[GitHub] [tomcat] markt-asf commented on pull request #606: Further fix for BZ 66508

2023-03-28 Thread via GitHub


markt-asf commented on PR #606:
URL: https://github.com/apache/tomcat/pull/606#issuecomment-1487952742

   I have a test in which I can manually trigger the issue with a debugger at 
the moment and can step through the code with the fix to confirm it works. My 
desire is to create a unit test that recreates the issue. I have an idea for 
that but haven't implemented it yet.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[GitHub] [tomcat] isapir opened a new pull request, #607: Added RateLimitFilter

2023-03-28 Thread via GitHub


isapir opened a new pull request, #607:
URL: https://github.com/apache/tomcat/pull/607

   This patch adds a RateLimitFilter based on the discussion in the Dev mailing 
list at [1], with more features to be added later.
   
   [1] https://lists.apache.org/thread/0gt1kyjs86g9oqxofdgm0zbrb14lzgj6





[tomcat] 01/01: Added RateLimitFilter

2023-03-28 Thread isapir
This is an automated email from the ASF dual-hosted git repository.

isapir pushed a commit to branch ratelimit-filter
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit fa0c65bed1572bb45cc20f7a262df1b8b24dffdc
Author: Igal Sapir 
AuthorDate: Tue Mar 28 21:40:20 2023 -0700

Added RateLimitFilter
---
 .../catalina/filters/LocalStrings.properties   |   3 +
 .../apache/catalina/filters/RateLimitFilter.java   | 230 +
 .../apache/catalina/util/TimeBucketCounter.java| 217 +++
 .../catalina/filters/TestRateLimitFilter.java  | 198 ++
 .../catalina/util/TestTimeBucketCounter.java   |  78 +++
 webapps/docs/config/filter.xml | 126 +++
 6 files changed, 852 insertions(+)

diff --git a/java/org/apache/catalina/filters/LocalStrings.properties 
b/java/org/apache/catalina/filters/LocalStrings.properties
index 31f7bd0acd..cd5a52366e 100644
--- a/java/org/apache/catalina/filters/LocalStrings.properties
+++ b/java/org/apache/catalina/filters/LocalStrings.properties
@@ -52,6 +52,9 @@ http.403=Access to the specified resource [{0}] has been 
forbidden.
 httpHeaderSecurityFilter.clickjack.invalid=An invalid value [{0}] was 
specified for the anti click-jacking header
 httpHeaderSecurityFilter.committed=Unable to add HTTP headers since response 
is already committed on entry to the HTTP header security Filter
 
+rateLimitFilter.initialized=RateLimitFilter [{0}] initialized with [{1}] 
requests per [{2}] seconds. Actual is [{3}] per [{4}] milliseconds. {5}.
+rateLimitFilter.maxRequestsExceeded=[{0}] [{1}] Requests from [{2}] have 
exceeded the maximum allowed of [{3}] in a [{4}] second window.
+
 remoteCidrFilter.invalid=Invalid configuration provided for [{0}]. See 
previous messages for details.
 remoteCidrFilter.noRemoteIp=Client does not have an IP address. Request denied.
 
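Review bot: `rateLimitFilter.maxRequestsExceeded` is worded per rejected request ("Requests from [{2}] have exceeded ..."), so a client that stays over its limit produces one log line per excess request; consider emitting it once per client per window, or at debug level, so the limiter itself cannot be used to flood the log. Two style nits in the same block: `rateLimitFilter.initialized` ends with a bare `{5}.` while every other argument is bracketed as `[{n}]`, and "Requests" is capitalised mid-sentence in the second message; use `[{5}]` (or a separate key if `{5}` carries a whole phrase) and lowercase "requests" to match the neighbouring `httpHeaderSecurityFilter.*` and `remoteCidrFilter.*` entries.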
diff --git a/java/org/apache/catalina/filters/RateLimitFilter.java 
b/java/org/apache/catalina/filters/RateLimitFilter.java
new file mode 100644
index 00..97d7c63670
--- /dev/null
+++ b/java/org/apache/catalina/filters/RateLimitFilter.java
@@ -0,0 +1,230 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.catalina.filters;
+
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.FilterConfig;
+import jakarta.servlet.GenericFilter;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.ServletRequest;
+import jakarta.servlet.ServletResponse;
+import jakarta.servlet.http.HttpServletResponse;
+import org.apache.catalina.util.TimeBucketCounter;
+import org.apache.juli.logging.Log;
+import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.util.res.StringManager;
+
+import java.io.IOException;
+
+public class RateLimitFilter extends GenericFilter {
+
+/**
+ * default duration in seconds
+ */
+public static final int DEFAULT_BUCKET_DURATION = 60;
+
+/**
+ * default number of requests per duration
+ */
+public static final int DEFAULT_BUCKET_REQUESTS = 300;
+
+/**
+ * default value for enforce
+ */
+public static final boolean DEFAULT_ENFORCE = true;
+
+/**
+ * default status code to return if requests per duration exceeded
+ */
+public static final int DEFAULT_STATUS_CODE = 429;
+
+/**
+ * default status message to return if requests per duration exceeded
+ */
+public static final String DEFAULT_STATUS_MESSAGE = "Too many requests";
+
+/**
+ * request attribute that will contain the number of requests per duration
+ */
+public static final String RATE_LIMIT_ATTRIBUTE_COUNT = 
"org.apache.catalina.filters.RateLimitFilter.Count";
+
+/**
+ * filter init-param to set the bucket duration in seconds
+ */
+public static final String PARAM_BUCKET_DURATION = 
"ratelimit.bucket.duration";
+
+/**
+ * filter init-param to set the bucket number of requests
+ */
+public static final String PARAM_BUCKET_REQUESTS = 
"ratelimit.bucket.requests";
+
+/**
+ * filter init-param to set the enforce flag
+ */
+public static final String PARAM_ENFORCE = "ratelimit.enforce";
+
+/**
+ * filter init-param to
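Review bot: the import block in `RateLimitFilter.java` lists `import java.io.IOException;` last, after the `org.apache` imports, and has no blank line between the `jakarta.servlet` and `org.apache` groups; Tomcat's checkstyle import-order rule wants `java.*` first with each group separated, so the build's checkstyle pass will reject this as written. Also, the Javadoc on the constants consists of lowercase fragments without a period (`default duration in seconds`, `default value for enforce`), and `public class RateLimitFilter` itself has no Javadoc stating what the filter does, what it keys the count on, or which init-params it reads; a class-level comment would help operators who find the class via `filter.xml`.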

[tomcat] branch ratelimit-filter created (now fa0c65bed1)

2023-03-28 Thread isapir
This is an automated email from the ASF dual-hosted git repository.

isapir pushed a change to branch ratelimit-filter
in repository https://gitbox.apache.org/repos/asf/tomcat.git


  at fa0c65bed1 Added RateLimitFilter

This branch includes the following new commits:

 new fa0c65bed1 Added RateLimitFilter

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.






[Bug 66545] New: StandardRoot.createMainResourceSet() doesn't report permission issues

2023-03-28 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=66545

            Bug ID: 66545
           Summary: StandardRoot.createMainResourceSet() doesn't report
                    permission issues
           Product: Tomcat 9
           Version: 9.0.73
          Hardware: PC
            Status: NEW
          Severity: minor
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: ebo...@apache.org
  Target Milestone: -

StandardRoot.createMainResourceSet() throws an IllegalArgumentException if
docBase points to neither a directory nor a war file. The error message is "The
main resource set specified {0} is not valid". This exception can also be
thrown when docBase exists but the Tomcat process lacks the permissions to
access it. In this case the error message isn't really helpful.

I suggest checking the permissions first (with File.canRead() for example) and
throwing an exception with an explicit message stating that Tomcat lacks the
permissions to read the file/directory.

-- 
You are receiving this mail because:
You are the assignee for the bug.
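An added example (not Tomcat code) of the distinction the report asks for: separating "missing", "unreadable" and "not a directory or WAR" so the message names the real cause. It uses the NIO `Files` API instead of the `File.canRead()` check suggested above, because `java.io.File` reports a permission failure only as `false`; the class name, the `Verdict` enum and the message strings are illustrative.

```java
import java.io.IOException;
import java.nio.file.AccessDeniedException;
import java.nio.file.Files;
import java.nio.file.NoSuchFileException;
import java.nio.file.Path;
import java.nio.file.attribute.BasicFileAttributes;
import java.util.Locale;

/** Added example, not Tomcat code; message texts are illustrative, Tomcat's live in LocalStrings.properties. */
public final class DocBaseCheck {

    public enum Verdict { DIRECTORY, WAR, MISSING, UNREADABLE, INVALID }

    public static Verdict classify(Path docBase) {
        try {
            // java.io.File#isDirectory()/canRead() return false for both "not a directory" and
            // "permission denied"; stat()'ing via NIO keeps them apart, as EACCES throws instead.
            BasicFileAttributes attrs = Files.readAttributes(docBase, BasicFileAttributes.class);
            if (!Files.isReadable(docBase)) {
                return Verdict.UNREADABLE;   // exists, but its mode bits deny the Tomcat user
            }
            if (attrs.isDirectory()) {
                return Verdict.DIRECTORY;
            }
            String name = docBase.getFileName().toString().toLowerCase(Locale.ROOT);
            return attrs.isRegularFile() && name.endsWith(".war") ? Verdict.WAR : Verdict.INVALID;
        } catch (NoSuchFileException e) {
            return Verdict.MISSING;
        } catch (AccessDeniedException e) {
            return Verdict.UNREADABLE;       // a parent directory is not traversable
        } catch (IOException e) {
            return Verdict.INVALID;          // anything else: fall back to the generic message
        }
    }

    public static String describe(Path docBase) {
        Verdict v = classify(docBase);
        switch (v) {
            case UNREADABLE: return "Tomcat lacks the permissions to read [" + docBase + "]";
            case MISSING:    return "The main resource set [" + docBase + "] does not exist";
            case INVALID:    return "The main resource set specified [" + docBase + "] is not valid";
            default:         return "OK: " + v + " at [" + docBase + "]";
        }
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("docbase-demo");  // constructed demo paths
        Path war = Files.createFile(dir.resolve("app.war"));
        for (Path p : new Path[] { dir, war, dir.resolve("missing") }) System.out.println(describe(p));
    }
}
```

Run as a non-root user against a directory whose mode bits deny reading (or whose parent denies traversal) and the verdict is UNREADABLE rather than the misleading "is not valid".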



[GitHub] [tomcat] rmaucher commented on pull request #606: Further fix for BZ 66508

2023-03-28 Thread via GitHub


rmaucher commented on PR #606:
URL: https://github.com/apache/tomcat/pull/606#issuecomment-1487004868

   Adding workarounds for this should be good (I suppose you have the means to 
test it on hand ;) ). I like the original goal of websockets to be built on the 
Servlet API, but there are some known difficulties for this.
   
   Of course, using async IO should always be recommended now that it works, 
since it is going to be more efficient in the "I'm doing real IO" scenario 
(more lightweight and straightforward).





JDK 20 is now GA, JDK 21 Early-Access builds, and 2 important heads-up!

2023-03-28 Thread David Delabassee

Welcome to the latest OpenJDK Quality Outreach update!

Last week was busy as we released both Java 20 and JavaFX 20. To 
celebrate the launch, we hosted a live event focused on Java 20, i.e. 
Level Up Java Day. All the session recordings will be made available 
shortly on the YouTube Java channel.


Some recent events have shown us that it is useful to conduct tests using the 
latest early-access OpenJDK builds. This will benefit not only the OpenJDK 
codebase but also your own codebase. Sometimes, a failure could be due to 
an actual regression introduced in OpenJDK. In that case, we obviously 
want to hear about it while we can still address it. But sometimes, a 
failure could also be due to a subtle behaviour change… that works as 
expected. Regardless of whether it's a bug or a test that is now broken due 
to a behaviour change, we want to hear from you. In the latter case, it 
might also mean that we should probably communicate more about those 
changes even if they might seem subtle. On that note, please make sure 
to check both Heads-Up below: "Support for Unicode CLDR Version 42" 
and "New network interface names on Windows".


So please, let us know if you observe anything using the latest 
early-access builds of JDK 21.



## Heads-Up - JDK 20 - Support for Unicode CLDR Version 42

The JDK's locale data is based on the Unicode Consortium's Unicode 
Common Locale Data Repository (CLDR). As mentioned in the December 2022 
Quality Outreach newsletter [1], JDK 20 upgraded CLDR [2] to version 42 
[3], which was released in October 2022. This version includes a "more 
sophisticated handling of spaces" [4] that replaces regular spaces with 
non-breaking spaces (NBSP / `\u00A0`) or narrow non-breaking spaces 
(NNBSP / `\u202F`):

- in time formats between `a` and time
- in unit formats between {0} and unit
- in Cyrillic date formats before year marker such as `г`

Other noticeable changes include:
* " at " is no longer used for standard date/time format [5]
* fix first day of week info for China (CN) [6]
* Japanese: Support numbers up to 京 [7]

As a consequence, production and test code that produces or parses 
locale-dependent strings like formatted dates and times may change 
behavior in potentially breaking ways (e.g. when a handcrafted datetime 
string with a regular space is parsed, but the parser now expects an 
NBSP or NNBSP). Issues can be hard to analyze because expected and 
actual strings look very similar or even identical in various text 
representations. To detect and fix these issues, make sure to use a text 
editor that displays different kinds of spaces differently.


If the required fixes can't be implemented when upgrading to JDK 20, 
consider using the JVM argument `-Djava.locale.providers=COMPAT` to use 
legacy locale data. Note that this limits some locale-related 
functionality and should be treated as a temporary workaround, not a proper 
solution. Moreover, the `COMPAT` option will eventually be removed.


It is also important to keep in mind that this kind of locale data 
evolves regularly so programs parsing/composing the locale data by 
themselves should be routinely checked with each JDK release.


[1] 
https://mail.openjdk.org/pipermail/quality-discuss/2022-December/001100.html

[2] https://bugs.openjdk.org/browse/JDK-8284840
[3] https://cldr.unicode.org/index/downloads/cldr-42
[4] https://unicode-org.atlassian.net/browse/CLDR-14032
[5] https://unicode-org.atlassian.net/browse/CLDR-14831
[6] https://unicode-org.atlassian.net/browse/CLDR-11510
[7] https://unicode-org.atlassian.net/browse/CLDR-15966


## Heads-Up - JDK 21 - New network interface names on Windows

Network Names that the JDK assigns to network interfaces on Windows are 
changing in JDK 21 [8].


The JDK historically synthesized names for network interfaces on 
Windows. This has changed to use the names assigned by the Windows 
operating system. For example, the JDK may have historically assigned a 
name such as “eth0” for an ethernet interface and “lo” for the loopback. 
The equivalent names that Windows assigns may be names such as 
“ethernet_32768” and “loopback_0”.


This change may impact code that does a lookup of network interfaces 
with the `NetworkInterface.getByName(String name)` method. It may 
also be surprising to code that enumerates all network interfaces with 
the `NetworkInterface.networkInterfaces()` or 
`NetworkInterface.getNetworkInterfaces()` methods as the names of the 
network interfaces will look different to previous releases. Depending 
on configuration, it is possible that enumerating all network interfaces 
will enumerate network interfaces that weren’t previously enumerated 
because they didn’t have an Internet Protocol address assigned. The 
display name returned by `NetworkInterface::getDisplayName` has not 
changed so this should facilitate the identification of network 
interfaces when using Windows native tools.


[8] https://bugs.openjdk.org/browse/JDK-8303898


## JDK 20 Ge