[tomcat] branch 8.5.x updated: Fix BZ 66609. Correctly escape XML directory listings

[markt]

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/8.5.x by this push:
 new 8e725713e8 Fix BZ 66609. Correctly escape XML directory listings
8e725713e8 is described below

commit 8e725713e836caa7fc26a3a3a36134cd4c564c63
Author: Mark Thomas 
AuthorDate: Wed May 24 14:11:32 2023 +0100

Fix BZ 66609. Correctly escape XML directory listings

Based on #621 by Alex Kachanov
---
 build.xml  |  4 +-
 .../apache/catalina/servlets/DefaultServlet.java   |  2 +-
 .../catalina/servlets/TestDefaultServlet.java  | 34 
 test/webapp/bug66609/_listing.xslt | 90 ++
 test/webapp/bug66609/a&a.txt   |  1 +
 test/webapp/bug66609/b'b.txt   |  1 +
 "test/webapp/bug66609/c\"c.txt"|  1 +
 test/webapp/bug66609/de.txt   |  1 +
 webapps/docs/changelog.xml |  5 ++
 10 files changed, 138 insertions(+), 2 deletions(-)

diff --git a/build.xml b/build.xml
index c2232942af..934083b359 100644
--- a/build.xml
+++ b/build.xml
@@ -622,6 +622,7 @@
 
 
 
+
 
 
 
@@ -670,8 +671,9 @@
 
 
 
-
 
+
+
 
 
 
diff --git a/java/org/apache/catalina/servlets/DefaultServlet.java 
b/java/org/apache/catalina/servlets/DefaultServlet.java
index 50c34380ae..1ed4ab9627 100644
--- a/java/org/apache/catalina/servlets/DefaultServlet.java
+++ b/java/org/apache/catalina/servlets/DefaultServlet.java
@@ -1774,7 +1774,7 @@ public class DefaultServlet extends HttpServlet {
   .append('\'');
 sb.append(" urlPath='")
   .append(rewrittenContextPath)
-  .append(rewriteUrl(directoryWebappPath + entry))
+  .append(Escape.xml(rewriteUrl(directoryWebappPath + entry)))
   .append(childResource.isDirectory()?"/":"")
   .append('\'');
 if (childResource.isFile()) {
diff --git a/test/org/apache/catalina/servlets/TestDefaultServlet.java 
b/test/org/apache/catalina/servlets/TestDefaultServlet.java
index ac8e269d8a..1b63a64d27 100644
--- a/test/org/apache/catalina/servlets/TestDefaultServlet.java
+++ b/test/org/apache/catalina/servlets/TestDefaultServlet.java
@@ -608,4 +608,38 @@ public class TestDefaultServlet extends TomcatBaseTest {
 return true;
 }
 }
+
+/*
+ * Bug 66609
+ */
+@Test
+public void testXmlDirectoryListing() throws Exception {
+Tomcat tomcat = getTomcatInstance();
+
+File appDir = new File("test/webapp");
+Context ctxt = tomcat.addContext("", appDir.getAbsolutePath());
+
+Wrapper defaultServlet = Tomcat.addServlet(ctxt, "default", new 
DefaultServlet());
+defaultServlet.addInitParameter("listings", "true");
+defaultServlet.addInitParameter("localXsltFile", "_listing.xslt");
+
+ctxt.addServletMappingDecoded("/", "default");
+
+tomcat.start();
+
+Map> resHeaders= new HashMap<>();
+String path = "http://localhost:"; + getPort() + "/bug66609/";
+ByteChunk out = new ByteChunk();
+
+int rc = getUrl(path, out, resHeaders);
+Assert.assertEquals(HttpServletResponse.SC_OK, rc);
+String length = resHeaders.get("Content-Length").get(0);
+Assert.assertEquals(Long.parseLong(length), out.getLength());
+out.recycle();
+
+rc = headUrl(path, out, resHeaders);
+Assert.assertEquals(HttpServletResponse.SC_OK, rc);
+Assert.assertEquals(0, out.getLength());
+Assert.assertEquals(length, resHeaders.get("Content-Length").get(0));
+}
 }
diff --git a/test/webapp/bug66609/_listing.xslt 
b/test/webapp/bug66609/_listing.xslt
new file mode 100644
index 00..ee132052b1
--- /dev/null
+++ b/test/webapp/bug66609/_listing.xslt
@@ -0,0 +1,90 @@
+
+
+
+http://www.w3.org/1999/XSL/Transform";
+  version="3.0">
+
+  
+
+  
+   
+
+  
+Sample Directory Listing For
+
+  
+  
+h1 {color : white;background-color : #0086b2;}
+h3 {color : white;background-color : #0086b2;}
+body {font-family : sans-serif,Arial,Tahoma;
+ color : black;background-color : white;}
+b {color : white;background-color : #0086b2;}
+a {color : black;} HR{color : #0086b2;}
+table td { paddin

[tomcat] branch 9.0.x updated: Fix BZ 66609. Correctly escape XML directory listings

[markt]

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/9.0.x by this push:
 new ae809134ca Fix BZ 66609. Correctly escape XML directory listings
ae809134ca is described below

commit ae809134ca050ef258b87f25717fe8dcc993af5f
Author: Mark Thomas 
AuthorDate: Wed May 24 14:11:32 2023 +0100

Fix BZ 66609. Correctly escape XML directory listings

Based on #621 by Alex Kachanov
---
 build.xml  |  4 +-
 .../apache/catalina/servlets/DefaultServlet.java   |  2 +-
 .../catalina/servlets/TestDefaultServlet.java  | 34 
 test/webapp/bug66609/_listing.xslt | 90 ++
 test/webapp/bug66609/a&a.txt   |  1 +
 test/webapp/bug66609/b'b.txt   |  1 +
 "test/webapp/bug66609/c\"c.txt"|  1 +
 test/webapp/bug66609/de.txt   |  1 +
 webapps/docs/changelog.xml |  5 ++
 10 files changed, 138 insertions(+), 2 deletions(-)

diff --git a/build.xml b/build.xml
index bb29c06422..abc9b446c8 100644
--- a/build.xml
+++ b/build.xml
@@ -862,6 +862,7 @@
 
 
 
+
 
 
 
@@ -910,8 +911,9 @@
 
 
 
