Re: Tomcat Export Notification Requirements

2007-09-26 Thread Mladen Turk

William A. Rowe, Jr. wrote:

Hey folks,

as you provide the bindings to the JSSE, even though you don't
ship the JSSE .jars - we still need Tomcat in compliance with the
federal export notification policies.  I know you did some work on
this in the past, but please see

http://www.apache.org/dev/crypto.html




I suppose we would need the same for Native connectors
that use OpenSSL. Up till now we have been using Ireland's
HEAnet to host the binaries.

Please advise what needs to be done to get the ECCN numbers.

Regards,
Mladen

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Tomcat Export Notification Requirements

2007-09-26 Thread William A. Rowe, Jr.
Mladen Turk wrote:
 William A. Rowe, Jr. wrote:
 Hey folks,

 as you provide the bindings to the JSSE, even though you don't
 ship the JSSE .jars - we still need Tomcat in compliance with the
 federal export notification policies.  I know you did some work on
 this in the past, but please see

 http://www.apache.org/dev/crypto.html
 
 I suppose we would need the same for Native connectors
 that uses OpenSSL. Up till now we are using Irelands
 Heanet to host the binaries.
 
 Please advice what's needed to be done to get the ECCN numbers.

Read that page, please raise any questions that you have after you've
covered it.  You'll be glad to know once these notices are sent, you'll
never need to check in again about openssl for mod_jk, the native jni
connector or Tomcat+JSSE ever again.  Think of the summary page

  http://www.apache.org/licenses/exports/

as documentation that all the steps are done for a specific software
component, never to be repeated (whew!)

The document is obviously evolving (only a half-dozen committers have
followed the process yet, so we want to work out any wrinkles).  Please
point out problems :)

Bill




Re: svn commit: r579298 - /tomcat/tc6.0.x/trunk/STATUS

2007-09-26 Thread jean-frederic clere
Filip Hanik - Dev Lists wrote:
 my suggestion, open a BZ item, attach the patch there, and have the
 STATUS file refer to that item

Or put it under people.apache.prg/~your_name/patches/bla.patch.

Cheers

Jean-Frederic

 
 Filip
 
 Filip Hanik - Dev Lists wrote:
 are we really gonna put each patch (the contents of it) in the STATUS
 file,
 this will make the status file unusable pretty quick, wont it?

 Filip

 [EMAIL PROTECTED] wrote:
 Author: remm
 Date: Tue Sep 25 08:22:40 2007
 New Revision: 579298

 URL: http://svn.apache.org/viewvc?rev=579298&view=rev
 Log:
 - Patch update.

 Modified:
 tomcat/tc6.0.x/trunk/STATUS

 Modified: tomcat/tc6.0.x/trunk/STATUS
 URL:
 http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS?rev=579298&r1=579297&r2=579298&view=diff

 ==

 --- tomcat/tc6.0.x/trunk/STATUS (original)
 +++ tomcat/tc6.0.x/trunk/STATUS Tue Sep 25 08:22:40 2007
 @@ -15,7 +15,7 @@
limitations under the License.
  
 

  
 -$Id: BUILDING.txt 562769 2007-08-04 22:08:32Z markt $
 +$Revision: $ $Date: $
  
   =
   Apache Tomcat 6.0 Patch Proposals
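Review bot: the replacement keyword line `$Revision: $ $Date: $` in this hunk is committed unexpanded, and it stays that way unless the svn:keywords property on STATUS lists Revision and Date. The removed `$Id` line still named BUILDING.txt, which suggests the header was copied from that file, so check that the property was set on STATUS as well.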
 @@ -26,7 +26,551 @@
[ New proposals should be added at the end of the list ]
  
  * New cookie parser (third party contribution)
 -  http://people.apache.org/~jfclere/patches/Cookies.java.patch
+1:-1: jfclere: The tests must done another way.
 +
 +Index: java/org/apache/tomcat/util/http/Cookies.java
 +===
 +--- java/org/apache/tomcat/util/http/Cookies.java(revision 579106)
  java/org/apache/tomcat/util/http/Cookies.java(working copy)
 +@@ -45,7 +45,28 @@
 + boolean unprocessed=true;
 + + MimeHeaders headers;
 +-++
 ++/*
 ++List of Separator Characters (see isSeparator())
 ++Excluding the '/' char violates the RFC, but ++it looks
 like a lot of people put '/'
 ++in unquoted values: '/': ; //47 ++'\t':9 ' ':32 '\':34
 '\'':39 '(':40 ')':41 ',':44 ':':58 ';':59 '':60 ++'=':61 '':62
 '?':63 '@':64 '[':91 '\\':92 ']':93 '{':123 '}':125
 ++*/
 ++public static final char SEPARATORS[] = { '\t', ' ', '\',
 '\'', '(', ')', ',', ++':', ';', '', '=', '', '?', '@',
 '[', '\\', ']', '{', '}' };
 ++
 ++protected static final boolean separators[] = new boolean[128];
 ++static {
 ++for (int i = 0; i  128; i++) {
 ++separators[i] = false;
 ++}
 ++for (int i = 0; i  SEPARATORS.length; i++) {
 ++separators[SEPARATORS[i]] = true;
 ++}
 ++}
 ++
 + /**
 +  *  Construct a new cookie collection, that will extract
 +  *  the information from headers.
 +@@ -182,181 +203,6 @@
 + }
 + }
 + +-/** Process a byte[] header - allowing fast processing of the
 +- *  raw data
 +- */
 +-void processCookieHeader(  byte bytes[], int off, int len )
 +-{
 +-if( len=0 || bytes==null ) return;
 +-int end=off+len;
 +-int pos=off;
 +-+-int version=0; //sticky
 +-ServerCookie sc=null;
 +-+-
 +-while( posend ) {
 +-byte cc;
 +-// [ skip_spaces name skip_spaces = skip_spaces value
 EXTRA ; ] *
 +-if( dbg0 ) log( Start:  + pos +   + end );
 +-+-pos=skipSpaces(bytes, pos, end);
 +-if( pos=end )
 +-return; // only spaces
 +-int startName=pos;
 +-if( dbg0 ) log( SN:  + pos );
 +-+-// Version should be the first token
 +-boolean isSpecial=false;
 +-if(bytes[pos]=='$') { pos++; isSpecial=true; }
 +-
 +-pos= findDelim1( bytes, startName, end); //  =;,
 +-int endName=pos;
 +-// current = = or   or DELIM
 +-pos= skipSpaces( bytes, endName, end ); +-   
 if( dbg0 ) log( DELIM:  + endName +   + (char)bytes[pos]);
 +-
 +-if(pos = end ) {
 +-// it's a name-only cookie ( valid in RFC2109 )
 +-if( ! isSpecial ) {
 +-sc=addCookie();
 +-sc.getName().setBytes( bytes, startName,
 +-   endName-startName );
 +-sc.getValue().setString();
 +-sc.setVersion( version );
 +-if( dbg0 ) log( Name only, end:  + startName
 +   +
 +- endName);
 +-}
 +-return;
 +-}
 +-
 +-cc=bytes[pos];
 +-pos++;
 +-if( cc==';' || cc==',' || pos=end ) {
 +-if( ! isSpecial  startName!= endName ) {
 +-sc=addCookie();
 +-sc.getName().setBytes( 
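Review bot: in the embedded Cookies.java patch, `separators` is declared as `new boolean[128]` and indexed directly by character in the static initializer. Cookie header bytes are client-supplied and a Java byte above 0x7F is negative, so any lookup into this table (the comment points at isSeparator(), which is not in the visible lines) needs a range check before indexing; without one a non-ASCII byte in a cookie ends in an ArrayIndexOutOfBoundsException. The comment also states that leaving '/' out of the separator list violates the RFC; that deviation deserves a changelog line so deployers know unquoted '/' is accepted in values.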

svn commit: r579521 - /tomcat/tc6.0.x/trunk/STATUS

2007-09-26 Thread jfclere
Author: jfclere
Date: Wed Sep 26 01:52:21 2007
New Revision: 579521

URL: http://svn.apache.org/viewvc?rev=579521&view=rev
Log:
Add the test part move remy's patch to people.apache.org and cast my vote.

Modified:
tomcat/tc6.0.x/trunk/STATUS

Modified: tomcat/tc6.0.x/trunk/STATUS
URL: 
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS?rev=579521&r1=579520&r2=579521&view=diff
==
--- tomcat/tc6.0.x/trunk/STATUS (original)
+++ tomcat/tc6.0.x/trunk/STATUS Wed Sep 26 01:52:21 2007
@@ -26,551 +26,7 @@
   [ New proposals should be added at the end of the list ]
 
 * New cookie parser (third party contribution)
-  +1: 
-  -1: jfclere: The tests must done another way.
-
-Index: java/org/apache/tomcat/util/http/Cookies.java
-===
 java/org/apache/tomcat/util/http/Cookies.java  (revision 579106)
-+++ java/org/apache/tomcat/util/http/Cookies.java  (working copy)
-@@ -45,7 +45,28 @@
- boolean unprocessed=true;
- 
- MimeHeaders headers;
--
-+
-+/*
-+List of Separator Characters (see isSeparator())
-+Excluding the '/' char violates the RFC, but 
-+it looks like a lot of people put '/'
-+in unquoted values: '/': ; //47 
-+'\t':9 ' ':32 '\':34 '\'':39 '(':40 ')':41 ',':44 ':':58 ';':59 '':60 
-+'=':61 '':62 '?':63 '@':64 '[':91 '\\':92 ']':93 '{':123 '}':125
-+*/
-+public static final char SEPARATORS[] = { '\t', ' ', '\', '\'', '(', 
')', ',', 
-+':', ';', '', '=', '', '?', '@', '[', '\\', ']', '{', '}' };
-+
-+protected static final boolean separators[] = new boolean[128];
-+static {
-+for (int i = 0; i  128; i++) {
-+separators[i] = false;
-+}
-+for (int i = 0; i  SEPARATORS.length; i++) {
-+separators[SEPARATORS[i]] = true;
-+}
-+}
-+
- /**
-  *  Construct a new cookie collection, that will extract
-  *  the information from headers.
-@@ -182,181 +203,6 @@
- }
- }
- 
--/** Process a byte[] header - allowing fast processing of the
-- *  raw data
-- */
--void processCookieHeader(  byte bytes[], int off, int len )
--{
--if( len=0 || bytes==null ) return;
--int end=off+len;
--int pos=off;
--
--int version=0; //sticky
--ServerCookie sc=null;
--
--
--while( posend ) {
--byte cc;
--// [ skip_spaces name skip_spaces = skip_spaces value EXTRA ; ] 
*
--if( dbg0 ) log( Start:  + pos +   + end );
--
--pos=skipSpaces(bytes, pos, end);
--if( pos=end )
--return; // only spaces
--int startName=pos;
--if( dbg0 ) log( SN:  + pos );
--
--// Version should be the first token
--boolean isSpecial=false;
--if(bytes[pos]=='$') { pos++; isSpecial=true; }
--
--pos= findDelim1( bytes, startName, end); //  =;,
--int endName=pos;
--// current = = or   or DELIM
--pos= skipSpaces( bytes, endName, end ); 
--if( dbg0 ) log( DELIM:  + endName +   + (char)bytes[pos]);
--
--if(pos = end ) {
--// it's a name-only cookie ( valid in RFC2109 )
--if( ! isSpecial ) {
--sc=addCookie();
--sc.getName().setBytes( bytes, startName,
--   endName-startName );
--sc.getValue().setString();
--sc.setVersion( version );
--if( dbg0 ) log( Name only, end:  + startName +   +
-- endName);
--}
--return;
--}
--
--cc=bytes[pos];
--pos++;
--if( cc==';' || cc==',' || pos=end ) {
--if( ! isSpecial  startName!= endName ) {
--sc=addCookie();
--sc.getName().setBytes( bytes, startName,
--   endName-startName );
--sc.getValue().setString();
--sc.setVersion( version );
--if( dbg0 ) log( Name only:  + startName +   + 
endName);
--}
--continue;
--}
--
--// we should have = ( tested all other alternatives )
--int startValue=skipSpaces( bytes, pos, end);
--int endValue=startValue;
--
--cc=bytes[pos];
--if( cc=='' ) {
--endValue=findDelim3( bytes, startValue+1, end, cc );
--if (endValue == -1) {
--endValue=findDelim2( bytes, startValue+1, end );
--} else startValue++;
--pos=endValue+1; // to skip to next cookie
-- } else {
--   

DO NOT REPLY [Bug 43480] New: - NullPointerException when processing empty cookie header

2007-09-26 Thread bugzilla
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
http://issues.apache.org/bugzilla/show_bug.cgi?id=43480.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=43480

   Summary: NullPointerException when processing empty cookie header
   Product: Tomcat 4
   Version: 4.1.27
  Platform: PC
OS/Version: Windows Server 2003
Status: NEW
  Severity: normal
  Priority: P3
 Component: Connector:HTTP/1.1 (deprecated)
AssignedTo: [EMAIL PROTECTED]
ReportedBy: [EMAIL PROTECTED]


We periodically receive the following in the Catalina log and I think this 
occurs when an empty cookie header is received at the server (e.g. Cookie:). 
I believe these empty cookie headers are coming from web browsers that have 
the Google Web Accelerator installed.

2007-09-26 09:07:36 Ajp13Processor[8009][4] process: finish
java.lang.NullPointerException
    at java.util.StringTokenizer.<init>(StringTokenizer.java:146)
    at org.apache.tomcat.util.http.Cookies.processCookieHeader(Cookies.java:415)
    at org.apache.tomcat.util.http.Cookies.processCookies(Cookies.java:216)
    at org.apache.tomcat.util.http.Cookies.getCookieCount(Cookies.java:161)
    at org.apache.ajp.tomcat4.Ajp13Request.addCookies(Ajp13Request.java:193)
    at org.apache.ajp.tomcat4.Ajp13Request.setAjpRequest(Ajp13Request.java:155)
    at org.apache.ajp.tomcat4.Ajp13Processor.process(Ajp13Processor.java:449)
    at org.apache.ajp.tomcat4.Ajp13Processor.run(Ajp13Processor.java:585)
    at java.lang.Thread.run(Thread.java:534)

Please note the following: I believe the empty cookie headers were causing our 
Domino web server to crash in the jk2_requtil_getCookieByName() function. To 
resolve this problem I amended the 'workers2.Properties' file to 
set 'stickySession=0'. This appears to have stopped the web server crashes but 
created the issue above. An example of headers that caused the server to crash 
previously is shown below:

GET /servlet/ep.ext?
extId=155777byPostcode=ybyStreet=ybyHouseNumber=YbyAddress=yst=PRS 
HTTP/1.1
Accept-Language: en-gb,en-us;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 
1.1.4322; .NET CLR 2.0.50727)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-
shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, 
application/msword, */*
Referer: 
http://www.brent.gov.uk/registrar.nsf/24878f4b00d4f0f68025663c006c7944/79335ab1
0394dc1280256f79003d613d?OpenDocument
Host: www.brent.gov.uk
X-moz: prefetch
Cookie: 
X-Forwarded-For: 82.153.25.44
Accept-Encoding: gzip

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are the assignee for the bug, or are watching the assignee.
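
The trace in the report above ends in the `StringTokenizer` constructor, which throws `NullPointerException` when given a null string. The following is an added example, not Tomcat's code and not part of the original report: it assumes the empty `Cookie:` header reaches the parser as null, and `EmptyCookieHeaderDemo`, its methods and the sample header values are hypothetical or constructed.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.StringTokenizer;

/** Added example; class and method names are hypothetical, not Tomcat's. */
public class EmptyCookieHeaderDemo {

    /** One name/value pair taken from a Cookie request header. */
    static final class Pair {
        final String name;
        final String value;
        Pair(String name, String value) { this.name = name; this.value = value; }
        @Override public String toString() { return name + "=" + value; }
    }

    /** Unguarded: a null header value goes straight to StringTokenizer, which throws. */
    static List<Pair> parseUnguarded(String headerValue) {
        List<Pair> out = new ArrayList<Pair>();
        StringTokenizer tok = new StringTokenizer(headerValue, ";");
        while (tok.hasMoreTokens()) {
            addPair(out, tok.nextToken());
        }
        return out;
    }

    /** Guarded: null, empty and whitespace-only header values yield no cookies. */
    static List<Pair> parseGuarded(String headerValue) {
        if (headerValue == null || headerValue.trim().isEmpty()) {
            return Collections.emptyList();
        }
        return parseUnguarded(headerValue);
    }

    private static void addPair(List<Pair> out, String token) {
        String t = token.trim();
        if (t.isEmpty()) {
            return;                         // whitespace-only segment, e.g. "a=1; ;b=2"
        }
        int eq = t.indexOf('=');
        if (eq < 0) {
            out.add(new Pair(t, ""));       // name-only cookie
            return;
        }
        String name = t.substring(0, eq).trim();
        if (name.isEmpty()) {
            return;                         // "=value" carries no name; skip it
        }
        out.add(new Pair(name, t.substring(eq + 1).trim()));
    }

    public static void main(String[] args) {
        // Constructed header values; null stands for what the parser is assumed
        // to receive when the request carries a bare "Cookie:" line.
        String[] samples = { null, "", "   ", "JSESSIONID=abc123; theme=dark", "flag; ;x=1;" };
        for (String s : samples) {
            String shown = (s == null) ? "null" : "\"" + s + "\"";
            try {
                System.out.println("unguarded " + shown + " -> " + parseUnguarded(s));
            } catch (NullPointerException e) {
                System.out.println("unguarded " + shown + " -> NullPointerException");
            }
            System.out.println("guarded   " + shown + " -> " + parseGuarded(s));
        }
    }
}
```

Only the null input separates the two paths; the empty and whitespace-only strings already produce an empty list in the unguarded version, so a test suite that uses `""` for the empty header would not reproduce the reported exception.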




DO NOT REPLY [Bug 43477] - Bug fix 41217 causes another bug

2007-09-26 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=43477


[EMAIL PROTECTED] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID




--- Additional Comments From [EMAIL PROTECTED]  2007-09-26 03:34 ---
The cookie needs to be secure - otherwise session hijacking via sniffing would 
be able to be done. (And it would not be secure)




svn commit: r579647 - /tomcat/connectors/trunk/jk/native/apache-1.3/mod_jk.c

2007-09-26 Thread jim
Author: jim
Date: Wed Sep 26 05:46:32 2007
New Revision: 579647

URL: http://svn.apache.org/viewvc?rev=579647&view=rev
Log:
Allow it to compile :)

Modified:
tomcat/connectors/trunk/jk/native/apache-1.3/mod_jk.c

Modified: tomcat/connectors/trunk/jk/native/apache-1.3/mod_jk.c
URL: 
http://svn.apache.org/viewvc/tomcat/connectors/trunk/jk/native/apache-1.3/mod_jk.c?rev=579647&r1=579646&r2=579647&view=diff
==
--- tomcat/connectors/trunk/jk/native/apache-1.3/mod_jk.c (original)
+++ tomcat/connectors/trunk/jk/native/apache-1.3/mod_jk.c Wed Sep 26 05:46:32 
2007
@@ -356,7 +356,6 @@
 
 static void JK_METHOD ws_flush(jk_ws_service_t *s)
 {
-}
 if (s  s-ws_private) {
 apache_private_data_t *p = s-ws_private;
 BUFF *bf = p-r-connection-client;
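Review bot: the removed `}` sat directly after the opening brace of ws_flush(), which closed the function at once and left the statements that follow outside any function body, so the file could not compile, as the log message says. The revision that introduced the brace therefore went in without this module being built; compiling the apache-1.3 module before committing changes to it would catch this class of error.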






[Tomcat Bayeux and Comet Implementation]

2007-09-26 Thread Gurkan Erdogdu
Hi guys;

Is there any support for the Bayeux protocol and Comet-style applications
in Tomcat 6.x? I looked at the Tomcat sandbox; are these
implementations still experimental? Is there any timeline for these components
to be included with the Tomcat distribution?

Thanks;

Gurkan


   


DO NOT REPLY [Bug 25127] - Tomcat 4.1.29 will not start with IBM JDK 1.3.0

2007-09-26 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=25127





--- Additional Comments From [EMAIL PROTECTED]  2007-09-26 06:57 ---
Mark, you are right.  This has nothing to do with this bug.  I'm sorry about 
that.  Just in case anyone asks how I was able to solve my problem: I just put 
the proper jar file in the classpath.  Here is my classpath:

CLASSPATH=\
$JAVA_HOME/lib/tools.jar:\
$CATALINA_HOME/bin/commons-daemon.jar:\
$CATALINA_HOME/bin/tomcat-juli.jar:\
$CATALINA_HOME/lib/catalina-ha.jar:\
$CATALINA_HOME/lib/catalina-tribes.jar:\
$CATALINA_HOME/lib/tomcat-coyote.jar:\
$CATALINA_HOME/lib/catalina.jar:\
$CATALINA_HOME/lib/servlet-api.jar:\
$CATALINA_HOME/lib/jasper.jar:\
$CATALINA_HOME/lib/jsp-api.jar:\
$CATALINA_HOME/lib/annotations-api.jar:\
$CATALINA_HOME/bin/bootstrap.jar





[RESULT] Was Re: [VOTE] Back to ASF Basics (Was: Re: Review model take 2)

2007-09-26 Thread Jim Jagielski



I'd like to call a vote on acceptance of the above methodology,
as crafted and fine-tuned by Costin and myself. It is worthwhile
to note that, really, these are the typical ASF methods, but
with some grainy aspects better defined. In essence, some
typical niceties are now mandated (changes, even in CTR, which
affect the API, must be brought up first to gauge community
approval).

   [ ] +1. Yes, the above works and addresses my concerns
   as well as the problems which started this whole
   thing.
   [ ]  0. Whatever.
   [ ] -1. The above does not work for the following reasons:

The vote will run for 96 hours instead of the normal 72 because of
the weekend. Only binding votes will be counted, but non-binding
votes will be used to address wider concern/acceptance of
the proposal.



Looks like the 96 hours are up, and the tally is:

  +1: jim, yoav, tim, remy, costin, filip, mark, mladen,
      jean-frederic, rainer

  Not Sure: Peter followed up: I agree with Remy: We must find a process
            that really work normally  quick and can handle
            conflicts fair. Henri +1'ed Peter's post. So I am
            not sure if Peter actually cast a vote or simply made
            a comment and I'm not sure if Henri +1'ed the proposal
            or Peter's comment or both.

  -1: null set

As such, the vote passes!!

We can now give ourselves a pat on the back for resolving this
and start implementing the changes we approved...




Re: Tomcat Export Notification Requirements

2007-09-26 Thread Yoav Shapira
Hey,

On 9/26/07, William A. Rowe, Jr. [EMAIL PROTECTED] wrote:
  Please advice what's needed to be done to get the ECCN numbers.

 Read that page, please raise any questions that you have after you've
 covered it.  You'll be glad to know once these notices are sent, you'll
 never need to check in again about openssl for mod_jk, the native jni
 connector or Tomcat+JSSE ever again.  Think of the summary page

   http://www.apache.org/licenses/exports/

So we should NOT add Tomcat to the exports matrix UNTIL the
notifications are sent to the government, right?

Yoav




svn commit: r579687 - /tomcat/tc6.0.x/trunk/STATUS

2007-09-26 Thread fhanik
Author: fhanik
Date: Wed Sep 26 08:10:04 2007
New Revision: 579687

URL: http://svn.apache.org/viewvc?rev=579687&view=rev
Log:
Patch proposal for request info data

Modified:
tomcat/tc6.0.x/trunk/STATUS

Modified: tomcat/tc6.0.x/trunk/STATUS
URL: 
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS?rev=579687&r1=579686&r2=579687&view=diff
==
--- tomcat/tc6.0.x/trunk/STATUS (original)
+++ tomcat/tc6.0.x/trunk/STATUS Wed Sep 26 08:10:04 2007
@@ -30,3 +30,8 @@
   http://people.apache.org/~jfclere/patches/CookiesTest.patch
   +1: jfclere
   -1: 
+
+* Fix request processing time on the Coyote statistics info
+  http://issues.apache.org/bugzilla/show_bug.cgi?id=43487
+  +1: fhanik
+  -1: 
\ No newline at end of file
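Review bot: the new entry ends the file without a trailing newline (`\ No newline at end of file`). STATUS says new proposals are added at the end of the list, so the next proposal appended will show this `-1:` line as changed in its diff even though its content is not; add the newline.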






svn commit: r579688 - /tomcat/tc6.0.x/trunk/STATUS

2007-09-26 Thread fhanik
Author: fhanik
Date: Wed Sep 26 08:11:40 2007
New Revision: 579688

URL: http://svn.apache.org/viewvc?rev=579688&view=rev
Log:
add my vote to cookie patch

Modified:
tomcat/tc6.0.x/trunk/STATUS

Modified: tomcat/tc6.0.x/trunk/STATUS
URL: 
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS?rev=579688&r1=579687&r2=579688&view=diff
==
--- tomcat/tc6.0.x/trunk/STATUS (original)
+++ tomcat/tc6.0.x/trunk/STATUS Wed Sep 26 08:11:40 2007
@@ -28,7 +28,7 @@
 * New cookie parser (third party contribution)
   http://people.apache.org/~jfclere/patches/Cookies.java.remy.patch
   http://people.apache.org/~jfclere/patches/CookiesTest.patch
-  +1: jfclere
+  +1: jfclere, fhanik
   -1: 
 
 * Fix request processing time on the Coyote statistics info
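Review bot: the `+1` votes on the cookie parser entry are recorded against two URLs under people.apache.org/~jfclere/patches/, plain files that can be replaced after the votes are cast without anything changing in STATUS. Pin what was voted on, for example by attaching the patch to a Bugzilla item and linking that, or by noting a checksum of each file next to its link.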






DO NOT REPLY [Bug 43480] - NullPointerException when processing empty cookie header

2007-09-26 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=43480





--- Additional Comments From [EMAIL PROTECTED]  2007-09-26 09:47 ---
This is in the deprecated processCookieHeader. I'd like to have this function
removed (for bunches of reasons) in but I'll have to see how Ajp uses it.




DO NOT REPLY [Bug 43477] - Bug fix 41217 causes another bug

2007-09-26 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=43477





--- Additional Comments From [EMAIL PROTECTED]  2007-09-26 09:52 ---
Reply to [EMAIL PROTECTED]
funkman said: The cookie needs to be secure - otherwise session hijacking via 
sniffing would be able to be done. (And it would not be secure)


So in this case do you mean that I have to keep all my applications under SSL 
even if I don't need that? The login page must be under SSL but the other 
applications not automatically.

Mustapha.





Re: Tomcat Export Notification Requirements

2007-09-26 Thread William A. Rowe, Jr.
Yoav Shapira wrote:
 Hey,
 
 On 9/26/07, William A. Rowe, Jr. [EMAIL PROTECTED] wrote:
 Please advice what's needed to be done to get the ECCN numbers.
 Read that page, please raise any questions that you have after you've
 covered it.  You'll be glad to know once these notices are sent, you'll
 never need to check in again about openssl for mod_jk, the native jni
 connector or Tomcat+JSSE ever again.  Think of the summary page

   http://www.apache.org/licenses/exports/
 
 So we should NOT add Tomcat to the exports matrix UNTIL the
 notifications are sent to the government, right?

Correct.




Re: Tomcat Export Notification Requirements

2007-09-26 Thread William A. Rowe, Jr.
Yoav Shapira wrote:
 Hey,
 
 On 9/26/07, William A. Rowe, Jr. [EMAIL PROTECTED] wrote:
 Please advice what's needed to be done to get the ECCN numbers.
 Read that page, please raise any questions that you have after you've
 covered it.  You'll be glad to know once these notices are sent, you'll
 never need to check in again about openssl for mod_jk, the native jni
 connector or Tomcat+JSSE ever again.  Think of the summary page

   http://www.apache.org/licenses/exports/
 
 So we should NOT add Tomcat to the exports matrix UNTIL the
 notifications are sent to the government, right?

I hit send too fast.

You do them concurrently.  Add the notice to exports, and send out the
notification email.  Because the notice includes;

NOTIFICATION: http://www.apache.org/licenses/exports/

it's sort of a closed loop problem.  Update the info, allow the usual
one hour after updating from minotaur to sync, and then shoot out the
notice referencing the list of notices sent :)

Bill




Re: Tomcat Export Notification Requirements

2007-09-26 Thread Mladen Turk

William A. Rowe, Jr. wrote:


it's sort of a closed loop problem.  Update the info, allow the usual
one hour after updating from minotaur to sync, and then shoot out the
notice referencing the list of notices sent :)



Can we get an example email that needs to be sent and an email
address? The page you referred to looks pretty confusing with lots
of links ;)
Think we need to have both JSSE and OpenSSL referenced.

Regards,
Mladen




Re: Tomcat Export Notification Requirements

2007-09-26 Thread William A. Rowe, Jr.
Mladen Turk wrote:
 William A. Rowe, Jr. wrote:

 it's sort of a closed loop problem.  Update the info, allow the usual
 one hour after updating from minotaur to sync, and then shoot out the
 notice referencing the list of notices sent :)

 
 Can we get an example email that needs to be send and an email
 address? The page you referred looks pretty confusing with lots
 of links ;)
 Think wee need to have both JSSE and OpenSSL referenced.

Please review the section Notify the U.S. Government of the Release
and let me know of any suggested changes, or ask about the confusing
paragraph so I can rewrite it.

These sorts of things never get fixed if everyone is walked through it
one by one :-)




Re: Tomcat Export Notification Requirements

2007-09-26 Thread Mladen Turk

William A. Rowe, Jr. wrote:

Mladen Turk wrote:

William A. Rowe, Jr. wrote:

it's sort of a closed loop problem.  Update the info, allow the usual
one hour after updating from minotaur to sync, and then shoot out the
notice referencing the list of notices sent :)


Can we get an example email that needs to be send and an email
address? The page you referred looks pretty confusing with lots
of links ;)
Think wee need to have both JSSE and OpenSSL referenced.


Please review the section Notify the U.S. Government of the Release
and let me know of any suggested changes, or ask about the confusing
paragraph so I can rewrite it.


Argh. I was looking at the wrong location.
I'll try running the tool.

However, not sure what to do with JSSE and how to reference those.

Is http://java.sun.com/javase/technologies/security/
enough? They tend to change the uri often ;)

Regards,
Mladen




Re: Tomcat Export Notification Requirements

2007-09-26 Thread William A. Rowe, Jr.
Mladen Turk wrote:
 William A. Rowe, Jr. wrote:
 Mladen Turk wrote:
 William A. Rowe, Jr. wrote:
 it's sort of a closed loop problem.  Update the info, allow the usual
 one hour after updating from minotaur to sync, and then shoot out the
 notice referencing the list of notices sent :)

 Can we get an example email that needs to be send and an email
 address? The page you referred looks pretty confusing with lots
 of links ;)
 Think wee need to have both JSSE and OpenSSL referenced.

 Please review the section Notify the U.S. Government of the Release
 and let me know of any suggested changes, or ask about the confusing
 paragraph so I can rewrite it.
 
 Argh. I was looking at the wrong location.
 I'll try running the tool.
 
 However, not sure what to do with JSSE and how to reference those.
 
 Is http://java.sun.com/javase/technologies/security/
 enough? They tend to change the uri often ;)

It must be a link from which bis can get to the source code of the open
source crypto provider.

They provide a link on that page; Archived JAAS, JCE, and JSSE Optional
packages - however following that link reveals version 1.0.3 of the JSSE
alone, so this doesn't satisfy the requirements since there is no way to
get to the specific sources.

But *wait* - we don't ship the JSSE, we incorporate it but the user must
obtain it themselves.  The crypto code *we* ship is strictly at openssl
or in our own svn repositories.

So - incorporate by reference that it leverages JSSE (that link is fine)
but since we don't ship it, we don't point them to that 'source code'.
Only our own.  c.f. derby and geronimo.

So follow the geronimo example and the httpd example of openssl notice and
I think that covers Tomcat.

Now in the case of a few others where they've leveraged BouncyCastle (an
IP minefield in its own right), they have actually shipped those .jars
as I understand it.  So their form of notice was correct.

Bill





Re: [RESULT] Was Re: [VOTE] Back to ASF Basics (Was: Re: Review model take 2)

2007-09-26 Thread Henri Gomez
 [ ] +1. Yes, the above works and addresses my concerns
as well as the problems which started this whole
thing.


Just to be sure

2007/9/26, Jim Jagielski [EMAIL PROTECTED]:

  I'd like to call a vote on acceptance of the above methodology,
  as crafted and fine-tuned by Costin and myself. It is worthwhile
  to note that, really, these are the typical ASF methods, but
  with some grainy aspects better defined. In essence, some
  typical niceties are now mandated (changes, even in CTR, which
  affect the API, must be brought up first to gauge community
  approval).
 
 [ ] +1. Yes, the above works and addresses my concerns
 as well as the problems which started this whole
 thing.
 [ ]  0. Whatever.
 [ ] -1. The above does not work for the following reasons:
 
  The vote will run for 96 hours instead of the normal 72 because of
  the weekend. Only binding votes will be counted, but non-binding
  votes will be used to address wider concern/acceptance of
  the proposal.
 

 Looks like the 96 hours are up, and the tally is:

+1: jim, yoav, tim, remy, costin, filip, mark, mladen,
jean-frederic, rainer

Not Sure: Peter followed up: I agree with Remy: We must find a
 process
  that really work normally  quick and can handle
  conflicts fair. Henri +1'ed Peter's post. So I am
  not sure if Peter actually cast a vote or simply made
  a comment and I'm not sure if Henri +1'ed the proposal
  or Peter's comment or both.
 -1: null set

 As such, the vote passes!!

 We can now give ourselves a pat on the back for resolving this
 and start implementing the changes we approved...







svn commit: r579788 - /tomcat/current/tc5.5.x/STATUS

2007-09-26 Thread fhanik
Author: fhanik
Date: Wed Sep 26 13:46:14 2007
New Revision: 579788

URL: http://svn.apache.org/viewvc?rev=579788&view=rev
Log:
add my vote

Modified:
tomcat/current/tc5.5.x/STATUS

Modified: tomcat/current/tc5.5.x/STATUS
URL: 
http://svn.apache.org/viewvc/tomcat/current/tc5.5.x/STATUS?rev=579788&r1=579787&r2=579788&view=diff
==
--- tomcat/current/tc5.5.x/STATUS (original)
+++ tomcat/current/tc5.5.x/STATUS Wed Sep 26 13:46:14 2007
@@ -27,6 +27,6 @@
 
 * Fix problem where client-flush loses headers if the response isn't committed 
yet:  http://issues.apache.org/bugzilla/show_bug.cgi?id=43478
 
- +1: billbarker
+ +1: billbarker, fhanik
  -1:
  
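Review bot: The item this +1 lands on identifies the fix only by its Bugzilla URL (id=43478), so the added fhanik vote does not record which patch or revision was reviewed; adding the attachment or revision reference to the item line would tie both votes to one specific change.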






DO NOT REPLY [Bug 29936] - XML parser loading problems by container

2007-09-26 Thread bugzilla
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
http://issues.apache.org/bugzilla/show_bug.cgi?id=29936.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=29936





--- Additional Comments From [EMAIL PROTECTED]  2007-09-26 13:54 ---
Created an attachment (id=20889)
 --> (http://issues.apache.org/bugzilla/attachment.cgi?id=20889&action=view)
WAR causing problem for container


-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are the assignee for the bug, or are watching the assignee.




DO NOT REPLY [Bug 29936] - XML parser loading problems by container

2007-09-26 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=29936


[EMAIL PROTECTED] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|WORKSFORME                  |




--- Additional Comments From [EMAIL PROTECTED]  2007-09-26 13:56 ---
I've attached a small problematic WAR that just contains a blank web.xml along
with a saxon.jar in the WEB-INF/lib.  Remember that you need to remove ALL the
apps that come with Tomcat (rm -fr webapps/*) as well as the configs (rm -fr
conf/Catalina).





DO NOT REPLY [Bug 43480] - NullPointerException when processing empty cookie header

2007-09-26 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=43480





--- Additional Comments From [EMAIL PROTECTED]  2007-09-26 14:58 ---
Notes:
1. tomcat4.ajp.* doesn't use the setBytes method of MessageBytes in Ajp13Request
when adding header/value pairs.
2. This means the header value(s) never get a type of T_BYTES
3. Cookie processing always defaults to the simple StringTokenizer version.

Possible Solutions:
1. Do a simple check for null strings in the StringTokenizer version of
processCookieHeader.
2. Convert(!) the string to byte [], making sure no wackiness occurs with the
character set and use the more modern processCookieHeaders.
3. Look into the possibility of having Ajp13Request, et al. use setBytes (The
problem with this is that the header/value pair is actually set in
HttpRequestBase)

I am leaning towards option 1, because it is low-impact. The cons are that we
still have a code path engaged with the deprecated parser. I still need to
replicate this also.

Any input?




DO NOT REPLY [Bug 43497] New: - Add ability to escape rendered output of JSP expressions

2007-09-26 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=43497

   Summary: Add ability to escape rendered output of JSP expressions
   Product: Tomcat 6
   Version: 6.0.14
  Platform: Other
OS/Version: other
Status: NEW
  Severity: enhancement
  Priority: P3
 Component: Jasper
AssignedTo: [EMAIL PROTECTED]
ReportedBy: [EMAIL PROTECTED]


JSP's Expression Language does not XML-escape its content by default. While
c:out and ${fn:escapeXml(string)} can be used, I think it's a nice option to
allow turning on escaping by default - in Tomcat's web.xml. This is similar to
the trimSpaces option that Tomcat added before it was part of the JSP spec.

Related: http://raibledesigns.com/rd/entry/java_web_frameworks_and_xss

I'll attach a patch to make this possible.

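An added illustration of the behaviour this request describes, not code from the attached patch or from Tomcat: `renderExpression` and `escapeByDefault` are hypothetical names standing in for the container writing an EL result with the proposed switch off or on, and the input is constructed. It also shows what a page that already calls fn:escapeXml would emit once the default is on, assuming the default is applied to the final EL result.

```java
public class ElEscapeDemo {

    // Escapes the five characters that JSTL's fn:escapeXml escapes.
    static String escapeXml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&#034;"); break;
                case '\'': out.append("&#039;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Hypothetical stand-in for the container writing an EL result into the page.
    // escapeByDefault models the proposed switch; it is not a real Tomcat option name.
    static String renderExpression(String value, boolean escapeByDefault) {
        return escapeByDefault ? escapeXml(value) : value;
    }

    public static void main(String[] args) {
        // Constructed sample input: a request parameter echoed back by ${param.q}.
        String q = "<script>alert(1)</script>";

        // Bare ${param.q}: markup reaches the browser unless the default is on.
        System.out.println("bare, default off        : " + renderExpression(q, false));
        System.out.println("bare, default on         : " + renderExpression(q, true));

        // ${fn:escapeXml(param.q)}: safe today, escaped twice with the default on,
        // so the user sees literal "&lt;script&gt;" text in the rendered page.
        String alreadyEscaped = escapeXml(q);
        System.out.println("fn:escapeXml, default off: " + renderExpression(alreadyEscaped, false));
        System.out.println("fn:escapeXml, default on : " + renderExpression(alreadyEscaped, true));
    }
}
```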



DO NOT REPLY [Bug 43497] - Add ability to escape rendered output of JSP expressions

2007-09-26 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=43497





--- Additional Comments From [EMAIL PROTECTED]  2007-09-26 19:04 ---
Created an attachment (id=20891)
 --> (http://issues.apache.org/bugzilla/attachment.cgi?id=20891&action=view)
Patch to add the ability to escape the rendered output of JSP's EL by default





DO NOT REPLY [Bug 43423] - catalina.sh -force too fast

2007-09-26 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=43423





--- Additional Comments From [EMAIL PROTECTED]  2007-09-26 20:16 ---
The assumption is that once the shutdown command has been issued
and the process has finished, that this means that the JVM is really
dead. In fact, the JVM may still be running for a short time after 
Tomcat has gone away. So the 'kill' command is executed too soon.
In my case, this means that any temporary files created with the
delete on exit flag are not removed, eventually filling up the
file system.




svn commit: r579892 - /tomcat/tc6.0.x/trunk/STATUS

2007-09-26 Thread pero
Author: pero
Date: Wed Sep 26 22:11:46 2007
New Revision: 579892

URL: http://svn.apache.org/viewvc?rev=579892&view=rev
Log:
Add my vote

Modified:
tomcat/tc6.0.x/trunk/STATUS

Modified: tomcat/tc6.0.x/trunk/STATUS
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS?rev=579892&r1=579891&r2=579892&view=diff
==
--- tomcat/tc6.0.x/trunk/STATUS (original)
+++ tomcat/tc6.0.x/trunk/STATUS Wed Sep 26 22:11:46 2007
@@ -28,10 +28,10 @@
 * New cookie parser (third party contribution)
   http://people.apache.org/~jfclere/patches/Cookies.java.remy.patch
   http://people.apache.org/~jfclere/patches/CookiesTest.patch
-  +1: jfclere, fhanik
+  +1: jfclere, fhanik, pero
   -1: 
 
 * Fix request processing time on the Coyote statistics info
   http://issues.apache.org/bugzilla/show_bug.cgi?id=43487
-  +1: fhanik
+  +1: fhanik, pero
   -1: 
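Review bot: The two added pero votes sit on unrelated items (the third-party cookie parser and the Coyote statistics fix for bug 43487), yet the log message is only "Add my vote"; naming both items in the log would let the STATUS history show what was approved without opening the diff.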






Re: [RESULT] Was Re: [VOTE] Back to ASF Basics (Was: Re: Review model take 2)

2007-09-26 Thread Peter Rossbach

Hi,

I vote +1 :-)

Peter



On 26.09.2007 at 16:22, Jim Jagielski wrote:




I'd like to call a vote on acceptance of the above methodology,
as crafted and fine-tuned by Costin and myself. It is worthwhile
to note that, really, these are the typical ASF methods, but
with some grainy aspects better defined. In essence, some
typical niceties are now mandated (changes, even in CTR, which
affect the API, must be brought up first to gauge community
approval).

   [ ] +1. Yes, the above works and addresses my concerns
   as well as the problems which started this whole
   thing.
   [ ]  0. Whatever.
   [ ] -1. The above does not work for the following reasons:

The vote will run for 96 hours instead of the normal 72 because of
the weekend. Only binding votes will be counted, but non-binding
votes will be used to address wider concern/acceptance of
the proposal.



Looks like the 96 hours are up, and the tally is:

  +1: jim, yoav, tim, remy, costin, filip, mark, mladen,
  jean-frederic, rainer

  Not Sure: Peter followed up: I agree with Remy: We must find a
    process that really work normally  quick and can handle
    conflicts fair. Henri +1'ed Peter's post. So I am
    not sure if Peter actually cast a vote or simply made
    a comment and I'm not sure if Henri +1'ed the proposal
    or Peter's comment or both.
   -1: null set

As such, the vote passes!!

We can now give ourselves a pat on the back for resolving this
and start implementing the changes we approved...
