[GitHub] [tomcat] markt-asf commented on pull request #606: Further fix for BZ 66508
markt-asf commented on PR #606: URL: https://github.com/apache/tomcat/pull/606#issuecomment-1487952742 I have a test in which I can manually trigger the issue with a debugger at the moment and can step through the code with the fix to confirm it works. My desire is to create a unit test that recreates the issue. I have an idea for that but haven't implemented it yet. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[GitHub] [tomcat] isapir opened a new pull request, #607: Added RateLimitFilter
isapir opened a new pull request, #607: URL: https://github.com/apache/tomcat/pull/607 This patch adds a RateLimitFilter based on the discussion in the Dev mailing list at [1], with more features to be added later. [1] https://lists.apache.org/thread/0gt1kyjs86g9oqxofdgm0zbrb14lzgj6
[tomcat] 01/01: Added RateLimitFilter
This is an automated email from the ASF dual-hosted git repository. isapir pushed a commit to branch ratelimit-filter in repository https://gitbox.apache.org/repos/asf/tomcat.git commit fa0c65bed1572bb45cc20f7a262df1b8b24dffdc Author: Igal Sapir AuthorDate: Tue Mar 28 21:40:20 2023 -0700 Added RateLimitFilter --- .../catalina/filters/LocalStrings.properties | 3 + .../apache/catalina/filters/RateLimitFilter.java | 230 + .../apache/catalina/util/TimeBucketCounter.java| 217 +++ .../catalina/filters/TestRateLimitFilter.java | 198 ++ .../catalina/util/TestTimeBucketCounter.java | 78 +++ webapps/docs/config/filter.xml | 126 +++ 6 files changed, 852 insertions(+) diff --git a/java/org/apache/catalina/filters/LocalStrings.properties b/java/org/apache/catalina/filters/LocalStrings.properties index 31f7bd0acd..cd5a52366e 100644 --- a/java/org/apache/catalina/filters/LocalStrings.properties +++ b/java/org/apache/catalina/filters/LocalStrings.properties @@ -52,6 +52,9 @@ http.403=Access to the specified resource [{0}] has been forbidden. httpHeaderSecurityFilter.clickjack.invalid=An invalid value [{0}] was specified for the anti click-jacking header httpHeaderSecurityFilter.committed=Unable to add HTTP headers since response is already committed on entry to the HTTP header security Filter +rateLimitFilter.initialized=RateLimitFilter [{0}] initialized with [{1}] requests per [{2}] seconds. Actual is [{3}] per [{4}] milliseconds. {5}. +rateLimitFilter.maxRequestsExceeded=[{0}] [{1}] Requests from [{2}] have exceeded the maximum allowed of [{3}] in a [{4}] second window. + remoteCidrFilter.invalid=Invalid configuration provided for [{0}]. See previous messages for details. remoteCidrFilter.noRemoteIp=Client does not have an IP address. Request denied. diff --git a/java/org/apache/catalina/filters/RateLimitFilter.java b/java/org/apache/catalina/filters/RateLimitFilter.java new file mode 100644 index 00..97d7c63670 --- /dev/null 
+++ b/java/org/apache/catalina/filters/RateLimitFilter.java 
@@ -0,0 +1,230 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.catalina.filters; + +import jakarta.servlet.FilterChain; +import jakarta.servlet.FilterConfig; +import jakarta.servlet.GenericFilter; +import jakarta.servlet.ServletException; +import jakarta.servlet.ServletRequest; +import jakarta.servlet.ServletResponse; +import jakarta.servlet.http.HttpServletResponse; +import org.apache.catalina.util.TimeBucketCounter; +import org.apache.juli.logging.Log; +import org.apache.juli.logging.LogFactory; +import org.apache.tomcat.util.res.StringManager; + +import java.io.IOException; + +public class RateLimitFilter extends GenericFilter { + +/** + * default duration in seconds + */ +public static final int DEFAULT_BUCKET_DURATION = 60; + +/** + * default number of requests per duration + */ +public static final int DEFAULT_BUCKET_REQUESTS = 300; + +/** + * default value for enforce + */ +public static final boolean DEFAULT_ENFORCE = true; + +/** + * default status code to return if requests per duration exceeded + */ +public static final int DEFAULT_STATUS_CODE = 429; + +/** + * default status message to return if requests per duration exceeded + */ +public static final String 
DEFAULT_STATUS_MESSAGE = "Too many requests"; + +/** + * request attribute that will contain the number of requests per duration + */ +public static final String RATE_LIMIT_ATTRIBUTE_COUNT = "org.apache.catalina.filters.RateLimitFilter.Count"; + +/** + * filter init-param to set the bucket duration in seconds + */ +public static final String PARAM_BUCKET_DURATION = "ratelimit.bucket.duration"; + +/** + * filter init-param to set the bucket number of requests + */ +public static final String PARAM_BUCKET_REQUESTS = "ratelimit.bucket.requests"; + +/** + * filter init-param to set the enforce flag + */ +public static final String PARAM_ENFORCE = "ratelimit.enforce"; + +/** + * filter init-param to
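Review bot: in the LocalStrings.properties hunk, `rateLimitFilter.initialized` reports two different limits ("[{1}] requests per [{2}] seconds. Actual is [{3}] per [{4}] milliseconds") without saying why the effective limit differs from the configured one; an operator who configures 300 per 60 seconds needs to know what they actually get, so either explain the adjustment in the message or document it in webapps/docs/config/filter.xml next to the init-params. Two smaller points in the same hunk: the trailing `{5}.` is the only placeholder in the file not written as `[{n}]`, and "Requests" in `rateLimitFilter.maxRequestsExceeded` is capitalised mid-sentence.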
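Review bot: in the RateLimitFilter.java hunk, `import java.io.IOException;` is placed after the `org.apache.*` imports, whereas the project's import-ordering convention puts `java.*` before `jakarta.*` and `org.*`; move it to the top of the import block. The new public class also has no class-level Javadoc. Since the maxRequestsExceeded message is keyed on "Requests from [{2}]", the Javadoc (and the filter.xml entry) should state what identifies a client and note that, behind a reverse proxy, RemoteIpFilter or RemoteIpValve must run first, otherwise every client shares the proxy's address and a single bucket, which makes the limit both trivially triggerable against all users and useless against the real source.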
[tomcat] branch ratelimit-filter created (now fa0c65bed1)
This is an automated email from the ASF dual-hosted git repository. isapir pushed a change to branch ratelimit-filter in repository https://gitbox.apache.org/repos/asf/tomcat.git at fa0c65bed1 Added RateLimitFilter This branch includes the following new commits: new fa0c65bed1 Added RateLimitFilter The 1 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.
[Bug 66545] New: StandardRoot.createMainResourceSet() doesn't report permission issues
https://bz.apache.org/bugzilla/show_bug.cgi?id=66545 Bug ID: 66545 Summary: StandardRoot.createMainResourceSet() doesn't report permission issues Product: Tomcat 9 Version: 9.0.73 Hardware: PC Status: NEW Severity: minor Priority: P2 Component: Catalina Assignee: dev@tomcat.apache.org Reporter: ebo...@apache.org Target Milestone: - StandardRoot.createMainResourceSet() throws an IllegalArgumentException if docBase points to neither a directory nor a war file. The error message is "The main resource set specified {0} is not valid". This exception can also be thrown when docBase exists but the Tomcat process lacks the permissions to access it. In this case the error message isn't really helpful. I suggest checking the permissions first (with File.canRead() for example) and throwing an exception with an explicit message stating that Tomcat lacks the permissions to read the file/directory. -- You are receiving this mail because: You are the assignee for the bug.
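The check the reporter suggests, written out as an added illustration (this is not Tomcat's code and the class and method names are my own): the three cases an operator needs to tell apart are "not there", "there but unreadable by this process" and "there but neither a directory nor a WAR". The order matters, and the code also records the caveat that `File.exists()` itself returns false when the process cannot traverse a parent directory, so a "does not exist" message can still hide a permission problem.

```java
import java.io.File;
import java.nio.file.Files;
import java.util.Locale;

public class DocBaseCheck {

    /**
     * Validate a docBase the way the bug report proposes: report a missing path,
     * a permission problem and an invalid type with three distinct messages.
     *
     * Caveat: on POSIX systems File.exists() answers false when any parent
     * directory lacks the execute (search) bit for this process, so the "does not
     * exist" branch can itself be caused by permissions on a parent directory.
     */
    static void validateDocBase(File docBase) {
        if (!docBase.exists()) {
            throw new IllegalArgumentException("The main resource set specified [" + docBase
                    + "] does not exist (or a parent directory is not searchable by this process)");
        }
        if (!docBase.canRead()) {
            throw new IllegalArgumentException("The main resource set specified [" + docBase
                    + "] exists but this process lacks permission to read it");
        }
        boolean isWar = docBase.getName().toLowerCase(Locale.ENGLISH).endsWith(".war");
        if (!docBase.isDirectory() && !isWar) {
            throw new IllegalArgumentException("The main resource set specified [" + docBase
                    + "] is not valid: it is neither a directory nor a .war file");
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed scenario: a temporary directory that we make unreadable.
        File dir = Files.createTempDirectory("docbase").toFile();
        try {
            validateDocBase(dir); // readable directory: passes silently
            // setReadable(false) has no effect for root/Administrator, hence the canRead() guard.
            if (dir.setReadable(false) && !dir.canRead()) {
                try {
                    validateDocBase(dir);
                } catch (IllegalArgumentException e) {
                    System.out.println(e.getMessage()); // the explicit permission message
                }
            }
            File bogus = new File(dir.getParentFile(), "no-such-docbase-" + System.nanoTime());
            try {
                validateDocBase(bogus);
            } catch (IllegalArgumentException e) {
                System.out.println(e.getMessage()); // the "does not exist" message
            }
        } finally {
            dir.setReadable(true);
            dir.delete();
        }
    }
}
```

`Files.isReadable(Path)` is an equivalent check via NIO; whichever is used, the point is to test readability before testing the type, since an unreadable WAR still fails `isDirectory()`/`isFile()` in ways that look like "not valid".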
[GitHub] [tomcat] rmaucher commented on pull request #606: Further fix for BZ 66508
rmaucher commented on PR #606: URL: https://github.com/apache/tomcat/pull/606#issuecomment-1487004868 Adding workarounds for this should be good (I suppose you have the means to test it on hand ;) ). I like the original goal of websockets to be built on the Servlet API, but there are some known difficulties for this. Of course, using async IO should always be recommended now that it works, since it is going to be more efficient in the "I'm doing real IO" scenario (more lightweight and straightforward).
JDK 20 is now GA, JDK 21 Early-Access builds, and 2 important heads-up!
Welcome to the latest OpenJDK Quality Outreach update! Last week was busy as we released both Java 20 and JavaFX 20. To celebrate the launch, we hosted a live event focused on Java 20, Level Up Java Day. All the session recordings will be made available shortly on the YouTube Java channel.

Some recent events have shown us that it is useful to conduct tests using the latest early-access OpenJDK builds. This benefits not only the OpenJDK codebase but also your own. Sometimes a failure is due to an actual regression introduced in OpenJDK; in that case we obviously want to hear about it while we can still address it. But sometimes a failure is due to a subtle behaviour change that works as expected. Regardless of whether it is a bug or a test that is now broken by a behaviour change, we want to hear from you. In the latter case it may also mean that we should communicate more about those changes, even when they seem subtle. On that note, please make sure to check both Heads-Up items below: "Support for Unicode CLDR Version 42" and "New network interface names on Windows". So please let us know if you observe anything using the latest early-access builds of JDK 21.

## Heads-Up - JDK 20 - Support for Unicode CLDR Version 42

The JDK's locale data is based on the Unicode Consortium's Unicode Common Locale Data Repository (CLDR). As mentioned in the December 2022 Quality Outreach newsletter [1], JDK 20 upgraded CLDR [2] to version 42 [3], which was released in October 2022.
This version includes a "more sophisticated handling of spaces" [4] that replaces regular spaces with non-breaking spaces (NBSP, `\u00A0`) or narrow non-breaking spaces (NNBSP, `\u202F`):

- in time formats, between `a` and the time
- in unit formats, between `{0}` and the unit
- in Cyrillic date formats, before a year marker such as `г`

Other noticeable changes include:

* " at " is no longer used in the standard date/time formats [5]
* the first-day-of-week information for China (CN) is fixed [6]
* Japanese: numbers up to 京 are supported [7]

As a consequence, production and test code that produces or parses locale-dependent strings such as formatted dates and times may change behaviour in potentially breaking ways (for example, when a hand-crafted date/time string containing a regular space is parsed but the parser now expects an NBSP or NNBSP). Such issues can be hard to analyse because the expected and actual strings look very similar or even identical in many text representations. To detect and fix them, use a text editor that displays the different kinds of spaces differently.

If the required fixes can't be implemented when upgrading to JDK 20, consider using the JVM argument `-Djava.locale.providers=COMPAT` to fall back to the legacy locale data. Note that this limits some locale-related functionality and should be treated as a temporary workaround, not a proper solution; moreover, the `COMPAT` option will eventually be removed. Keep in mind, too, that locale data of this kind evolves regularly, so programs that parse or compose locale-dependent strings themselves should be re-checked with each JDK release.
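The following Java program is an added example, not code from the newsletter or the JDK project, showing (a) how to make the invisible difference visible by printing code points and (b) one way to parse hand-crafted strings the same way on JDKs before and after CLDR 42. The approach taken, folding NBSP/NNBSP to a plain space in both the localized pattern and the input before parsing, is my own choice rather than a JDK recommendation; `normalizeSpaces`, `showCodePoints` and `spaceTolerantShortTime` are names I made up. The only JDK calls used are `DateTimeFormatterBuilder.getLocalizedDateTimePattern`, `DateTimeFormatter.ofPattern`/`ofLocalizedTime` and `LocalTime.parse`.

```java
import java.time.LocalTime;
import java.time.chrono.IsoChronology;
import java.time.format.DateTimeFormatter;
import java.time.format.DateTimeFormatterBuilder;
import java.time.format.DateTimeParseException;
import java.time.format.FormatStyle;
import java.util.Locale;

public class Cldr42Spaces {

    /** Fold NBSP (U+00A0) and NNBSP (U+202F) to a plain space so strings produced
     *  under different CLDR versions compare and parse the same way. */
    static String normalizeSpaces(String s) {
        return s.replace('\u00A0', ' ').replace('\u202F', ' ');
    }

    /** Render a string as its code points, so "3:30 PM" and "3:30\u202FPM",
     *  which look identical in most editors, can be told apart in a log. */
    static String showCodePoints(String s) {
        StringBuilder sb = new StringBuilder();
        s.codePoints().forEach(cp -> sb.append(String.format("U+%04X ", cp)));
        return sb.toString().trim();
    }

    /** The locale's SHORT time pattern (which CLDR 42 changes from "h:mm a" to
     *  "h:mm\u202Fa" for en-US) with its special spaces folded to plain ones. */
    static DateTimeFormatter spaceTolerantShortTime(Locale locale) {
        String pattern = DateTimeFormatterBuilder.getLocalizedDateTimePattern(
                null, FormatStyle.SHORT, IsoChronology.INSTANCE, locale);
        return DateTimeFormatter.ofPattern(normalizeSpaces(pattern), locale);
    }

    /** Parse a short time regardless of which kind of space the input contains. */
    static LocalTime parseShortTime(String text, Locale locale) {
        return LocalTime.parse(normalizeSpaces(text), spaceTolerantShortTime(locale));
    }

    public static void main(String[] args) {
        Locale us = Locale.US;
        DateTimeFormatter localized = DateTimeFormatter.ofLocalizedTime(FormatStyle.SHORT).withLocale(us);

        String formatted = localized.format(LocalTime.of(15, 30));
        System.out.println("JDK " + Runtime.version() + " formats 15:30 as " + showCodePoints(formatted));

        // Constructed fixture: a hand-written string with an ordinary U+0020 space,
        // as found in many test suites written before JDK 20.
        String handcrafted = "3:30 PM";
        try {
            LocalTime.parse(handcrafted, localized);
            System.out.println("localized formatter accepted the plain space (pre-CLDR-42 data)");
        } catch (DateTimeParseException e) {
            System.out.println("localized formatter rejected the plain space: " + e.getMessage());
        }

        // The tolerant path accepts both the old and the new rendering.
        System.out.println(parseShortTime(handcrafted, us)); // 15:30
        System.out.println(parseShortTime(formatted, us));   // 15:30
    }
}
```

Run it on JDK 17 and JDK 20 side by side: the code-point dump is the quickest way to prove that a "flaky" date test is really a U+0020 versus U+202F mismatch. For strings exchanged between machines, prefer ISO formats (`DateTimeFormatter.ISO_LOCAL_TIME` and friends) and keep localized formatters for display only; the normalization above is for the cases where locale-formatted text has to be parsed anyway.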
[1] https://mail.openjdk.org/pipermail/quality-discuss/2022-December/001100.html
[2] https://bugs.openjdk.org/browse/JDK-8284840
[3] https://cldr.unicode.org/index/downloads/cldr-42
[4] https://unicode-org.atlassian.net/browse/CLDR-14032
[5] https://unicode-org.atlassian.net/browse/CLDR-14831
[6] https://unicode-org.atlassian.net/browse/CLDR-11510
[7] https://unicode-org.atlassian.net/browse/CLDR-15966

## Heads-Up - JDK 21 - New network interface names on Windows

The names that the JDK assigns to network interfaces on Windows are changing in JDK 21 [8]. The JDK historically synthesized names for network interfaces on Windows; it now uses the names assigned by the Windows operating system. For example, the JDK may historically have assigned a name such as "eth0" to an Ethernet interface and "lo" to the loopback, whereas the equivalent names assigned by Windows may be "ethernet_32768" and "loopback_0". This change may affect code that looks up a network interface with `NetworkInterface.getByName(String name)`. It may also surprise code that enumerates all network interfaces with `NetworkInterface.networkInterfaces()` or `NetworkInterface.getNetworkInterfaces()`, as the interface names will look different from previous releases. Depending on configuration, enumerating all network interfaces may also return interfaces that were not previously enumerated because they had no Internet Protocol address assigned. The display name returned by `NetworkInterface::getDisplayName` has not changed, which should help when identifying network interfaces with Windows native tools.

[8] https://bugs.openjdk.org/browse/JDK-8303898

## JDK 20 Ge