[Bug 66541] CachedResource for OSGi URL resources changes URL hashing behavior & exacerbates DNS issues
https://bz.apache.org/bugzilla/show_bug.cgi?id=66541

--- Comment #1 from Tom Whitmore ---

To clarify:

* The OSGi URLs are now having CachedResourceURLStreamHandler (which inherits from java.net.URLStreamHandler) hash them; this attempts to resolve their Hostnames, where the OSGi (Equinox) handler did not.

--
You are receiving this mail because:
You are the assignee for the bug.

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 66541] New: CachedResource for OSGi URL resources changes URL hashing behavior & exacerbates DNS issues
https://bz.apache.org/bugzilla/show_bug.cgi?id=66541

Bug ID: 66541
Summary: CachedResource for OSGi URL resources changes URL hashing behavior & exacerbates DNS issues
Product: Tomcat 8
Version: 8.5.x-trunk
Hardware: PC
OS: Linux
Status: NEW
Severity: minor
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: tom.whitm...@lyniate.com
Target Milestone:

We run Tomcat with resources mounted from OSGi bundles. The OSGi URLs are of the form 'bundleentry://203.fwk668849042/META-INF/output.tld' and have a custom 'handler' assigned to handle them.

In Tomcat 8.5.48, changes were made to CachedResource (to fix "Intermittent JSP Caching/Compiling Issue while under load", 2b0aaedd76d8) which introduce CachedResourceURLStreamHandler & bypass the OSGi-supplied hashCode() behavior of the OSGi URLs.

Several of our end-users have now reported large delays (up to 40 minutes) in Tomcat startup.

The problem is:

* TldScanner hashing URLs of TLDs -- about 150 of these -- to build its tldResourcePathTaglibXmlMap.
* The OSGi URLs are now having java.net.URLStreamHandler hash them & this attempts to resolve their Hostnames, where the OSGi (Equinox) handler did not.
* In the case of DNS misconfiguration on some platforms, which seems to be not uncommon amongst our end-users, Tomcat thus has to wait for 150 failed lookups (of OSGi bundle names) at 15 seconds each before starting.

Proposed solution approach:

* Consider making CachedResourceURLStreamHandler delegate 'hashCode()' and 'equals()' to the underlying 'resourceURL'.
* This will preserve handler behaviors from the underlying URL and avoid introducing spurious DNS lookups for OSGi-loaded resources.
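An added illustration of the mechanism behind this report (example code written for this digest, not Tomcat's CachedResourceURLStreamHandler and not the eventual fix): java.net.URLStreamHandler's inherited hashCode(URL) and equals(URL, URL) both call getHostAddress(URL), an InetAddress lookup of the URL's host, so a wrapper handler that inherits them resolves the bundle id every time the URL is hashed or compared as a HashMap key, while delegating both methods to the wrapped resourceURL keeps the bundle handler's semantics and never reaches the lookup. BundleHandler, InheritingWrapper and DelegatingWrapper are hypothetical names; the lookup is intercepted and counted instead of being sent to a resolver, so the demo runs offline.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.URL;
import java.net.URLConnection;
import java.net.URLStreamHandler;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.atomic.AtomicInteger;

public final class DelegatingUrlHandlerDemo {

    /** Counts how often the JDK asked a wrapper handler to resolve a URL's host. */
    static final AtomicInteger hostLookups = new AtomicInteger();

    /** Hypothetical stand-in for the OSGi (Equinox) handler: hashes and compares on the
     *  string form and never resolves the "host", which is a bundle id, not a DNS name. */
    static final class BundleHandler extends URLStreamHandler {
        @Override protected URLConnection openConnection(URL u) throws IOException {
            throw new IOException("bundle content is not opened in this demo: " + u);
        }
        @Override protected int hashCode(URL u) {
            return u.toExternalForm().hashCode();
        }
        @Override protected boolean equals(URL u1, URL u2) {
            return u1.toExternalForm().equals(u2.toExternalForm());
        }
    }

    /** Hypothetical wrapper in the shape the report describes: wraps the resource URL but
     *  inherits URLStreamHandler.hashCode(URL)/equals(URL, URL), both of which call
     *  getHostAddress(URL). The override intercepts that call and returns null, which is
     *  what a failed lookup yields after the resolver timeout, so the demo runs offline. */
    static class InheritingWrapper extends URLStreamHandler {
        final URL resourceURL;

        InheritingWrapper(URL resourceURL) {
            this.resourceURL = resourceURL;
        }
        @Override protected URLConnection openConnection(URL u) throws IOException {
            return resourceURL.openConnection();
        }
        @Override protected synchronized InetAddress getHostAddress(URL u) {
            hostLookups.incrementAndGet();
            return null;
        }
    }

    /** The proposed shape: delegate hashCode and equals to the wrapped resourceURL, so the
     *  bundle handler decides and getHostAddress is never reached. The wrapper URL is built
     *  from resourceURL's external form, so comparing u2 against it keeps equals consistent
     *  with hashCode. */
    static final class DelegatingWrapper extends InheritingWrapper {
        DelegatingWrapper(URL resourceURL) {
            super(resourceURL);
        }
        @Override protected int hashCode(URL u) {
            return resourceURL.hashCode();
        }
        @Override protected boolean equals(URL u1, URL u2) {
            return resourceURL.toExternalForm().equals(u2.toExternalForm());
        }
    }

    /** Uses key and probe the way a TLD scanner's map does (put, then look up) and returns
     *  how many host resolutions the JDK attempted while doing so. */
    static int lookupsForMapPutAndGet(URL key, URL probe, boolean[] hit) {
        hostLookups.set(0);
        Map<URL, String> byUrl = new HashMap<>();
        byUrl.put(key, "output.tld");
        hit[0] = byUrl.containsKey(probe);
        return hostLookups.get();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample in the bundleentry form quoted in the bug report.
        String spec = "bundleentry://203.fwk668849042/META-INF/output.tld";
        URL resource = new URL(null, spec, new BundleHandler());
        boolean[] hit = new boolean[1];

        // Before: every hash and equality check on the wrapper resolves the bundle "host".
        int n = lookupsForMapPutAndGet(new URL(null, spec, new InheritingWrapper(resource)),
                new URL(null, spec, new InheritingWrapper(resource)), hit);
        System.out.println("inheriting wrapper: hit=" + hit[0] + ", host lookups=" + n);

        // After: delegation keeps the bundle handler's semantics and triggers no lookup.
        n = lookupsForMapPutAndGet(new URL(null, spec, new DelegatingWrapper(resource)),
                new URL(null, spec, new DelegatingWrapper(resource)), hit);
        System.out.println("delegating wrapper: hit=" + hit[0] + ", host lookups=" + n);
    }
}
```

With a real resolver each intercepted call in the inheriting case would instead block for the platform's DNS timeout, which is the startup delay the report multiplies by its roughly 150 TLD URLs.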
[tomcat] branch dependabot/maven/modules/openssl-java17/org.apache.tomcat-tomcat-catalina-9.0.72 created (now 505b0aa65c)
This is an automated email from the ASF dual-hosted git repository.

github-bot pushed a change to branch dependabot/maven/modules/openssl-java17/org.apache.tomcat-tomcat-catalina-9.0.72
in repository https://gitbox.apache.org/repos/asf/tomcat.git

at 505b0aa65c Bump tomcat-catalina from 9.0.68 to 9.0.72 in /modules/openssl-java17

No new revisions were added by this update.
[GitHub] [tomcat] dependabot[bot] opened a new pull request, #602: Bump tomcat-catalina from 9.0.68 to 9.0.72 in /modules/openssl-foreign
dependabot[bot] opened a new pull request, #602:
URL: https://github.com/apache/tomcat/pull/602

Bumps tomcat-catalina from 9.0.68 to 9.0.72.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/apache/tomcat/network/alerts).

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org

For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[tomcat] branch dependabot/maven/modules/openssl-foreign/org.apache.tomcat-tomcat-catalina-9.0.72 created (now af2eba2840)
This is an automated email from the ASF dual-hosted git repository.

github-bot pushed a change to branch dependabot/maven/modules/openssl-foreign/org.apache.tomcat-tomcat-catalina-9.0.72
in repository https://gitbox.apache.org/repos/asf/tomcat.git

at af2eba2840 Bump tomcat-catalina from 9.0.68 to 9.0.72 in /modules/openssl-foreign

No new revisions were added by this update.
[GitHub] [tomcat] dependabot[bot] opened a new pull request, #603: Bump tomcat-catalina from 9.0.68 to 9.0.72 in /modules/openssl-java17
dependabot[bot] opened a new pull request, #603:
URL: https://github.com/apache/tomcat/pull/603

Bumps tomcat-catalina from 9.0.68 to 9.0.72.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/apache/tomcat/network/alerts).
Re: Buildbot failure in on tomcat-10.1.x
FYI, this was a failure to receive a response from https://jakarta.ee/specifications/platform/10/apidocs/

Nothing to see here. Move along...

Mark

On 22/03/2023 18:42, build...@apache.org wrote:
> Build status: BUILD FAILED: compile (failure)
> Worker used: bb_worker2_ubuntu
> URL: https://ci2.apache.org/#builders/44/builds/729
> Blamelist: Mark Thomas
> Build Text: compile (failure)
> Status Detected: new failure
> Build Source Stamp: [branch 10.1.x] afd98cc8f36be9cbe92d6960344676d947f6087c
> Steps:
> worker_preparation: 0
> git: 0
> shell: 0
> shell_1: 0
> shell_2: 0
> shell_3: 0
> shell_4: 0
> shell_5: 0
> compile: 2
> --
> ASF Buildbot
Buildbot failure in on tomcat-10.1.x
Build status: BUILD FAILED: compile (failure)
Worker used: bb_worker2_ubuntu
URL: https://ci2.apache.org/#builders/44/builds/729
Blamelist: Mark Thomas
Build Text: compile (failure)
Status Detected: new failure
Build Source Stamp: [branch 10.1.x] afd98cc8f36be9cbe92d6960344676d947f6087c
Steps:
worker_preparation: 0
git: 0
shell: 0
shell_1: 0
shell_2: 0
shell_3: 0
shell_4: 0
shell_5: 0
compile: 2

--
ASF Buildbot
[Bug 66535] FarmWarDeployer will fail to deploy a WAR file when maxvalidtime is less than the time it takes to transfer
https://bz.apache.org/bugzilla/show_bug.cgi?id=66535

--- Comment #3 from Mark Thomas ---

This is the commit that introduced maxValidTime
https://github.com/apache/tomcat/commit/4364cbc8d1f5cc6dbe9be0132d92e593ef67346c

Having looked at the commit, I think the intention could be taken to be either possibility. On balance, it does seem odd to remove the FileMessageFactory while messages are still being written. Therefore, I intend to look at the possibility of making this truly an idle time with the code and documentation updated/clarified accordingly.
[tomcat] branch 8.5.x updated: Code clean-up. Reformatting. No functional change.
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/8.5.x by this push: new 079aff3eab Code clean-up. Reformatting. No functional change. 079aff3eab is described below commit 079aff3eaba471e0811e01f4d7495785b9a90e96 Author: Mark Thomas AuthorDate: Wed Mar 22 17:37:28 2023 + Code clean-up. Reformatting. No functional change. --- .../apache/catalina/ha/deploy/FarmWarDeployer.java | 247 + .../catalina/ha/deploy/FileChangeListener.java | 2 + .../org/apache/catalina/ha/deploy/FileMessage.java | 21 +- .../catalina/ha/deploy/FileMessageFactory.java | 157 ++--- .../apache/catalina/ha/deploy/UndeployMessage.java | 9 +- java/org/apache/catalina/ha/deploy/WarWatcher.java | 45 ++-- 6 files changed, 203 insertions(+), 278 deletions(-) diff --git a/java/org/apache/catalina/ha/deploy/FarmWarDeployer.java b/java/org/apache/catalina/ha/deploy/FarmWarDeployer.java index 89ca086cd0..53adb34d39 100644 --- a/java/org/apache/catalina/ha/deploy/FarmWarDeployer.java +++ b/java/org/apache/catalina/ha/deploy/FarmWarDeployer.java 
@@ -41,23 +41,19 @@ import org.apache.tomcat.util.res.StringManager; /** * - * A farm war deployer is a class that is able to deploy/undeploy web - * applications in WAR from within the cluster. + * A farm war deployer is a class that is able to deploy/undeploy web applications in WAR from within the cluster. * * Any host can act as the admin, and will have three directories * * watchDir - the directory where we watch for changes * deployDir - the directory where we install applications - * tempDir - a temporaryDirectory to store binary data when downloading a - * war from the cluster + * tempDir - a temporaryDirectory to store binary data when downloading a war from the cluster * - * Currently we only support deployment of WAR files since they are easier to - * send across the wire. + * Currently we only support deployment of WAR files since they are easier to send across the wire. * * @author Peter Rossbach */ -public class FarmWarDeployer extends ClusterListener -implements ClusterDeployer, FileChangeListener { +public class FarmWarDeployer extends ClusterListener implements ClusterDeployer, FileChangeListener { /*--Static Variables*/ private static final Log log = LogFactory.getLog(FarmWarDeployer.class); private static final StringManager sm = StringManager.getManager(FarmWarDeployer.class); @@ -65,8 +61,7 @@ public class FarmWarDeployer extends ClusterListener /*--Instance Variables--*/ protected boolean started = false; -protected final HashMap fileFactories = -new HashMap<>(); +protected final HashMap fileFactories = new HashMap<>(); /** * Deployment directory. 
@@ -96,9 +91,8 @@ public class FarmWarDeployer extends ClusterListener private int count = 0; /** - * Frequency of the Farm watchDir check. Cluster wide deployment will be - * done once for the specified amount of backgroundProcess calls (ie, the - * lower the amount, the most often the checks will occur). + * Frequency of the Farm watchDir check. Cluster wide deployment will be done once for the specified amount of + * backgroundProcess calls (ie, the lower the amount, the most often the checks will occur). */ protected int processDeployFrequency = 2; @@ -138,35 +132,31 @@ public class FarmWarDeployer extends ClusterListener return; } Container hcontainer = getCluster().getContainer(); -if(!(hcontainer instanceof Host)) { +if (!(hcontainer instanceof Host)) { log.error(sm.getString("farmWarDeployer.hostOnly")); -return ; +return; } host = (Host) hcontainer; // Check to correct engine and host setup Container econtainer = host.getParent(); -if(!(econtainer instanceof Engine)) { -log.error(sm.getString("farmWarDeployer.hostParentEngine", -host.getName())); -return ; +if (!(econtainer instanceof Engine)) { +log.error(sm.getString("farmWarDeployer.hostParentEngine", host.getName())); +return; } Engine engine = (Engine) econtainer; String hostname = null; hostname = host.getName(); try { -oname = new ObjectName(engine.getName() + ":type=Deployer,host=" -+ hostname); +oname = new ObjectName(engine.getName() + ":type=Deployer,host=" + hostname); } catch (Exception e) { -log.error(sm.getString("farmWarDeployer.mbeanNameFail", -engine.getName(), hostname),e); +
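Review bot: the rewrapped Javadoc in the first hunk (@@ -41,23 +41,19 @@) carries "temporaryDirectory" into the new line "+ * tempDir - a temporaryDirectory to store binary data when downloading a war from the cluster"; since that line is being rewritten anyway, make it "a temporary directory". The same line is in the identical 9.0.x, 10.1.x and main commits in this digest.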
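Review bot: the rewrapped comment in the @@ -96,9 +91,8 @@ hunk keeps "the lower the amount, the most often the checks will occur" in "+ * backgroundProcess calls (ie, the lower the amount, the most often the checks will occur)."; it should read "the more often the checks will occur", and "ie" is normally written "i.e.". The text is already being touched, so the wording fix costs nothing, and the same applies to the 9.0.x, 10.1.x and main copies below.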
[tomcat] branch 9.0.x updated: Code clean-up. Reformatting. No functional change.
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new aeed29e58a Code clean-up. Reformatting. No functional change. aeed29e58a is described below commit aeed29e58ab539bbd89071f15b53eda8d2c372b2 Author: Mark Thomas AuthorDate: Wed Mar 22 17:37:12 2023 + Code clean-up. Reformatting. No functional change. --- .../apache/catalina/ha/deploy/FarmWarDeployer.java | 247 + .../catalina/ha/deploy/FileChangeListener.java | 2 + .../org/apache/catalina/ha/deploy/FileMessage.java | 21 +- .../catalina/ha/deploy/FileMessageFactory.java | 158 ++--- .../apache/catalina/ha/deploy/UndeployMessage.java | 9 +- java/org/apache/catalina/ha/deploy/WarWatcher.java | 45 ++-- 6 files changed, 204 insertions(+), 278 deletions(-) diff --git a/java/org/apache/catalina/ha/deploy/FarmWarDeployer.java b/java/org/apache/catalina/ha/deploy/FarmWarDeployer.java index a2ad8d3c3d..bb1b9a02a9 100644 --- a/java/org/apache/catalina/ha/deploy/FarmWarDeployer.java +++ b/java/org/apache/catalina/ha/deploy/FarmWarDeployer.java 
@@ -41,23 +41,19 @@ import org.apache.tomcat.util.res.StringManager; /** * - * A farm war deployer is a class that is able to deploy/undeploy web - * applications in WAR from within the cluster. + * A farm war deployer is a class that is able to deploy/undeploy web applications in WAR from within the cluster. * * Any host can act as the admin, and will have three directories * * watchDir - the directory where we watch for changes * deployDir - the directory where we install applications - * tempDir - a temporaryDirectory to store binary data when downloading a - * war from the cluster + * tempDir - a temporaryDirectory to store binary data when downloading a war from the cluster * - * Currently we only support deployment of WAR files since they are easier to - * send across the wire. + * Currently we only support deployment of WAR files since they are easier to send across the wire. * * @author Peter Rossbach */ -public class FarmWarDeployer extends ClusterListener -implements ClusterDeployer, FileChangeListener { +public class FarmWarDeployer extends ClusterListener implements ClusterDeployer, FileChangeListener { /*--Static Variables*/ private static final Log log = LogFactory.getLog(FarmWarDeployer.class); private static final StringManager sm = StringManager.getManager(FarmWarDeployer.class); @@ -65,8 +61,7 @@ public class FarmWarDeployer extends ClusterListener /*--Instance Variables--*/ protected boolean started = false; -protected final HashMap fileFactories = -new HashMap<>(); +protected final HashMap fileFactories = new HashMap<>(); /** * Deployment directory. 
@@ -96,9 +91,8 @@ public class FarmWarDeployer extends ClusterListener private int count = 0; /** - * Frequency of the Farm watchDir check. Cluster wide deployment will be - * done once for the specified amount of backgroundProcess calls (ie, the - * lower the amount, the most often the checks will occur). + * Frequency of the Farm watchDir check. Cluster wide deployment will be done once for the specified amount of + * backgroundProcess calls (ie, the lower the amount, the most often the checks will occur). */ protected int processDeployFrequency = 2; @@ -138,35 +132,31 @@ public class FarmWarDeployer extends ClusterListener return; } Container hcontainer = getCluster().getContainer(); -if(!(hcontainer instanceof Host)) { +if (!(hcontainer instanceof Host)) { log.error(sm.getString("farmWarDeployer.hostOnly")); -return ; +return; } host = (Host) hcontainer; // Check to correct engine and host setup Container econtainer = host.getParent(); -if(!(econtainer instanceof Engine)) { -log.error(sm.getString("farmWarDeployer.hostParentEngine", -host.getName())); -return ; +if (!(econtainer instanceof Engine)) { +log.error(sm.getString("farmWarDeployer.hostParentEngine", host.getName())); +return; } Engine engine = (Engine) econtainer; String hostname = null; hostname = host.getName(); try { -oname = new ObjectName(engine.getName() + ":type=Deployer,host=" -+ hostname); +oname = new ObjectName(engine.getName() + ":type=Deployer,host=" + hostname); } catch (Exception e) { -log.error(sm.getString("farmWarDeployer.mbeanNameFail", -engine.getName(), hostname),e); +
[tomcat] branch 10.1.x updated: Code clean-up. Reformatting. No functional change.
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.1.x by this push: new afd98cc8f3 Code clean-up. Reformatting. No functional change. afd98cc8f3 is described below commit afd98cc8f36be9cbe92d6960344676d947f6087c Author: Mark Thomas AuthorDate: Wed Mar 22 17:36:49 2023 + Code clean-up. Reformatting. No functional change. --- .../apache/catalina/ha/deploy/FarmWarDeployer.java | 226 - .../catalina/ha/deploy/FileChangeListener.java | 2 + .../org/apache/catalina/ha/deploy/FileMessage.java | 21 +- .../catalina/ha/deploy/FileMessageFactory.java | 145 ++--- .../apache/catalina/ha/deploy/UndeployMessage.java | 9 +- java/org/apache/catalina/ha/deploy/WarWatcher.java | 45 ++-- 6 files changed, 185 insertions(+), 263 deletions(-) diff --git a/java/org/apache/catalina/ha/deploy/FarmWarDeployer.java b/java/org/apache/catalina/ha/deploy/FarmWarDeployer.java index 90cb979243..0c07a8ac13 100644 --- a/java/org/apache/catalina/ha/deploy/FarmWarDeployer.java +++ b/java/org/apache/catalina/ha/deploy/FarmWarDeployer.java 
@@ -41,23 +41,19 @@ import org.apache.tomcat.util.res.StringManager; /** * - * A farm war deployer is a class that is able to deploy/undeploy web - * applications in WAR from within the cluster. + * A farm war deployer is a class that is able to deploy/undeploy web applications in WAR from within the cluster. * * Any host can act as the admin, and will have three directories * * watchDir - the directory where we watch for changes * deployDir - the directory where we install applications - * tempDir - a temporaryDirectory to store binary data when downloading a - * war from the cluster + * tempDir - a temporaryDirectory to store binary data when downloading a war from the cluster * - * Currently we only support deployment of WAR files since they are easier to - * send across the wire. + * Currently we only support deployment of WAR files since they are easier to send across the wire. * * @author Peter Rossbach */ -public class FarmWarDeployer extends ClusterListener -implements ClusterDeployer, FileChangeListener { +public class FarmWarDeployer extends ClusterListener implements ClusterDeployer, FileChangeListener { /*--Static Variables*/ private static final Log log = LogFactory.getLog(FarmWarDeployer.class); private static final StringManager sm = StringManager.getManager(FarmWarDeployer.class); @@ -65,8 +61,7 @@ public class FarmWarDeployer extends ClusterListener /*--Instance Variables--*/ protected boolean started = false; -protected final HashMap fileFactories = -new HashMap<>(); +protected final HashMap fileFactories = new HashMap<>(); /** * Deployment directory. 
@@ -96,9 +91,8 @@ public class FarmWarDeployer extends ClusterListener private int count = 0; /** - * Frequency of the Farm watchDir check. Cluster wide deployment will be - * done once for the specified amount of backgroundProcess calls (ie, the - * lower the amount, the most often the checks will occur). + * Frequency of the Farm watchDir check. Cluster wide deployment will be done once for the specified amount of + * backgroundProcess calls (ie, the lower the amount, the most often the checks will occur). */ protected int processDeployFrequency = 2; @@ -138,35 +132,31 @@ public class FarmWarDeployer extends ClusterListener return; } Container hcontainer = getCluster().getContainer(); -if(!(hcontainer instanceof Host)) { +if (!(hcontainer instanceof Host)) { log.error(sm.getString("farmWarDeployer.hostOnly")); -return ; +return; } host = (Host) hcontainer; // Check to correct engine and host setup Container econtainer = host.getParent(); -if(!(econtainer instanceof Engine)) { -log.error(sm.getString("farmWarDeployer.hostParentEngine", -host.getName())); -return ; +if (!(econtainer instanceof Engine)) { +log.error(sm.getString("farmWarDeployer.hostParentEngine", host.getName())); +return; } Engine engine = (Engine) econtainer; String hostname = null; hostname = host.getName(); try { -oname = new ObjectName(engine.getName() + ":type=Deployer,host=" -+ hostname); +oname = new ObjectName(engine.getName() + ":type=Deployer,host=" + hostname); } catch (Exception e) { -log.error(sm.getString("farmWarDeployer.mbeanNameFail", -engine.getName(), hostname),e); +
[tomcat] branch main updated: Code clean-up. Reformatting. No functional change.
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new e7cd552c75 Code clean-up. Reformatting. No functional change. e7cd552c75 is described below commit e7cd552c75ea3ffa393749a9ff60bfd35437a2fa Author: Mark Thomas AuthorDate: Wed Mar 22 17:36:02 2023 + Code clean-up. Reformatting. No functional change. --- .../apache/catalina/ha/deploy/FarmWarDeployer.java | 226 - .../catalina/ha/deploy/FileChangeListener.java | 2 + .../org/apache/catalina/ha/deploy/FileMessage.java | 21 +- .../catalina/ha/deploy/FileMessageFactory.java | 145 ++--- .../apache/catalina/ha/deploy/UndeployMessage.java | 9 +- java/org/apache/catalina/ha/deploy/WarWatcher.java | 45 ++-- 6 files changed, 185 insertions(+), 263 deletions(-) diff --git a/java/org/apache/catalina/ha/deploy/FarmWarDeployer.java b/java/org/apache/catalina/ha/deploy/FarmWarDeployer.java index 90cb979243..0c07a8ac13 100644 --- a/java/org/apache/catalina/ha/deploy/FarmWarDeployer.java +++ b/java/org/apache/catalina/ha/deploy/FarmWarDeployer.java 
@@ -41,23 +41,19 @@ import org.apache.tomcat.util.res.StringManager; /** * - * A farm war deployer is a class that is able to deploy/undeploy web - * applications in WAR from within the cluster. + * A farm war deployer is a class that is able to deploy/undeploy web applications in WAR from within the cluster. * * Any host can act as the admin, and will have three directories * * watchDir - the directory where we watch for changes * deployDir - the directory where we install applications - * tempDir - a temporaryDirectory to store binary data when downloading a - * war from the cluster + * tempDir - a temporaryDirectory to store binary data when downloading a war from the cluster * - * Currently we only support deployment of WAR files since they are easier to - * send across the wire. + * Currently we only support deployment of WAR files since they are easier to send across the wire. * * @author Peter Rossbach */ -public class FarmWarDeployer extends ClusterListener -implements ClusterDeployer, FileChangeListener { +public class FarmWarDeployer extends ClusterListener implements ClusterDeployer, FileChangeListener { /*--Static Variables*/ private static final Log log = LogFactory.getLog(FarmWarDeployer.class); private static final StringManager sm = StringManager.getManager(FarmWarDeployer.class); @@ -65,8 +61,7 @@ public class FarmWarDeployer extends ClusterListener /*--Instance Variables--*/ protected boolean started = false; -protected final HashMap fileFactories = -new HashMap<>(); +protected final HashMap fileFactories = new HashMap<>(); /** * Deployment directory. 
@@ -96,9 +91,8 @@ public class FarmWarDeployer extends ClusterListener private int count = 0; /** - * Frequency of the Farm watchDir check. Cluster wide deployment will be - * done once for the specified amount of backgroundProcess calls (ie, the - * lower the amount, the most often the checks will occur). + * Frequency of the Farm watchDir check. Cluster wide deployment will be done once for the specified amount of + * backgroundProcess calls (ie, the lower the amount, the most often the checks will occur). */ protected int processDeployFrequency = 2; @@ -138,35 +132,31 @@ public class FarmWarDeployer extends ClusterListener return; } Container hcontainer = getCluster().getContainer(); -if(!(hcontainer instanceof Host)) { +if (!(hcontainer instanceof Host)) { log.error(sm.getString("farmWarDeployer.hostOnly")); -return ; +return; } host = (Host) hcontainer; // Check to correct engine and host setup Container econtainer = host.getParent(); -if(!(econtainer instanceof Engine)) { -log.error(sm.getString("farmWarDeployer.hostParentEngine", -host.getName())); -return ; +if (!(econtainer instanceof Engine)) { +log.error(sm.getString("farmWarDeployer.hostParentEngine", host.getName())); +return; } Engine engine = (Engine) econtainer; String hostname = null; hostname = host.getName(); try { -oname = new ObjectName(engine.getName() + ":type=Deployer,host=" -+ hostname); +oname = new ObjectName(engine.getName() + ":type=Deployer,host=" + hostname); } catch (Exception e) { -log.error(sm.getString("farmWarDeployer.mbeanNameFail", -engine.getName(), hostname),e); +
[Bug 66536] tagsfiles seem to be compiled with the wrong source encoding
https://bz.apache.org/bugzilla/show_bug.cgi?id=66536

Mark Thomas changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #1 from Mark Thomas ---

Thanks for the report. I can confirm that this is a Tomcat bug.

Fixed in:
- 11.0.x for 11.0.0-M5 onwards
- 10.1.x for 10.1.8 onwards
- 9.0.x for 9.0.74 onwards
- 8.5.x for 8.5.88 onwards

If you want a short-term work-around, add a single space character after <%@tag and before the newline.
[tomcat] branch 8.5.x updated: Fix BZ 66536 - tag directives could be ignored for some pages
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/8.5.x by this push: new 1d29e7940b Fix BZ 66536 - tag directives could be ignored for some pages 1d29e7940b is described below commit 1d29e7940b2bc7a2eb6cf173d4cc4451091074d0 Author: Mark Thomas AuthorDate: Wed Mar 22 17:14:32 2023 + Fix BZ 66536 - tag directives could be ignored for some pages https://bz.apache.org/bugzilla/show_bug.cgi?id=66536 --- java/org/apache/jasper/compiler/ParserController.java | 4 ++-- webapps/docs/changelog.xml| 8 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/java/org/apache/jasper/compiler/ParserController.java b/java/org/apache/jasper/compiler/ParserController.java index 3992454195..67e75fc07f 100644 --- a/java/org/apache/jasper/compiler/ParserController.java +++ b/java/org/apache/jasper/compiler/ParserController.java @@ -453,8 +453,8 @@ class ParserController implements TagConstants { continue; } -// compare for "tag ", so we don't match "taglib" -if (jspReader.matches("tag ") || jspReader.matches("page")) { +// Want to match tag and page but not taglib +if (jspReader.matches("tag") && !jspReader.matches("lib") || jspReader.matches("page")) { jspReader.skipSpaces(); Attributes attrs = Parser.parseAttributes(this, jspReader); diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index c2423794f4..361b5a9b45 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -173,6 +173,14 @@ + + + +66536: Fix parsing of tag files that meant that tag +directives could be ignored for some tag files. (markt) + + + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
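Review bot: the rewritten condition in the ParserController.java hunk, `if (jspReader.matches("tag") && !jspReader.matches("lib") || jspReader.matches("page"))`, depends on `&&` binding tighter than `||`; it evaluates as intended ((tag and not lib) or page), but explicit parentheses would spare the next reader the precedence check. Two further points: if `matches` advances the reader on success, as the old `matches("tag ")` followed by `skipSpaces()` suggests, a successful `matches("lib")` leaves the cursor past "taglib" where the old code consumed nothing on a non-match, so confirm the rest of the loop tolerates that; and the diffstat lists only ParserController.java and changelog.xml, so a test with a tag file whose directive is `<%@tag` immediately followed by a newline (the case the old "tag " comparison missed) would pin the fix. The same hunk appears in the 9.0.x and main commits below.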
[tomcat] branch 9.0.x updated: Fix BZ 66536 - tag directives could be ignored for some pages
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new d7d4ea51af Fix BZ 66536 - tag directives could be ignored for some pages d7d4ea51af is described below commit d7d4ea51affb4e994ed521d229eaedd204605a69 Author: Mark Thomas AuthorDate: Wed Mar 22 17:14:32 2023 + Fix BZ 66536 - tag directives could be ignored for some pages https://bz.apache.org/bugzilla/show_bug.cgi?id=66536 --- java/org/apache/jasper/compiler/ParserController.java | 4 ++-- webapps/docs/changelog.xml| 8 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/java/org/apache/jasper/compiler/ParserController.java b/java/org/apache/jasper/compiler/ParserController.java index 2cba1fbb14..01e2b2a336 100644 --- a/java/org/apache/jasper/compiler/ParserController.java +++ b/java/org/apache/jasper/compiler/ParserController.java @@ -453,8 +453,8 @@ class ParserController implements TagConstants { continue; } -// compare for "tag ", so we don't match "taglib" -if (jspReader.matches("tag ") || jspReader.matches("page")) { +// Want to match tag and page but not taglib +if (jspReader.matches("tag") && !jspReader.matches("lib") || jspReader.matches("page")) { jspReader.skipSpaces(); Attributes attrs = Parser.parseAttributes(this, jspReader); diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 6a5181783d..d90a53092b 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -178,6 +178,14 @@ + + + +66536: Fix parsing of tag files that meant that tag +directives could be ignored for some tag files. (markt) + + + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch main updated: Fix BZ 66536 - tag directives could be ignored for some pages
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new 46188bfd9c Fix BZ 66536 - tag directives could be ignored for some pages 46188bfd9c is described below commit 46188bfd9c02968a3d1570cf03315ec14b802a89 Author: Mark Thomas AuthorDate: Wed Mar 22 17:14:32 2023 + Fix BZ 66536 - tag directives could be ignored for some pages https://bz.apache.org/bugzilla/show_bug.cgi?id=66536 --- java/org/apache/jasper/compiler/ParserController.java | 4 ++-- webapps/docs/changelog.xml| 4 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/java/org/apache/jasper/compiler/ParserController.java b/java/org/apache/jasper/compiler/ParserController.java index 2cba1fbb14..01e2b2a336 100644 --- a/java/org/apache/jasper/compiler/ParserController.java +++ b/java/org/apache/jasper/compiler/ParserController.java @@ -453,8 +453,8 @@ class ParserController implements TagConstants { continue; } -// compare for "tag ", so we don't match "taglib" -if (jspReader.matches("tag ") || jspReader.matches("page")) { +// Want to match tag and page but not taglib +if (jspReader.matches("tag") && !jspReader.matches("lib") || jspReader.matches("page")) { jspReader.skipSpaces(); Attributes attrs = Parser.parseAttributes(this, jspReader); diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index bc6e5f40b8..db19e925d8 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -200,6 +200,10 @@ LambdaExpression to a functional interface invocation failed. (markt) + +66536: Fix parsing of tag files that meant that tag +directives could be ignored for some tag files. (markt) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 10.1.x updated: Fix BZ 66536 - tag directives could be ignored for some pages
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.1.x by this push: new 6029b5e9f7 Fix BZ 66536 - tag directives could be ignored for some pages 6029b5e9f7 is described below commit 6029b5e9f71c97187cc7c0dea4cd1c9f2919679e Author: Mark Thomas AuthorDate: Wed Mar 22 17:14:32 2023 + Fix BZ 66536 - tag directives could be ignored for some pages https://bz.apache.org/bugzilla/show_bug.cgi?id=66536 --- java/org/apache/jasper/compiler/ParserController.java | 4 ++-- webapps/docs/changelog.xml| 4 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/java/org/apache/jasper/compiler/ParserController.java b/java/org/apache/jasper/compiler/ParserController.java index 2cba1fbb14..01e2b2a336 100644 --- a/java/org/apache/jasper/compiler/ParserController.java +++ b/java/org/apache/jasper/compiler/ParserController.java @@ -453,8 +453,8 @@ class ParserController implements TagConstants { continue; } -// compare for "tag ", so we don't match "taglib" -if (jspReader.matches("tag ") || jspReader.matches("page")) { +// Want to match tag and page but not taglib +if (jspReader.matches("tag") && !jspReader.matches("lib") || jspReader.matches("page")) { jspReader.skipSpaces(); Attributes attrs = Parser.parseAttributes(this, jspReader); diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 94a54599f8..d35700aadf 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -185,6 +185,10 @@ LambdaExpression to a functional interface invocation failed. (markt) + +66536: Fix parsing of tag files that meant that tag +directives could be ignored for some tag files. (markt) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 9.0.x updated: Remove spaces
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new 66a9a3d437 Remove spaces 66a9a3d437 is described below commit 66a9a3d43750777f4629e3ab9f1d6f6d0555c14d Author: Mark Thomas AuthorDate: Wed Mar 22 16:17:16 2023 + Remove spaces --- webapps/docs/changelog.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index c7a09f13b6..6a5181783d 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -149,7 +149,7 @@ Expand the set of HTTP request headers considered sensitive that should be skipped when generating a response to a TRACE request. -This aligns with 11.0.x. (markt) +This aligns with 11.0.x. (markt) - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 10.1.x updated: Remove spaces
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.1.x by this push: new 8b52ae7a55 Remove spaces 8b52ae7a55 is described below commit 8b52ae7a555b546785de2d0c21be7a60c4708325 Author: Mark Thomas AuthorDate: Wed Mar 22 16:17:16 2023 + Remove spaces --- webapps/docs/changelog.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 8dd6c08408..94a54599f8 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -149,7 +149,7 @@ Expand the set of HTTP request headers considered sensitive that should be skipped when generating a response to a TRACE request. -This aligns with 11.0.x. (markt) +This aligns with 11.0.x. (markt) - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch main updated: Remove spaces
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new 5d1c1ac2c7 Remove spaces 5d1c1ac2c7 is described below commit 5d1c1ac2c77b4bec388984f813d7833079d4fa07 Author: Mark Thomas AuthorDate: Wed Mar 22 16:17:16 2023 + Remove spaces --- webapps/docs/changelog.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index d7034c69b8..bc6e5f40b8 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -164,7 +164,7 @@ Expand the set of HTTP request headers considered sensitive that should be skipped when generating a response to a TRACE request. This aligns with the current draft of the Servlet 6.1 specification. -(markt) +(markt) - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 9.0.x updated: Update handling of sensitive methods for TRACE
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new 10fb0de3a5 Update handling of sensitive methods for TRACE 10fb0de3a5 is described below commit 10fb0de3a5e87906574e3db9a026a534f108e193 Author: Mark Thomas AuthorDate: Wed Mar 22 14:56:46 2023 + Update handling of sensitive methods for TRACE List of headers aligns with Tomcat 11.0.x --- java/javax/servlet/http/HttpServlet.java | 45 +--- webapps/docs/changelog.xml | 5 2 files changed, 41 insertions(+), 9 deletions(-) diff --git a/java/javax/servlet/http/HttpServlet.java b/java/javax/servlet/http/HttpServlet.java index 0cefd0ea07..84e8e1971c 100644 --- a/java/javax/servlet/http/HttpServlet.java +++ b/java/javax/servlet/http/HttpServlet.java @@ -24,11 +24,11 @@ import java.io.Writer; import java.lang.reflect.InvocationTargetException; import java.lang.reflect.Method; import java.text.MessageFormat; +import java.util.Arrays; import java.util.Enumeration; -import java.util.HashSet; +import java.util.List; import java.util.Locale; import java.util.ResourceBundle; -import java.util.Set; import javax.servlet.AsyncEvent; import javax.servlet.AsyncListener; @@ -82,14 +82,10 @@ public abstract class HttpServlet extends GenericServlet { private static final String LSTRING_FILE = "javax.servlet.http.LocalStrings"; private static final ResourceBundle lStrings = ResourceBundle.getBundle(LSTRING_FILE); -private static final Set SENSITIVE_HTTP_HEADERS = new HashSet<>(); +private static final List SENSITIVE_HTTP_HEADERS = Arrays.asList("authorization", "cookie", "x-forwarded", +"forwarded", "proxy-authorization"); -static { -SENSITIVE_HTTP_HEADERS.add("cookie"); -SENSITIVE_HTTP_HEADERS.add("authorization"); -} - /** * Does nothing, because this is an abstract class. 
@@ -456,7 +452,7 @@ public abstract class HttpServlet extends GenericServlet { while (reqHeaderNames.hasMoreElements()) { String headerName = reqHeaderNames.nextElement(); // RFC 7231, 4.3.8 - skip 'sensitive' headers -if (!SENSITIVE_HTTP_HEADERS.contains(headerName.toLowerCase(Locale.ENGLISH))) { +if (!isSensitiveHeader(headerName)) { Enumeration headerValues = req.getHeaders(headerName); while (headerValues.hasMoreElements()) { String headerValue = headerValues.nextElement(); @@ -477,6 +473,37 @@ public abstract class HttpServlet extends GenericServlet { } +/** + * Is the provided HTTP request header considered sensitive and therefore should be excluded from the response to a + * {@code TRACE} request? + * + * By default, the headers that start with any of the following are considered sensitive: + * + * authorization + * cookie + * x-forwarded + * forwarded + * proxy-authorization + * + * + * Note that HTTP header names are case insensitive. + * + * @param headerName the name of the HTTP request header to test + * + * @return (@code true} if the HTTP request header is considered sensitive and should be excluded from the response + * to a {@code TRACE} request, otherwise {@code false} + */ +private boolean isSensitiveHeader(String headerName) { +String lcHeaderName = headerName.toLowerCase(Locale.ENGLISH); +for (String sensitiveHeaderName : SENSITIVE_HTTP_HEADERS) { +if (lcHeaderName.startsWith(sensitiveHeaderName)) { +return true; +} +} +return false; +} + + /** * Receives standard HTTP requests from the public service method and dispatches them to the * doMethod methods defined in this class. This method is an HTTP-specific version of the diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 5b5f755ed6..c7a09f13b6 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml 
@@ -146,6 +146,11 @@ Add support code for custom user attributes in RealmBase. Based on code from 473 by Carsten Klein. (remm) + +Expand the set of HTTP request headers considered sensitive that should +be skipped when generating a response to a TRACE request. +This aligns with 11.0.x. (markt) +
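Review bot: the `@return` line of the new Javadoc has `(@code true}` where `{@code true}` is meant; the same typo appears in the 10.1.x and main versions of this change. On the matching logic, moving from an exact `Set.contains` to `startsWith` on a lower-cased name is a deliberate widening: `X-Forwarded-For`, `X-Forwarded-Proto`, `Proxy-Authorization` and any `Cookie*` variant are now all kept out of the TRACE echo, which is the safe direction, and lower-casing with `Locale.ENGLISH` avoids locale-dependent case mapping. Because it is a prefix match, a custom header whose name merely starts with `forwarded` or `cookie` is suppressed too, and with `isSensitiveHeader` being `private` on this branch a subclass cannot adjust that; the changelog entry should say the match is now by prefix, since the Javadoc of a private method is not where users will look.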
[tomcat] branch 10.1.x updated (ac33fb7ba3 -> d81dc233b5)
This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git

from ac33fb7ba3 Fix formatting in XML source that results in an unwanted space in the final documentation.
 new 3d6196c22a Update handling of sensitive methods for TRACE
 new d81dc233b5 Update handling of sensitive methods for TRACE

The 2 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.

Summary of changes:
 java/jakarta/servlet/http/HttpServlet.java | 45 --
 webapps/docs/changelog.xml | 5
 2 files changed, 41 insertions(+), 9 deletions(-)
[tomcat] 02/02: Update handling of sensitive methods for TRACE
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit d81dc233b5d7433576c5c1cca7712e16358b5c9c Author: Mark Thomas AuthorDate: Wed Mar 22 15:00:40 2023 + Update handling of sensitive methods for TRACE List of headers aligns with 11.0.x --- java/jakarta/servlet/http/HttpServlet.java | 6 ++ webapps/docs/changelog.xml | 3 +-- 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/java/jakarta/servlet/http/HttpServlet.java b/java/jakarta/servlet/http/HttpServlet.java index 72934570de..83942847ce 100644 --- a/java/jakarta/servlet/http/HttpServlet.java +++ b/java/jakarta/servlet/http/HttpServlet.java @@ -512,7 +512,7 @@ public abstract class HttpServlet extends GenericServlet { * Is the provided HTTP request header considered sensitive and therefore should be excluded from the response to a * {@code TRACE} request? * - * By default, the headers thats start with any of the following are considered sensitive: + * By default, the headers that start with any of the following are considered sensitive: * * authorization * cookie @@ -527,10 +527,8 @@ public abstract class HttpServlet extends GenericServlet { * * @return (@code true} if the HTTP request header is considered sensitive and should be excluded from the response * to a {@code TRACE} request, otherwise {@code false} - * - * @since Servlet 6.1 */ -protected boolean isSensitiveHeader(String headerName) { +private boolean isSensitiveHeader(String headerName) { String lcHeaderName = headerName.toLowerCase(Locale.ENGLISH); for (String sensitiveHeaderName : SENSITIVE_HTTP_HEADERS) { if (lcHeaderName.startsWith(sensitiveHeaderName)) { diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 34cea70a65..8dd6c08408 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml 
@@ -149,8 +149,7 @@ Expand the set of HTTP request headers considered sensitive that should be skipped when generating a response to a TRACE request. -This aligns with the current draft of the Servlet 6.1 specification. -(markt) +This aligns with 11.0.x. (markt)
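Review bot: this follow-up changes `isSensitiveHeader` from `protected` back to `private` and drops the `@since Servlet 6.1` tag, which undoes the "new protected method to allow customization" that the 01/02 commit message on this same branch announced. If the intent is to keep API additions off 10.1.x, the commit message should say so: "List of headers aligns with 11.0.x" describes the changelog edit but not the visibility change, and anyone reading the two commits in sequence will otherwise wonder whether the removal was accidental. The `thats start` fix in the same hunk is good, but `(@code true}` in the `@return` line is still wrong.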
[tomcat] 01/02: Update handling of sensitive methods for TRACE
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 3d6196c22ad24e28f3a5bdf7f312bdfd0d9ea8d4 Author: Mark Thomas AuthorDate: Wed Mar 22 14:56:46 2023 + Update handling of sensitive methods for TRACE List of headers aligns with Servlet 6.1 Add new protected method to allow customization --- java/jakarta/servlet/http/HttpServlet.java | 47 -- webapps/docs/changelog.xml | 6 2 files changed, 44 insertions(+), 9 deletions(-) diff --git a/java/jakarta/servlet/http/HttpServlet.java b/java/jakarta/servlet/http/HttpServlet.java index aec57d5e56..72934570de 100644 --- a/java/jakarta/servlet/http/HttpServlet.java +++ b/java/jakarta/servlet/http/HttpServlet.java @@ -24,11 +24,11 @@ import java.io.Writer; import java.lang.reflect.InvocationTargetException; import java.lang.reflect.Method; import java.text.MessageFormat; +import java.util.Arrays; import java.util.Enumeration; -import java.util.HashSet; +import java.util.List; import java.util.Locale; import java.util.ResourceBundle; -import java.util.Set; import jakarta.servlet.AsyncEvent; import jakarta.servlet.AsyncListener; @@ -84,7 +84,8 @@ public abstract class HttpServlet extends GenericServlet { private static final String LSTRING_FILE = "jakarta.servlet.http.LocalStrings"; private static final ResourceBundle lStrings = ResourceBundle.getBundle(LSTRING_FILE); -private static final Set SENSITIVE_HTTP_HEADERS = new HashSet<>(); +private static final List SENSITIVE_HTTP_HEADERS = Arrays.asList("authorization", "cookie", "x-forwarded", +"forwarded", "proxy-authorization"); /** * @deprecated May be removed in a future release @@ -106,11 +107,6 @@ public abstract class HttpServlet extends GenericServlet { */ private volatile boolean cachedUseLegacyDoHead; -static { -SENSITIVE_HTTP_HEADERS.add("cookie"); -SENSITIVE_HTTP_HEADERS.add("authorization"); -} - /** * Does nothing, because this is an abstract class. 
@@ -491,7 +487,7 @@ public abstract class HttpServlet extends GenericServlet { while (reqHeaderNames.hasMoreElements()) { String headerName = reqHeaderNames.nextElement(); // RFC 7231, 4.3.8 - skip 'sensitive' headers -if (!SENSITIVE_HTTP_HEADERS.contains(headerName.toLowerCase(Locale.ENGLISH))) { +if (!isSensitiveHeader(headerName)) { Enumeration headerValues = req.getHeaders(headerName); while (headerValues.hasMoreElements()) { String headerValue = headerValues.nextElement(); @@ -512,6 +508,39 @@ public abstract class HttpServlet extends GenericServlet { } +/** + * Is the provided HTTP request header considered sensitive and therefore should be excluded from the response to a + * {@code TRACE} request? + * + * By default, the headers thats start with any of the following are considered sensitive: + * + * authorization + * cookie + * x-forwarded + * forwarded + * proxy-authorization + * + * + * Note that HTTP header names are case insensitive. + * + * @param headerName the name of the HTTP request header to test + * + * @return (@code true} if the HTTP request header is considered sensitive and should be excluded from the response + * to a {@code TRACE} request, otherwise {@code false} + * + * @since Servlet 6.1 + */ +protected boolean isSensitiveHeader(String headerName) { +String lcHeaderName = headerName.toLowerCase(Locale.ENGLISH); +for (String sensitiveHeaderName : SENSITIVE_HTTP_HEADERS) { +if (lcHeaderName.startsWith(sensitiveHeaderName)) { +return true; +} +} +return false; +} + + /** * Receives standard HTTP requests from the public service method and dispatches them to the * doMethod methods defined in this class. This method is an HTTP-specific version of the diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index d2dab6d75c..34cea70a65 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml 
@@ -146,6 +146,12 @@ Add support code for custom user attributes in RealmBase. Based on code from 473 by Carsten Klein. (remm) + +Expand the set of HTTP request headers considered sensitive that should +be skipped when generating a response to a TRACE request. +This aligns with the current draft of the Servlet 6.1 specification. +(markt) +
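Review bot: two Javadoc issues in the added method: `the headers thats start with` should read `that start with`, and `(@code true}` should be `{@code true}`; only the first is corrected by the 02/02 follow-up above. The `@since Servlet 6.1` tag is also questionable when the accompanying changelog entry describes Servlet 6.1 as a current draft; a `@since` pointing at an unreleased specification version is at best provisional, and the follow-up removes it anyway.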
[tomcat] branch main updated: Update handling of sensitive methods for TRACE
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new 4f10a86dee Update handling of sensitive methods for TRACE 4f10a86dee is described below commit 4f10a86dee1f4a357bebd000b6b23e32031a1a27 Author: Mark Thomas AuthorDate: Wed Mar 22 14:56:46 2023 + Update handling of sensitive methods for TRACE List of headers aligns with Servlet 6.1 Add new protected method to allow customization --- java/jakarta/servlet/http/HttpServlet.java | 47 -- webapps/docs/changelog.xml | 6 2 files changed, 44 insertions(+), 9 deletions(-) diff --git a/java/jakarta/servlet/http/HttpServlet.java b/java/jakarta/servlet/http/HttpServlet.java index 15bb6521de..08f317877b 100644 --- a/java/jakarta/servlet/http/HttpServlet.java +++ b/java/jakarta/servlet/http/HttpServlet.java @@ -24,11 +24,11 @@ import java.io.Writer; import java.lang.reflect.InvocationTargetException; import java.lang.reflect.Method; import java.text.MessageFormat; +import java.util.Arrays; import java.util.Enumeration; -import java.util.HashSet; +import java.util.List; import java.util.Locale; import java.util.ResourceBundle; -import java.util.Set; import jakarta.servlet.AsyncEvent; import jakarta.servlet.AsyncListener; @@ -85,7 +85,8 @@ public abstract class HttpServlet extends GenericServlet { private static final String LSTRING_FILE = "jakarta.servlet.http.LocalStrings"; private static final ResourceBundle lStrings = ResourceBundle.getBundle(LSTRING_FILE); -private static final Set SENSITIVE_HTTP_HEADERS = new HashSet<>(); +private static final List SENSITIVE_HTTP_HEADERS = Arrays.asList("authorization", "cookie", "x-forwarded", +"forwarded", "proxy-authorization"); /** * @deprecated May be removed in a future release 
@@ -107,11 +108,6 @@ public abstract class HttpServlet extends GenericServlet { */ private volatile boolean cachedUseLegacyDoHead; -static { -SENSITIVE_HTTP_HEADERS.add("cookie"); -SENSITIVE_HTTP_HEADERS.add("authorization"); -} - /** * Does nothing, because this is an abstract class. @@ -544,7 +540,7 @@ public abstract class HttpServlet extends GenericServlet { while (reqHeaderNames.hasMoreElements()) { String headerName = reqHeaderNames.nextElement(); // RFC 7231, 4.3.8 - skip 'sensitive' headers -if (!SENSITIVE_HTTP_HEADERS.contains(headerName.toLowerCase(Locale.ENGLISH))) { +if (!isSensitiveHeader(headerName)) { Enumeration headerValues = req.getHeaders(headerName); while (headerValues.hasMoreElements()) { String headerValue = headerValues.nextElement(); @@ -565,6 +561,39 @@ public abstract class HttpServlet extends GenericServlet { } +/** + * Is the provided HTTP request header considered sensitive and therefore should be excluded from the response to a + * {@code TRACE} request? + * + * By default, the headers thats start with any of the following are considered sensitive: + * + * authorization + * cookie + * x-forwarded + * forwarded + * proxy-authorization + * + * + * Note that HTTP header names are case insensitive. + * + * @param headerName the name of the HTTP request header to test + * + * @return (@code true} if the HTTP request header is considered sensitive and should be excluded from the response + * to a {@code TRACE} request, otherwise {@code false} + * + * @since Servlet 6.1 + */ +protected boolean isSensitiveHeader(String headerName) { +String lcHeaderName = headerName.toLowerCase(Locale.ENGLISH); +for (String sensitiveHeaderName : SENSITIVE_HTTP_HEADERS) { +if (lcHeaderName.startsWith(sensitiveHeaderName)) { +return true; +} +} +return false; +} + + /** * Receives standard HTTP requests from the public service method and dispatches them to the * doMethod methods defined in this class. This method is an HTTP-specific version of the 
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index e88e2fdf22..d7034c69b8 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -160,6 +160,12 @@ Add support code for custom user attributes in RealmBase. Based on code from 473 by Carsten Klein. (remm) + +Expand the set of HTTP request headers considered sensitive that should +be skipped when generating a response to a TRACE request. +This aligns with the current draft of the Servlet 6.1 specification. +(markt) +
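Review bot: the same two Javadoc typos as on 10.1.x, `thats start` and `(@code true}`, are present here and nothing in this batch corrects them on main, where `isSensitiveHeader` stays `protected` and its Javadoc is therefore public API documentation. Worth stating in that Javadoc that the default comparison is a case-insensitive prefix match, so an overriding implementation that does `return super.isSensitiveHeader(name) || ...` keeps the `X-Forwarded-*` family covered instead of re-implementing an exact-name check.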
[Bug 66536] tagsfiles seem to be compiled with the wrong source encoding
https://bz.apache.org/bugzilla/show_bug.cgi?id=66536

Holger Klawitter changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|tagsfiles seem to be        |tagsfiles seem to be
                   |compiles with the wrong     |compiled with the wrong
                   |source encoding             |source encoding
[Bug 66536] tagsfiles seem to be compiles with the wrong source encoding
https://bz.apache.org/bugzilla/show_bug.cgi?id=66536

Holger Klawitter changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Version|9.0.69                      |9.0.73
Re: Reduce default for maxParameterCount
Any more thoughts on this?

There hasn't been much movement from the spec EG on this, so my current thinking is to revert this change for 10.1.x and earlier to wait and see what the Servlet EG decides.

Mark

On 15/03/2023 15:05, Mark Thomas wrote:
> On 15/03/2023 11:22, Konstantin Kolinko wrote:
>> On Wed, 15 Mar 2023 at 13:29, Konstantin Kolinko wrote:
>>> On Wed, 15 Mar 2023 at 13:15, Konstantin Kolinko wrote:
>>>> On Wed, 15 Mar 2023 at 12:07, Mark Thomas wrote:
>>>>> On 14/03/2023 21:13, Christopher Schultz wrote:
>>>>>> On 3/14/23 13:57, Mark Thomas wrote:
>>>>>>> On 09/03/2023 14:23, Christopher Schultz wrote:
>>>>>>>> I would go for a 1000 limit for all currently-supported versions. It's *very* easy to raise the limit if it interferes with a specific application's functions.
>>>>>>>>
>>>>>>>> I *would* add an entry in the "notable changes" for each release e.g. https://tomcat.apache.org/migration-10.1.html#Tomcat_10.1.x_noteable_changes
>>>>>>>
>>>>>>> Makes sense. I'll do that.
>>>>>>
>>>>>> -1 unless the behaviour of "silently dropping extra parameters" is changed as well. Silent loss of data is not what I want to see in production.
>>>>>
>>>>> Fair point. Although I'll note that that is exactly what happens if the current limit is exceeded. I accept that, by lowering the limit, it is now more likely that limit will be exceeded. How much more likely I don't know and I don't think we have any reasonable way to determine.
>>>>>
>>>>> Also, the failure isn't completely silent. There will be an INFO log message the first time it happens in a 24 hour period.
>>
>> Proposals:
>>
>> 1. I think that maxParameterCount would better be configured per-Context. The count of parameters is a property of a specific web application.
>
> Makes sense. As a migration path for 10.1.x, 9.0.x and 8.5.x, do we want to make the Connector attribute the default to be used if a value is not explicitly set on the Context? That makes the new feature backwards compatible. We can remove the Connector setting in 11.0.x.
>
>> 2. I wonder if we can make handling of the errors configurable.
>>
>> I think that the following options are possible:
>>
>> a) Drop parameters that exceeded the limit, or failed to decode. This is what we do now.
>>
>> b) If there is any error, ignore all parameters and behave as if none were provided.
>
> I'm wary of doing anything that will cause currently working applications to start breaking.
>
>> c) Blow up by throwing a RuntimeException for any call to Request.getParameter() methods. It may be an IllegalStateException.
>
> This topic (error handling in parameters) is currently under discussion in the Servlet EG (https://github.com/jakartaee/servlet/issues/431). That discussion isn't particularly active but it is one of the current servlet issues on my TODO list so there will hopefully be some progress.
>
>> My first thought was to go with c). I know that it contradicts with Servlet API JavaDoc, but if it is configurable then it is a possible option. I suppose that a web application should have error handling configured and should be able to deal with errors.
>>
>> If we go with c), it requires adding try/catch to safeguard getParameter() calls in the following classes of Tomcat:
>> - org.apache.catalina.filters.FailedRequestFilter
>> - org.apache.catalina.valves.ExtendedAccessLogValve
>> (The ExtendedAccessLogValve can be configured to log the value of a parameter.)
>>
>> 3. I propose to change the default behaviour to b), "ignoring all parameters". The loss of data will be clearly visible to the applications. It would not go unnoted.
>
> In an ideal world, the Servlet spec would have opted for c) from the start.
>
> I wonder if it might not be better to revert this change for 10.1.x and earlier until the Servlet EG resolves #431 and then reconsider our options with (potentially) a new default behaviour in 11.0.x.
>
> If we don't revert then, of the current options:
>
> My concern with both b) and c) is that they could break applications that currently work. I don't like doing that if we don't have to in a point release. That leaves a).
>
> My main concern with a) is how to raise visibility of exceeding the limit. What if we changed the way UserDataHelper works (or introduced something new) that limited the number of log messages per period and thereby avoided the DoS risk via excessive logging but still generated enough log messages to raise awareness of the issue.
>
> Mark
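The thread above weighs three reactions to a request that exceeds maxParameterCount (drop the extra parameters, ignore all of them, or throw on access) and a log limiter that keeps the condition visible without letting excessive logging become a DoS vector of its own. The following is an added example, my own code rather than Tomcat's: it applies the three policies to a query string and includes a per-period log limiter in the spirit of the UserDataHelper idea. The class and function names are assumptions, and the queries used in the test are constructed.

```python
"""Three ways to react when a request carries more parameters than
maxParameterCount allows, plus a log limiter that keeps the condition
visible without turning the log itself into a DoS vector.

Added example, my own code rather than Tomcat's; the class and function
names are assumptions.
"""
from __future__ import annotations

import time
from enum import Enum
from urllib.parse import unquote_plus


class OnLimit(Enum):
    DROP_EXTRA = "a"   # keep the first max_count parameters, drop the rest (current behaviour)
    IGNORE_ALL = "b"   # any problem: behave as if the request had no parameters
    RAISE = "c"        # any problem: accessing the parameters throws


class ParameterLimitExceeded(RuntimeError):
    """Raised under OnLimit.RAISE (the IllegalStateException of the thread)."""


class RateLimitedLog:
    """Emit at most max_per_period messages per period; count and later report the rest.

    The clock is injectable so the behaviour can be tested deterministically;
    `lines` stands in for a real logger.
    """

    def __init__(self, max_per_period: int, period_seconds: float, clock=time.monotonic):
        self.max_per_period = max_per_period
        self.period = period_seconds
        self.clock = clock
        self.window_start = clock()
        self.emitted = 0
        self.suppressed = 0
        self.lines: list[str] = []

    def log(self, message: str) -> bool:
        """Return True if the message was emitted, False if it was suppressed."""
        now = self.clock()
        if now - self.window_start >= self.period:
            if self.suppressed:
                # Summarise what was dropped so the volume stays visible.
                self.lines.append(
                    f"{self.suppressed} similar messages were suppressed in the last {self.period}s")
            self.window_start, self.emitted, self.suppressed = now, 0, 0
        if self.emitted < self.max_per_period:
            self.emitted += 1
            self.lines.append(message)
            return True
        self.suppressed += 1
        return False


def parse_parameters(query: str, max_count: int, policy: OnLimit,
                     log: RateLimitedLog) -> dict[str, list[str]]:
    """Parse application/x-www-form-urlencoded pairs under a count limit.

    Every problem (over the limit, undecodable pair) goes through the
    limiter; what happens to the parameters then depends on the policy.
    """
    params: dict[str, list[str]] = {}
    problems: list[str] = []
    count = 0
    for pair in query.split("&"):
        if pair == "":
            continue
        if count >= max_count:
            problems.append(f"more than maxParameterCount={max_count} parameters")
            break  # the remaining pairs are not even decoded
        raw_key, _, raw_value = pair.partition("=")
        try:
            key = unquote_plus(raw_key, errors="strict")
            value = unquote_plus(raw_value, errors="strict")
        except UnicodeDecodeError:
            problems.append(f"parameter {raw_key!r} failed to decode")
            continue
        params.setdefault(key, []).append(value)
        count += 1
    if problems:
        log.log("; ".join(problems))
        if policy is OnLimit.IGNORE_ALL:
            return {}
        if policy is OnLimit.RAISE:
            raise ParameterLimitExceeded("; ".join(problems))
    return params
```

Under DROP_EXTRA the caller gets a silently truncated map, which is why the limiter matters: it is the only signal that data was lost. IGNORE_ALL makes the loss visible to the application as an empty parameter map, and RAISE surfaces it as an exception that any code path touching the parameters must be prepared to handle.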
[SECURITY] CVE-2023-28708 Apache Tomcat - Information Disclosure
CVE-2023-28708 Apache Tomcat - Information Disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.0-M2
Apache Tomcat 10.1.0-M1 to 10.1.5
Apache Tomcat 9.0.0-M1 to 9.0.71
Apache Tomcat 8.5.0 to 8.5.85

Description:
When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Tomcat did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 11.0.0-M3 or later
- Upgrade to Apache Tomcat 10.1.6 or later
- Upgrade to Apache Tomcat 9.0.72 or later
- Upgrade to Apache Tomcat 8.5.86 or later

History:
2023-03-22 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
[4] https://tomcat.apache.org/security-8.html
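The advisory describes a deployment where the proxy terminates TLS, talks plain HTTP to the container and conveys the client-facing scheme in X-Forwarded-Proto, and a session cookie minted for such a request without the Secure attribute. An operator behind a reverse proxy can verify their own deployment with a check like the one below: an added Python example, my own code rather than Tomcat's, that applies the same effective-scheme reasoning to a captured request and its Set-Cookie headers and flags session cookies that lack Secure. The request headers, cookie values and function names are constructed for the example.

```python
"""Check that session cookies issued behind a TLS-terminating reverse proxy
carry the Secure attribute.

Added example, my own code rather than Tomcat's. The request and Set-Cookie
values below are constructed; the function names are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

# Tomcat's default session cookie name; compared case-insensitively.
SESSION_COOKIE_NAMES = {"jsessionid"}


@dataclass
class CookieFinding:
    name: str
    secure: bool
    http_only: bool
    client_https: bool

    @property
    def at_risk(self) -> bool:
        # The defect class of the advisory: the client reached the site over
        # https, yet the cookie lacks Secure, so the user agent may later
        # send it over plain http as well.
        return self.client_https and not self.secure


def parse_set_cookie(value: str) -> tuple[str, dict[str, str]]:
    """Split one Set-Cookie value into (cookie name, {attribute: value}).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly map to an empty string.
    """
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs: dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def client_scheme(request_headers: dict[str, str], hop_scheme: str, proxy_trusted: bool) -> str:
    """Scheme the end user actually used.

    hop_scheme is the scheme of the proxy-to-container hop. Only when the
    proxy is trusted does X-Forwarded-Proto override it, because the header
    is client-controlled otherwise. The first value wins if the header
    lists several hops.
    """
    headers = {k.lower(): v for k, v in request_headers.items()}
    if proxy_trusted and headers.get("x-forwarded-proto"):
        return headers["x-forwarded-proto"].split(",")[0].strip().lower()
    return hop_scheme.lower()


def check_session_cookies(request_headers: dict[str, str], hop_scheme: str,
                          set_cookie_values: list[str],
                          proxy_trusted: bool = True) -> list[CookieFinding]:
    """Report every session cookie in the response and whether it is at risk."""
    https = client_scheme(request_headers, hop_scheme, proxy_trusted) == "https"
    findings: list[CookieFinding] = []
    for value in set_cookie_values:
        name, attrs = parse_set_cookie(value)
        if name.lower() not in SESSION_COOKIE_NAMES:
            continue
        findings.append(CookieFinding(name, "secure" in attrs, "httponly" in attrs, https))
    return findings


# Constructed exchange: the proxy terminated TLS and forwarded over http.
REQUEST_HEADERS = {
    "Host": "app.example.test",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-For": "203.0.113.7",
}
# Constructed response of an affected version: no Secure attribute.
VULNERABLE_RESPONSE = ["JSESSIONID=EXAMPLE1234; Path=/; HttpOnly", "theme=dark; Path=/"]
# Constructed response of a fixed version for the same request.
FIXED_RESPONSE = ["JSESSIONID=EXAMPLE1234; Path=/; Secure; HttpOnly", "theme=dark; Path=/"]

if __name__ == "__main__":
    for label, response in (("vulnerable", VULNERABLE_RESPONSE), ("fixed", FIXED_RESPONSE)):
        for f in check_session_cookies(REQUEST_HEADERS, "http", response):
            print(f"{label}: {f.name} secure={f.secure} at_risk={f.at_risk}")
```

Note the `proxy_trusted` switch: X-Forwarded-Proto only tells the truth when it comes from a proxy you control, which is why RemoteIpFilter is configured with the proxies it trusts. Run the check against responses captured on the proxy-to-container hop, where the cookie is set, rather than on the public side, where the proxy may have rewritten it.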
svn commit: r1908633 - in /tomcat/site/trunk: docs/security-10.html docs/security-11.html docs/security-8.html docs/security-9.html xdocs/security-10.xml xdocs/security-11.xml xdocs/security-8.xml xdo
Author: markt
Date: Wed Mar 22 10:06:58 2023
New Revision: 1908633

URL: http://svn.apache.org/viewvc?rev=1908633&view=rev
Log:
Publish CVE-2023-28708

Modified:
tomcat/site/trunk/docs/security-10.html
tomcat/site/trunk/docs/security-11.html
tomcat/site/trunk/docs/security-8.html
tomcat/site/trunk/docs/security-9.html
tomcat/site/trunk/xdocs/security-10.xml
tomcat/site/trunk/xdocs/security-11.xml
tomcat/site/trunk/xdocs/security-8.xml
tomcat/site/trunk/xdocs/security-9.xml

Modified: tomcat/site/trunk/docs/security-10.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-10.html?rev=1908633&r1=1908632&r2=1908633&view=diff
==
--- tomcat/site/trunk/docs/security-10.html (original)
+++ tomcat/site/trunk/docs/security-10.html Wed Mar 22 10:06:58 2023
@@ -42,7 +42,27 @@ Table of Contents -Fixed in Apache Tomcat 10.1.5Fixed in Apache Tomcat 10.1.2Fixed in Apache Tomcat 10.1.1Fixed in Apache Tomcat 10.0.27Fixed in Apache Tomcat 10.0.23Fixed in Apache Tomcat 10.1.0-M17Fixed in Apache Tomcat 10.0.21Fixed in Apache Tomcat 10.1.0-M15Fixed in Apache Tomcat 10.0.20Fixed in Apache Tomcat 10.1.0-M14Fixed in Apache Tomcat 10.0.16Fixed in Apache Tomcat 10.1.0-M10Fixed in Apache Tomcat 10.0.12Fixed in Apache Tomcat 10.1.0-M6Fixed in Apache Tomcat 10.0.7Fixed in Apache Tomcat 10.0.6Fixed in Apache Tomcat 10.0.5Fixed in Apache Tomcat 10.0.4Fixed in Apache Tomcat 10.0.2Fixed in Apache Tomcat 10.0.0-M10Fixed in Apache Tomcat 10.0.0-M8Fixed in Apache Tomcat 10.0.0-M7Fixed in Apache Tomcat 10.0.0-M6< li>Fixed in Apache Tomcat 10.0.0-M5Not a vulnerability in Tomcat +Fixed in Apache Tomcat 10.1.6Fixed in Apache Tomcat 10.1.5Fixed in Apache Tomcat 10.1.2Fixed in Apache Tomcat 10.1.1Fixed in Apache Tomcat 10.0.27Fixed in Apache Tomcat 10.0.23Fixed in Apache Tomcat 10.1.0-M17Fixed in Apache Tomcat 10.0.21Fixed in Apache Tomcat 10.1.0-M15Fixed in Apache Tomcat 10.0.20Fixed in Apache Tomcat 10.1.0-M14Fixed in Apache Tomcat 10.0.16Fixed in Apache Tomcat 10.1.0-M10Fixed in Apache Tomcat 10.0.12Fixed in Apache Tomcat 10.1.0-M6Fixed in Apache Tomcat 10.0.7Fixed in Apache Tomcat 10.0.6Fixed in Apache Tomcat 10.0.5Fixed in Apache Tomcat 10.0.4Fixed in Apache Tomcat 10.0.2Fixed in Apache Tomcat 10.0.0-M10Fixed in Apache Tomcat 10.0.0-M8Fixed in Apache Tomcat 10.0.0-M7Fixed in Apache Tomcat 10.0.0-M6Fixed in Apache Tomcat 10.0.0-M5Not a vulnerability in Tomcat + 2023-02-24 Fixed in Apache Tomcat 10.1.6 + +Important: Apache Tomcat information disclosure + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28708; rel="nofollow">CVE-2023-28708 + +When using the RemoteIpFilter with requests received from a +reverse proxy via HTTP that include the X-Forwarded-Proto +header set to https, session cookies created by Tomcat did not +include the 
secure attribute. This could result in the user agent +transmitting the session cookie over an insecure channel. + +This was fixed with commit + https://github.com/apache/tomcat/commit/f509bbf31fc00abe3d9f25ebfabca5e05173da5b;>f509bbf3. + +https://bz.apache.org/bugzilla/show_bug.cgi?id=66471;>66471 was reported publicly on 8 February 2023. The security + implications were identified by the Tomcat Security team on 9 February + 2023. The issue was made public on 22 March 2023. + +Affects: 10.1.0-M1 to 10.1.5 + 2023-01-13 Fixed in Apache Tomcat 10.1.5 Important: Apache Tomcat denial of service Modified: tomcat/site/trunk/docs/security-11.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-11.html?rev=1908633=1908632=1908633=diff == --- tomcat/site/trunk/docs/security-11.html (original) +++ tomcat/site/trunk/docs/security-11.html Wed Mar 22 10:06:58 2023 @@ -39,6 +39,24 @@ Fixed in Apache Tomcat 11.0.0-M3 2023-02-23 Fixed in Apache Tomcat 11.0.0-M3 +Important: Apache Tomcat information disclosure + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28708; rel="nofollow">CVE-2023-28708 + +When using the RemoteIpFilter with requests received from a +reverse proxy via HTTP that include the X-Forwarded-Proto +header set to https, session cookies created by Tomcat did not +include the secure attribute. This could result in the user agent +transmitting the session cookie over an insecure channel. + +This was fixed with commit + https://github.com/apache/tomcat/commit/c64d496dda1560b5df113be55fbfaefec349b50f;>c64d496d. + +https://bz.apache.org/bugzilla/show_bug.cgi?id=66471;>66471 was reported publicly on 8 February 2023. The security + implications were identified by the Tomcat Security team on 9 February + 2023. The issue was made public on 22 March 2023. + +Affects: 11.0.0-M1 to
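Review bot: the CVE reference in the new 10.1.6 entry, and again in the 11.0.0-M3 entry, links to `http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28708` over plain HTTP while the commit and Bugzilla links in the same block use HTTPS; switch the CVE link to `https://` so the advisory page does not send readers out over an unencrypted channel. One more thing to double-check in the same two hunks: the 10.x page gets a new "2023-02-24 Fixed in Apache Tomcat 10.1.6" section while the 11.x page appends the entry to the existing "2023-02-23 Fixed in Apache Tomcat 11.0.0-M3" section, so the dates should be confirmed against the release announcements before this is published.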
Re: [tomcat] branch main updated: Fix LambdaExpression to functional interface coercion
On 21/03/2023 17:35, Christopher Schultz wrote:
> I'm curious about this. How is a "functional interface" (i.e. all methods are abstract, except for those which were originally defined in java.lang.Object and for some reason overridden to be abstract in this functional-interface) different from an actual interface, and why does JSP care? I can't tell what the use-case is from reading the unit tests.

This feature originates with this EL issue:
https://github.com/jakartaee/expression-language/issues/45

I was doing some research into this issue:
https://github.com/jakartaee/expression-language/issues/176

and discovered an expression (tested in testOptional01) that should have worked but failed due to an NPE.

Mark