-
 
+
+
 
 
 
diff --git a/java/org/apache/catalina/servlets/DefaultServlet.java 
b/java/org/apache/catalina/servlets/DefaultServlet.java
index 18c3dd5fd3..27d0dd1df7 100644
--- a/java/org/apache/catalina/servlets/DefaultServlet.java
+++ b/java/org/apache/catalina/servlets/DefaultServlet.java
@@ -1726,7 +1726,7 @@ public class DefaultServlet extends HttpServlet {
   .append('\'');
 sb.append(" urlPath='")
   .append(rewrittenContextPath)
-  .append(rewriteUrl(directoryWebappPath + entry))
+  .append(Escape.xml(rewriteUrl(directoryWebappPath + entry)))
   .append(childResource.isDirectory()?"/":"")
   .append('\'');
 if (childResource.isFile()) {
diff --git a/test/org/apache/catalina/servlets/TestDefaultServlet.java 
b/test/org/apache/catalina/servlets/TestDefaultServlet.java
index ac8e269d8a..1b63a64d27 100644
--- a/test/org/apache/catalina/servlets/TestDefaultServlet.java
+++ b/test/org/apache/catalina/servlets/TestDefaultServlet.java
@@ -608,4 +608,38 @@ public class TestDefaultServlet extends TomcatBaseTest {
 return true;
 }
 }
+
+/*
+ * Bug 66609
+ */
+@Test
+public void testXmlDirectoryListing() throws Exception {
+Tomcat tomcat = getTomcatInstance();
+
+File appDir = new File("test/webapp");
+Context ctxt = tomcat.addContext("", appDir.getAbsolutePath());
+
+Wrapper defaultServlet = Tomcat.addServlet(ctxt, "default", new 
DefaultServlet());
+defaultServlet.addInitParameter("listings", "true");
+defaultServlet.addInitParameter("localXsltFile", "_listing.xslt");
+
+ctxt.addServletMappingDecoded("/", "default");
+
+tomcat.start();
+
+Map> resHeaders= new HashMap<>();
+String path = "http://localhost:"; + getPort() + "/bug66609/";
+ByteChunk out = new ByteChunk();
+
+int rc = getUrl(path, out, resHeaders);
+Assert.assertEquals(HttpServletResponse.SC_OK, rc);
+String length = resHeaders.get("Content-Length").get(0);
+Assert.assertEquals(Long.parseLong(length), out.getLength());
+out.recycle();
+
+rc = headUrl(path, out, resHeaders);
+Assert.assertEquals(HttpServletResponse.SC_OK, rc);
+Assert.assertEquals(0, out.getLength());
+Assert.assertEquals(length, resHeaders.get("Content-Length").get(0));
+}
 }
diff --git a/test/webapp/bug66609/_listing.xslt 
b/test/webapp/bug66609/_listing.xslt
new file mode 100644
index 00..ee132052b1
--- /dev/null
+++ b/test/webapp/bug66609/_listing.xslt
@@ -0,0 +1,90 @@
+
+
+
+http://www.w3.org/1999/XSL/Transform";
+  version="3.0">
+
+  
+
+  
+   
+
+  
+Sample Directory Listing For
+
+  
+  
+h1 {color : white;background-color : #0086b2;}
+h3 {color : white;background-color : #0086b2;}
+body {font-family : sans-serif,Arial,Tahoma;
+ color : black;background-color : white;}
+b {color : white;background-color : #0086b2;}
+a {color : black;} HR{color : #0086b2;}
+table td { paddin

[tomcat] branch 10.1.x updated: Fix BZ 66609. Correctly escape XML directory listings

[markt]

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/10.1.x by this push:
 new 46a319e216 Fix BZ 66609. Correctly escape XML directory listings
46a319e216 is described below

commit 46a319e216c1c7af4af2125c796bc751851619ae
Author: Mark Thomas 
AuthorDate: Wed May 24 14:11:32 2023 +0100

Fix BZ 66609. Correctly escape XML directory listings

Based on #621 by Alex Kachanov
---
 build.xml  |  4 +-
 .../apache/catalina/servlets/DefaultServlet.java   |  2 +-
 .../catalina/servlets/TestDefaultServlet.java  | 34 
 test/webapp/bug66609/_listing.xslt | 90 ++
 test/webapp/bug66609/a&a.txt   |  1 +
 test/webapp/bug66609/b'b.txt   |  1 +
 "test/webapp/bug66609/c\"c.txt"|  1 +
 test/webapp/bug66609/de.txt   |  1 +
 webapps/docs/changelog.xml |  5 ++
 10 files changed, 138 insertions(+), 2 deletions(-)

diff --git a/build.xml b/build.xml
index 5eb1cca34b..090cd601d8 100644
--- a/build.xml
+++ b/build.xml
@@ -869,6 +869,7 @@
 
 
 
+
 
 
 
@@ -917,8 +918,9 @@
 
 
 
-
 
+
+
 
 
 
diff --git a/java/org/apache/catalina/servlets/DefaultServlet.java 
b/java/org/apache/catalina/servlets/DefaultServlet.java
index 879b6b8dc9..7561eaf083 100644
--- a/java/org/apache/catalina/servlets/DefaultServlet.java
+++ b/java/org/apache/catalina/servlets/DefaultServlet.java
@@ -1680,7 +1680,7 @@ public class DefaultServlet extends HttpServlet {
   .append('\'');
 sb.append(" urlPath='")
   .append(rewrittenContextPath)
-  .append(rewriteUrl(directoryWebappPath + entry))
+  .append(Escape.xml(rewriteUrl(directoryWebappPath + entry)))
   .append(childResource.isDirectory()?"/":"")
   .append('\'');
 if (childResource.isFile()) {
diff --git a/test/org/apache/catalina/servlets/TestDefaultServlet.java 
b/test/org/apache/catalina/servlets/TestDefaultServlet.java
index a185aa9586..b67cc325d4 100644
--- a/test/org/apache/catalina/servlets/TestDefaultServlet.java
+++ b/test/org/apache/catalina/servlets/TestDefaultServlet.java
@@ -608,4 +608,38 @@ public class TestDefaultServlet extends TomcatBaseTest {
 return true;
 }
 }
+
+/*
+ * Bug 66609
+ */
+@Test
+public void testXmlDirectoryListing() throws Exception {
+Tomcat tomcat = getTomcatInstance();
+
+File appDir = new File("test/webapp");
+Context ctxt = tomcat.addContext("", appDir.getAbsolutePath());
+
+Wrapper defaultServlet = Tomcat.addServlet(ctxt, "default", new 
DefaultServlet());
+defaultServlet.addInitParameter("listings", "true");
+defaultServlet.addInitParameter("localXsltFile", "_listing.xslt");
+
+ctxt.addServletMappingDecoded("/", "default");
+
+tomcat.start();
+
+Map> resHeaders= new HashMap<>();
+String path = "http://localhost:"; + getPort() + "/bug66609/";
+ByteChunk out = new ByteChunk();
+
+int rc = getUrl(path, out, resHeaders);
+Assert.assertEquals(HttpServletResponse.SC_OK, rc);
+String length = resHeaders.get("Content-Length").get(0);
+Assert.assertEquals(Long.parseLong(length), out.getLength());
+out.recycle();
+
+rc = headUrl(path, out, resHeaders);
+Assert.assertEquals(HttpServletResponse.SC_OK, rc);
+Assert.assertEquals(0, out.getLength());
+Assert.assertEquals(length, resHeaders.get("Content-Length").get(0));
+}
 }
diff --git a/test/webapp/bug66609/_listing.xslt 
b/test/webapp/bug66609/_listing.xslt
new file mode 100644
index 00..ee132052b1
--- /dev/null
+++ b/test/webapp/bug66609/_listing.xslt
@@ -0,0 +1,90 @@
+
+
+
+http://www.w3.org/1999/XSL/Transform";
+  version="3.0">
+
+  
+
+  
+   
+
+  
+Sample Directory Listing For
+
+  
+  
+h1 {color : white;background-color : #0086b2;}
+h3 {color : white;background-color : #0086b2;}
+body {font-family : sans-serif,Arial,Tahoma;
+ color : black;background-color : white;}
+b {color : white;background-color : #0086b2;}
+a {color : black;} HR{color : #0086b2;}
+table td { paddin

