JDK 21 Release Candidates & JVM Language Summit
Greetings!

JDK 21 is now in the Release Candidate Phase so everything is on track for the Java 21 GA release on September 19th! If you haven't done so, please start testing your project(s) using JDK 22 Early-Access builds and let us know the results.

In other news, the JVM Language Summit took place a few days ago in Santa Clara (California). During this unique gathering of Java architects and OpenJDK developers, key updates were shared and discussed, ex. where Valhalla stands today, the new Class-File API, an update on Leyden and Valhalla, Project Panama, the challenges of Virtual Threads, continuation internals, etc. We have started to publish the JVMLS 2023 videos so make sure to keep an eye on this evolving JVMLS playlist [1] to understand where the Java platform is heading to.

## JDK 21 Early-Access Builds

Per the JDK 21 schedule [2], we are now in the Release-Candidate Phase. The overall feature set [3] is frozen, no further JEPs will be targeted to this release.

### JEPs integrated to JDK 21:

- 430: String Templates (Preview)
- 431: Sequenced Collections
- 439: Generational ZGC
- 440: Record Patterns
- 441: Pattern Matching for switch
- 442: Foreign Function & Memory API (3rd Preview)
- 443: Unnamed Patterns and Variables (Preview)
- 444: Virtual Threads
- 445: Unnamed Classes and Instance Main Methods (Preview)
- 446: Scoped Values (Preview)
- 448: Vector API (6th Incubator)
- 449: Deprecate the Windows 32-bit x86 Port for Removal
- 451: Prepare to Disallow the Dynamic Loading of Agents
- 452: Key Encapsulation Mechanism API
- 453: Structured Concurrency (Preview)

The first JDK 21 Release Candidate builds (builds 35) are available [4]. Those builds are provided under the GNU General Public License v2, with the Classpath Exception. The Release Notes [5] and the Javadocs [6] are also available.

[1] https://www.youtube.com/playlist?list=PLX8CzqL3ArzW90jKUCf4H6xCKpStxsOzp
[2] https://openjdk.org/projects/jdk/21/#Schedule
[3] https://openjdk.org/projects/jdk/21/#Features
[4] https://jdk.java.net/21/
[5] https://jdk.java.net/21/release-notes
[6] https://download.java.net/java/early_access/jdk21/docs/api/

## JDK 22 Early-Access Builds

The latest Early-Access builds 11 are available [7], and are provided under the GNU General Public License v2, with the Classpath Exception. The Release Notes are available here [8].

### Changes in recent JDK 22 builds (b8-b11) that may be of interest:

Note that this is only a curated list of changes, make sure to check [9] for additional changes.

- JDK-8314209: Wrong @since tag for RandomGenerator::equiDoubles [Reported by JaCoCo]
- JDK-8312489: Increase Default Value of the System Property jdk.jar.maxSignatureFileSize
- JDK-8312433: HttpClient request fails due to connection being considered …
- JDK-8313307: java/util/Formatter/Padding.java fails on some Locales
- JDK-8312821: Javac accepts char literal as template
- JDK-8313251: Add NativeLibraryLoad event
- JDK-8313809: String template fails with java.lang.StringIndexOutOfBoundsE…
- JDK-8312984: javac may crash on a record pattern with too few components
- JDK-8310033: Clarify return value of Java Time compareTo methods
- JDK-8302017: Allocate BadPaddingException only if it will be thrown
- JDK-8310913: Move ReferencedKeyMap to jdk.internal so it may be shared
- JDK-8313251: Add NativeLibraryLoad event to provide more detail about shared lib/dll loads
- JDK-8311653: Modify -XshowSettings launcher behavior
- JDK-8306441: Two phase segmented heap dump
- JDK-8311981: JVM May Hang When Using Generational ZGC if a VM Handshake Stalls on Memory
- JDK-8308850: Change JVM options with small ranges that get -Wconversion warnings to 32 bits

[7] https://jdk.java.net/22/
[8] https://jdk.java.net/22/release-notes
[9] https://github.com/openjdk/jdk/compare/jdk-22%2B8...jdk-22%2B11

## JavaFX 21 & 22 Early-Access Builds

These are early-access builds of the JavaFX Runtime, built from openjdk/jfx [10]. They allow JavaFX application developers to build and test their applications with JavaFX 21 or 22 on the latest JDK.

The latest builds 29 (2023/8/7) of JavaFX 21 are now available [11]. The early-access builds 5 (2023/8/18) of the JavaFX 22 Runtime which is designed to work with JDK 22 are also available [12]. These early-access builds are provided under the GNU General Public License, version 2, with the Classpath Exception. Please send the feedback on the openjfx-dev mailing list [13].

[10] https://github.com/openjdk/jfx
[11] https://jdk.java.net/javafx21/
[12] https://jdk.java.net/javafx22/
[13] http://mail.openjdk.org/mailman/listinfo/openjfx-dev

## Topics of Interest:

JDK 21: G1/Parallel/Serial GC improvements
https://tschatzl.github.io/2023/08/04/jdk21-g1-parallel-gc-changes.html

To Java 21 and Beyond!
https://inside.java/2023/08/08/to-java21-and-beyond/

Strengthen your Java App's Defenses with Key Encapsulation Mechanism API
https://inside.java/2023/08/03/newscast-54/

JVMLS -
[GitHub] [tomcat] markt-asf commented on pull request #647: Replaced synchronized with StampedLock
markt-asf commented on PR #647: URL: https://github.com/apache/tomcat/pull/647#issuecomment-1688571304 What is the justification for this change? Synchronization is not automatically an issue for virtual threads. I'm not seeing anything in this code that would be unfriendly to virtual threads. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[GitHub] [tomcat] markt-asf merged pull request #646: Parameter error handling
markt-asf merged PR #646: URL: https://github.com/apache/tomcat/pull/646
[tomcat] branch main updated (b55774b615 -> 32b48cadc3)
This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git

from b55774b615 Fix formatting. There should be a space between number and unit.
new 3f8a229be8 With the changes to parameter error handling all parsing is explicit
new 6f181e1062 Implement parameter error handling changes
new 7c4e89fc00 Remove unused strings
new d701009958 Remove Parameters.FailReason and associated plumbing
new 0befa0eb1b Add a changelog entry
new b19862c87b Add tests for changes in parameter handling
new d6f5676169 Handle exception triggered by invalid parameters during access logging
new 32b48cadc3 Review getParameterXXX() - invalid parameters + debug should not fail

The 8 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.

Summary of changes:

conf/web.xml | 21 -
java/org/apache/catalina/Globals.java | 16 -
java/org/apache/catalina/connector/Request.java | 498 +
.../apache/catalina/core/StandardWrapperValve.java | 14 +-
.../catalina/filters/FailedRequestFilter.java | 109 -
.../catalina/filters/RequestDumperFilter.java | 26 +-
java/org/apache/catalina/servlets/CGIServlet.java | 15 +-
.../catalina/valves/ExtendedAccessLogValve.java | 8 +-
.../util/http/InvalidParameterException.java | 98
.../tomcat/util/http/LocalStrings.properties | 5 -
.../tomcat/util/http/LocalStrings_cs.properties | 4 -
.../tomcat/util/http/LocalStrings_de.properties | 4 -
.../tomcat/util/http/LocalStrings_es.properties | 4 -
.../tomcat/util/http/LocalStrings_fr.properties | 5 -
.../tomcat/util/http/LocalStrings_ja.properties | 5 -
.../tomcat/util/http/LocalStrings_ko.properties | 5 -
.../tomcat/util/http/LocalStrings_pt_BR.properties | 17 -
.../tomcat/util/http/LocalStrings_zh_CN.properties | 5 -
java/org/apache/tomcat/util/http/Parameters.java | 169 ++-
.../servlet/TestServletRequestParameters.java | 63 +++
.../servlet/TestServletRequestParametersBase.java | 90
...TestServletRequestParametersFormUrlEncoded.java | 104 +
...stServletRequestParametersMultipartEncoded.java | 131 ++
.../TestServletRequestParametersQueryString.java | 112 +
.../org/apache/catalina/connector/TestRequest.java | 39 +-
.../apache/tomcat/util/http/TestParameters.java | 18 +-
webapps/docs/changelog.xml | 8 +
webapps/docs/config/ajp.xml | 15 +-
webapps/docs/config/filter.xml | 43 --
webapps/docs/config/http.xml | 15 +-
webapps/docs/security-howto.xml | 10 +-
31 files changed, 926 insertions(+), 750 deletions(-)
delete mode 100644 java/org/apache/catalina/filters/FailedRequestFilter.java
create mode 100644 java/org/apache/tomcat/util/http/InvalidParameterException.java
delete mode 100644 java/org/apache/tomcat/util/http/LocalStrings_pt_BR.properties
create mode 100644 test/jakarta/servlet/TestServletRequestParameters.java
create mode 100644 test/jakarta/servlet/TestServletRequestParametersBase.java
create mode 100644 test/jakarta/servlet/TestServletRequestParametersFormUrlEncoded.java
create mode 100644 test/jakarta/servlet/TestServletRequestParametersMultipartEncoded.java
create mode 100644 test/jakarta/servlet/TestServletRequestParametersQueryString.java
[tomcat] 02/08: Implement parameter error handling changes
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 6f181e1062a472bc5f0234980f66cbde42c1041b Author: Mark Thomas AuthorDate: Tue Aug 15 20:32:15 2023 +0100 Implement parameter error handling changes --- java/org/apache/catalina/connector/Request.java| 459 ++--- .../apache/catalina/core/StandardWrapperValve.java | 14 +- .../util/http/InvalidParameterException.java | 98 + java/org/apache/tomcat/util/http/Parameters.java | 132 ++ .../apache/tomcat/util/http/TestParameters.java| 18 +- 5 files changed, 367 insertions(+), 354 deletions(-) diff --git a/java/org/apache/catalina/connector/Request.java b/java/org/apache/catalina/connector/Request.java index 9a6de071d5..869cae087d 100644 --- a/java/org/apache/catalina/connector/Request.java +++ b/java/org/apache/catalina/connector/Request.java @@ -103,8 +103,8 @@ import org.apache.tomcat.util.buf.StringUtils; import org.apache.tomcat.util.buf.UDecoder; import org.apache.tomcat.util.http.CookieProcessor; import org.apache.tomcat.util.http.FastHttpDateFormat; +import org.apache.tomcat.util.http.InvalidParameterException; import org.apache.tomcat.util.http.Parameters; -import org.apache.tomcat.util.http.Parameters.FailReason; import org.apache.tomcat.util.http.Rfc6265CookieProcessor; import org.apache.tomcat.util.http.ServerCookie; import org.apache.tomcat.util.http.ServerCookies; @@ -303,6 +303,12 @@ public class Request implements HttpServletRequest { protected ParameterMap parameterMap = new ParameterMap<>(); +/** + * The exception thrown, if any when parsing the parameters including parts. + */ +protected IllegalStateException parametersParseException = null; + + /** * The parts, if any, uploaded with this request. */ 
@@ -445,6 +451,7 @@ public class Request implements HttpServletRequest { } parts = null; } +parametersParseException = null; partsParseException = null; locales.clear(); localesParsed = false; @@ -1061,30 +1068,13 @@ public class Request implements HttpServletRequest { } -/** - * @return the value of the specified request parameter, if any; otherwise, return null. If there is - * more than one value defined, return only the first one. - * - * @param name Name of the desired request parameter - */ @Override public String getParameter(String name) { - -if (!parametersParsed) { -parseParameters(); -} - +parseParameters(); return coyoteRequest.getParameters().getParameter(name); - } -/** - * Returns a Map of the parameters of this request. Request parameters are extra information sent with - * the request. For HTTP servlets, parameters are contained in the query string or posted form data. - * - * @return A Map containing parameter names as keys and parameter values as map values. - */ @Override public Map getParameterMap() { @@ -1102,39 +1092,20 @@ public class Request implements HttpServletRequest { parameterMap.setLocked(true); return parameterMap; - } -/** - * @return the names of all defined request parameters for this request. - */ @Override public Enumeration getParameterNames() { - -if (!parametersParsed) { -parseParameters(); -} - +parseParameters(); return coyoteRequest.getParameters().getParameterNames(); - } -/** - * @return the defined values for the specified request parameter, if any; otherwise, return null. - * - * @param name Name of the desired request parameter - */ @Override public String[] getParameterValues(String name) { - -if (!parametersParsed) { -parseParameters(); -} - +parseParameters(); return coyoteRequest.getParameters().getParameterValues(name); - } 
@@ -2635,6 +2606,7 @@ public class Request implements HttpServletRequest { getContext().getAuthenticator().logout(this); } + @Override public Collection getParts() throws IOException, IllegalStateException, ServletException { @@ -2653,6 +2625,7 @@ public class Request implements HttpServletRequest { return parts; } + private void parseParts() { // Return immediately if the parts have already been parsed @@ -2677,119 +2650,103 @@ public class Request implements HttpServletRequest { Parameters parameters = coyoteRequest.getParameters(); parameters.setLimit(maxParameterCount); -boolean success = false; -try { -File location; -String locationStr = mce.getLocation(); -if (locationStr == null || locationStr.length() == 0) { -
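Review bot: in the getParameter(), getParameterNames() and getParameterValues() hunks of Request.java the "if (!parametersParsed)" guard is dropped and parseParameters() is now called on every access, so parseParameters() itself has to return early once parsing has run and has to rethrow the stored parametersParseException on each later call. Neither behaviour is visible in these hunks; a test that calls getParameter() twice on a request with invalid parameters and expects the exception both times would pin it down.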
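Review bot: the Javadoc on the new parametersParseException field in Request.java ("The exception thrown, if any when parsing the parameters including parts.") is missing a comma after "if any" and does not say how the field relates to the existing partsParseException, which recycle() resets on the very next line. Since the field is protected, a sentence on which of the two a subclass should consult would help.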
[tomcat] 08/08: Review getParameterXXX() - invalid parameters + debug should not fail
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 32b48cadc3a51b1770d76902901b3541a987ae41 Author: Mark Thomas AuthorDate: Sun Aug 20 16:37:20 2023 -0700 Review getParameterXXX() - invalid parameters + debug should not fail --- .../catalina/filters/RequestDumperFilter.java | 26 +- java/org/apache/catalina/servlets/CGIServlet.java | 15 - 2 files changed, 25 insertions(+), 16 deletions(-) diff --git a/java/org/apache/catalina/filters/RequestDumperFilter.java b/java/org/apache/catalina/filters/RequestDumperFilter.java index fc76581a4d..28d6395c57 100644 --- a/java/org/apache/catalina/filters/RequestDumperFilter.java +++ b/java/org/apache/catalina/filters/RequestDumperFilter.java @@ -134,19 +134,23 @@ public class RequestDumperFilter extends GenericFilter { doLog("method", hRequest.getMethod()); } -Enumeration pnames = request.getParameterNames(); -while (pnames.hasMoreElements()) { -String pname = pnames.nextElement(); -String pvalues[] = request.getParameterValues(pname); -StringBuilder result = new StringBuilder(pname); -result.append('='); -for (int i = 0; i < pvalues.length; i++) { -if (i > 0) { -result.append(", "); +try { +Enumeration pnames = request.getParameterNames(); +while (pnames.hasMoreElements()) { +String pname = pnames.nextElement(); +String pvalues[] = request.getParameterValues(pname); +StringBuilder result = new StringBuilder(pname); +result.append('='); +for (int i = 0; i < pvalues.length; i++) { +if (i > 0) { +result.append(", "); +} +result.append(pvalues[i]); } -result.append(pvalues[i]); +doLog(" parameter", result.toString()); } -doLog(" parameter", result.toString()); +} catch (IllegalStateException ise) { +doLog("parameters", "Invalid request parameters"); } if (hRequest == null) { 
diff --git a/java/org/apache/catalina/servlets/CGIServlet.java b/java/org/apache/catalina/servlets/CGIServlet.java index e1cda7bb97..c4c967fd36 100644 --- a/java/org/apache/catalina/servlets/CGIServlet.java +++ b/java/org/apache/catalina/servlets/CGIServlet.java @@ -470,12 +470,17 @@ public final class CGIServlet extends HttpServlet { Locale locale = locales.nextElement(); log.trace("Locale: [" +locale + "]"); } -Enumeration params = req.getParameterNames(); -while (params.hasMoreElements()) { -String param = params.nextElement(); -for (String value : req.getParameterValues(param)) { -log.trace("Request Parameter: " + param + ": [" + value + "]"); +Enumeration params; +try { +params = req.getParameterNames(); +while (params.hasMoreElements()) { +String param = params.nextElement(); +for (String value : req.getParameterValues(param)) { +log.trace("Request Parameter: " + param + ": [" + value + "]"); +} } +} catch (IllegalStateException ise) { +log.trace("Request Parameters: [Invalid]"); } log.trace("Protocol: [" + req.getProtocol() + "]"); log.trace("Remote Address: [" + req.getRemoteAddr() + "]"); - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
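Review bot: the new catch block in RequestDumperFilter logs under the key "parameters", while the loop it wraps logs each entry under " parameter", so a request with invalid parameters produces a line with a different name and alignment from every other dump. Use the same key in both places. The caught ise is also discarded, which leaves "Invalid request parameters" as the only information in the dump; if the reason is added, it should go through the same output path as the other logged values.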
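Review bot: in the CGIServlet hunk "Enumeration params;" is declared before the try but is only assigned and read inside it; declare it on the assignment line inside the try so its scope matches its use. The catch drops ise without recording anything beyond "Request Parameters: [Invalid]", which is acceptable at trace level but worth a short comment saying the exception is ignored deliberately.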
[tomcat] 06/08: Add tests for changes in parameter handling
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git commit b19862c87b3a3c163cda60ff839f59297d438983 Author: Mark Thomas AuthorDate: Fri Aug 18 15:58:44 2023 +0100 Add tests for changes in parameter handling --- .../servlet/TestServletRequestParameters.java | 63 ++ .../servlet/TestServletRequestParametersBase.java | 90 ++ ...TestServletRequestParametersFormUrlEncoded.java | 104 ...stServletRequestParametersMultipartEncoded.java | 131 + .../TestServletRequestParametersQueryString.java | 112 ++ 5 files changed, 500 insertions(+) diff --git a/test/jakarta/servlet/TestServletRequestParameters.java b/test/jakarta/servlet/TestServletRequestParameters.java new file mode 100644 index 00..1f50f4e5dd --- /dev/null +++ b/test/jakarta/servlet/TestServletRequestParameters.java 
@@ -0,0 +1,63 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package jakarta.servlet; + +import java.nio.charset.StandardCharsets; + +import org.junit.Assert; +import org.junit.Test; + +import static org.apache.catalina.startup.SimpleHttpClient.CRLF; +import org.apache.catalina.core.StandardContext; +import org.apache.catalina.startup.Tomcat; + +public class TestServletRequestParameters extends TestServletRequestParametersBase { + +@Test +public void testClientDisconnect() throws Exception { + +Tomcat tomcat = getTomcatInstance(); + +tomcat.getConnector().setMaxPostSize(20); + Assert.assertTrue(tomcat.getConnector().setProperty("connectionTimeout", "1000")); + +// No file system docBase required +StandardContext ctx = (StandardContext) tomcat.addContext("", null); + +// Map the test Servlet +ParameterParsingServlet parameterParsingServlet = new ParameterParsingServlet(); +Tomcat.addServlet(ctx, "parameterParsingServlet", parameterParsingServlet); +ctx.addServletMappingDecoded("/", "parameterParsingServlet"); + +tomcat.start(); + +TestParameterClient client = new TestParameterClient(); +client.setPort(getPort()); +client.setRequest(new String[] { "POST / HTTP/1.1" + CRLF + "Host: localhost:" + getPort() + CRLF + 
+"Connection: close" + CRLF + "Transfer-Encoding: chunked" + CRLF + +"Content-Type: application/x-www-form-urlencoded" + CRLF + CRLF + "0a" + CRLF + "var1=val1&" + CRLF }); + +client.setResponseBodyEncoding(StandardCharsets.UTF_8); +client.connect(); +// Incomplete request will look timeout reading body and behave like a client disconnect +client.processRequest(); + +// Connection should be closed by the server. +//readLine() will receive an EOF reading the status line resuting in a null +Assert.assertNull(client.getResponseLine()); +} +} diff --git a/test/jakarta/servlet/TestServletRequestParametersBase.java b/test/jakarta/servlet/TestServletRequestParametersBase.java new file mode 100644 index 00..fce787175e --- /dev/null +++ b/test/jakarta/servlet/TestServletRequestParametersBase.java @@ -0,0 +1,90 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package jakarta.servlet; + +import java.io.IOException; +import java.io.PrintWriter; +import java.nio.charset.StandardCharsets; +import jav
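Review bot: two comments at the end of testClientDisconnect() need fixing: "Incomplete request will look timeout reading body" does not parse, and "resuting" should be "resulting" (the "//readLine()" comment also lacks a space after the slashes). The test calls setMaxPostSize(20) although the single 10-byte chunk it sends never reaches that limit; either drop the call or add a comment explaining why the disconnect case depends on it, so the test keeps exercising the timeout path rather than the size limit if the request body is later changed.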
[tomcat] 03/08: Remove unused strings
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 7c4e89fc00cd4d377133430f68c16bea11bc16bd Author: Mark Thomas AuthorDate: Wed Aug 16 08:42:36 2023 +0100 Remove unused strings --- .../org/apache/tomcat/util/http/LocalStrings.properties | 5 - .../apache/tomcat/util/http/LocalStrings_cs.properties | 4 .../apache/tomcat/util/http/LocalStrings_de.properties | 4 .../apache/tomcat/util/http/LocalStrings_es.properties | 4 .../apache/tomcat/util/http/LocalStrings_fr.properties | 5 - .../apache/tomcat/util/http/LocalStrings_ja.properties | 5 - .../apache/tomcat/util/http/LocalStrings_ko.properties | 5 - .../tomcat/util/http/LocalStrings_pt_BR.properties | 17 - .../tomcat/util/http/LocalStrings_zh_CN.properties | 5 - 9 files changed, 54 deletions(-) diff --git a/java/org/apache/tomcat/util/http/LocalStrings.properties b/java/org/apache/tomcat/util/http/LocalStrings.properties index 43307a8893..292706984a 100644 --- a/java/org/apache/tomcat/util/http/LocalStrings.properties +++ b/java/org/apache/tomcat/util/http/LocalStrings.properties 
@@ -27,13 +27,8 @@ parameters.copyFail=Failed to create copy of original parameter values for debug parameters.decodeFail.debug=Character decoding failed. Parameter [{0}] with value [{1}] has been ignored. parameters.decodeFail.info=Character decoding failed. Parameter [{0}] with value [{1}] has been ignored. Note that the name and value quoted here may be corrupted due to the failed decoding. Use debug level logging to see the original, non-corrupted values. parameters.emptyChunk=Empty parameter chunk ignored -parameters.fallToDebug=\n\ -\ Note: further occurrences of Parameter errors will be logged at DEBUG level. parameters.invalidChunk=Invalid chunk starting at byte [{0}] and ending at byte [{1}] with a value of [{2}] ignored parameters.maxCountFail=More than the maximum number of request parameters (GET plus POST) for a single request ([{0}]) were detected. Any parameters beyond this limit have been ignored. To change this limit, set the maxParameterCount attribute on the Connector. -parameters.maxCountFail.fallToDebug=\n\ -\ Note: further occurrences of this error will be logged at DEBUG level. -parameters.multipleDecodingFail=Character decoding failed. A total of [{0}] failures were detected but only the first was logged. Enable debug level logging for this logger to log all failures. parameters.noequal=Parameter starting at position [{0}] and ending at position [{1}] with a value of [{2}] was not followed by an ''='' character rfc6265CookieProcessor.invalidAttributeName=An invalid attribute name [{0}] was specified for this cookie diff --git a/java/org/apache/tomcat/util/http/LocalStrings_cs.properties b/java/org/apache/tomcat/util/http/LocalStrings_cs.properties index a2cfdc6f94..551eb9155d 100644 --- a/java/org/apache/tomcat/util/http/LocalStrings_cs.properties +++ b/java/org/apache/tomcat/util/http/LocalStrings_cs.properties 
@@ -19,9 +19,5 @@ cookies.invalidCookieToken=Cookies: neplatné cookie. Hodnota není znak nebo ci parameters.copyFail=Vytvoření kopie původních hodnot parametrů pro účely DEBUG logování selhalo parameters.decodeFail.debug=Dekódování znaku selhalo. Parametr [{0}] s hodnotou [{1}] byl ignorován. -parameters.fallToDebug=\n\ -\ Poznámka: další výskyty chyb parametrů budou zalogovány v DEBUG úrovni. -parameters.maxCountFail.fallToDebug=\n\ -\ Poznámka: další výskyty této chyby budou zalogovány v úrovni DEBUG. rfc6265CookieProcessor.invalidPath=Byla specifikována neplatná cesta [{0}] pro toto cookie diff --git a/java/org/apache/tomcat/util/http/LocalStrings_de.properties b/java/org/apache/tomcat/util/http/LocalStrings_de.properties index 22e8b604fb..b3e8a0da51 100644 --- a/java/org/apache/tomcat/util/http/LocalStrings_de.properties +++ b/java/org/apache/tomcat/util/http/LocalStrings_de.properties @@ -19,9 +19,5 @@ cookies.invalidSameSiteCookies=Unbekannte Einstellung [{0}], Sollte einer der We parameters.bytes=Starte Verarbeitung mit Eingabe [{0}] parameters.copyFail=Konnte keine Kopie der Originalwerte der Parameter für Debug-Ausgaben erzeugen parameters.decodeFail.debug=Zeichen-Dekodierung fehlgeschlagen. Parameter [{0}] mit Wert [{1}] wurde ignoriert -parameters.fallToDebug=\n\ -\ Beachte: weitere Vorkommen von Parameter Fehlern werden im DEBUG Level geloggt. -parameters.maxCountFail.fallToDebug=\n\ -\ Hinweis: weitere Vorkommen dieses Fehlers werden im DEBUG-Level protokolliert. rfc6265CookieProcessor.invalidPath=Ein ungültiger Pfad [{0}] ist für das Cookie spezifiziert diff --git a/java/org/apache/tomcat/util/http/LocalStrings_es.properties b/java/org/apache/tomcat/util/http/LocalStrings_es.properties index cb51d9fae0..2749ea9254 100644 --- a/java/org/apache/tomcat/util/http/LocalStrings_es.prop
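Review bot: the context lines left in LocalStrings.properties still tell the operator that bad input was ignored (parameters.maxCountFail ends "Any parameters beyond this limit have been ignored", and both parameters.decodeFail strings say the parameter "has been ignored"), while the changelog entry in this series states that invalid parameters and exceeded limits now trigger exceptions. If these keys are still referenced their wording should be corrected in this commit; if they are not, they belong in this removal along with the fallToDebug keys.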
[tomcat] 01/08: With the changes to parameter error handling all parsing is explicit
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 3f8a229be8cbdd99e718b1b72b5f9c0ea1421c23 Author: Mark Thomas AuthorDate: Tue Aug 15 19:54:02 2023 +0100 With the changes to parameter error handling all parsing is explicit --- java/org/apache/catalina/connector/Request.java | 15 +-- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/java/org/apache/catalina/connector/Request.java b/java/org/apache/catalina/connector/Request.java index a12fdb4226..9a6de071d5 100644 --- a/java/org/apache/catalina/connector/Request.java +++ b/java/org/apache/catalina/connector/Request.java @@ -2638,7 +2638,7 @@ public class Request implements HttpServletRequest { @Override public Collection getParts() throws IOException, IllegalStateException, ServletException { -parseParts(true); +parseParts(); if (partsParseException != null) { if (partsParseException instanceof IOException) { @@ -2653,7 +2653,7 @@ public class Request implements HttpServletRequest { return parts; } -private void parseParts(boolean explicit) { +private void parseParts() { // Return immediately if the parts have already been parsed if (parts != null || partsParseException != null) { @@ -2668,13 +2668,8 @@ public class Request implements HttpServletRequest { mce = new MultipartConfigElement(null, connector.getMaxPostSize(), connector.getMaxPostSize(), connector.getMaxPostSize()); } else { -if (explicit) { -partsParseException = new IllegalStateException(sm.getString("coyoteRequest.noMultipartConfig")); -return; -} else { -parts = Collections.emptyList(); -return; -} +partsParseException = new IllegalStateException(sm.getString("coyoteRequest.noMultipartConfig")); +return; } } 
@@ -3061,7 +3056,7 @@ public class Request implements HttpServletRequest { } if ("multipart/form-data".equals(contentType)) { -parseParts(false); +parseParts(); success = true; return; } - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
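Review bot: in the last hunk (@@ -3061) the multipart/form-data branch still sets "success = true" immediately after parseParts(), but with the explicit flag removed the else branch at @@ -2668 now always records partsParseException instead of falling back to an empty parts list. Check partsParseException before marking the parse successful, or say in the commit message that a later commit in the series deals with it. Also confirm that the Collections import in Request.java is still needed now that Collections.emptyList() is gone.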
[tomcat] 05/08: Add a changelog entry
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 0befa0eb1b7feb9752d344902fe787489ef369c1 Author: Mark Thomas AuthorDate: Fri Aug 18 14:32:55 2023 +0100 Add a changelog entry --- webapps/docs/changelog.xml | 8 1 file changed, 8 insertions(+) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index bda9dc94dd..e4d3072d31 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -117,6 +117,14 @@ Update code comments and Tomcat output to use MiB for 1024 * 1024 bytes and KiB for 1024 bytes rather than MB and kB. (martk) + +Update the HTTP parameter handling to align with the changes in the +Jakarta Servlet 6.1 API Javadoc for the ServletRequest +methods used to obtain request parameters. Invalid parameters and/or +exceeding parameter size and/or quantity limits now trigger +exceptions. As a consequence, the FailedRequestFilter has +been removed. (markt) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
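Review bot: the new entry says invalid parameters "now trigger exceptions" without naming the exception type, and mentions the removal of FailedRequestFilter only as a consequence. The other commits in this series catch IllegalStateException around the getParameter calls and the commit that removes the filter also edits conf/web.xml, so the entry should name the exception and tell deployments that reference FailedRequestFilter in their own web.xml to remove that configuration.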
[tomcat] 04/08: Remove Parameters.FailReason and associated plumbing
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git commit d701009958e1c2f16f10226f15a13268ae314a32 Author: Mark Thomas AuthorDate: Wed Aug 16 08:50:56 2023 +0100 Remove Parameters.FailReason and associated plumbing This includes removing the FailedRequestFilter --- conf/web.xml | 21 java/org/apache/catalina/Globals.java | 16 --- java/org/apache/catalina/connector/Request.java| 26 - .../catalina/filters/FailedRequestFilter.java | 109 - java/org/apache/tomcat/util/http/Parameters.java | 37 --- .../org/apache/catalina/connector/TestRequest.java | 39 +--- webapps/docs/config/ajp.xml| 15 ++- webapps/docs/config/filter.xml | 43 webapps/docs/config/http.xml | 15 ++- webapps/docs/security-howto.xml| 10 +- 10 files changed, 15 insertions(+), 316 deletions(-) diff --git a/conf/web.xml b/conf/web.xml index 9ec69cc66e..89942a9e39 100644 --- a/conf/web.xml +++ b/conf/web.xml @@ -517,19 +517,6 @@ --> - - - - - @@ -608,14 +595,6 @@ --> - - -
[tomcat] 07/08: Handle exception triggered by invalid parameters during access logging
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git commit d6f56761693b06632f4bdd27d7c3010e3665bfbc Author: Mark Thomas AuthorDate: Sun Aug 20 13:05:07 2023 +0100 Handle exception triggered by invalid parameters during access logging --- java/org/apache/catalina/valves/ExtendedAccessLogValve.java | 8 +++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/java/org/apache/catalina/valves/ExtendedAccessLogValve.java b/java/org/apache/catalina/valves/ExtendedAccessLogValve.java index c9cba36f83..ad07cf6339 100644 --- a/java/org/apache/catalina/valves/ExtendedAccessLogValve.java +++ b/java/org/apache/catalina/valves/ExtendedAccessLogValve.java @@ -361,7 +361,13 @@ public class ExtendedAccessLogValve extends AccessLogValve { @Override public void addElement(CharArrayWriter buf, Date date, Request request, Response response, long time) { -buf.append(wrap(urlEncode(request.getParameter(parameter; +String parameterValue; +try { +parameterValue = request.getParameter(parameter); +} catch (IllegalStateException ise) { +parameterValue = null; +} +buf.append(wrap(urlEncode(parameterValue))); } } - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
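Review bot: in addElement() an IllegalStateException from request.getParameter(parameter) is mapped to null, so the access log records a request with invalid parameters exactly as it records a request where the parameter is simply absent. For a log that gets read during incident triage a distinct marker would be more useful; if writing the same value is intended, add a comment on the catch block saying so.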
Buildbot failure in on tomcat-11.0.x
Build status: BUILD FAILED: failed compile (failure) Worker used: bb_worker2_ubuntu URL: https://ci2.apache.org/#builders/112/builds/545 Blamelist: Mark Thomas Build Text: failed compile (failure) Status Detected: new failure Build Source Stamp: [branch main] 32b48cadc3a51b1770d76902901b3541a987ae41 Steps: worker_preparation: 0 git: 0 shell: 0 shell_1: 0 shell_2: 0 shell_3: 0 shell_4: 0 shell_5: 0 compile: 1 shell_6: 0 shell_7: 0 shell_8: 0 shell_9: 0 Rsync docs to nightlies.apache.org: 0 shell_10: 0 Rsync RAT to nightlies.apache.org: 0 compile_1: 2 shell_11: 0 Rsync Logs to nightlies.apache.org: 0 -- ASF Buildbot
[tomcat] 01/02: Avoid protocol relative redirects
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch cve-2023-41080 in repository https://gitbox.apache.org/repos/asf/tomcat.git commit e3703c9abb8fe0d5602f6ba8a8f11d4b6940815a Author: Mark Thomas AuthorDate: Tue Aug 22 11:31:23 2023 -0700 Avoid protocol relative redirects --- java/org/apache/catalina/authenticator/FormAuthenticator.java | 6 ++ webapps/docs/changelog.xml| 3 +++ 2 files changed, 9 insertions(+) diff --git a/java/org/apache/catalina/authenticator/FormAuthenticator.java b/java/org/apache/catalina/authenticator/FormAuthenticator.java index 5487ec87a8..9dd5635ca8 100644 --- a/java/org/apache/catalina/authenticator/FormAuthenticator.java +++ b/java/org/apache/catalina/authenticator/FormAuthenticator.java @@ -742,6 +742,12 @@ public class FormAuthenticator extends AuthenticatorBase { sb.append('?'); sb.append(saved.getQueryString()); } + +// Avoid protocol relative redirects +while (sb.length() > 1 && sb.charAt(1) == '/') { +sb.deleteCharAt(0); +} + return sb.toString(); } } diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index e4d3072d31..a45195dfc1 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -125,6 +125,9 @@ exceptions. As a consequence, the FailedRequestFilter has been removed. (markt) + +Avoid protocol relative redirects in FORM authentication. (markt) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
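Review bot: the loop condition in the FormAuthenticator.java hunk tests only sb.charAt(1) == '/' and never sb.charAt(0), so it deletes the first character whatever it is and is correct only if the buffer always begins with '/'. Either test both positions (sb.charAt(0) == '/' && sb.charAt(1) == '/') or state that assumption in the comment. The diffstat also shows only FormAuthenticator.java and changelog.xml changed; a regression test that saves a request URI with several leading slashes and asserts the returned string starts with a single '/' would keep the fix from regressing.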
[tomcat] 02/02: Rename base test so it is not treated as a class with actual tests
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch cve-2023-41080 in repository https://gitbox.apache.org/repos/asf/tomcat.git commit d8ebecffb5c0a39977a7c47d1a4b8a8bee84476e Author: Mark Thomas AuthorDate: Tue Aug 22 12:21:59 2023 -0700 Rename base test so it is not treated as a class with actual tests --- ...etRequestParametersBase.java => ServletRequestParametersBaseTest.java} | 0 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/test/jakarta/servlet/TestServletRequestParametersBase.java b/test/jakarta/servlet/ServletRequestParametersBaseTest.java similarity index 100% rename from test/jakarta/servlet/TestServletRequestParametersBase.java rename to test/jakarta/servlet/ServletRequestParametersBaseTest.java - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch cve-2023-41080 created (now d8ebecffb5)
This is an automated email from the ASF dual-hosted git repository. markt pushed a change to branch cve-2023-41080 in repository https://gitbox.apache.org/repos/asf/tomcat.git at d8ebecffb5 Rename base test so it is not treated as a class with actual tests This branch includes the following new commits: new e3703c9abb Avoid protocol relative redirects new d8ebecffb5 Rename base test so it is not treated as a class with actual tests The 2 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.
[tomcat] branch cve-2023-41080 updated: Additional classes for rename
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch cve-2023-41080 in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/cve-2023-41080 by this push: new 93e59bda91 Additional classes for rename 93e59bda91 is described below commit 93e59bda914e03ddf3ccaf1f57dab47dbda650b9 Author: Mark Thomas AuthorDate: Tue Aug 22 12:22:16 2023 -0700 Additional classes for rename --- test/jakarta/servlet/ServletRequestParametersBaseTest.java | 2 +- test/jakarta/servlet/TestServletRequestParameters.java | 2 +- test/jakarta/servlet/TestServletRequestParametersFormUrlEncoded.java | 2 +- test/jakarta/servlet/TestServletRequestParametersMultipartEncoded.java | 2 +- test/jakarta/servlet/TestServletRequestParametersQueryString.java | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/test/jakarta/servlet/ServletRequestParametersBaseTest.java b/test/jakarta/servlet/ServletRequestParametersBaseTest.java index fce787175e..6a045c0217 100644 --- a/test/jakarta/servlet/ServletRequestParametersBaseTest.java +++ b/test/jakarta/servlet/ServletRequestParametersBaseTest.java @@ -32,7 +32,7 @@ import jakarta.servlet.http.HttpServletResponse; import org.apache.catalina.startup.SimpleHttpClient; import org.apache.catalina.startup.TomcatBaseTest; -public class TestServletRequestParametersBase extends TomcatBaseTest { +public class ServletRequestParametersBaseTest extends TomcatBaseTest { protected Map> parseReportedParameters(SimpleHttpClient client) { Map> parameters = new LinkedHashMap<>(); diff --git a/test/jakarta/servlet/TestServletRequestParameters.java b/test/jakarta/servlet/TestServletRequestParameters.java index 1f50f4e5dd..3354eb07fd 100644 --- a/test/jakarta/servlet/TestServletRequestParameters.java +++ b/test/jakarta/servlet/TestServletRequestParameters.java 
@@ -25,7 +25,7 @@ import static org.apache.catalina.startup.SimpleHttpClient.CRLF; import org.apache.catalina.core.StandardContext; import org.apache.catalina.startup.Tomcat; -public class TestServletRequestParameters extends TestServletRequestParametersBase { +public class TestServletRequestParameters extends ServletRequestParametersBaseTest { @Test public void testClientDisconnect() throws Exception { diff --git a/test/jakarta/servlet/TestServletRequestParametersFormUrlEncoded.java b/test/jakarta/servlet/TestServletRequestParametersFormUrlEncoded.java index 4266eef7c6..253836df5f 100644 --- a/test/jakarta/servlet/TestServletRequestParametersFormUrlEncoded.java +++ b/test/jakarta/servlet/TestServletRequestParametersFormUrlEncoded.java @@ -34,7 +34,7 @@ import org.apache.catalina.core.StandardContext; import org.apache.catalina.startup.Tomcat; @RunWith(Parameterized.class) -public class TestServletRequestParametersFormUrlEncoded extends TestServletRequestParametersBase { +public class TestServletRequestParametersFormUrlEncoded extends ServletRequestParametersBaseTest { @Parameterized.Parameters(name = "{index}: chunked[{0}]") public static Collection parameters() { diff --git a/test/jakarta/servlet/TestServletRequestParametersMultipartEncoded.java b/test/jakarta/servlet/TestServletRequestParametersMultipartEncoded.java index ac0941f853..c6afb1ff70 100644 --- a/test/jakarta/servlet/TestServletRequestParametersMultipartEncoded.java +++ b/test/jakarta/servlet/TestServletRequestParametersMultipartEncoded.java @@ -34,7 +34,7 @@ import org.apache.catalina.core.StandardContext; import org.apache.catalina.startup.Tomcat; @RunWith(Parameterized.class) -public class TestServletRequestParametersMultipartEncoded extends TestServletRequestParametersBase { +public class TestServletRequestParametersMultipartEncoded extends ServletRequestParametersBaseTest { @Parameterized.Parameters(name = "{index}: chunked[{0}]") public static Collection parameters() { 
diff --git a/test/jakarta/servlet/TestServletRequestParametersQueryString.java b/test/jakarta/servlet/TestServletRequestParametersQueryString.java index 037bdd55cc..2d19041c56 100644 --- a/test/jakarta/servlet/TestServletRequestParametersQueryString.java +++ b/test/jakarta/servlet/TestServletRequestParametersQueryString.java @@ -35,7 +35,7 @@ import org.apache.catalina.core.StandardContext; import org.apache.catalina.startup.Tomcat; @RunWith(Parameterized.class) -public class TestServletRequestParametersQueryString extends TestServletRequestParametersBase { +public class TestServletRequestParametersQueryString extends ServletRequestParametersBaseTest { private static final Integer SC_OK = Integer.valueOf(HttpServletResponse.SC_OK); private static final Integer SC_BAD_REQUEST = Integer.valueOf(HttpServletResponse.SC_BAD_REQUEST); - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additiona
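Review bot: in ServletRequestParametersBaseTest.java the renamed class is still concrete (public class ServletRequestParametersBaseTest extends TomcatBaseTest) and its name now ends in Test, so any runner or IDE that selects classes by a Test suffix will still try to run it. Declaring the base class abstract would make the intent explicit and independent of naming patterns; the four subclasses in the other hunks need no further change for that.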
[tomcat] branch main updated (32b48cadc3 -> 93e59bda91)
This is an automated email from the ASF dual-hosted git repository. markt pushed a change to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git from 32b48cadc3 Review getParameterXXX() - invalid parameters + debug should not fail add e3703c9abb Avoid protocol relative redirects add d8ebecffb5 Rename base test so it is not treated as a class with actual tests add 93e59bda91 Additional classes for rename No new revisions were added by this update. Summary of changes: java/org/apache/catalina/authenticator/FormAuthenticator.java | 6 ++ ...estParametersBase.java => ServletRequestParametersBaseTest.java} | 2 +- test/jakarta/servlet/TestServletRequestParameters.java | 2 +- .../jakarta/servlet/TestServletRequestParametersFormUrlEncoded.java | 2 +- .../servlet/TestServletRequestParametersMultipartEncoded.java | 2 +- test/jakarta/servlet/TestServletRequestParametersQueryString.java | 2 +- webapps/docs/changelog.xml | 3 +++ 7 files changed, 14 insertions(+), 5 deletions(-) rename test/jakarta/servlet/{TestServletRequestParametersBase.java => ServletRequestParametersBaseTest.java} (98%)
[tomcat] branch cve-2023-41080 deleted (was 93e59bda91)
This is an automated email from the ASF dual-hosted git repository. markt pushed a change to branch cve-2023-41080 in repository https://gitbox.apache.org/repos/asf/tomcat.git was 93e59bda91 Additional classes for rename The revisions that were on this branch are still contained in other references; therefore, this change does not discard any commits from the repository.
[tomcat] branch 10.1.x updated: Avoid protocol relative redirects
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.1.x by this push: new bb4624a9f3 Avoid protocol relative redirects bb4624a9f3 is described below commit bb4624a9f3e69d495182ebfa68d7983076407a27 Author: Mark Thomas AuthorDate: Tue Aug 22 11:31:23 2023 -0700 Avoid protocol relative redirects --- java/org/apache/catalina/authenticator/FormAuthenticator.java | 6 ++ webapps/docs/changelog.xml| 3 +++ 2 files changed, 9 insertions(+) diff --git a/java/org/apache/catalina/authenticator/FormAuthenticator.java b/java/org/apache/catalina/authenticator/FormAuthenticator.java index 2876a2d04c..c66ae56454 100644 --- a/java/org/apache/catalina/authenticator/FormAuthenticator.java +++ b/java/org/apache/catalina/authenticator/FormAuthenticator.java @@ -747,6 +747,12 @@ public class FormAuthenticator extends AuthenticatorBase { sb.append('?'); sb.append(saved.getQueryString()); } + +// Avoid protocol relative redirects +while (sb.length() > 1 && sb.charAt(1) == '/') { +sb.deleteCharAt(0); +} + return sb.toString(); } } diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 0b37d87df5..b52bde0b9f 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -117,6 +117,9 @@ Update code comments and Tomcat output to use MiB for 1024 * 1024 bytes and KiB for 1024 bytes rather than MB and kB. (martk) + +Avoid protocol relative redirects in FORM authentication. (markt) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
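Review bot: sb.deleteCharAt(0) inside the while loop shifts the whole buffer on every iteration, so a saved URI with n leading slashes costs n full copies of the string. Count the leading '/' characters first and remove all but one with a single sb.delete(0, count - 1) call; the result is the same and the work stays linear in the length of the URI.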
[tomcat] branch 9.0.x updated: Avoid protocol relative redirects
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new 77c0ce2d16 Avoid protocol relative redirects 77c0ce2d16 is described below commit 77c0ce2d169efa248b64b992e547aad549ec906b Author: Mark Thomas AuthorDate: Tue Aug 22 11:31:23 2023 -0700 Avoid protocol relative redirects --- java/org/apache/catalina/authenticator/FormAuthenticator.java | 6 ++ webapps/docs/changelog.xml| 3 +++ 2 files changed, 9 insertions(+) diff --git a/java/org/apache/catalina/authenticator/FormAuthenticator.java b/java/org/apache/catalina/authenticator/FormAuthenticator.java index a57db51776..d54cc62182 100644 --- a/java/org/apache/catalina/authenticator/FormAuthenticator.java +++ b/java/org/apache/catalina/authenticator/FormAuthenticator.java @@ -747,6 +747,12 @@ public class FormAuthenticator extends AuthenticatorBase { sb.append('?'); sb.append(saved.getQueryString()); } + +// Avoid protocol relative redirects +while (sb.length() > 1 && sb.charAt(1) == '/') { +sb.deleteCharAt(0); +} + return sb.toString(); } } diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 94948bae1b..80d0b214a8 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -117,6 +117,9 @@ Update code comments and Tomcat output to use MiB for 1024 * 1024 bytes and KiB for 1024 bytes rather than MB and kB. (martk) + +Avoid protocol relative redirects in FORM authentication. (markt) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
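Review bot: the comment // Avoid protocol relative redirects says what the loop is for but not why it is needed at this point in the method. One more comment line noting that a redirect target starting with // is resolved by browsers as a host name rather than a path, and that sb is assembled from the saved request, would let a later maintainer see why the leading slashes must be collapsed before return sb.toString().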
[tomcat] branch 8.5.x updated: Avoid protocol relative redirects
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/8.5.x by this push: new 4998ad745b Avoid protocol relative redirects 4998ad745b is described below commit 4998ad745b67edeadefe541c94ed029b53933d3b Author: Mark Thomas AuthorDate: Tue Aug 22 11:31:23 2023 -0700 Avoid protocol relative redirects --- java/org/apache/catalina/authenticator/FormAuthenticator.java | 6 ++ webapps/docs/changelog.xml| 3 +++ 2 files changed, 9 insertions(+) diff --git a/java/org/apache/catalina/authenticator/FormAuthenticator.java b/java/org/apache/catalina/authenticator/FormAuthenticator.java index a57db51776..d54cc62182 100644 --- a/java/org/apache/catalina/authenticator/FormAuthenticator.java +++ b/java/org/apache/catalina/authenticator/FormAuthenticator.java @@ -747,6 +747,12 @@ public class FormAuthenticator extends AuthenticatorBase { sb.append('?'); sb.append(saved.getQueryString()); } + +// Avoid protocol relative redirects +while (sb.length() > 1 && sb.charAt(1) == '/') { +sb.deleteCharAt(0); +} + return sb.toString(); } } diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index bacf432793..9eadbe2b8c 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -117,6 +117,9 @@ Update code comments and Tomcat output to use MiB for 1024 * 1024 bytes and KiB for 1024 bytes rather than MB and kB. (martk) + +Avoid protocol relative redirects in FORM authentication. (markt) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
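Review bot: in the changelog.xml hunk the unchanged entry just above the new one is attributed to (martk) while the added entry uses (markt). Correct the attribution of the earlier entry in the same change so the two entries match.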
Buildbot success in on tomcat-11.0.x
Build status: Build succeeded! Worker used: bb_worker2_ubuntu URL: https://ci2.apache.org/#builders/112/builds/546 Blamelist: Mark Thomas Build Text: build successful Status Detected: restored build Build Source Stamp: [branch main] 93e59bda914e03ddf3ccaf1f57dab47dbda650b9 Steps: worker_preparation: 0 git: 0 shell: 0 shell_1: 0 shell_2: 0 shell_3: 0 shell_4: 0 shell_5: 0 compile: 1 shell_6: 0 shell_7: 0 shell_8: 0 shell_9: 0 Rsync docs to nightlies.apache.org: 0 shell_10: 0 Rsync RAT to nightlies.apache.org: 0 compile_1: 1 shell_11: 0 Rsync Logs to nightlies.apache.org: 0 -- ASF Buildbot
[GitHub] [tomcat] sergmain commented on pull request #647: Replaced synchronized with StampedLock
sergmain commented on PR #647: URL: https://github.com/apache/tomcat/pull/647#issuecomment-1689065406 From my point of view there are 2 approaches: analyze every synchronized, or remove every synchronized without analyzing. My pull request takes the second approach. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [tomcat] markt-asf commented on pull request #647: Replaced synchronized with StampedLock
markt-asf commented on PR #647: URL: https://github.com/apache/tomcat/pull/647#issuecomment-1689066140 Synchronized blocks only need to be replaced if they contain blocking operations. This one clearly doesn't.
[GitHub] [tomcat] markt-asf closed pull request #647: Replaced synchronized with StampedLock
markt-asf closed pull request #647: Replaced synchronized with StampedLock URL: https://github.com/apache/tomcat/pull/647