http://issues.apache.org/bugzilla/show_bug.cgi?id=44310

------- Additional Comments From [EMAIL PROTECTED] 2008-01-28 12:55 -------

Short explanation: Using this failure, a black hat could craft a malicious application in order to write arbitrary data to a random connection in any web app in the same Tomcat instance.

Long explanation: When developing asynchronous IO on top of Tomcat, one needs some kind of thread pool writing asynchronously on sockets (through the response's outputStream) and uses the Comet API for reading. When doing so, you need to track any error or exception that may occur and avoid any thread writing as soon as any such error or exception occurs while reading (say a mobile device disconnected due to bad cellular network conditions). It is close to impossible to ensure such behavior (if you can prove me wrong, you are hired and will get big bonuses from me :-).

While in the process of running stability and load testing on such an application, where we made a lot of effort to avoid such bad behavior, we encountered rare cases that produced such a bad condition (using the outputStream from a recycled response), thus resulting in data corruption in a random other client connection. It took several weeks to find out why it was occurring, and the consequences of such an error are extremely bad: "data corruption!". We still do not see how to avoid all cases that could lead it to occur.

Furthermore, the patch is attached, simple (5 lines moved) and very unlikely to introduce any regression. I have no requirement to include it in 6.0.16 since I have a workaround (disable recycling facades), but I think that other developers may encounter this kind of issue and take a lot of time (one man month in our case) to find this same workaround.
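A simplified model of the failure described in the comment above, as an added example that is not Tomcat code and not part of the original report: a pooled response object is re-bound to another client's connection while a worker still holds a reference to it, and a facade that is cleared when the request ends makes the late write fail instead. The class names `PooledResponse` and `AppFacade` and the in-memory "connections" are hypothetical and constructed for illustration.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;

// Toy model (not Tomcat code): a container-internal response that is reused
// across requests, and the facade object handed to application code.
public class RecycledFacadeDemo {
    static class PooledResponse {
        OutputStream socket;                        // connection currently served
        void bind(OutputStream s) { socket = s; }
        void recycle() { socket = null; }
    }
    // Facade given to the application. Once cleared, it refuses every write.
    static class AppFacade extends OutputStream {
        private PooledResponse target;
        AppFacade(PooledResponse r) { target = r; }
        void clear() { target = null; }             // called when the request ends
        @Override public void write(int b) throws IOException {
            PooledResponse r = target;
            if (r == null || r.socket == null) throw new IOException("response recycled");
            r.socket.write(b);
        }
    }

    public static void main(String[] args) throws IOException {
        byte[] late = "late write from an old request".getBytes(StandardCharsets.US_ASCII);
        ByteArrayOutputStream connA = new ByteArrayOutputStream();   // constructed sample
        ByteArrayOutputStream connB = new ByteArrayOutputStream(), connC = new ByteArrayOutputStream();
        PooledResponse pooled = new PooledResponse();

        // Case 1: the facade is kept alive with the pooled response (never cleared).
        pooled.bind(connA);
        AppFacade reused = new AppFacade(pooled);   // reference kept by a worker thread
        pooled.recycle();                           // client A disconnected
        pooled.bind(connB);                         // same object now serves client B
        reused.write(late);                         // stale write lands on B's connection
        System.out.println("reused facade  -> B received: " + connB.toString("US-ASCII"));

        // Case 2: the facade is cleared at the end of the request and never reused.
        AppFacade perRequest = new AppFacade(pooled);   // facade for client B's request
        perRequest.clear();                             // B's request ends
        pooled.recycle();
        pooled.bind(connC);                             // pooled object now serves client C
        try { perRequest.write(late); } catch (IOException e) {
            System.out.println("cleared facade -> " + e.getMessage() + ", C received " + connC.size() + " bytes");
        }
    }
}
```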