[tomcat] 01/02: Fix BZ 66609. Correctly escape XML directory listings

[markt]

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit bc161f3204b41f5f580d4ff4466b25aaea073c4e
Author: Mark Thomas 
AuthorDate: Wed May 24 14:11:32 2023 +0100

Fix BZ 66609. Correctly escape XML directory listings

Based on #621 by Alex Kachanov
---
 build.xml  |  4 +-
 .../apache/catalina/servlets/DefaultServlet.java   |  2 +-
 .../catalina/servlets/TestDefaultServlet.java  | 34 
 test/webapp/bug66609/_listing.xslt | 90 ++
 test/webapp/bug66609/a&a.txt   |  1 +
 test/webapp/bug66609/b'b.txt   |  1 +
 "test/webapp/bug66609/c\"c.txt"|  1 +
 test/webapp/bug66609/de.txt   |  1 +
 webapps/docs/changelog.xml |  5 ++
 10 files changed, 138 insertions(+), 2 deletions(-)

diff --git a/build.xml b/build.xml
index ab0021e3e2..f189b100f6 100644
--- a/build.xml
+++ b/build.xml
@@ -864,6 +864,7 @@
 
 
 
+
 
 
 
@@ -912,8 +913,9 @@
 
 
 
-
 
+
+
 
 
 
diff --git a/java/org/apache/catalina/servlets/DefaultServlet.java 
b/java/org/apache/catalina/servlets/DefaultServlet.java
index 83e0aa142c..5c86b21170 100644
--- a/java/org/apache/catalina/servlets/DefaultServlet.java
+++ b/java/org/apache/catalina/servlets/DefaultServlet.java
@@ -1650,7 +1650,7 @@ public class DefaultServlet extends HttpServlet {
   .append('\'');
 sb.append(" urlPath='")
   .append(rewrittenContextPath)
-  .append(rewriteUrl(directoryWebappPath + entry))
+  .append(Escape.xml(rewriteUrl(directoryWebappPath + entry)))
   .append(childResource.isDirectory()?"/":"")
   .append('\'');
 if (childResource.isFile()) {
diff --git a/test/org/apache/catalina/servlets/TestDefaultServlet.java 
b/test/org/apache/catalina/servlets/TestDefaultServlet.java
index a185aa9586..b67cc325d4 100644
--- a/test/org/apache/catalina/servlets/TestDefaultServlet.java
+++ b/test/org/apache/catalina/servlets/TestDefaultServlet.java
@@ -608,4 +608,38 @@ public class TestDefaultServlet extends TomcatBaseTest {
 return true;
 }
 }
+
+/*
+ * Bug 66609
+ */
+@Test
+public void testXmlDirectoryListing() throws Exception {
+Tomcat tomcat = getTomcatInstance();
+
+File appDir = new File("test/webapp");
+Context ctxt = tomcat.addContext("", appDir.getAbsolutePath());
+
+Wrapper defaultServlet = Tomcat.addServlet(ctxt, "default", new 
DefaultServlet());
+defaultServlet.addInitParameter("listings", "true");
+defaultServlet.addInitParameter("localXsltFile", "_listing.xslt");
+
+ctxt.addServletMappingDecoded("/", "default");
+
+tomcat.start();
+
+Map> resHeaders= new HashMap<>();
+String path = "http://localhost:"; + getPort() + "/bug66609/";
+ByteChunk out = new ByteChunk();
+
+int rc = getUrl(path, out, resHeaders);
+Assert.assertEquals(HttpServletResponse.SC_OK, rc);
+String length = resHeaders.get("Content-Length").get(0);
+Assert.assertEquals(Long.parseLong(length), out.getLength());
+out.recycle();
+
+rc = headUrl(path, out, resHeaders);
+Assert.assertEquals(HttpServletResponse.SC_OK, rc);
+Assert.assertEquals(0, out.getLength());
+Assert.assertEquals(length, resHeaders.get("Content-Length").get(0));
+}
 }
diff --git a/test/webapp/bug66609/_listing.xslt 
b/test/webapp/bug66609/_listing.xslt
new file mode 100644
index 00..ee132052b1
--- /dev/null
+++ b/test/webapp/bug66609/_listing.xslt
@@ -0,0 +1,90 @@
+
+
+
+http://www.w3.org/1999/XSL/Transform";
+  version="3.0">
+
+  
+
+  
+   
+
+  
+Sample Directory Listing For
+
+  
+  
+h1 {color : white;background-color : #0086b2;}
+h3 {color : white;background-color : #0086b2;}
+body {font-family : sans-serif,Arial,Tahoma;
+ color : black;background-color : white;}
+b {color : white;background-color : #0086b2;}
+a {color : black;} HR{color : #0086b2;}
+table td { padding: 5px; }
+  
+
+
+  Sample Directory Listing For
+
+  
+  
+  
+
+  Filename
+  Size
+  Last Modified
+
+
+
+  
+  
+  Apache Tomcat/11.0
+
+   
+  
+
+
+  
+
+  
+
+  
+

[Bug 56463] Allow to disable ServerInfo in directory listings in DefaultServlet

[bugzilla]

https://issues.apache.org/bugzilla/show_bug.cgi?id=56463

Violeta Georgieva  changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution|--- |FIXED

--- Comment #3 from Violeta Georgieva  ---
This has been fixed in trunk for 8.0.6 and in 7.0.x for 7.0.54 onwards.

-- 
You are receiving this mail because:
You are the assignee for the bug.

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[Bug 56463] Allow to disable ServerInfo in directory listings in DefaultServlet

[bugzilla]

https://issues.apache.org/bugzilla/show_bug.cgi?id=56463

--- Comment #2 from Konstantin Kolinko  ---
It is not meant to be security. It is that some people like to hide that
information.

I am just saying that new feature have to be documented.

-- 
You are receiving this mail because:
You are the assignee for the bug.

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[Bug 56463] Allow to disable ServerInfo in directory listings in DefaultServlet

[bugzilla]

https://issues.apache.org/bugzilla/show_bug.cgi?id=56463

Michael Osipov <1983-01...@gmx.net> changed:

   What|Removed |Added

 OS||All

--- Comment #1 from Michael Osipov <1983-01...@gmx.net> ---
This is meant to be security by obscurity?

-- 
You are receiving this mail because:
You are the assignee for the bug.

