tue May 10 16:33:51 2022 +0100 Refactor calls to getNonceCache() so only called when necessary. --- java/org/apache/catalina/filters/CsrfPreventionFilter.java | 14 +++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/java/org/apache/catalina/filters/CsrfPreventionFilter.java b/java/org/apache/catalina/filters/CsrfPreventionFilter.java index 7be53ab8a1..7e5143b620 100644 --- a/java/org/apache/catalina/filters/CsrfPreventionFilter.java +++ b/java/org/apache/catalina/filters/CsrfPreventionFilter.java @@ -120,9 +120,10 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase { HttpSession session = req.getSession(false); -NonceCache nonceCache = getNonceCache(req, session); +boolean skipNonceCheck = skipNonceCheck(req); +NonceCache nonceCache = null; -if (!skipNonceCheck(req)) { +if (!skipNonceCheck) { String previousNonce = req.getParameter(nonceRequestParameterName); if (previousNonce == null) { @@ -135,7 +136,10 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase { res.sendError(getDenyStatus()); return; -} else if (nonceCache == null) { +} + +nonceCache = getNonceCache(req, session); +if (nonceCache == null) { if (log.isDebugEnabled()) { log.debug("Rejecting request for " + getRequestedPath(req) + ", session " 
@@ -163,6 +167,10 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase { } if (!skipNonceGeneration(req)) { +if (skipNonceCheck) { +// Didn't look up nonce cache earlier so look it up now. +nonceCache = getNonceCache(req, session); +} if (nonceCache == null) { if (log.isDebugEnabled()) { log.debug("Creating new CSRF nonce cache with size=" + nonceCacheSize + " for session " + (null == session ? "(will create)" : session.getId())); - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
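Review bot: Nothing in this commit tests the call ordering it introduces; the diffstat lists only CsrfPreventionFilter.java. A sub-class of the filter that counts getNonceCache() calls could assert zero calls when both skipNonceCheck(req) and skipNonceGeneration(req) return true, zero calls when the request is rejected for a missing nonce parameter, and never more than one call per request otherwise.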
[tomcat] 01/03: Clean up - no functional change
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit a6ff8a899b6e6a7a5c1d272c0531742f7df387b3 Author: Mark Thomas AuthorDate: Tue May 10 16:13:31 2022 +0100 Clean up - no functional change --- .../catalina/filters/CsrfPreventionFilter.java | 21 ++--- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/java/org/apache/catalina/filters/CsrfPreventionFilter.java b/java/org/apache/catalina/filters/CsrfPreventionFilter.java index 87e10f5fc3..c2d1c0ab3a 100644 --- a/java/org/apache/catalina/filters/CsrfPreventionFilter.java +++ b/java/org/apache/catalina/filters/CsrfPreventionFilter.java @@ -123,11 +123,10 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase { NonceCache nonceCache = (session == null) ? null : getNonceCache(req, session); if (!skipNonceCheck(req)) { -String previousNonce = -req.getParameter(nonceRequestParameterName); +String previousNonce = req.getParameter(nonceRequestParameterName); -if(previousNonce == null) { -if(log.isDebugEnabled()) { +if (previousNonce == null) { +if (log.isDebugEnabled()) { log.debug("Rejecting request for " + getRequestedPath(req) + ", session " + (null == session ? "(none)" : session.getId()) @@ -136,8 +135,8 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase { res.sendError(getDenyStatus()); return; -} else if(nonceCache == null) { -if(log.isDebugEnabled()) { +} else if (nonceCache == null) { +if (log.isDebugEnabled()) { log.debug("Rejecting request for " + getRequestedPath(req) + ", session " + (null == session ? "(none)" : session.getId()) 
@@ -146,8 +145,8 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase { res.sendError(getDenyStatus()); return; -} else if(!nonceCache.contains(previousNonce)) { -if(log.isDebugEnabled()) { +} else if (!nonceCache.contains(previousNonce)) { +if (log.isDebugEnabled()) { log.debug("Rejecting request for " + getRequestedPath(req) + ", session " + (null == session ? "(none)" : session.getId()) @@ -157,7 +156,7 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase { res.sendError(getDenyStatus()); return; } -if(log.isTraceEnabled()) { +if (log.isTraceEnabled()) { log.trace("Allowing request to " + getRequestedPath(req) + " with valid CSRF nonce " + previousNonce); } @@ -165,12 +164,12 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase { if (!skipNonceGeneration(req)) { if (nonceCache == null) { -if(log.isDebugEnabled()) { +if (log.isDebugEnabled()) { log.debug("Creating new CSRF nonce cache with size=" + nonceCacheSize + " for session " + (null == session ? "(will create)" : session.getId())); } if (session == null) { -if(log.isDebugEnabled()) { +if (log.isDebugEnabled()) { log.debug("Creating new session to store CSRF nonce cache"); } - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 10.0.x updated (f9e8ef3adf -> cb81148dba)
This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to branch 10.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git

    from f9e8ef3adf Fix copy/paste error
     new a6ff8a899b Clean up - no functional change
     new 0bc6d80e5a Allow sub-class to decide if session being null is an issue or not
     new cb81148dba Refactor calls to getNonceCache() so only called when necessary.

The 3 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.

Summary of changes:
 .../catalina/filters/CsrfPreventionFilter.java | 36 ++
 1 file changed, 23 insertions(+), 13 deletions(-)
[Bug 65853] [CsrfPreventionFilter] Extract evaluation of skipNonceCheck into overridable method
https://bz.apache.org/bugzilla/show_bug.cgi?id=65853

--- Comment #18 from Mark Thomas ---
So in your code the call to getNonceCache() will create a cache instance if none is found? That doesn't seem quite right. I'd expect that method to return null if the cache doesn't exist rather than create a new instance.

I've refactored things a bit more so getNonceCache() is only called when necessary. Let me know what you think.
[tomcat] 01/03: Clean up - no functional change
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 258162cf4b8209060e8d85d2e289feeaad4c726a Author: Mark Thomas AuthorDate: Tue May 10 16:13:31 2022 +0100 Clean up - no functional change --- .../catalina/filters/CsrfPreventionFilter.java | 21 ++--- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/java/org/apache/catalina/filters/CsrfPreventionFilter.java b/java/org/apache/catalina/filters/CsrfPreventionFilter.java index 569f583617..fce6a99d96 100644 --- a/java/org/apache/catalina/filters/CsrfPreventionFilter.java +++ b/java/org/apache/catalina/filters/CsrfPreventionFilter.java @@ -123,11 +123,10 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase { NonceCache nonceCache = (session == null) ? null : getNonceCache(req, session); if (!skipNonceCheck(req)) { -String previousNonce = -req.getParameter(nonceRequestParameterName); +String previousNonce = req.getParameter(nonceRequestParameterName); -if(previousNonce == null) { -if(log.isDebugEnabled()) { +if (previousNonce == null) { +if (log.isDebugEnabled()) { log.debug("Rejecting request for " + getRequestedPath(req) + ", session " + (null == session ? "(none)" : session.getId()) @@ -136,8 +135,8 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase { res.sendError(getDenyStatus()); return; -} else if(nonceCache == null) { -if(log.isDebugEnabled()) { +} else if (nonceCache == null) { +if (log.isDebugEnabled()) { log.debug("Rejecting request for " + getRequestedPath(req) + ", session " + (null == session ? "(none)" : session.getId()) 
@@ -146,8 +145,8 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase { res.sendError(getDenyStatus()); return; -} else if(!nonceCache.contains(previousNonce)) { -if(log.isDebugEnabled()) { +} else if (!nonceCache.contains(previousNonce)) { +if (log.isDebugEnabled()) { log.debug("Rejecting request for " + getRequestedPath(req) + ", session " + (null == session ? "(none)" : session.getId()) @@ -157,7 +156,7 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase { res.sendError(getDenyStatus()); return; } -if(log.isTraceEnabled()) { +if (log.isTraceEnabled()) { log.trace("Allowing request to " + getRequestedPath(req) + " with valid CSRF nonce " + previousNonce); } @@ -165,12 +164,12 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase { if (!skipNonceGeneration(req)) { if (nonceCache == null) { -if(log.isDebugEnabled()) { +if (log.isDebugEnabled()) { log.debug("Creating new CSRF nonce cache with size=" + nonceCacheSize + " for session " + (null == session ? "(will create)" : session.getId())); } if (session == null) { -if(log.isDebugEnabled()) { +if (log.isDebugEnabled()) { log.debug("Creating new session to store CSRF nonce cache"); } - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] 03/03: Refactor calls to getNonceCache() so only called when necessary.
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git commit d0971c3f0781b37c2f3b3e0092587c69dd4e6fbd Author: Mark Thomas AuthorDate: Tue May 10 16:33:51 2022 +0100 Refactor calls to getNonceCache() so only called when necessary. --- java/org/apache/catalina/filters/CsrfPreventionFilter.java | 14 +++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/java/org/apache/catalina/filters/CsrfPreventionFilter.java b/java/org/apache/catalina/filters/CsrfPreventionFilter.java index 26c0fe3a5c..cde762e76b 100644 --- a/java/org/apache/catalina/filters/CsrfPreventionFilter.java +++ b/java/org/apache/catalina/filters/CsrfPreventionFilter.java @@ -120,9 +120,10 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase { HttpSession session = req.getSession(false); -NonceCache nonceCache = getNonceCache(req, session); +boolean skipNonceCheck = skipNonceCheck(req); +NonceCache nonceCache = null; -if (!skipNonceCheck(req)) { +if (!skipNonceCheck) { String previousNonce = req.getParameter(nonceRequestParameterName); if (previousNonce == null) { @@ -135,7 +136,10 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase { res.sendError(getDenyStatus()); return; -} else if (nonceCache == null) { +} + +nonceCache = getNonceCache(req, session); +if (nonceCache == null) { if (log.isDebugEnabled()) { log.debug("Rejecting request for " + getRequestedPath(req) + ", session " 
@@ -163,6 +167,10 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase { } if (!skipNonceGeneration(req)) { +if (skipNonceCheck) { +// Didn't look up nonce cache earlier so look it up now. +nonceCache = getNonceCache(req, session); +} if (nonceCache == null) { if (log.isDebugEnabled()) { log.debug("Creating new CSRF nonce cache with size=" + nonceCacheSize + " for session " + (null == session ? "(will create)" : session.getId())); - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
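Review bot: The new local `boolean skipNonceCheck` in the first hunk has the same name as the skipNonceCheck(req) method whose result it stores, so `if (!skipNonceCheck)` and the removed `if (!skipNonceCheck(req))` differ only by the call parentheses and are easy to misread in later diffs. A distinct name for the local would help, together with a one-line comment that the result is kept so the method is evaluated once per request and reused in the generation block.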
[tomcat] 02/03: Allow sub-class to decide if session being null is an issue or not
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git commit cc36dd4bb334a86d5624892236e16adab0307900 Author: Mark Thomas AuthorDate: Tue May 10 16:14:51 2022 +0100 Allow sub-class to decide if session being null is an issue or not --- java/org/apache/catalina/filters/CsrfPreventionFilter.java | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/java/org/apache/catalina/filters/CsrfPreventionFilter.java b/java/org/apache/catalina/filters/CsrfPreventionFilter.java index fce6a99d96..26c0fe3a5c 100644 --- a/java/org/apache/catalina/filters/CsrfPreventionFilter.java +++ b/java/org/apache/catalina/filters/CsrfPreventionFilter.java @@ -120,7 +120,7 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase { HttpSession session = req.getSession(false); -NonceCache nonceCache = (session == null) ? null : getNonceCache(req, session); +NonceCache nonceCache = getNonceCache(req, session); if (!skipNonceCheck(req)) { String previousNonce = req.getParameter(nonceRequestParameterName); @@ -265,6 +265,9 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase { * and/or session */ protected NonceCache getNonceCache(HttpServletRequest request, HttpSession session) { +if (session == null) { +return null; +} @SuppressWarnings("unchecked") NonceCache nonceCache = (NonceCache) session.getAttribute(Constants.CSRF_NONCE_SESSION_ATTR_NAME); - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch main updated (352a55934b -> d0971c3f07)
This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git

    from 352a55934b Fix copy/paste error
     new 258162cf4b Clean up - no functional change
     new cc36dd4bb3 Allow sub-class to decide if session being null is an issue or not
     new d0971c3f07 Refactor calls to getNonceCache() so only called when necessary.

The 3 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.

Summary of changes:
 .../catalina/filters/CsrfPreventionFilter.java | 36 ++
 1 file changed, 23 insertions(+), 13 deletions(-)
[GitHub] [tomcat] ChristopherSchultz commented on pull request #511: Allow to decrypt PEM keys.
ChristopherSchultz commented on PR #511:
URL: https://github.com/apache/tomcat/pull/511#issuecomment-1122525000

> Mostly done but I'm looking at trying to make the support for encrypted PKCS1 files more generic rather than just supporting the one cipher.

I had the same problem: https://github.com/ChristopherSchultz/pem-utils/blob/main/src/main/java/net/christopherschultz/pemutils/PEMFile.java#L404
[tomcat] branch 8.5.x updated: Fix copy/paste error
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/8.5.x by this push: new 9dc00acdd0 Fix copy/paste error 9dc00acdd0 is described below commit 9dc00acdd04be9554954e5400d6c5f7650512c3d Author: Mark Thomas AuthorDate: Tue May 10 16:09:38 2022 +0100 Fix copy/paste error --- java/org/apache/catalina/filters/CsrfPreventionFilter.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/java/org/apache/catalina/filters/CsrfPreventionFilter.java b/java/org/apache/catalina/filters/CsrfPreventionFilter.java index 2f811c226b..bfa65fc99c 100644 --- a/java/org/apache/catalina/filters/CsrfPreventionFilter.java +++ b/java/org/apache/catalina/filters/CsrfPreventionFilter.java @@ -262,7 +262,8 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase { * cache. Unused by the default implementation. * @param session The session associated with the request. * - * @return A newly created {@link NonceCache} + * @return The {@link NonceCache} currently associated with the request + * and/or session */ protected NonceCache getNonceCache(HttpServletRequest request, HttpSession session) { @SuppressWarnings("unchecked") - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
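Review bot: The corrected @return text still does not say what the method returns when no cache is associated with the request or session yet. Overriding classes and callers need to know whether that case yields null or a new instance. If null is the intended contract, add something like "or {@code null} if none exists" to the @return line.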
[tomcat] branch 9.0.x updated: Fix copy/paste error
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new c832fc6498 Fix copy/paste error c832fc6498 is described below commit c832fc6498be5a384240e14384974e6162d183e2 Author: Mark Thomas AuthorDate: Tue May 10 16:09:38 2022 +0100 Fix copy/paste error --- java/org/apache/catalina/filters/CsrfPreventionFilter.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/java/org/apache/catalina/filters/CsrfPreventionFilter.java b/java/org/apache/catalina/filters/CsrfPreventionFilter.java index 2f811c226b..bfa65fc99c 100644 --- a/java/org/apache/catalina/filters/CsrfPreventionFilter.java +++ b/java/org/apache/catalina/filters/CsrfPreventionFilter.java @@ -262,7 +262,8 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase { * cache. Unused by the default implementation. * @param session The session associated with the request. * - * @return A newly created {@link NonceCache} + * @return The {@link NonceCache} currently associated with the request + * and/or session */ protected NonceCache getNonceCache(HttpServletRequest request, HttpSession session) { @SuppressWarnings("unchecked") - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 10.0.x updated: Fix copy/paste error
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.0.x by this push: new f9e8ef3adf Fix copy/paste error f9e8ef3adf is described below commit f9e8ef3adf62d7586dafc675107ecd44cdf38889 Author: Mark Thomas AuthorDate: Tue May 10 16:09:38 2022 +0100 Fix copy/paste error --- java/org/apache/catalina/filters/CsrfPreventionFilter.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/java/org/apache/catalina/filters/CsrfPreventionFilter.java b/java/org/apache/catalina/filters/CsrfPreventionFilter.java index 575c7a4fe6..87e10f5fc3 100644 --- a/java/org/apache/catalina/filters/CsrfPreventionFilter.java +++ b/java/org/apache/catalina/filters/CsrfPreventionFilter.java @@ -262,7 +262,8 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase { * cache. Unused by the default implementation. * @param session The session associated with the request. * - * @return A newly created {@link NonceCache} + * @return The {@link NonceCache} currently associated with the request + * and/or session */ protected NonceCache getNonceCache(HttpServletRequest request, HttpSession session) { @SuppressWarnings("unchecked") - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch main updated: Fix copy/paste error
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new 352a55934b Fix copy/paste error 352a55934b is described below commit 352a55934bb8198db7249fde6f9cfb2a8053b285 Author: Mark Thomas AuthorDate: Tue May 10 16:09:38 2022 +0100 Fix copy/paste error --- java/org/apache/catalina/filters/CsrfPreventionFilter.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/java/org/apache/catalina/filters/CsrfPreventionFilter.java b/java/org/apache/catalina/filters/CsrfPreventionFilter.java index c4bab4818f..569f583617 100644 --- a/java/org/apache/catalina/filters/CsrfPreventionFilter.java +++ b/java/org/apache/catalina/filters/CsrfPreventionFilter.java @@ -262,7 +262,8 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase { * cache. Unused by the default implementation. * @param session The session associated with the request. * - * @return A newly created {@link NonceCache} + * @return The {@link NonceCache} currently associated with the request + * and/or session */ protected NonceCache getNonceCache(HttpServletRequest request, HttpSession session) { @SuppressWarnings("unchecked") - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 8.5.x updated: Fix PEM file lookup so it works with Ant and IDEs
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/8.5.x by this push: new c28a437b85 Fix PEM file lookup so it works with Ant and IDEs c28a437b85 is described below commit c28a437b852641290294e6e22f7650051b15f079 Author: Mark Thomas AuthorDate: Tue May 10 15:50:39 2022 +0100 Fix PEM file lookup so it works with Ant and IDEs --- test/org/apache/tomcat/util/net/jsse/TestPEMFile.java | 8 +++- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java b/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java index 1be9419d58..620d16947e 100644 --- a/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java +++ b/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java @@ -18,9 +18,7 @@ package org.apache.tomcat.util.net.jsse; import java.io.File; import java.io.IOException; -import java.net.URI; import java.net.URISyntaxException; -import java.net.URL; import java.security.PrivateKey; import org.junit.Assert; @@ -80,9 +78,9 @@ public class TestPEMFile { private String getPath(String file) throws URISyntaxException, IOException { -URL url = this.getClass().getResource(file); -URI uri = url.toURI(); -File f = new File(uri); +String packageName = this.getClass().getPackageName(); +String path = packageName.replaceAll("\\.", File.separator); +File f = new File("test" + File.separator + path + File.separator + file); return f.getCanonicalPath(); } - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
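Review bot: In the getPath hunk, `packageName.replaceAll("\\.", File.separator)` passes File.separator as a regex replacement string. On Windows that string is a single backslash, which String.replaceAll treats as an incomplete escape and rejects with IllegalArgumentException. Use `packageName.replace('.', File.separatorChar)`, which involves no regex, or wrap the replacement in Matcher.quoteReplacement. The method also no longer builds a URI, so `throws URISyntaxException` and the retained `import java.net.URISyntaxException` look like leftovers.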
[tomcat] branch 9.0.x updated: Fix PEM file lookup so it works with Ant and IDEs
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new 4d0e54e3b6 Fix PEM file lookup so it works with Ant and IDEs 4d0e54e3b6 is described below commit 4d0e54e3b6af7cc8bb32706c388fc1d851bca7c3 Author: Mark Thomas AuthorDate: Tue May 10 15:50:39 2022 +0100 Fix PEM file lookup so it works with Ant and IDEs --- test/org/apache/tomcat/util/net/jsse/TestPEMFile.java | 8 +++- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java b/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java index 1be9419d58..620d16947e 100644 --- a/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java +++ b/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java @@ -18,9 +18,7 @@ package org.apache.tomcat.util.net.jsse; import java.io.File; import java.io.IOException; -import java.net.URI; import java.net.URISyntaxException; -import java.net.URL; import java.security.PrivateKey; import org.junit.Assert; @@ -80,9 +78,9 @@ public class TestPEMFile { private String getPath(String file) throws URISyntaxException, IOException { -URL url = this.getClass().getResource(file); -URI uri = url.toURI(); -File f = new File(uri); +String packageName = this.getClass().getPackageName(); +String path = packageName.replaceAll("\\.", File.separator); +File f = new File("test" + File.separator + path + File.separator + file); return f.getCanonicalPath(); } - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
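Review bot: `this.getClass().getPackageName()` in the new getPath body is a Java 9 API (Class.getPackageName was added in 9), so this backport only compiles if the 9.0.x test tree is built at that level or later; please confirm against the branch's minimum Java version. `getClass().getPackage().getName()` returns the same string on older runtimes. The lookup is now also relative to the working directory (`new File("test" + File.separator + ...)`), so a comment stating that the tests must be launched from the source root would help whoever next sees a file-not-found failure here.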
[tomcat] branch 10.0.x updated: Fix PEM file lookup so it works with Ant and IDEs
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.0.x by this push: new b2d13a1265 Fix PEM file lookup so it works with Ant and IDEs b2d13a1265 is described below commit b2d13a1265b4e20332f8e739ad66a303f890b9ae Author: Mark Thomas AuthorDate: Tue May 10 15:50:39 2022 +0100 Fix PEM file lookup so it works with Ant and IDEs --- test/org/apache/tomcat/util/net/jsse/TestPEMFile.java | 8 +++- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java b/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java index 1be9419d58..620d16947e 100644 --- a/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java +++ b/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java @@ -18,9 +18,7 @@ package org.apache.tomcat.util.net.jsse; import java.io.File; import java.io.IOException; -import java.net.URI; import java.net.URISyntaxException; -import java.net.URL; import java.security.PrivateKey; import org.junit.Assert; @@ -80,9 +78,9 @@ public class TestPEMFile { private String getPath(String file) throws URISyntaxException, IOException { -URL url = this.getClass().getResource(file); -URI uri = url.toURI(); -File f = new File(uri); +String packageName = this.getClass().getPackageName(); +String path = packageName.replaceAll("\\.", File.separator); +File f = new File("test" + File.separator + path + File.separator + file); return f.getCanonicalPath(); } - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch main updated: Fix PEM file lookup so it works with Ant and IDEs
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new 13f3e971f2 Fix PEM file lookup so it works with Ant and IDEs 13f3e971f2 is described below commit 13f3e971f2afe5c20248eb5d80a2f0e1913200c4 Author: Mark Thomas AuthorDate: Tue May 10 15:50:39 2022 +0100 Fix PEM file lookup so it works with Ant and IDEs --- test/org/apache/tomcat/util/net/jsse/TestPEMFile.java | 8 +++- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java b/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java index 1be9419d58..620d16947e 100644 --- a/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java +++ b/test/org/apache/tomcat/util/net/jsse/TestPEMFile.java @@ -18,9 +18,7 @@ package org.apache.tomcat.util.net.jsse; import java.io.File; import java.io.IOException; -import java.net.URI; import java.net.URISyntaxException; -import java.net.URL; import java.security.PrivateKey; import org.junit.Assert; @@ -80,9 +78,9 @@ public class TestPEMFile { private String getPath(String file) throws URISyntaxException, IOException { -URL url = this.getClass().getResource(file); -URI uri = url.toURI(); -File f = new File(uri); +String packageName = this.getClass().getPackageName(); +String path = packageName.replaceAll("\\.", File.separator); +File f = new File("test" + File.separator + path + File.separator + file); return f.getCanonicalPath(); } - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 9.0.x updated: Remove meaningless code
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new a6fc970985 Remove meaningless code a6fc970985 is described below commit a6fc97098579e308346ac08ca8f7c67382b6b056 Author: lihan AuthorDate: Sun May 8 19:32:59 2022 +0800 Remove meaningless code --- .../org/apache/catalina/core/StandardThreadExecutor.java | 16 java/org/apache/catalina/core/mbeans-descriptors.xml | 4 webapps/docs/changelog.xml | 6 ++ webapps/docs/config/executor.xml | 4 4 files changed, 6 insertions(+), 24 deletions(-) diff --git a/java/org/apache/catalina/core/StandardThreadExecutor.java b/java/org/apache/catalina/core/StandardThreadExecutor.java index 2f8aaf4d2c..6e18c61852 100644 --- a/java/org/apache/catalina/core/StandardThreadExecutor.java +++ b/java/org/apache/catalina/core/StandardThreadExecutor.java @@ -74,11 +74,6 @@ public class StandardThreadExecutor extends LifecycleMBeanBase */ protected String name; -/** - * prestart threads? - */ -protected boolean prestartminSpareThreads = false; - /** * The maximum number of elements that can queue up before we reject them */ @@ -121,9 +116,6 @@ public class StandardThreadExecutor extends LifecycleMBeanBase TaskThreadFactory tf = new TaskThreadFactory(namePrefix,daemon,getThreadPriority()); executor = new ThreadPoolExecutor(getMinSpareThreads(), getMaxThreads(), maxIdleTime, TimeUnit.MILLISECONDS,taskqueue, tf); executor.setThreadRenewalDelay(threadRenewalDelay); -if (prestartminSpareThreads) { -executor.prestartAllCoreThreads(); -} taskqueue.setParent(executor); setState(LifecycleState.STARTING); 
@@ -214,10 +206,6 @@ public class StandardThreadExecutor extends LifecycleMBeanBase return name; } -public boolean isPrestartminSpareThreads() { - -return prestartminSpareThreads; -} public void setThreadPriority(int threadPriority) { this.threadPriority = threadPriority; } @@ -251,10 +239,6 @@ public class StandardThreadExecutor extends LifecycleMBeanBase } } -public void setPrestartminSpareThreads(boolean prestartminSpareThreads) { -this.prestartminSpareThreads = prestartminSpareThreads; -} - public void setName(String name) { this.name = name; } diff --git a/java/org/apache/catalina/core/mbeans-descriptors.xml b/java/org/apache/catalina/core/mbeans-descriptors.xml index a64137b2b9..b329a0331a 100644 --- a/java/org/apache/catalina/core/mbeans-descriptors.xml +++ b/java/org/apache/catalina/core/mbeans-descriptors.xml @@ -1520,10 +1520,6 @@ type="int" writeable="false" /> - 511. (jfclere/markt) + +Remove the prestartminSpareThreads attribute of the +StandardThreadExecutor since all core threads are always +started by default making this attribute meaningless. Pull request +510 provided by Aooohan. (markt) + diff --git a/webapps/docs/config/executor.xml b/webapps/docs/config/executor.xml index b896a91587..05b1420b8e 100644 --- a/webapps/docs/config/executor.xml +++ b/webapps/docs/config/executor.xml @@ -107,10 +107,6 @@ (int) The maximum number of runnable tasks that can queue up awaiting execution before we reject them. Default value is Integer.MAX_VALUE - - (boolean) Whether minSpareThreads should be started when starting the Executor or not, - the default is false - (long) If a ThreadLocalLeakPreventionListener is configured, it will notify this executor about stopped contexts. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
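Review bot: Removing the public `isPrestartminSpareThreads()` and `setPrestartminSpareThreads(boolean)` accessors outright, in the hunks at @@ -214 and @@ -251, is a source-level and configuration-level break on a stable branch: code that calls the setter stops compiling, and a server.xml Executor that still sets prestartminSpareThreads no longer has a property to bind to. Since the change log entry calls the attribute meaningless rather than harmful, consider keeping both methods as deprecated no-ops on 9.0.x and 8.5.x and removing them only on main. The entry would also be easier to verify if it named where the core threads are started, because the remaining `new ThreadPoolExecutor(getMinSpareThreads(), ...)` call in the @@ -121 hunk does not show it.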
[tomcat] branch 8.5.x updated: Remove meaningless code
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/8.5.x by this push: new 7957a1d52a Remove meaningless code 7957a1d52a is described below commit 7957a1d52a53685187a58129dc683f1b128b43dc Author: lihan AuthorDate: Sun May 8 19:32:59 2022 +0800 Remove meaningless code --- .../org/apache/catalina/core/StandardThreadExecutor.java | 16 java/org/apache/catalina/core/mbeans-descriptors.xml | 4 webapps/docs/changelog.xml | 6 ++ webapps/docs/config/executor.xml | 4 4 files changed, 6 insertions(+), 24 deletions(-) diff --git a/java/org/apache/catalina/core/StandardThreadExecutor.java b/java/org/apache/catalina/core/StandardThreadExecutor.java index 2f8aaf4d2c..6e18c61852 100644 --- a/java/org/apache/catalina/core/StandardThreadExecutor.java +++ b/java/org/apache/catalina/core/StandardThreadExecutor.java @@ -74,11 +74,6 @@ public class StandardThreadExecutor extends LifecycleMBeanBase */ protected String name; -/** - * prestart threads? - */ -protected boolean prestartminSpareThreads = false; - /** * The maximum number of elements that can queue up before we reject them */ @@ -121,9 +116,6 @@ public class StandardThreadExecutor extends LifecycleMBeanBase TaskThreadFactory tf = new TaskThreadFactory(namePrefix,daemon,getThreadPriority()); executor = new ThreadPoolExecutor(getMinSpareThreads(), getMaxThreads(), maxIdleTime, TimeUnit.MILLISECONDS,taskqueue, tf); executor.setThreadRenewalDelay(threadRenewalDelay); -if (prestartminSpareThreads) { -executor.prestartAllCoreThreads(); -} taskqueue.setParent(executor); setState(LifecycleState.STARTING); 
@@ -214,10 +206,6 @@ public class StandardThreadExecutor extends LifecycleMBeanBase return name; } -public boolean isPrestartminSpareThreads() { - -return prestartminSpareThreads; -} public void setThreadPriority(int threadPriority) { this.threadPriority = threadPriority; } @@ -251,10 +239,6 @@ public class StandardThreadExecutor extends LifecycleMBeanBase } } -public void setPrestartminSpareThreads(boolean prestartminSpareThreads) { -this.prestartminSpareThreads = prestartminSpareThreads; -} - public void setName(String name) { this.name = name; } diff --git a/java/org/apache/catalina/core/mbeans-descriptors.xml b/java/org/apache/catalina/core/mbeans-descriptors.xml index e99ab0e173..6eade84f52 100644 --- a/java/org/apache/catalina/core/mbeans-descriptors.xml +++ b/java/org/apache/catalina/core/mbeans-descriptors.xml @@ -1512,10 +1512,6 @@ type="int" writeable="false" /> - 511. (jfclere/markt) + +Remove the prestartminSpareThreads attribute of the +StandardThreadExecutor since all core threads are always +started by default making this attribute meaningless. Pull request +510 provided by Aooohan. (markt) + diff --git a/webapps/docs/config/executor.xml b/webapps/docs/config/executor.xml index b896a91587..05b1420b8e 100644 --- a/webapps/docs/config/executor.xml +++ b/webapps/docs/config/executor.xml @@ -107,10 +107,6 @@ (int) The maximum number of runnable tasks that can queue up awaiting execution before we reject them. Default value is Integer.MAX_VALUE - - (boolean) Whether minSpareThreads should be started when starting the Executor or not, - the default is false - (long) If a ThreadLocalLeakPreventionListener is configured, it will notify this executor about stopped contexts. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 10.0.x updated: Remove meaningless code
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.0.x by this push: new 9317827f7a Remove meaningless code 9317827f7a is described below commit 9317827f7acaead4b203183c31526da331288f92 Author: lihan AuthorDate: Sun May 8 19:32:59 2022 +0800 Remove meaningless code --- .../org/apache/catalina/core/StandardThreadExecutor.java | 16 java/org/apache/catalina/core/mbeans-descriptors.xml | 4 webapps/docs/changelog.xml | 6 ++ webapps/docs/config/executor.xml | 4 4 files changed, 6 insertions(+), 24 deletions(-) diff --git a/java/org/apache/catalina/core/StandardThreadExecutor.java b/java/org/apache/catalina/core/StandardThreadExecutor.java index 2f8aaf4d2c..6e18c61852 100644 --- a/java/org/apache/catalina/core/StandardThreadExecutor.java +++ b/java/org/apache/catalina/core/StandardThreadExecutor.java @@ -74,11 +74,6 @@ public class StandardThreadExecutor extends LifecycleMBeanBase */ protected String name; -/** - * prestart threads? - */ -protected boolean prestartminSpareThreads = false; - /** * The maximum number of elements that can queue up before we reject them */ @@ -121,9 +116,6 @@ public class StandardThreadExecutor extends LifecycleMBeanBase TaskThreadFactory tf = new TaskThreadFactory(namePrefix,daemon,getThreadPriority()); executor = new ThreadPoolExecutor(getMinSpareThreads(), getMaxThreads(), maxIdleTime, TimeUnit.MILLISECONDS,taskqueue, tf); executor.setThreadRenewalDelay(threadRenewalDelay); -if (prestartminSpareThreads) { -executor.prestartAllCoreThreads(); -} taskqueue.setParent(executor); setState(LifecycleState.STARTING); 
@@ -214,10 +206,6 @@ public class StandardThreadExecutor extends LifecycleMBeanBase return name; } -public boolean isPrestartminSpareThreads() { - -return prestartminSpareThreads; -} public void setThreadPriority(int threadPriority) { this.threadPriority = threadPriority; } @@ -251,10 +239,6 @@ public class StandardThreadExecutor extends LifecycleMBeanBase } } -public void setPrestartminSpareThreads(boolean prestartminSpareThreads) { -this.prestartminSpareThreads = prestartminSpareThreads; -} - public void setName(String name) { this.name = name; } diff --git a/java/org/apache/catalina/core/mbeans-descriptors.xml b/java/org/apache/catalina/core/mbeans-descriptors.xml index a04ccbe4af..6fa6a85a02 100644 --- a/java/org/apache/catalina/core/mbeans-descriptors.xml +++ b/java/org/apache/catalina/core/mbeans-descriptors.xml @@ -1524,10 +1524,6 @@ type="int" writeable="false" /> - 511. (jfclere/markt) + +Remove the prestartminSpareThreads attribute of the +StandardThreadExecutor since all core threads are always +started by default making this attribute meaningless. Pull request +510 provided by Aooohan. (markt) + diff --git a/webapps/docs/config/executor.xml b/webapps/docs/config/executor.xml index b896a91587..05b1420b8e 100644 --- a/webapps/docs/config/executor.xml +++ b/webapps/docs/config/executor.xml @@ -107,10 +107,6 @@ (int) The maximum number of runnable tasks that can queue up awaiting execution before we reject them. Default value is Integer.MAX_VALUE - - (boolean) Whether minSpareThreads should be started when starting the Executor or not, - the default is false - (long) If a ThreadLocalLeakPreventionListener is configured, it will notify this executor about stopped contexts. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch main updated: Update change log
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new 85a4325284 Update change log 85a4325284 is described below commit 85a4325284625fb700b2f35599057519185e3e8d Author: Mark Thomas AuthorDate: Tue May 10 15:44:45 2022 +0100 Update change log --- webapps/docs/changelog.xml | 6 ++ 1 file changed, 6 insertions(+) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index c259287aa4..f8583c3a8a 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -168,6 +168,12 @@ the internal, in memory key store. Based on 511. (jfclere/markt) + +Remove the prestartminSpareThreads attribute of the +StandardThreadExecutor since all core threads are always +started by default making this attribute meaningless. Pull request +510 provided by Aooohan. (markt) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] 02/02: Remove meaningless code
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 366bb95af80b65ce288de094b632546ef3f06839 Author: lihan AuthorDate: Sun May 8 20:13:35 2022 +0800 Remove meaningless code --- java/org/apache/catalina/core/mbeans-descriptors.xml | 4 1 file changed, 4 deletions(-) diff --git a/java/org/apache/catalina/core/mbeans-descriptors.xml b/java/org/apache/catalina/core/mbeans-descriptors.xml index db0d6ca38e..a86207780f 100644 --- a/java/org/apache/catalina/core/mbeans-descriptors.xml +++ b/java/org/apache/catalina/core/mbeans-descriptors.xml @@ -1524,10 +1524,6 @@ type="int" writeable="false" /> -
[tomcat] 01/02: Remove meaningless code
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 4a7722a90dca22c6113907ecb2420cd9fa0a4678 Author: lihan AuthorDate: Sun May 8 19:32:59 2022 +0800 Remove meaningless code --- .../org/apache/catalina/core/StandardThreadExecutor.java | 16 webapps/docs/config/executor.xml | 4 2 files changed, 20 deletions(-) diff --git a/java/org/apache/catalina/core/StandardThreadExecutor.java b/java/org/apache/catalina/core/StandardThreadExecutor.java index 2c714efedc..7f926108c8 100644 --- a/java/org/apache/catalina/core/StandardThreadExecutor.java +++ b/java/org/apache/catalina/core/StandardThreadExecutor.java @@ -74,11 +74,6 @@ public class StandardThreadExecutor extends LifecycleMBeanBase */ protected String name; -/** - * prestart threads? - */ -protected boolean prestartminSpareThreads = false; - /** * The maximum number of elements that can queue up before we reject them */ @@ -121,9 +116,6 @@ public class StandardThreadExecutor extends LifecycleMBeanBase TaskThreadFactory tf = new TaskThreadFactory(namePrefix,daemon,getThreadPriority()); executor = new ThreadPoolExecutor(getMinSpareThreads(), getMaxThreads(), maxIdleTime, TimeUnit.MILLISECONDS,taskqueue, tf); executor.setThreadRenewalDelay(threadRenewalDelay); -if (prestartminSpareThreads) { -executor.prestartAllCoreThreads(); -} taskqueue.setParent(executor); setState(LifecycleState.STARTING); @@ -203,10 +195,6 @@ public class StandardThreadExecutor extends LifecycleMBeanBase return name; } -public boolean isPrestartminSpareThreads() { - -return prestartminSpareThreads; -} public void setThreadPriority(int threadPriority) { this.threadPriority = threadPriority; } 
@@ -240,10 +228,6 @@ public class StandardThreadExecutor extends LifecycleMBeanBase } } -public void setPrestartminSpareThreads(boolean prestartminSpareThreads) { -this.prestartminSpareThreads = prestartminSpareThreads; -} - public void setName(String name) { this.name = name; } diff --git a/webapps/docs/config/executor.xml b/webapps/docs/config/executor.xml index b896a91587..05b1420b8e 100644 --- a/webapps/docs/config/executor.xml +++ b/webapps/docs/config/executor.xml @@ -107,10 +107,6 @@ (int) The maximum number of runnable tasks that can queue up awaiting execution before we reject them. Default value is Integer.MAX_VALUE - - (boolean) Whether minSpareThreads should be started when starting the Executor or not, - the default is false - (long) If a ThreadLocalLeakPreventionListener is configured, it will notify this executor about stopped contexts. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch main updated (957133f838 -> 366bb95af8)
This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git

from 957133f838 No need to create a nonce cache if you aren't going to create a nonce
new 4a7722a90d Remove meaningless code
new 366bb95af8 Remove meaningless code

The 2 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.

Summary of changes:
.../org/apache/catalina/core/StandardThreadExecutor.java | 16
java/org/apache/catalina/core/mbeans-descriptors.xml | 4
webapps/docs/config/executor.xml | 4
3 files changed, 24 deletions(-)
[GitHub] [tomcat] markt-asf merged pull request #510: Remove the prestartminSpareThreads field from StandardThreadExecutor
markt-asf merged PR #510: URL: https://github.com/apache/tomcat/pull/510
[Bug 65853] [CsrfPreventionFilter] Extract evaluation of skipNonceCheck into overridable method
https://bz.apache.org/bugzilla/show_bug.cgi?id=65853

--- Comment #17 from Marvin Fröhlich ---
(In reply to Mark Thomas from comment #16)
> Done.

Thanks a lot.

(In reply to Mark Thomas from comment #16)
> Do you mean there is no need to call createNoneCache() since that is what
> happens in lines 166-180?
> I think it is sufficient to make the test at line 166
> if (nonceCache == null && !skipNonceGeneration(req))
>
> If skipNonceCheck(req) is false and nonceCache is null the method will have
> already exited so there is no need to check it at line 166.

I see, I wasn't clear enough. I suggest this code for current 123-125:

##
boolean skipNonceCheck = skipNonceCheck(req);
boolean skipNonceGeneration = skipNonceGeneration(req);
NonceCache nonceCache = ((session == null) || (skipNonceCheck && skipNonceGeneration)) ? null : getNonceCache(req, session);

if (!skipNonceCheck) {
##

This way the call to getNonceCache(req, session) is skipped, if both skipNonceCheck and skipNonceGeneration are true (or no session is available) and hence nonce handling is skipped at all for this request.

This is what I meant by "there's no need to call getNonceCache(req)". You're right with your suggestion about 166.
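The lookup and creation order discussed in comment #17, and changed by the "No need to create a nonce cache" commits, as an added Java illustration: this is a simplified model written for this page, not Tomcat source. The Variant names, the Outcome fields and the reduction of the filter to three steps are assumptions made here.

```java
// Added illustration: a simplified model of the filter's control flow,
// not code from Tomcat. All names below are hypothetical.
public class NonceFlowModel {

    enum Variant { BEFORE_PATCH, AFTER_PATCH, AFTER_PATCH_PLUS_LOOKUP_GUARD }

    /** Side effects one request causes on server-side session state. */
    static final class Outcome {
        boolean cacheLookedUp;
        boolean sessionCreated;
        boolean cacheCreated;
        boolean nonceIssued;
        boolean rejected;

        @Override
        public String toString() {
            if (rejected) {
                return "rejected (no cache to check the nonce against)";
            }
            return "lookup=" + cacheLookedUp + " newSession=" + sessionCreated
                    + " newCache=" + cacheCreated + " nonceIssued=" + nonceIssued;
        }
    }

    static Outcome handle(Variant variant, boolean hasSession, boolean hasCache,
            boolean skipCheck, boolean skipGeneration) {
        Outcome out = new Outcome();
        boolean cachePresent = false;

        // Step 1: look up the cache already stored for this session.
        // Comment #17 proposes skipping the lookup when both flags are true.
        boolean lookupGuarded = variant == Variant.AFTER_PATCH_PLUS_LOOKUP_GUARD
                && skipCheck && skipGeneration;
        if (hasSession && !lookupGuarded) {
            out.cacheLookedUp = true;
            cachePresent = hasCache;
        }

        // Step 2: nonce check. Assumption taken from comment #16: without a
        // cache the method exits here, so later steps never see that state.
        if (!skipCheck && !cachePresent) {
            out.rejected = true;
            return out;
        }

        // Step 3: cache creation and nonce generation. Before the patch the
        // cache (and, if needed, the session) was created unconditionally;
        // after it, only when a nonce is going to be generated.
        boolean createAllowed = variant == Variant.BEFORE_PATCH || !skipGeneration;
        if (createAllowed && !cachePresent) {
            if (!hasSession) {
                out.sessionCreated = true;   // req.getSession(true) in the patch
            }
            out.cacheCreated = true;         // createNonceCache(req, session)
        }
        if (!skipGeneration) {
            out.nonceIssued = true;          // generateNonce(req), nonceCache.add(...)
        }
        return out;
    }

    public static void main(String[] args) {
        boolean[] flags = { false, true };
        for (boolean hasSession : flags) {
            for (boolean skipGeneration : flags) {
                // skipCheck=true: the request is exempt from the nonce check.
                System.out.printf("session=%b skipCheck=true skipGeneration=%b%n",
                        hasSession, skipGeneration);
                for (Variant v : Variant.values()) {
                    System.out.printf("  %-30s %s%n", v,
                            handle(v, hasSession, false, true, skipGeneration));
                }
            }
        }
    }
}
```

The row to look at is session=false, skipGeneration=true: the pre-patch order creates a session and a cache for a request that will never carry a nonce, while both patched variants leave session state untouched.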
[GitHub] [tomcat] druizdeazua opened a new pull request, #513: Typo on changelog.xml, changed from jsp:pluing to jsp:plugin.
druizdeazua opened a new pull request, #513:
URL: https://github.com/apache/tomcat/pull/513

While going through changelog.xml file found small typo, just providing small correction. from jsp:pluing to jsp:plugin, below impacted section:

To align with the JSP 3.1 specification, make the jsp:pluing action a NO-OP. No HTML will be generated as a result the jsp:pluing action being included in a JSP. This is be because the associated HTML elements are no longer supported by any major browser. (markt)

https://github.com/apache/tomcat/compare/main...druizdeazua:main#diff-57d2f0a72170743f6c3687a48997b2aa37d8d209efe200f00a0b9dc51fc7e572

Please reject pull request if required, I just wanted the team to be aware. Thanks.
[tomcat] branch 8.5.x updated: No need to create a nonce cache if you aren't going to create a nonce
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/8.5.x by this push: new 84fa8914b9 No need to create a nonce cache if you aren't going to create a nonce 84fa8914b9 is described below commit 84fa8914b9b24cf526b757163c8b9d60ff2ec24a Author: Mark Thomas AuthorDate: Tue May 10 14:47:13 2022 +0100 No need to create a nonce cache if you aren't going to create a nonce --- .../catalina/filters/CsrfPreventionFilter.java | 24 +++--- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/java/org/apache/catalina/filters/CsrfPreventionFilter.java b/java/org/apache/catalina/filters/CsrfPreventionFilter.java index 4e179d1c18..2f811c226b 100644 --- a/java/org/apache/catalina/filters/CsrfPreventionFilter.java +++ b/java/org/apache/catalina/filters/CsrfPreventionFilter.java 
@@ -163,23 +163,23 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase { } } -if (nonceCache == null) { -if(log.isDebugEnabled()) { -log.debug("Creating new CSRF nonce cache with size=" + nonceCacheSize + " for session " + (null == session ? "(will create)" : session.getId())); -} - -if (session == null) { +if (!skipNonceGeneration(req)) { +if (nonceCache == null) { if(log.isDebugEnabled()) { - log.debug("Creating new session to store CSRF nonce cache"); +log.debug("Creating new CSRF nonce cache with size=" + nonceCacheSize + " for session " + (null == session ? "(will create)" : session.getId())); } -session = req.getSession(true); -} +if (session == null) { +if(log.isDebugEnabled()) { + log.debug("Creating new session to store CSRF nonce cache"); +} -nonceCache = createNonceCache(req, session); -} +session = req.getSession(true); +} + +nonceCache = createNonceCache(req, session); +} -if (!skipNonceGeneration(req)) { String newNonce = generateNonce(req); nonceCache.add(newNonce); - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
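Review bot: Moving the `nonceCache == null` block inside `if (!skipNonceGeneration(req))` changes observable behaviour, not just allocation: a request for which nonce generation is skipped no longer reaches `req.getSession(true)`, so it stops creating a session. That is the desirable outcome, but the diffstat shows only CsrfPreventionFilter.java touched; please add a test asserting that such a request leaves `req.getSession(false)` returning null, and a change log entry describing the new behaviour. Style nit in the re-indented lines: `if(log.isDebugEnabled())` is missing the space after `if`.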
[tomcat] branch 9.0.x updated: No need to create a nonce cache if you aren't going to create a nonce
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new 9ce3e28e53 No need to create a nonce cache if you aren't going to create a nonce 9ce3e28e53 is described below commit 9ce3e28e53cfb9904d4f9a75341b2740c70d24df Author: Mark Thomas AuthorDate: Tue May 10 14:47:13 2022 +0100 No need to create a nonce cache if you aren't going to create a nonce --- .../catalina/filters/CsrfPreventionFilter.java | 24 +++--- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/java/org/apache/catalina/filters/CsrfPreventionFilter.java b/java/org/apache/catalina/filters/CsrfPreventionFilter.java index 4e179d1c18..2f811c226b 100644 --- a/java/org/apache/catalina/filters/CsrfPreventionFilter.java +++ b/java/org/apache/catalina/filters/CsrfPreventionFilter.java 
@@ -163,23 +163,23 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase { } } -if (nonceCache == null) { -if(log.isDebugEnabled()) { -log.debug("Creating new CSRF nonce cache with size=" + nonceCacheSize + " for session " + (null == session ? "(will create)" : session.getId())); -} - -if (session == null) { +if (!skipNonceGeneration(req)) { +if (nonceCache == null) { if(log.isDebugEnabled()) { - log.debug("Creating new session to store CSRF nonce cache"); +log.debug("Creating new CSRF nonce cache with size=" + nonceCacheSize + " for session " + (null == session ? "(will create)" : session.getId())); } -session = req.getSession(true); -} +if (session == null) { +if(log.isDebugEnabled()) { + log.debug("Creating new session to store CSRF nonce cache"); +} -nonceCache = createNonceCache(req, session); -} +session = req.getSession(true); +} + +nonceCache = createNonceCache(req, session); +} -if (!skipNonceGeneration(req)) { String newNonce = generateNonce(req); nonceCache.add(newNonce); - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 10.0.x updated: No need to create a nonce cache if you aren't going to create a nonce
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.0.x by this push: new dc0fe4 No need to create a nonce cache if you aren't going to create a nonce dc0fe4 is described below commit dc0fe439e88767d1e893fc553d600929b401 Author: Mark Thomas AuthorDate: Tue May 10 14:47:13 2022 +0100 No need to create a nonce cache if you aren't going to create a nonce --- .../catalina/filters/CsrfPreventionFilter.java | 24 +++--- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/java/org/apache/catalina/filters/CsrfPreventionFilter.java b/java/org/apache/catalina/filters/CsrfPreventionFilter.java index f4f170b9e6..575c7a4fe6 100644 --- a/java/org/apache/catalina/filters/CsrfPreventionFilter.java +++ b/java/org/apache/catalina/filters/CsrfPreventionFilter.java 
@@ -163,23 +163,23 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase { } } -if (nonceCache == null) { -if(log.isDebugEnabled()) { -log.debug("Creating new CSRF nonce cache with size=" + nonceCacheSize + " for session " + (null == session ? "(will create)" : session.getId())); -} - -if (session == null) { +if (!skipNonceGeneration(req)) { +if (nonceCache == null) { if(log.isDebugEnabled()) { - log.debug("Creating new session to store CSRF nonce cache"); +log.debug("Creating new CSRF nonce cache with size=" + nonceCacheSize + " for session " + (null == session ? "(will create)" : session.getId())); } -session = req.getSession(true); -} +if (session == null) { +if(log.isDebugEnabled()) { + log.debug("Creating new session to store CSRF nonce cache"); +} -nonceCache = createNonceCache(req, session); -} +session = req.getSession(true); +} + +nonceCache = createNonceCache(req, session); +} -if (!skipNonceGeneration(req)) { String newNonce = generateNonce(req); nonceCache.add(newNonce); - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch main updated: No need to create a nonce cache if you aren't going to create a nonce
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new 957133f838 No need to create a nonce cache if you aren't going to create a nonce 957133f838 is described below commit 957133f83878ca9d948fd9cd477294a7318963de Author: Mark Thomas AuthorDate: Tue May 10 14:47:13 2022 +0100 No need to create a nonce cache if you aren't going to create a nonce --- .../catalina/filters/CsrfPreventionFilter.java | 24 +++--- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/java/org/apache/catalina/filters/CsrfPreventionFilter.java b/java/org/apache/catalina/filters/CsrfPreventionFilter.java index 26279400a3..c4bab4818f 100644 --- a/java/org/apache/catalina/filters/CsrfPreventionFilter.java +++ b/java/org/apache/catalina/filters/CsrfPreventionFilter.java 
@@ -163,23 +163,23 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase { } } -if (nonceCache == null) { -if(log.isDebugEnabled()) { -log.debug("Creating new CSRF nonce cache with size=" + nonceCacheSize + " for session " + (null == session ? "(will create)" : session.getId())); -} - -if (session == null) { +if (!skipNonceGeneration(req)) { +if (nonceCache == null) { if(log.isDebugEnabled()) { - log.debug("Creating new session to store CSRF nonce cache"); +log.debug("Creating new CSRF nonce cache with size=" + nonceCacheSize + " for session " + (null == session ? "(will create)" : session.getId())); } -session = req.getSession(true); -} +if (session == null) { +if(log.isDebugEnabled()) { + log.debug("Creating new session to store CSRF nonce cache"); +} -nonceCache = createNonceCache(req, session); -} +session = req.getSession(true); +} + +nonceCache = createNonceCache(req, session); +} -if (!skipNonceGeneration(req)) { String newNonce = generateNonce(req); nonceCache.add(newNonce); - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 65853] [CsrfPreventionFilter] Extract evaluation of skipNonceCheck into overridable method
https://bz.apache.org/bugzilla/show_bug.cgi?id=65853

--- Comment #16 from Mark Thomas ---
(In reply to Marvin Fröhlich from comment #15)
> For one there is no need to call getNonceCache(req), if both
> skipNonceCheck(req) and skipNonceGeneration(req) return true. For us it is
> actually malicious, because in these cases a new cache instance is created,
> that hurts later. I suggest to skip the block 166 to 180, if both extension
> points return true.

Do you mean there is no need to call createNonceCache() since that is what happens in lines 166-180?

I think it is sufficient to make the test at line 166

  if (nonceCache == null && !skipNonceGeneration(req))

If skipNonceCheck(req) is false and nonceCache is null the method will have already exited so there is no need to check it at line 166.

> And much less minor: If skipNonceGeneration(req) is true, wRequest remains
> null and is later passed into chain.doFilter(request, wRequest). It must
> fall back to response in this case.
>
> Maybe it wouldn't hurt to change line 204 like this:
>
> chain.doFilter(request, wResponse != null ? wResponse : response);

Done.
[tomcat] branch 8.5.x updated: Avoid null response
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/8.5.x by this push: new eb1a95ac47 Avoid null response eb1a95ac47 is described below commit eb1a95ac47ca4862bb3ae1c6b9f60766c3e3d3f0 Author: Mark Thomas AuthorDate: Tue May 10 14:17:06 2022 +0100 Avoid null response --- java/org/apache/catalina/filters/CsrfPreventionFilter.java | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/java/org/apache/catalina/filters/CsrfPreventionFilter.java b/java/org/apache/catalina/filters/CsrfPreventionFilter.java index 159d8ed318..4e179d1c18 100644 --- a/java/org/apache/catalina/filters/CsrfPreventionFilter.java +++ b/java/org/apache/catalina/filters/CsrfPreventionFilter.java @@ -191,11 +191,9 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase { wResponse = new CsrfResponseWrapper(res, nonceRequestParameterName, newNonce); } -} else { -wResponse = response; } -chain.doFilter(request, wResponse); +chain.doFilter(request, wResponse == null ? response : wResponse); } - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
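Review bot: The null handling now exists only in the call chain.doFilter(request, wResponse == null ? response : wResponse), so wResponse can still be null at every point between its declaration and that line. The removed else branch shows that wResponse = response is a valid assignment, so initialising wResponse to response where it is declared (outside this hunk) would make the variable never null and let the call stay as chain.doFilter(request, wResponse). The diffstat shows no test change, so the path on which no CsrfResponseWrapper is created is still not covered by a test in this commit.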
[tomcat] branch 9.0.x updated: Avoid null response
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new 0cd7fad07f Avoid null response 0cd7fad07f is described below commit 0cd7fad07f448c335c5b5014ecdc5036f5af36ef Author: Mark Thomas AuthorDate: Tue May 10 14:17:06 2022 +0100 Avoid null response --- java/org/apache/catalina/filters/CsrfPreventionFilter.java | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/java/org/apache/catalina/filters/CsrfPreventionFilter.java b/java/org/apache/catalina/filters/CsrfPreventionFilter.java index 159d8ed318..4e179d1c18 100644 --- a/java/org/apache/catalina/filters/CsrfPreventionFilter.java +++ b/java/org/apache/catalina/filters/CsrfPreventionFilter.java @@ -191,11 +191,9 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase { wResponse = new CsrfResponseWrapper(res, nonceRequestParameterName, newNonce); } -} else { -wResponse = response; } -chain.doFilter(request, wResponse); +chain.doFilter(request, wResponse == null ? response : wResponse); } - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 10.0.x updated: Avoid null response
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.0.x by this push: new 1768355a1e Avoid null response 1768355a1e is described below commit 1768355a1ef3fe77adf5c5900db5da9893d77926 Author: Mark Thomas AuthorDate: Tue May 10 14:17:06 2022 +0100 Avoid null response --- java/org/apache/catalina/filters/CsrfPreventionFilter.java | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/java/org/apache/catalina/filters/CsrfPreventionFilter.java b/java/org/apache/catalina/filters/CsrfPreventionFilter.java index 6a54693856..f4f170b9e6 100644 --- a/java/org/apache/catalina/filters/CsrfPreventionFilter.java +++ b/java/org/apache/catalina/filters/CsrfPreventionFilter.java @@ -191,11 +191,9 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase { wResponse = new CsrfResponseWrapper(res, nonceRequestParameterName, newNonce); } -} else { -wResponse = response; } -chain.doFilter(request, wResponse); +chain.doFilter(request, wResponse == null ? response : wResponse); } - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch main updated: Avoid null response
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new 5af33624a2 Avoid null response 5af33624a2 is described below commit 5af33624a27d987a59e4cc0d2bc1d3880d1aeb9d Author: Mark Thomas AuthorDate: Tue May 10 14:17:06 2022 +0100 Avoid null response --- java/org/apache/catalina/filters/CsrfPreventionFilter.java | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/java/org/apache/catalina/filters/CsrfPreventionFilter.java b/java/org/apache/catalina/filters/CsrfPreventionFilter.java index e3f50cd491..26279400a3 100644 --- a/java/org/apache/catalina/filters/CsrfPreventionFilter.java +++ b/java/org/apache/catalina/filters/CsrfPreventionFilter.java @@ -191,11 +191,9 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase { wResponse = new CsrfResponseWrapper(res, nonceRequestParameterName, newNonce); } -} else { -wResponse = response; } -chain.doFilter(request, wResponse); +chain.doFilter(request, wResponse == null ? response : wResponse); } - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[GitHub] [tomcat] garethjevans opened a new pull request, #512: Adding a ServiceBindingPropertySource
garethjevans opened a new pull request, #512:
URL: https://github.com/apache/tomcat/pull/512

The property source allows values in Tomcat's configuration files to be injected directly from a servicebinding.io Service Binding without having to be converted to an environment variable first.

Co-authored-by: Sumit Kulhadia
Co-authored-by: Gareth Evans

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
[tomcat] branch 8.5.x updated: Change name from java17 to foreign
This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/8.5.x by this push: new b56714efb3 Change name from java17 to foreign b56714efb3 is described below commit b56714efb33571fa0ccc315ce8753e15ce3bfc37 Author: remm AuthorDate: Tue May 10 14:47:41 2022 +0200 Change name from java17 to foreign After looking at SSL due to the PEMFile changes. --- java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java b/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java index d988095b1e..d8241a6bac 100644 --- a/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java +++ b/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java @@ -40,7 +40,7 @@ public abstract class AbstractHttp11JsseProtocol } if (getSslImplementationName() != null && getSslImplementationName().endsWith(".panama.OpenSSLImplementation")) { -return "openssljava17"; +return "opensslforeign"; } return "jsse"; } - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
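Review bot: The value returned for implementations whose name ends with ".panama.OpenSSLImplementation" changes from "openssljava17" to "opensslforeign", and anything that compared against the old string will silently stop matching. The commit message only says the rename came after looking at SSL because of the PEMFile changes, and the diffstat shows no changelog or documentation update, so a short changelog entry stating the old and new value would help anyone who depended on it. Named constants for the ".panama.OpenSSLImplementation" suffix and for the returned name would also keep the two from drifting apart.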
[tomcat] branch 9.0.x updated: Change name from java17 to foreign
This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new 8dac6661e3 Change name from java17 to foreign 8dac6661e3 is described below commit 8dac6661e3402d1bdece1de8117d8410a8ca7f81 Author: remm AuthorDate: Tue May 10 14:47:41 2022 +0200 Change name from java17 to foreign After looking at SSL due to the PEMFile changes. --- java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java b/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java index d988095b1e..d8241a6bac 100644 --- a/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java +++ b/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java @@ -40,7 +40,7 @@ public abstract class AbstractHttp11JsseProtocol } if (getSslImplementationName() != null && getSslImplementationName().endsWith(".panama.OpenSSLImplementation")) { -return "openssljava17"; +return "opensslforeign"; } return "jsse"; } - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 10.0.x updated: Change name from java17 to foreign
This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch 10.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.0.x by this push: new 74617c9bec Change name from java17 to foreign 74617c9bec is described below commit 74617c9becd5613f8adb0c6c5f5d58f364193dd8 Author: remm AuthorDate: Tue May 10 14:47:41 2022 +0200 Change name from java17 to foreign After looking at SSL due to the PEMFile changes. --- java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java b/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java index d988095b1e..d8241a6bac 100644 --- a/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java +++ b/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java @@ -40,7 +40,7 @@ public abstract class AbstractHttp11JsseProtocol } if (getSslImplementationName() != null && getSslImplementationName().endsWith(".panama.OpenSSLImplementation")) { -return "openssljava17"; +return "opensslforeign"; } return "jsse"; } - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch main updated (1709d67737 -> 04811bb640)
This is an automated email from the ASF dual-hosted git repository.

remm pushed a change to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git

    from 1709d67737 Add support for encrypted PKCS#1 keys. Based on #511. Thanks to jfclere
     add 04811bb640 Change name from java17 to foreign

No new revisions were added by this update.

Summary of changes:
 java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
[tomcat] branch 8.5.x updated: Add support for encrypted PKCS#1 keys. Based on #511. Thanks to jfclere
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/8.5.x by this push: new 48d8df33c1 Add support for encrypted PKCS#1 keys. Based on #511. Thanks to jfclere 48d8df33c1 is described below commit 48d8df33c1e02dd9c6c06b8caaf4b3949987642d Author: Mark Thomas AuthorDate: Tue May 10 13:02:01 2022 +0100 Add support for encrypted PKCS#1 keys. Based on #511. Thanks to jfclere --- java/org/apache/tomcat/util/net/jsse/PEMFile.java | 115 +++-- .../apache/tomcat/util/net/jsse/TestPEMFile.java | 89 .../util/net/jsse/key-encrypted-pkcs1-aes256.pem | 18 .../util/net/jsse/key-encrypted-pkcs1-des-cbc.pem | 18 .../net/jsse/key-encrypted-pkcs1-des-ede3-cbc.pem | 18 .../tomcat/util/net/jsse/key-encrypted-pkcs8.pem | 18 test/org/apache/tomcat/util/net/jsse/key-pkcs1.pem | 15 +++ webapps/docs/changelog.xml | 5 + 8 files changed, 286 insertions(+), 10 deletions(-) diff --git a/java/org/apache/tomcat/util/net/jsse/PEMFile.java b/java/org/apache/tomcat/util/net/jsse/PEMFile.java index ca030cfa00..4a6185a520 100644 --- a/java/org/apache/tomcat/util/net/jsse/PEMFile.java +++ b/java/org/apache/tomcat/util/net/jsse/PEMFile.java @@ -27,6 +27,8 @@ import java.security.AlgorithmParameters; import java.security.GeneralSecurityException; import java.security.InvalidKeyException; import java.security.KeyFactory; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; import java.security.PrivateKey; import java.security.cert.CertificateEncodingException; import java.security.cert.CertificateException; 
@@ -43,7 +45,9 @@ import javax.crypto.Cipher; import javax.crypto.EncryptedPrivateKeyInfo; import javax.crypto.SecretKey; import javax.crypto.SecretKeyFactory; +import javax.crypto.spec.IvParameterSpec; import javax.crypto.spec.PBEKeySpec; +import javax.crypto.spec.SecretKeySpec; import org.apache.tomcat.util.buf.Asn1Parser; import org.apache.tomcat.util.buf.Asn1Writer; @@ -113,7 +117,16 @@ public class PEMFile { part = null; } else if (part != null && !line.contains(":") && !line.startsWith(" ")) { part.content += line; -} +} else if (part != null && line.contains(":") && !line.startsWith(" ")) { +/* Something like DEK-Info: DES-EDE3-CBC,B5A53CB8B7E50064 */ +if (line.startsWith("DEK-Info: ")) { +String[] pieces = line.split(" "); +pieces = pieces[1].split(","); +if (pieces.length == 2) { +part.algorithm = pieces[0]; +part.ivHex = pieces[1]; +} +}} } } @@ -129,7 +142,7 @@ public class PEMFile { privateKey = part.toPrivateKey(password, keyAlgorithm, Format.PKCS8); break; case Part.RSA_PRIVATE_KEY: -privateKey = part.toPrivateKey(null, keyAlgorithm, Format.PKCS1); +privateKey = part.toPrivateKey(password, keyAlgorithm, Format.PKCS1); break; case Part.CERTIFICATE: case Part.X509_CERTIFICATE: @@ -153,6 +166,8 @@ public class PEMFile { public String type; public String content = ""; +public String algorithm = null; +public String ivHex = null; private byte[] decode() { return Base64.decodeBase64(content); 
@@ -183,15 +198,60 @@ public class PEMFile { } } } else { -EncryptedPrivateKeyInfo privateKeyInfo = new EncryptedPrivateKeyInfo(decode()); -String pbeAlgorithm = getPBEAlgorithm(privateKeyInfo); -SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance(pbeAlgorithm); -SecretKey secretKey = secretKeyFactory.generateSecret(new PBEKeySpec(password.toCharArray())); - -Cipher cipher = Cipher.getInstance(pbeAlgorithm); -cipher.init(Cipher.DECRYPT_MODE, secretKey, privateKeyInfo.getAlgParameters()); +if (algorithm == null) { +// PKCS 8 +EncryptedPrivateKeyInfo privateKeyInfo = new EncryptedPrivateKeyInfo(decode()); +String pbeAlgorithm = getPBEAlgorithm(privateKeyInfo); +SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance(pbeAlgorithm); +SecretKey secretKey = secretKeyFactory.generateSecret(new PBEKeySpec(password.toCharArray())); + +Cipher cipher =
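Review bot: In the new DEK-Info branch, a header that does not split into exactly two comma-separated pieces is silently ignored, which leaves part.algorithm null, and the later if (algorithm == null) test then sends the encrypted PKCS#1 body down the PKCS 8 path. Rejecting the file at parse time with a message that names the bad header would be clearer than whatever error the PKCS 8 path raises. The parsing is also fragile: line.split(" ") followed by pieces[1] depends on exactly one space after "DEK-Info:", and ivHex is stored without checking that it is hex, so stripping the prefix, trimming, and validating before the split(",") would be more robust.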
[tomcat] branch 9.0.x updated: Add support for encrypted PKCS#1 keys. Based on #511. Thanks to jfclere
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new 6341ae6e73 Add support for encrypted PKCS#1 keys. Based on #511. Thanks to jfclere 6341ae6e73 is described below commit 6341ae6e7363e8f90711673ab1de27c9e8a2efee Author: Mark Thomas AuthorDate: Tue May 10 13:02:01 2022 +0100 Add support for encrypted PKCS#1 keys. Based on #511. Thanks to jfclere --- java/org/apache/tomcat/util/net/jsse/PEMFile.java | 115 +++-- .../apache/tomcat/util/net/jsse/TestPEMFile.java | 89 .../util/net/jsse/key-encrypted-pkcs1-aes256.pem | 18 .../util/net/jsse/key-encrypted-pkcs1-des-cbc.pem | 18 .../net/jsse/key-encrypted-pkcs1-des-ede3-cbc.pem | 18 .../tomcat/util/net/jsse/key-encrypted-pkcs8.pem | 18 test/org/apache/tomcat/util/net/jsse/key-pkcs1.pem | 15 +++ webapps/docs/changelog.xml | 5 + 8 files changed, 286 insertions(+), 10 deletions(-) diff --git a/java/org/apache/tomcat/util/net/jsse/PEMFile.java b/java/org/apache/tomcat/util/net/jsse/PEMFile.java index 5db30d9e19..ab02cc8f7d 100644 --- a/java/org/apache/tomcat/util/net/jsse/PEMFile.java +++ b/java/org/apache/tomcat/util/net/jsse/PEMFile.java @@ -27,6 +27,8 @@ import java.security.AlgorithmParameters; import java.security.GeneralSecurityException; import java.security.InvalidKeyException; import java.security.KeyFactory; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; import java.security.PrivateKey; import java.security.cert.CertificateEncodingException; import java.security.cert.CertificateException; 
@@ -43,7 +45,9 @@ import javax.crypto.Cipher; import javax.crypto.EncryptedPrivateKeyInfo; import javax.crypto.SecretKey; import javax.crypto.SecretKeyFactory; +import javax.crypto.spec.IvParameterSpec; import javax.crypto.spec.PBEKeySpec; +import javax.crypto.spec.SecretKeySpec; import org.apache.tomcat.util.buf.Asn1Parser; import org.apache.tomcat.util.buf.Asn1Writer; @@ -113,7 +117,16 @@ public class PEMFile { part = null; } else if (part != null && !line.contains(":") && !line.startsWith(" ")) { part.content += line; -} +} else if (part != null && line.contains(":") && !line.startsWith(" ")) { +/* Something like DEK-Info: DES-EDE3-CBC,B5A53CB8B7E50064 */ +if (line.startsWith("DEK-Info: ")) { +String[] pieces = line.split(" "); +pieces = pieces[1].split(","); +if (pieces.length == 2) { +part.algorithm = pieces[0]; +part.ivHex = pieces[1]; +} +}} } } @@ -129,7 +142,7 @@ public class PEMFile { privateKey = part.toPrivateKey(password, keyAlgorithm, Format.PKCS8); break; case Part.RSA_PRIVATE_KEY: -privateKey = part.toPrivateKey(null, keyAlgorithm, Format.PKCS1); +privateKey = part.toPrivateKey(password, keyAlgorithm, Format.PKCS1); break; case Part.CERTIFICATE: case Part.X509_CERTIFICATE: @@ -153,6 +166,8 @@ public class PEMFile { public String type; public String content = ""; +public String algorithm = null; +public String ivHex = null; private byte[] decode() { return Base64.decodeBase64(content); 
@@ -183,15 +198,60 @@ public class PEMFile { } } } else { -EncryptedPrivateKeyInfo privateKeyInfo = new EncryptedPrivateKeyInfo(decode()); -String pbeAlgorithm = getPBEAlgorithm(privateKeyInfo); -SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance(pbeAlgorithm); -SecretKey secretKey = secretKeyFactory.generateSecret(new PBEKeySpec(password.toCharArray())); - -Cipher cipher = Cipher.getInstance(pbeAlgorithm); -cipher.init(Cipher.DECRYPT_MODE, secretKey, privateKeyInfo.getAlgParameters()); +if (algorithm == null) { +// PKCS 8 +EncryptedPrivateKeyInfo privateKeyInfo = new EncryptedPrivateKeyInfo(decode()); +String pbeAlgorithm = getPBEAlgorithm(privateKeyInfo); +SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance(pbeAlgorithm); +SecretKey secretKey = secretKeyFactory.generateSecret(new PBEKeySpec(password.toCharArray())); + +Cipher cipher =
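Review bot: The new public field algorithm on Part now sits next to the keyAlgorithm parameter and the pbeAlgorithm local, and nothing in the hunk documents that it holds the cipher name taken from DEK-Info. Because if (algorithm == null) with the comment "PKCS 8" is the only thing that selects between the two decryption paths, a more specific name such as dekInfoAlgorithm, or a one-line comment on the algorithm and ivHex fields, would let a reader follow that test without tracing back to the header parser. The "= null" initialisers on both fields are redundant and could be dropped.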
[tomcat] branch 10.0.x updated: Add support for encrypted PKCS#1 keys. Based on #511. Thanks to jfclere
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.0.x by this push: new b1b84bdd77 Add support for encrypted PKCS#1 keys. Based on #511. Thanks to jfclere b1b84bdd77 is described below commit b1b84bdd77f6db756e2ac2823309dad7878a4985 Author: Mark Thomas AuthorDate: Tue May 10 13:02:01 2022 +0100 Add support for encrypted PKCS#1 keys. Based on #511. Thanks to jfclere --- java/org/apache/tomcat/util/net/jsse/PEMFile.java | 115 +++-- .../apache/tomcat/util/net/jsse/TestPEMFile.java | 89 .../util/net/jsse/key-encrypted-pkcs1-aes256.pem | 18 .../util/net/jsse/key-encrypted-pkcs1-des-cbc.pem | 18 .../net/jsse/key-encrypted-pkcs1-des-ede3-cbc.pem | 18 .../tomcat/util/net/jsse/key-encrypted-pkcs8.pem | 18 test/org/apache/tomcat/util/net/jsse/key-pkcs1.pem | 15 +++ webapps/docs/changelog.xml | 5 + 8 files changed, 286 insertions(+), 10 deletions(-) diff --git a/java/org/apache/tomcat/util/net/jsse/PEMFile.java b/java/org/apache/tomcat/util/net/jsse/PEMFile.java index 5db30d9e19..ab02cc8f7d 100644 --- a/java/org/apache/tomcat/util/net/jsse/PEMFile.java +++ b/java/org/apache/tomcat/util/net/jsse/PEMFile.java @@ -27,6 +27,8 @@ import java.security.AlgorithmParameters; import java.security.GeneralSecurityException; import java.security.InvalidKeyException; import java.security.KeyFactory; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; import java.security.PrivateKey; import java.security.cert.CertificateEncodingException; import java.security.cert.CertificateException; 
@@ -43,7 +45,9 @@ import javax.crypto.Cipher; import javax.crypto.EncryptedPrivateKeyInfo; import javax.crypto.SecretKey; import javax.crypto.SecretKeyFactory; +import javax.crypto.spec.IvParameterSpec; import javax.crypto.spec.PBEKeySpec; +import javax.crypto.spec.SecretKeySpec; import org.apache.tomcat.util.buf.Asn1Parser; import org.apache.tomcat.util.buf.Asn1Writer; @@ -113,7 +117,16 @@ public class PEMFile { part = null; } else if (part != null && !line.contains(":") && !line.startsWith(" ")) { part.content += line; -} +} else if (part != null && line.contains(":") && !line.startsWith(" ")) { +/* Something like DEK-Info: DES-EDE3-CBC,B5A53CB8B7E50064 */ +if (line.startsWith("DEK-Info: ")) { +String[] pieces = line.split(" "); +pieces = pieces[1].split(","); +if (pieces.length == 2) { +part.algorithm = pieces[0]; +part.ivHex = pieces[1]; +} +}} } } @@ -129,7 +142,7 @@ public class PEMFile { privateKey = part.toPrivateKey(password, keyAlgorithm, Format.PKCS8); break; case Part.RSA_PRIVATE_KEY: -privateKey = part.toPrivateKey(null, keyAlgorithm, Format.PKCS1); +privateKey = part.toPrivateKey(password, keyAlgorithm, Format.PKCS1); break; case Part.CERTIFICATE: case Part.X509_CERTIFICATE: @@ -153,6 +166,8 @@ public class PEMFile { public String type; public String content = ""; +public String algorithm = null; +public String ivHex = null; private byte[] decode() { return Base64.decodeBase64(content); 
@@ -183,15 +198,60 @@ public class PEMFile { } } } else { -EncryptedPrivateKeyInfo privateKeyInfo = new EncryptedPrivateKeyInfo(decode()); -String pbeAlgorithm = getPBEAlgorithm(privateKeyInfo); -SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance(pbeAlgorithm); -SecretKey secretKey = secretKeyFactory.generateSecret(new PBEKeySpec(password.toCharArray())); - -Cipher cipher = Cipher.getInstance(pbeAlgorithm); -cipher.init(Cipher.DECRYPT_MODE, secretKey, privateKeyInfo.getAlgParameters()); +if (algorithm == null) { +// PKCS 8 +EncryptedPrivateKeyInfo privateKeyInfo = new EncryptedPrivateKeyInfo(decode()); +String pbeAlgorithm = getPBEAlgorithm(privateKeyInfo); +SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance(pbeAlgorithm); +SecretKey secretKey = secretKeyFactory.generateSecret(new PBEKeySpec(password.toCharArray())); + +Cipher cipher =
[GitHub] [tomcat] markt-asf closed pull request #511: Allow to decrypt PEM keys.
markt-asf closed pull request #511: Allow to decrypt PEM keys.
URL: https://github.com/apache/tomcat/pull/511
[GitHub] [tomcat] markt-asf commented on pull request #511: Allow to decrypt PEM keys.
markt-asf commented on PR #511:
URL: https://github.com/apache/tomcat/pull/511#issuecomment-1122302040

Done. Not quite as generic as I would like but I couldn't figure out how to get from DEK-Info to JSSE standard names without a manual lookup.

Thanks for doing all the hard work on this. I just did a little refactoring.
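The manual lookup mentioned in the comment above, as an added example that is not Tomcat's PEMFile code: it maps the OpenSSL cipher name in a DEK-Info header to JCA standard names and derives the key the way OpenSSL's legacy PEM encryption does (MD5 over the passphrase and the first 8 bytes of the IV). The class and method names are hypothetical, the table covers only the three ciphers named by the test key files in the commit, and the DEK-Info spelling AES-256-CBC and the UTF-8 passphrase encoding are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Added illustration (hypothetical class, not Tomcat's PEMFile): DEK-Info to JCA names. */
public class DekInfoExample {

    /** One row of the manual lookup table. */
    static final class CipherSpec {
        final String transformation; // JCA standard transformation name
        final String keyAlgorithm;   // JCA standard key algorithm name
        final int keyLength;         // key length in bytes
        CipherSpec(String transformation, String keyAlgorithm, int keyLength) {
            this.transformation = transformation;
            this.keyAlgorithm = keyAlgorithm;
            this.keyLength = keyLength;
        }
    }

    // Left: OpenSSL cipher names as written in DEK-Info. Right: JCA standard names.
    private static final Map<String, CipherSpec> LOOKUP = new HashMap<>();
    static {
        LOOKUP.put("DES-CBC", new CipherSpec("DES/CBC/PKCS5Padding", "DES", 8));
        LOOKUP.put("DES-EDE3-CBC", new CipherSpec("DESede/CBC/PKCS5Padding", "DESede", 24));
        LOOKUP.put("AES-256-CBC", new CipherSpec("AES/CBC/PKCS5Padding", "AES", 32));
    }

    /** Returns {algorithm, ivHex}; rejects malformed headers instead of ignoring them. */
    static String[] parseDekInfo(String headerLine) {
        String prefix = "DEK-Info:";
        if (!headerLine.startsWith(prefix)) {
            throw new IllegalArgumentException("Not a DEK-Info header");
        }
        String[] pieces = headerLine.substring(prefix.length()).trim().split(",");
        if (pieces.length != 2 || !pieces[1].trim().matches("(?:[0-9A-Fa-f]{2})+")) {
            throw new IllegalArgumentException("Malformed DEK-Info header");
        }
        return new String[] { pieces[0].trim(), pieces[1].trim() };
    }

    static byte[] fromHex(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    /** OpenSSL legacy derivation: D1 = MD5(pw || salt), Dn = MD5(Dn-1 || pw || salt). */
    static byte[] deriveKey(byte[] password, byte[] iv, int keyLength) throws Exception {
        if (iv.length < 8) {
            throw new IllegalArgumentException("IV shorter than the 8 byte salt");
        }
        MessageDigest md5 = MessageDigest.getInstance("MD5");
        byte[] salt = Arrays.copyOf(iv, 8); // the salt is the first 8 bytes of the IV
        byte[] key = new byte[keyLength];
        byte[] block = new byte[0];
        for (int filled = 0; filled < keyLength; ) {
            md5.update(block);
            md5.update(password);
            md5.update(salt);
            block = md5.digest();
            int n = Math.min(block.length, keyLength - filled);
            System.arraycopy(block, 0, key, filled, n);
            filled += n;
        }
        return key;
    }

    /** Builds an initialised Cipher for one DEK-Info header and passphrase. */
    static Cipher cipherFor(String headerLine, String password, int mode) throws Exception {
        String[] dek = parseDekInfo(headerLine);
        CipherSpec spec = LOOKUP.get(dek[0]);
        if (spec == null) {
            throw new IllegalArgumentException("Unsupported DEK-Info algorithm: " + dek[0]);
        }
        byte[] iv = fromHex(dek[1]);
        byte[] pw = password.getBytes(StandardCharsets.UTF_8); // assumption: UTF-8 passphrase
        SecretKeySpec key = new SecretKeySpec(deriveKey(pw, iv, spec.keyLength), spec.keyAlgorithm);
        Cipher cipher = Cipher.getInstance(spec.transformation);
        cipher.init(mode, key, new IvParameterSpec(iv)); // a wrong IV length fails here
        return cipher;
    }

    public static void main(String[] args) throws Exception {
        String header = "DEK-Info: DES-EDE3-CBC,B5A53CB8B7E50064"; // header quoted in the patch
        String password = "constructed-passphrase";                 // constructed sample value
        byte[] plain = "constructed stand-in for the DER key bytes".getBytes(StandardCharsets.UTF_8);

        byte[] enc = cipherFor(header, password, Cipher.ENCRYPT_MODE).doFinal(plain);
        byte[] dec = cipherFor(header, password, Cipher.DECRYPT_MODE).doFinal(enc);
        System.out.println("round trip ok: " + Arrays.equals(plain, dec));

        try {
            parseDekInfo("DEK-Info: DES-EDE3-CBC"); // constructed malformed header, no IV
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because the key comes from a single MD5 pass, an encrypted PKCS#1 file is only as strong as its passphrase; PKCS#8 encryption with a PBKDF2-based scheme is the sturdier container for keys at rest.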
[Bug 65853] [CsrfPreventionFilter] Extract evaluation of skipNonceCheck into overridable method
https://bz.apache.org/bugzilla/show_bug.cgi?id=65853

--- Comment #15 from Marvin Fröhlich ---
I have now integrated your new version of CsrfPreventionFilter as base to our filter class. And it turned out, that there are some minor things missing, that will prevent us from using the class as it is now.

For one there is no need to call getNonceCache(req), if both skipNonceCheck(req) and skipNonceGeneration(req) return true. For us it is actually malicious, because in these cases a new cache instance is created, that hurts later. I suggest to skip the block 166 to 180, if both extension points return true.

And much less minor: If skipNonceGeneration(req) is true, wRequest remains null and is later passed into chain.doFilter(request, wRequest). It must fall back to response in this case.

Maybe it wouldn't hurt to change line 204 like this:

  chain.doFilter(request, wResponse != null ? wResponse : response);

Or, if you have some standard ifNull() of ours, use that. Then of course current 200-201 could be dropped.
[tomcat] branch main updated: Add support for encrypted PKCS#1 keys. Based on #511. Thanks to jfclere
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new 1709d67737 Add support for encrypted PKCS#1 keys. Based on #511. Thanks to jfclere 1709d67737 is described below commit 1709d6773799afb12a7421d0b1bd3bd766540faa Author: Mark Thomas AuthorDate: Tue May 10 13:02:01 2022 +0100 Add support for encrypted PKCS#1 keys. Based on #511. Thanks to jfclere --- java/org/apache/tomcat/util/net/jsse/PEMFile.java | 115 +++-- .../apache/tomcat/util/net/jsse/TestPEMFile.java | 89 .../util/net/jsse/key-encrypted-pkcs1-aes256.pem | 18 .../util/net/jsse/key-encrypted-pkcs1-des-cbc.pem | 18 .../net/jsse/key-encrypted-pkcs1-des-ede3-cbc.pem | 18 .../tomcat/util/net/jsse/key-encrypted-pkcs8.pem | 18 test/org/apache/tomcat/util/net/jsse/key-pkcs1.pem | 15 +++ webapps/docs/changelog.xml | 5 + 8 files changed, 286 insertions(+), 10 deletions(-) diff --git a/java/org/apache/tomcat/util/net/jsse/PEMFile.java b/java/org/apache/tomcat/util/net/jsse/PEMFile.java index 5db30d9e19..ab02cc8f7d 100644 --- a/java/org/apache/tomcat/util/net/jsse/PEMFile.java +++ b/java/org/apache/tomcat/util/net/jsse/PEMFile.java @@ -27,6 +27,8 @@ import java.security.AlgorithmParameters; import java.security.GeneralSecurityException; import java.security.InvalidKeyException; import java.security.KeyFactory; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; import java.security.PrivateKey; import java.security.cert.CertificateEncodingException; import java.security.cert.CertificateException; 
@@ -43,7 +45,9 @@ import javax.crypto.Cipher; import javax.crypto.EncryptedPrivateKeyInfo; import javax.crypto.SecretKey; import javax.crypto.SecretKeyFactory; +import javax.crypto.spec.IvParameterSpec; import javax.crypto.spec.PBEKeySpec; +import javax.crypto.spec.SecretKeySpec; import org.apache.tomcat.util.buf.Asn1Parser; import org.apache.tomcat.util.buf.Asn1Writer; @@ -113,7 +117,16 @@ public class PEMFile { part = null; } else if (part != null && !line.contains(":") && !line.startsWith(" ")) { part.content += line; -} +} else if (part != null && line.contains(":") && !line.startsWith(" ")) { +/* Something like DEK-Info: DES-EDE3-CBC,B5A53CB8B7E50064 */ +if (line.startsWith("DEK-Info: ")) { +String[] pieces = line.split(" "); +pieces = pieces[1].split(","); +if (pieces.length == 2) { +part.algorithm = pieces[0]; +part.ivHex = pieces[1]; +} +}} } } @@ -129,7 +142,7 @@ public class PEMFile { privateKey = part.toPrivateKey(password, keyAlgorithm, Format.PKCS8); break; case Part.RSA_PRIVATE_KEY: -privateKey = part.toPrivateKey(null, keyAlgorithm, Format.PKCS1); +privateKey = part.toPrivateKey(password, keyAlgorithm, Format.PKCS1); break; case Part.CERTIFICATE: case Part.X509_CERTIFICATE: @@ -153,6 +166,8 @@ public class PEMFile { public String type; public String content = ""; +public String algorithm = null; +public String ivHex = null; private byte[] decode() { return Base64.decodeBase64(content); 
@@ -183,15 +198,60 @@ public class PEMFile { } } } else { -EncryptedPrivateKeyInfo privateKeyInfo = new EncryptedPrivateKeyInfo(decode()); -String pbeAlgorithm = getPBEAlgorithm(privateKeyInfo); -SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance(pbeAlgorithm); -SecretKey secretKey = secretKeyFactory.generateSecret(new PBEKeySpec(password.toCharArray())); - -Cipher cipher = Cipher.getInstance(pbeAlgorithm); -cipher.init(Cipher.DECRYPT_MODE, secretKey, privateKeyInfo.getAlgParameters()); +if (algorithm == null) { +// PKCS 8 +EncryptedPrivateKeyInfo privateKeyInfo = new EncryptedPrivateKeyInfo(decode()); +String pbeAlgorithm = getPBEAlgorithm(privateKeyInfo); +SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance(pbeAlgorithm); +SecretKey secretKey = secretKeyFactory.generateSecret(new PBEKeySpec(password.toCharArray())); + +Cipher cipher =
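Review bot: in the DEK-Info branch of the @@ -113,7 +117,16 hunk, `pieces[1]` is read without a length check after `line.split(" ")`, so a line that is exactly `DEK-Info: ` (nothing after the space) throws ArrayIndexOutOfBoundsException, because split drops trailing empty strings. Separately, a header that does not split into exactly two comma-separated pieces is ignored silently, leaving `algorithm` and `ivHex` null. Suggest taking the substring after the `DEK-Info: ` prefix and failing at parse time with a message naming the header when it is not of the form algorithm,iv.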
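Review bot: the two fields added in the @@ -153,6 +166,8 hunk, `algorithm` and `ivHex`, have no comment saying that they are populated only from a `DEK-Info` header and stay null for every other part. A one-line comment on each would make the later `algorithm == null` test easier to follow, and the explicit `= null` initialisers are redundant.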
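Review bot: the `if (algorithm == null)` test at the top of the else branch in the @@ -183,15 +198,60 hunk selects the `// PKCS 8` path from the absence of a DEK-Info header rather than from the format argument the caller passes (`Format.PKCS8` or `Format.PKCS1`). Since Part.RSA_PRIVATE_KEY now calls `toPrivateKey(password, keyAlgorithm, Format.PKCS1)`, a PKCS1 part without a usable DEK-Info header that reaches this branch is handed to `new EncryptedPrivateKeyInfo(decode())`. Suggest branching on the format argument and treating a null `algorithm` for PKCS1 as an explicit error.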