On 21.11.2015 at 17:06, Felix Schumacher wrote:
On 21.11.2015 at 17:02, Felix Schumacher wrote:
On 20.11.2015 at 11:00, Mark Thomas wrote:
The proposed Apache Tomcat 8.0.29 release is now available for voting.
The main changes since 8.0.28 are:
- Add an option to control (per context) quoting of EL expressions in
JSP attributes
- Correct a regression in the fix for 56777 that added support for
URIs in config file locations
- Add a new RestCsrfPreventionFilter that provides basic CSRF
protection for REST APIs
- Use instance manager for WebSocket server endpoint instances
It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-8/v8.0.29/
The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1055/
The svn tag is:
http://svn.apache.org/repos/asf/tomcat/tc8.0.x/tags/TOMCAT_8_0_29/
The proposed 8.0.29 release is:
[ ] Broken - do not release
[ ] Stable - go ahead and release as 8.0.29
On my Ubuntu 14.04.03 with Java 7 (OpenJDK Runtime Environment
(IcedTea 2.6.1) (7u85-2.6.1-5ubuntu0.14.04.1)) a few tests are
failing that I haven't noticed before. Those are in
TestNonLoginAndBasicAuthenticator.
Testcase: testBasicLoginRejectProtectedWithSession took 0,102 sec
    Caused an ERROR
Illegal character(s) in message header field: Cookie:
java.lang.IllegalArgumentException: Illegal character(s) in message header field: Cookie:
    at sun.net.www.protocol.http.HttpURLConnection.checkMessageHeader(HttpURLConnection.java:465)
    at sun.net.www.protocol.http.HttpURLConnection.isExternalMessageHeaderAllowed(HttpURLConnection.java:435)
    at sun.net.www.protocol.http.HttpURLConnection.setRequestProperty(HttpURLConnection.java:2767)
    at org.apache.catalina.startup.TomcatBaseTest.methodUrl(TomcatBaseTest.java:662)
    at org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:640)
    at org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:634)
    at org.apache.catalina.authenticator.TestNonLoginAndBasicAuthenticator.doTestNonLogin(TestNonLoginAndBasicAuthenticator.java:364)
    at org.apache.catalina.authenticator.TestNonLoginAndBasicAuthenticator.testBasicLoginRejectProtectedWithSession(TestNonLoginAndBasicAuthenticator.java:348)
A quick check with older Tomcat versions showed the same errors. So I
believe that the JRE got stricter about the values in cookie names
(: at the end of Cookie).
If I remove the ":" from the "Cookie" name, the tests will run
without warning. Any reason to add ":" in lines 360 and 383 in
test/org/apache/catalina/authenticator/TestNonLoginAndBasicAuthenticator.java?
Now I have found that this was already discussed in the vote for
native 1.2.1. But it seems that there was no solution found. Any
other news on this?
https://www.mail-archive.com/dev@tomcat.apache.org/msg102070.html
While debugging this issue in Eclipse, I found that checkMessageHeader
is explicitly checking for ":" (and "\n") in the key and throwing an
exception when one is found.
So I believe the ":" is not allowed (anymore).
Regards,
Felix
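
The header-name check described in the message above can be observed without a running server, since setRequestProperty validates the key before any connection is made. The following is an added example, not code from the thread or from the Tomcat test suite; the class name, URL and cookie value are constructed, and the outcome assumes a JRE that performs the ":" and "\n" check reported above.

```java
import java.net.HttpURLConnection;
import java.net.URI;

public class HeaderNameCheck {

    /**
     * Tries to set a request header with the given name on a fresh,
     * unconnected HttpURLConnection. Returns null if the JRE accepts the
     * name, otherwise the message of the IllegalArgumentException.
     */
    static String rejection(String headerName) throws Exception {
        // openConnection() only builds the object; no socket is opened
        // until connect() or a stream is requested. URL is a placeholder.
        HttpURLConnection conn = (HttpURLConnection)
                URI.create("http://localhost:8080/").toURL().openConnection();
        try {
            // Constructed session id, used only as a harmless header value.
            conn.setRequestProperty(headerName, "JSESSIONID=0123456789ABCDEF");
            return null;
        } catch (IllegalArgumentException e) {
            return e.getMessage();
        }
    }

    /** Makes control characters visible in the report. */
    static String printable(String s) {
        return s.replace("\r", "\\r").replace("\n", "\\n");
    }

    public static void main(String[] args) throws Exception {
        String[] names = {
            "Cookie",             // plain header name
            "Cookie:",            // the form the failing tests passed
            "Cookie\n",           // line feed in the key
            "X-First\nX-Second"   // line feed that would split one header into two
        };
        for (String name : names) {
            String why = rejection(name);
            System.out.println("\"" + printable(name) + "\" -> "
                    + (why == null ? "accepted" : "rejected: " + printable(why)));
        }
    }
}
```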