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[Bug 56463] New: Allow to disable ServerInfo in directory listings in DefaultServlet

[bugzilla]

https://issues.apache.org/bugzilla/show_bug.cgi?id=56463

Bug ID: 56463
   Summary: Allow to disable ServerInfo in directory listings in
DefaultServlet
   Product: Tomcat 7
   Version: 7.0.53
  Hardware: PC
Status: NEW
  Severity: enhancement
  Priority: P2
 Component: Catalina
  Assignee: dev@tomcat.apache.org
  Reporter: knst.koli...@gmail.com

Discussion on dev@:
http://tomcat.markmail.org/thread/mh3yaptw7rlw2zcv

[quote]
Looking at Tomcat bug 56383 - "Securing ErrorReportValve" (
https://issues.apache.org/bugzilla/show_bug.cgi?id=56383 ), i think a
similar thing can also be done for the Tomcat version number reported by
the DefaultServlet.
This servlet will show the version information from ServerInfo when the
listings are enabled. Currently it seems there is no way of disabling
version reporting other than 'hacking' the ServerInfo.
[/quote]

There is a way to customize those listings: define an XSLT style sheet.

That said, it is possible to introduce a configuration option for
DefaultServlet.

Places to patch:
- DefaultServlet.java
- webapps/docs/default-servlet.xml
- webapps/docs/security-howto.xml

-- 
You are receiving this mail because:
You are the assignee for the bug.

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[Bug 56405] Directory listings are broken in 8.0.x

[bugzilla]

https://issues.apache.org/bugzilla/show_bug.cgi?id=56405

Mark Thomas  changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution|--- |FIXED
 OS||All

--- Comment #1 from Mark Thomas  ---
Fixed in 8.0.x for 8.0.6.

-- 
You are receiving this mail because:
You are the assignee for the bug.

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[Bug 56405] New: Directory listings are broken in 8.0.x

[bugzilla]

https://issues.apache.org/bugzilla/show_bug.cgi?id=56405

Bug ID: 56405
   Summary: Directory listings are broken in 8.0.x
   Product: Tomcat 8
   Version: trunk
  Hardware: PC
Status: NEW
  Severity: normal
  Priority: P2
 Component: Catalina
  Assignee: dev@tomcat.apache.org
  Reporter: knst.koli...@gmail.com

It is issue in the current 8.0.x trunk  apparently introduced by r1582440
I think it does not affect 8.0.5 (r1580930)

Steps to reproduce:
1. Configure DefaultServlet with init-param listings equal to true.
2. Go to a directory in Tomcat.  Expected: listing of a directory, actual:
blank screen (zero-length response).

The following code on lines 919-920:
if (resource.isDirectory()) {
renderResult = render(getPathPrefix(request),
resource);
} else {

The 'renderResult' is an InputStream which have to be copy()'ed to output, but
copying never happens.

-- 
You are receiving this mail because:
You are the assignee for the bug.

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[Bug 54320] Regression: can not activate activate directory listings parameter for DefaultServlet STRICT_SERVLET_COMPLIANCE

[bugzilla]

https://issues.apache.org/bugzilla/show_bug.cgi?id=54320

--- Comment #4 from Cédrik LIME  ---
Thanks for the heads up, Violeta!

Strangely enough, specifying "resourceOnlyServlets=jsp" is enough, even though
it is the DefaultServlet that is serving the listing.

As this is a new behaviour for Tomcat 7, it might be worth to add a note in the
the documentation and/or conf/web.xml's DefaultServlet comments.

Regards,
Cédrik

-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[Bug 54320] Regression: can not activate activate directory listings parameter for DefaultServlet STRICT_SERVLET_COMPLIANCE

[bugzilla]

https://issues.apache.org/bugzilla/show_bug.cgi?id=54320

Mark Thomas  changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution|--- |INVALID

--- Comment #3 from Mark Thomas  ---
Thanks for tracking this down Violeta.

>From the original report, it sounded like a welcome file issue.

-- 
You are receiving this mail because:
You are the assignee for the bug.

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[Bug 54320] Regression: can not activate activate directory listings parameter for DefaultServlet STRICT_SERVLET_COMPLIANCE

[bugzilla]

https://issues.apache.org/bugzilla/show_bug.cgi?id=54320

--- Comment #2 from Violeta Georgieva  ---
Hi,

You still can achieve directory listing and strict servlet compliance together.
You need to add in the context.xml additional configuration -
"resourceOnlyServlets=default,jsp".
More information can be seen in the documentation -
http://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Common_Attributes

Regards
Violeta Georgieva

-- 
You are receiving this mail because:
You are the assignee for the bug.

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[Bug 54320] Regression: can not activate activate directory listings parameter for DefaultServlet STRICT_SERVLET_COMPLIANCE

[bugzilla]

https://issues.apache.org/bugzilla/show_bug.cgi?id=54320

--- Comment #1 from Violeta Georgieva  ---
Hi,

I'm going to work on this.

Regards
Violeta

-- 
You are receiving this mail because:
You are the assignee for the bug.

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[Bug 54320] New: Regression: can not activate activate directory listings parameter for DefaultServlet STRICT_SERVLET_COMPLIANCE

[bugzilla]

https://issues.apache.org/bugzilla/show_bug.cgi?id=54320

Bug ID: 54320
   Summary: Regression: can not activate activate directory
listings parameter for DefaultServlet
STRICT_SERVLET_COMPLIANCE
   Product: Tomcat 7
   Version: 7.0.34
  Hardware: All
OS: All
Status: NEW
  Severity: regression
  Priority: P2
 Component: Catalina
  Assignee: dev@tomcat.apache.org
  Reporter: cedrik.l...@gmail.com
Classification: Unclassified

Since Tomcat 7, one can not enable directory listings (in conf/web.xml) while
simultaneously enabling strict servlet compliance (by setting the
org.apache.catalina.STRICT_SERVLET_COMPLIANCE system property): one gets a 404
response.

This is a regression compared to Tomcat 5.5 and Tomcat 6.

The Servlet 3.0 specification states §10.10:
"If no matching welcome file is found in the manner described, the container
may handle the request in a manner it finds suitable. For some configurations
this may mean returning a directory listing or for others returning a 404
response."

so this new behaviour is still specification compliant strictly speaking.
But still I would really like to enable directory listings (which is also
specification compliant)! :-)

(And yes, I do know the warnings / trade-offs about enabling those listings.)

-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[Bug 53854] DefaultServlet directory listings for aliased directories do not seem to work

[bugzilla]

https://issues.apache.org/bugzilla/show_bug.cgi?id=53854

Mark Thomas  changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution|--- |FIXED

--- Comment #5 from Mark Thomas  ---
This has been fixed in trunk and 7.0.x and will be included in 7.0.31 onwards.

-- 
You are receiving this mail because:
You are the assignee for the bug.

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[Bug 53854] DefaultServlet directory listings for aliased directories do not seem to work

[bugzilla]

https://issues.apache.org/bugzilla/show_bug.cgi?id=53854

--- Comment #4 from Mark Thomas  ---
The patch is not functionally correct for FileDirContext and still does not
address the root cause.

Issue include:
- ignores WARDirContext
- ignores 3rd party sub-classes
- does not use correct priority for aliases

-- 
You are receiving this mail because:
You are the assignee for the bug.

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[Bug 53854] DefaultServlet directory listings for aliased directories do not seem to work

[bugzilla]

https://issues.apache.org/bugzilla/show_bug.cgi?id=53854

Daniel Mikusa  changed:

   What|Removed |Added

  Attachment #29357|0   |1
is obsolete||

--- Comment #3 from Daniel Mikusa  ---
Created attachment 29384
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=29384&action=edit
Updated patch, works with BaseDirContext and FileDirContext

-- 
You are receiving this mail because:
You are the assignee for the bug.

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[Bug 53854] DefaultServlet directory listings for aliased directories do not seem to work

[bugzilla]

https://issues.apache.org/bugzilla/show_bug.cgi?id=53854

--- Comment #2 from Mark Thomas  ---
The proposed patch fixes the symptom rather than the cause. The fix needs to be
in BaseDirContext and other classes in the same package.

-- 
You are receiving this mail because:
You are the assignee for the bug.

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[Bug 53854] DefaultServlet directory listings for aliased directories do not seem to work

[bugzilla]

https://issues.apache.org/bugzilla/show_bug.cgi?id=53854

--- Comment #1 from Daniel Mikusa  ---
Created attachment 29357
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=29357&action=edit
Patch to DefaultServlet to workaround the error.

I was able to work around this error with a slight modification to the
DefaultServlet code.  Not sure if this is the best solution, but it seems to
work without breaking anything so I'm attaching it here.

-- 
You are receiving this mail because:
You are the assignee for the bug.

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[Bug 53854] New: DefaultServlet directory listings for aliased directories do not seem to work

[bugzilla]

https://issues.apache.org/bugzilla/show_bug.cgi?id=53854

  Priority: P2
Bug ID: 53854
  Assignee: dev@tomcat.apache.org
   Summary: DefaultServlet directory listings for aliased
directories do not seem to work
  Severity: minor
Classification: Unclassified
OS: All
  Reporter: dmik...@vmware.com
  Hardware: All
Status: NEW
   Version: 7.0.30
 Component: Catalina
   Product: Tomcat 7

The following situation does not seem to work.

1.) In a Context, add an alias to a directory.
2.) Enable directory listings on the DefaultServlet.
3.) Try to view the directory listing of the alias directory.

Example:

conf/context.xml:

  
  ...
  

conf/web.xml:

...

default
   
org.apache.catalina.servlets.DefaultServlet

debug
0


listings
true

1

...

contents of the directory "/my/downloads":

  -rw-r--r--@ 1 daniel  staff  8156824 Sep 10 09:15 apache-tomcat-7.0.30.zip

URL works:

http://localhost:8080/files/apache-tomcat-7.0.30.zip

URL does not work:

http://localhost:8080/files/

The URL that does not work fails with the error:

SEVERE: Servlet.service() for servlet [default] in context with path [/] threw
exception [Error accessing resource] with root cause
javax.naming.NameNotFoundException: Resource /files/ not found
at org.apache.naming.resources.FileDirContext.list(FileDirContext.java:303)
at
org.apache.naming.resources.ProxyDirContext.list(ProxyDirContext.java:512)
at
org.apache.catalina.servlets.DefaultServlet.renderHtml(DefaultServlet.java:1458)
at
org.apache.catalina.servlets.DefaultServlet.render(DefaultServlet.java:1254)
at
org.apache.catalina.servlets.DefaultServlet.serveResource(DefaultServlet.java:951)
at
org.apache.catalina.servlets.DefaultServlet.doGet(DefaultServlet.java:412)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
at
org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:929)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
at
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1002)
at
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:585)
at
org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
at
java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:680)

-- 
You are receiving this mail because:
You are the assignee for the bug.

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

DO NOT REPLY [Bug 38128] - directory listings DoS

[bugzilla]

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG·
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND·
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=38128





--- Additional Comments From [EMAIL PROTECTED]  2006-12-26 07:58 ---
Note I've also converted existing DefaultServlet catch(Throwable t) code to
catching exceptions.

I saw your mailing list messages, and I believe the benchmarks.  I still think
this approach is too heavyweight.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are the assignee for the bug, or are watching the assignee.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

DO NOT REPLY [Bug 38128] - directory listings DoS

[bugzilla]

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG·
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=38128>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND·
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=38128





--- Additional Comments From [EMAIL PROTECTED]  2006-12-26 07:56 ---
(In reply to comment #5)
> There are a few things I dislike in this patch.
> 
> You shouldn't catch Throwables and then silently not handle them.  You 
> shouldn't
> even do that with Exceptions, but certainly not Throwables.  That by itself
> means -1 on the patch as it stands currently.

I agree that catching Throwable is a really bad idea, however the DefaultServlet
code does this repeatedly when accessing parameters from the servlet config. I
chose to keep the code consistent and follow the pattern already prevalent when
making this patch. I beleive it should be a simple matter to string replace
Throwable with a more appropriate exception in this code.

> Then there's the overall weight of the solution: adding a custom cache and 
> tying
> it into the default web.xml just for this case seems overweight.  I wonder if
> there's an easier solution without caching, and certainly without a time-based
> cache which means additional background processing.  One approach that comes 
> to
> mind is a no-op XSLT for customizations, as documented in
> http://tomcat.apache.org/tomcat-5.0-doc/default-servlet.html#dir
> 
> Finally, as you probably know directory listings are easy to disable: see
> http://marc.theaimsgroup.com/?l=tomcat-user&m=105525007220640&w=2 for example 
> of
> the one setting change required.  For others concerned about this DoS (and I
> don't think there are any, seeing as how no one else has opined on this issue
> and/or posted such a DoS on the mailing lists), they can simply disable
> directory listings.
> 
> Because of these, I'm going to mark this particular patch as WONTFIX.  If
> someone else wants strongly feels this patch should be applied as-is, they can
> say so here.  Otherwise, maybe a more lightweight patch can be attached to the
> issue (and the issue itself reopened), that is if anyone still cares.

The caching this patch adds is not just a special purpose fix to eliminate a
DoS, it also significantly improves the performance of directory listings in the
general case. Please review my posts to the dev lists containing my benchmarks
comparing performance with and without the patch in place.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are the assignee for the bug, or are watching the assignee.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

DO NOT REPLY [Bug 38128] - directory listings DoS

[bugzilla]

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG·
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=38128>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND·
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=38128


[EMAIL PROTECTED] changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution||WONTFIX




--- Additional Comments From [EMAIL PROTECTED]  2006-12-24 17:38 ---
There are a few things I dislike in this patch.

You shouldn't catch Throwables and then silently not handle them.  You shouldn't
even do that with Exceptions, but certainly not Throwables.  That by itself
means -1 on the patch as it stands currently.

Then there's the overall weight of the solution: adding a custom cache and tying
it into the default web.xml just for this case seems overweight.  I wonder if
there's an easier solution without caching, and certainly without a time-based
cache which means additional background processing.  One approach that comes to
mind is a no-op XSLT for customizations, as documented in
http://tomcat.apache.org/tomcat-5.0-doc/default-servlet.html#dir

Finally, as you probably know directory listings are easy to disable: see
http://marc.theaimsgroup.com/?l=tomcat-user&m=105525007220640&w=2 for example of
the one setting change required.  For others concerned about this DoS (and I
don't think there are any, seeing as how no one else has opined on this issue
and/or posted such a DoS on the mailing lists), they can simply disable
directory listings.

Because of these, I'm going to mark this particular patch as WONTFIX.  If
someone else wants strongly feels this patch should be applied as-is, they can
say so here.  Otherwise, maybe a more lightweight patch can be attached to the
issue (and the issue itself reopened), that is if anyone still cares.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are the assignee for the bug, or are watching the assignee.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

DO NOT REPLY [Bug 38128] - directory listings DoS

[bugzilla]

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG·
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND·
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=38128





--- Additional Comments From [EMAIL PROTECTED]  2006-04-27 00:02 ---
Is there anything I can do to expidite the process? I would really like to see a
fix for the problem incorporated. Without some fix it is impossible to use the
directory listing feature when even moderately large directories are involved.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are the assignee for the bug, or are watching the assignee.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

DO NOT REPLY [Bug 38128] - directory listings DoS

[bugzilla]

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG·
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND·
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=38128





--- Additional Comments From [EMAIL PROTECTED]  2006-04-26 21:04 ---
Patch is yet to be evaluated.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are the assignee for the bug, or are watching the assignee.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

DO NOT REPLY [Bug 38128] - directory listings DoS

[bugzilla]

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG·
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND·
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=38128





--- Additional Comments From [EMAIL PROTECTED]  2006-04-26 13:48 ---
Does anyone know what the status regarding this patch is? I believe the problem
still affects the latest versions of tomcat.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are the assignee for the bug, or are watching the assignee.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

DO NOT REPLY [Bug 38128] - directory listings DoS

[bugzilla]

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG·
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=38128>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND·
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=38128





--- Additional Comments From [EMAIL PROTECTED]  2006-01-04 22:22 ---
Created an attachment (id=17328)
 --> (http://issues.apache.org/bugzilla/attachment.cgi?id=17328&action=view)
patch for caching directory listings

This patch addresses the DoS problem and significantly improves directory
listing performance.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are the assignee for the bug, or are watching the assignee.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

DO NOT REPLY [Bug 38128] New: - directory listings DoS

[bugzilla]

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG·
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=38128>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND·
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=38128

   Summary: directory listings DoS
   Product: Tomcat 5
   Version: 5.5.14
  Platform: All
OS/Version: All
Status: NEW
  Severity: normal
  Priority: P2
 Component: Catalina
AssignedTo: tomcat-dev@jakarta.apache.org
ReportedBy: [EMAIL PROTECTED]


With directory listings enabled, multiple requests to a large directory can
cause tomcat to quickly run out of memory and die.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are the assignee for the bug, or are watching the assignee.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: directory listings (updated patch)

[Mark Thomas]

Patches posted to the dev list tend to get lost if none looks at them
straight away. I suggest you create a bugzilla entry and add your
patch to that.

Mark

Rafael H. Schloming wrote:
> Is no interest in merging this patch? I'd like to see it accepted, so if
> there is anything I can do, please let me know.
> 
> On Fri, 2005-12-02 at 11:23 -0500, Rafael H. Schloming wrote:
> 
>>Attached is an updated patch for the directory listings cache. I've made
>>the following changes:
>>
>>  * the cache is now implemented in a separate class 
>>(org.apache.catalina.util.ExpiringCache)
>>
>>  * added the following servlet parameters:
>>  - listings-cache [true]
>>  - listings-cache-size [1000]
>>  - listings-cache-ttl [5000]
>>
>>  * fixed the cache to key on the full resource path
>>(I was under the mistaken impression that contextPath was enough)
>>
>>I also modified the synchronization behavior a bit. Previously if
>>directory A were being rendered then a request for directory B would
>>wait for it to finish before proceeding. With this patch a request will
>>only wait if a previous request is already rendering the same directory.
>>I believe this is closer to the ideal behavior since threads will never
>>waste resources rendering the same directory twice, but independent
>>directory listings will proceed in parallel.
>>
>>Please let me know if you would like any further changes.
>>-
>>To unsubscribe, e-mail: [EMAIL PROTECTED]
>>For additional commands, e-mail: [EMAIL PROTECTED]



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: directory listings (updated patch)

[Rafael H. Schloming]

Is no interest in merging this patch? I'd like to see it accepted, so if
there is anything I can do, please let me know.

On Fri, 2005-12-02 at 11:23 -0500, Rafael H. Schloming wrote:
> Attached is an updated patch for the directory listings cache. I've made
> the following changes:
> 
>   * the cache is now implemented in a separate class 
> (org.apache.catalina.util.ExpiringCache)
> 
>   * added the following servlet parameters:
>   - listings-cache [true]
>   - listings-cache-size [1000]
>   - listings-cache-ttl [5000]
> 
>   * fixed the cache to key on the full resource path
> (I was under the mistaken impression that contextPath was enough)
> 
> I also modified the synchronization behavior a bit. Previously if
> directory A were being rendered then a request for directory B would
> wait for it to finish before proceeding. With this patch a request will
> only wait if a previous request is already rendering the same directory.
> I believe this is closer to the ideal behavior since threads will never
> waste resources rendering the same directory twice, but independent
> directory listings will proceed in parallel.
> 
> Please let me know if you would like any further changes.
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
-- 
Rafael H. Schloming <[EMAIL PROTECTED]>


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

directory listings (updated patch)

[Rafael H. Schloming]

Attached is an updated patch for the directory listings cache. I've made
the following changes:

  * the cache is now implemented in a separate class 
(org.apache.catalina.util.ExpiringCache)

  * added the following servlet parameters:
  - listings-cache [true]
  - listings-cache-size [1000]
  - listings-cache-ttl [5000]

  * fixed the cache to key on the full resource path
(I was under the mistaken impression that contextPath was enough)

I also modified the synchronization behavior a bit. Previously if
directory A were being rendered then a request for directory B would
wait for it to finish before proceeding. With this patch a request will
only wait if a previous request is already rendering the same directory.
I believe this is closer to the ideal behavior since threads will never
waste resources rendering the same directory twice, but independent
directory listings will proceed in parallel.

Please let me know if you would like any further changes.
-- 
Rafael H. Schloming <[EMAIL PROTECTED]>
Index: container/catalina/src/share/org/apache/catalina/servlets/DefaultServlet.java
===
--- container/catalina/src/share/org/apache/catalina/servlets/DefaultServlet.java	(revision 347964)
+++ container/catalina/src/share/org/apache/catalina/servlets/DefaultServlet.java	(working copy)
@@ -32,6 +32,7 @@
 import java.io.Reader;
 import java.io.StringReader;
 import java.io.StringWriter;
+import java.io.UnsupportedEncodingException;
 import java.util.Enumeration;
 import java.util.StringTokenizer;
 import java.util.Vector;
@@ -54,6 +55,7 @@
 import javax.xml.transform.stream.StreamSource;
 
 import org.apache.catalina.Globals;
+import org.apache.catalina.util.ExpiringCache;
 import org.apache.catalina.util.ServerInfo;
 import org.apache.catalina.util.StringManager;
 import org.apache.catalina.util.URLEncoder;
@@ -144,14 +146,32 @@
  * the platform default is used.
  */
 protected String fileEncoding = null;
-
-
+
+
 /**
  * Minimum size for sendfile usage in bytes.
  */
 protected int sendfileSize = 48 * 1024;
-
-
+
+
+/**
+ * The maximum number of directory listings to cache.
+ */
+protected int listingsCacheSize = 1000;
+
+
+/**
+ * The maximum lifetime of cached directory listings.
+ */
+protected long listingsCacheTTL = 5000; // 5 seconds
+
+
+/**
+ * The expiring cache of directory listings, or null if this
+ * feature is disabled.
+ */
+protected ExpiringCache listingsCache = null;
+
 // - Static Initializer
 
 
@@ -253,7 +273,36 @@
 } catch (Throwable t) {
 ;
 }
+try {
+value = getServletConfig().getInitParameter("listings-cache-size");
+listingsCacheSize = Integer.parseInt(value);
+} catch (Throwable t) {
+;
+}
+try {
+value = getServletConfig().getInitParameter("listings-cache-ttl");
+listingsCacheTTL = Long.parseLong(value);
+} catch (Throwable t) {
+;
+}
+try {
+value = getServletConfig().getInitParameter("listings-cache");
+if (value == null || new Boolean(value).booleanValue()) {
+listingsCache = new ExpiringCache
+(100, listingsCacheSize, listingsCacheTTL, (float) 0.75) {
+protected Object key(Object[] args) {
+return args[0] + "/" + ((CacheEntry) args[1]).name;
+}
 
+protected Object fault(Object[] args) {
+return doRender((String) args[0], (CacheEntry) args[1]);
+}
+};
+}
+} catch (Throwable t) {
+;
+}
+
 globalXsltFile = getServletConfig().getInitParameter("globalXsltFile");
 localXsltFile = getServletConfig().getInitParameter("localXsltFile");
 readmeFile = getServletConfig().getInitParameter("readmeFile");
@@ -,22 +1160,36 @@
 return result;
 }
 
+protected InputStream render
+(String contextPath, CacheEntry cacheEntry) {
+byte[] bytes;
+if (listingsCache == null) {
+bytes = doRender(contextPath, cacheEntry);
+} else {
+bytes = (byte[]) listingsCache.get(new Object[] {contextPath, cacheEntry});
+}
+return new ByteArrayInputStream(bytes);
+}
 
-
 /**
  *  Decide which way to render. HTML or XML.
  */
-protected InputStream render
+protected byte[] doRender
 (String contextPath, CacheEntry cacheEntry) {
 InputStream xsltInputStream =
 findXsltInputStream(cacheEntry.context);
 
+String str;
 if (xsltInputStream==

Re: directory listings

[Rafael H. Schloming]

I can confirm that the benchmarks I was doing were without XSLT. I was
using a directory with 2000 empty files on a dual processor 2.8Ghz Xeon
with 1G of RAM. I didn't make any changes to the default config produced
by ant deploy.

On Thu, 2005-12-01 at 19:18 +, Mark Thomas wrote:
> Tim Funk wrote:
> > It looks like this issue only occurs when the XSLT transformation is 
> > done on the directory listing. Which is not an out of box configuration 
> > so there is no worry for DOS (in case anyone is wondering).
> 
> Actually, there is an issue here without the XSLT. This is why 
> directory listing is now disabled by default. See 
> http://marc.theaimsgroup.com/?l=tomcat-dev&m=113148731122439&w=2
> 
> Mark

-- 
Rafael H. Schloming <[EMAIL PROTECTED]>


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: directory listings

[Mark Thomas]

Tim Funk wrote:
It looks like this issue only occurs when the XSLT transformation is 
done on the directory listing. Which is not an out of box configuration 
so there is no worry for DOS (in case anyone is wondering).


Actually, there is an issue here without the XSLT. This is why 
directory listing is now disabled by default. See 
http://marc.theaimsgroup.com/?l=tomcat-dev&m=113148731122439&w=2


Mark


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: directory listings

[Rafael H. Schloming]

Thanks for the feedback. I'll make the changes you suggest as soon as I
have a chance and repost the patch.

On Wed, 2005-11-30 at 19:47 -0500, Yoav Shapira wrote:
> Hi,
> It's an interesting patch and an interesting idea in general.  I'm
> impressed with the performance findings, although I haven't seen
> anyone recently complaining about many concurrent directory listings
> requests.
> 
> I have a couple of requests for the patch, if you don't mind some
> feedback.  I'd prefer a separate class for the DirectoryListingCache
> or whatever you want to call it, with its CacheEntry and rendering,
> encoding methods.  It's kind of ugly to throw all of that into
> DefaultServlet.  DefaultServlet can then use the cache class.  I'd
> also prefer the relevant parameters (5, 1000) to be configurable, at
> least via protected setter/getter methods.  Finally, assuming the
> above refactoring is done, I'd like a parameter from web.xml to
> DefaultServlet setting whether to use the directory listing cache or
> not.  That way people can turn it off easily.
> 
> Yoav

-- 
Rafael H. Schloming <[EMAIL PROTECTED]>


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: directory listings

[Tim Funk]

It looks like this issue only occurs when the XSLT transformation is done on 
the directory listing. Which is not an out of box configuration so there is 
no worry for DOS (in case anyone is wondering).


Otherwise - looks interesting.  cacheTTL  and cacheMax should be configurable 
at servlet init time.



-Tim

Rafael H. Schloming wrote:


Hi,

I've been looking into the performance problems associated with many
concurrent requests of large directories. After doing some informal
benchmarking I've come up with the attached patch that improves
performance in this scenario. The patch adds a size limited Map with a 5
second timeout for caching rendered directory listings. My tests show a
significant performance improvement and the server no longer keels over
from OutOfMemory exceptions at higher concurrency levels.



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: directory listings

[Yoav Shapira]

Hi,
It's an interesting patch and an interesting idea in general.  I'm
impressed with the performance findings, although I haven't seen
anyone recently complaining about many concurrent directory listings
requests.

I have a couple of requests for the patch, if you don't mind some
feedback.  I'd prefer a separate class for the DirectoryListingCache
or whatever you want to call it, with its CacheEntry and rendering,
encoding methods.  It's kind of ugly to throw all of that into
DefaultServlet.  DefaultServlet can then use the cache class.  I'd
also prefer the relevant parameters (5, 1000) to be configurable, at
least via protected setter/getter methods.  Finally, assuming the
above refactoring is done, I'd like a parameter from web.xml to
DefaultServlet setting whether to use the directory listing cache or
not.  That way people can turn it off easily.

Yoav

On 11/30/05, Rafael H. Schloming <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I've been looking into the performance problems associated with many
> concurrent requests of large directories. After doing some informal
> benchmarking I've come up with the attached patch that improves
> performance in this scenario. The patch adds a size limited Map with a 5
> second timeout for caching rendered directory listings. My tests show a
> significant performance improvement and the server no longer keels over
> from OutOfMemory exceptions at higher concurrency levels.
>
> Below are the results of the benchmarks I performed against the
> unmodified server.
>
> c | total | mean
>   -
> 1 | 33.72985 seconds  | 330.730 ms
>10 | 12.807910 seconds | 1280.791 ms
>20 | 12.641188 seconds | 2528.238 ms
>30 | 12.930321 seconds | 3879.096 ms
>40 | --| --
>50 | --| --
>60 | --| --
>70 | --| --
>80 | --| --
>90 | --| --
>   100 | --| --
>
>
> Here are the same benchmarks with the attached patch applied:
>
> c | total | mean
>   -
> 1 | 0.949313 seconds  | 9.493 ms
>10 | 0.148746 seconds  | 14.875 ms
>20 | 0.167047 seconds  | 33.409 ms
>30 | 0.198910 seconds  | 59.673 ms
>40 | 0.202527 seconds  | 81.011 ms
>50 | 0.176821 seconds  | 88.410 ms
>60 | 0.203042 seconds  | 121.825 ms
>70 | 0.257176 seconds  | 180.023 ms
>80 | 0.283165 seconds  | 226.532 ms
>90 | 0.304787 seconds  | 274.308 ms
>   100 | 0.196776 seconds  | 196.776 ms
>
>   c = number of concurrent requests (see the -c flag for ab)
>   total = total time for benchmark to complete
>   mean = the average time until each request is complete
>   -- = benchmark timed out
>
>   In all cases the total number of requests is 100 and the test
>   directory being listed contains 2000 empty files.
>
> --
> Rafael H. Schloming <[EMAIL PROTECTED]>
>
>
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>
>


--
Yoav Shapira
System Design and Management Fellow
MIT Sloan School of Management
Cambridge, MA, USA
[EMAIL PROTECTED] / www.yoavshapira.com

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

directory listings

[Rafael H. Schloming]

Hi,

I've been looking into the performance problems associated with many
concurrent requests of large directories. After doing some informal
benchmarking I've come up with the attached patch that improves
performance in this scenario. The patch adds a size limited Map with a 5
second timeout for caching rendered directory listings. My tests show a
significant performance improvement and the server no longer keels over
from OutOfMemory exceptions at higher concurrency levels.

Below are the results of the benchmarks I performed against the
unmodified server.

c | total | mean
  -
1 | 33.72985 seconds  | 330.730 ms
   10 | 12.807910 seconds | 1280.791 ms
   20 | 12.641188 seconds | 2528.238 ms
   30 | 12.930321 seconds | 3879.096 ms
   40 | --| --
   50 | --| --
   60 | --| --
   70 | --| --
   80 | --| --
   90 | --| --
  100 | --| --


Here are the same benchmarks with the attached patch applied:

c | total | mean
  -
1 | 0.949313 seconds  | 9.493 ms
   10 | 0.148746 seconds  | 14.875 ms
   20 | 0.167047 seconds  | 33.409 ms
   30 | 0.198910 seconds  | 59.673 ms
   40 | 0.202527 seconds  | 81.011 ms
   50 | 0.176821 seconds  | 88.410 ms
   60 | 0.203042 seconds  | 121.825 ms
   70 | 0.257176 seconds  | 180.023 ms
   80 | 0.283165 seconds  | 226.532 ms
   90 | 0.304787 seconds  | 274.308 ms
  100 | 0.196776 seconds  | 196.776 ms

  c = number of concurrent requests (see the -c flag for ab)
  total = total time for benchmark to complete
  mean = the average time until each request is complete
  -- = benchmark timed out

  In all cases the total number of requests is 100 and the test
  directory being listed contains 2000 empty files.

-- 
Rafael H. Schloming <[EMAIL PROTECTED]>
Index: container/catalina/src/share/org/apache/catalina/servlets/DefaultServlet.java
===
--- container/catalina/src/share/org/apache/catalina/servlets/DefaultServlet.java	(revision 347964)
+++ container/catalina/src/share/org/apache/catalina/servlets/DefaultServlet.java	(working copy)
@@ -32,7 +32,10 @@
 import java.io.Reader;
 import java.io.StringReader;
 import java.io.StringWriter;
+import java.io.UnsupportedEncodingException;
 import java.util.Enumeration;
+import java.util.LinkedHashMap;
+import java.util.Map;
 import java.util.StringTokenizer;
 import java.util.Vector;
 
@@ -,22 +1114,64 @@
 return result;
 }
 
+private long cacheTTL = 5000; // 5 seconds
+private int cacheMax = 1000; // keep at most 1000 listings
 
+    // cache for directory listings
+private Map cache = new LinkedHashMap(100, (float) 0.75, true) {
+protected boolean removeEldestEntry(Map.Entry entry) {
+return size() > cacheMax;
+}
+};
 
 /**
+ * Struct for storing directory listing and timestamp.
+ */
+private static class Listing {
+public byte[] bytes;
+public long timestamp;
+}
+
+/**
+ * Return true if the directory listing is expired.
+ */
+private boolean isExpired(Listing lst) {
+return System.currentTimeMillis() - lst.timestamp > cacheTTL;
+}
+
+protected InputStream render
+(String contextPath, CacheEntry cacheEntry) throws IOException {
+synchronized (cache) {
+Listing lst = (Listing) cache.get(contextPath);
+if (lst == null || isExpired(lst)) {
+if (lst == null) { lst = new Listing(); }
+lst.bytes = doRender(contextPath, cacheEntry);
+lst.timestamp = System.currentTimeMillis();
+cache.put(contextPath, lst);
+}
+return new ByteArrayInputStream(lst.bytes);
+}
+}
+
+/**
  *  Decide which way to render. HTML or XML.
  */
-protected InputStream render
-(String contextPath, CacheEntry cacheEntry) {
+protected byte[] doRender
+(String contextPath, CacheEntry cacheEntry) throws IOException {
 InputStream xsltInputStream =
 findXsltInputStream(cacheEntry.context);
 
+String str;
 if (xsltInputStream==null) {
-return renderHtml(contextPath, cacheEntry);
+str = renderHtml(contextPath, cacheEntry);
 } else {
-return renderXml(contextPath, cacheEntry, xsltInputStream);
+str = renderXml(contextPath, cacheEntry, xsltInputStream);
 }
-
+try {
+return str.getBytes("UTF8");
+} catch (UnsupportedEncodingException e) {
+return str.getBytes();
+}
 }
 
 /**
@@ -1136,9 +1181,9 @@
  * @param contextPath Context path to which our inte