[Bug 56472] All classes remain in memory after stop of web application, when LDAP was used.
https://issues.apache.org/bugzilla/show_bug.cgi?id=56472 --- Comment #10 from Stefan Frings stefan_fri...@qvc.com --- Created attachment 31671 -- https://issues.apache.org/bugzilla/attachment.cgi?id=31671action=edit Screenshot of jvisualvm showing that webappclassloader has no gc root I tested again with version 7.0.54, the problem still occurs. The classloader of the stopped web application still remains in memory, but it has no gc root. The problem occurs only when the after the application did an LDAP communication. It does not happen, when I comment out the related lines of code or when I configure Spring Security to use dummy user accounts (in xml file) instead of LDAP authentication. Any ideas why the class loader remains in memory? -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 56555] Multiple connection headers for status 400 when keep-alive is specified
https://issues.apache.org/bugzilla/show_bug.cgi?id=56555 --- Comment #5 from Mark Thomas ma...@apache.org --- Having re-read RFC2616 the use of a 400 response code in this case looks wrong. 400 is meant to be used to indicate a syntax error in the request which is why Tomcat closes the connection. Tomcat can not be sure that it has correctly identified the end of the faulty request and continuing to process the connection could lead to security problems. The correct response code for invalid credentials should be 401. I do not recall anyone raising this as an issue previously. Tomcat has no way of telling which component set the 400 response status and therefore no way of distinguishing between a correct use of a 400 where there has been a syntax error and the connection needs to be closed and any other use of a 400 where it is safe to leave the connection open. The presense (or not) of the connection header may provide a hint but it is not reliable indicator. You are not going to like it but the only safe option for Tomcat with a 400 response is to close the connection (and yes we need to up the connection header handling when this happens). -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1597982 - in /tomcat/trunk: java/org/apache/coyote/ajp/AbstractAjpProcessor.java webapps/docs/changelog.xml
Author: markt Date: Wed May 28 11:45:26 2014 New Revision: 1597982 URL: http://svn.apache.org/r1597982 Log: Fix copy/paste error and return a 500 rather 400 response Modified: tomcat/trunk/java/org/apache/coyote/ajp/AbstractAjpProcessor.java tomcat/trunk/webapps/docs/changelog.xml Modified: tomcat/trunk/java/org/apache/coyote/ajp/AbstractAjpProcessor.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/ajp/AbstractAjpProcessor.java?rev=1597982r1=1597981r2=1597982view=diff == --- tomcat/trunk/java/org/apache/coyote/ajp/AbstractAjpProcessor.java (original) +++ tomcat/trunk/java/org/apache/coyote/ajp/AbstractAjpProcessor.java Wed May 28 11:45:26 2014 @@ -772,8 +772,8 @@ public abstract class AbstractAjpProcess } catch (Throwable t) { ExceptionUtils.handleThrowable(t); getLog().debug(sm.getString(ajpprocessor.request.prepare), t); -// 400 - Internal Server Error -response.setStatus(400); +// 500 - Internal Server Error +response.setStatus(500); getAdapter().log(request, response, 0); error = true; } Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1597982r1=1597981r2=1597982view=diff == --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Wed May 28 11:45:26 2014 @@ -153,6 +153,10 @@ makes it easier to use Jasper independently from Tomcat. Patch provided by Greg Wilkins. (markt) /add + fix +Correct a copy/paste error and return a 500 response rather than a 400 +response when an internal server error occurs. (mark) + /fix /changelog /subsection subsection name=WebSocket - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1597987 - in /tomcat/trunk: java/org/apache/coyote/http11/AbstractHttp11Processor.java test/org/apache/coyote/http11/TestAbstractHttp11Processor.java webapps/docs/changelog.xml
Author: markt Date: Wed May 28 12:15:51 2014 New Revision: 1597987 URL: http://svn.apache.org/r1597987 Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=56555 When Tomcat closes the connection based on the HTTP status code of the response, ensure that only one connection header is sent to the client. Modified: tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Processor.java tomcat/trunk/test/org/apache/coyote/http11/TestAbstractHttp11Processor.java tomcat/trunk/webapps/docs/changelog.xml Modified: tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Processor.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Processor.java?rev=1597987r1=1597986r2=1597987view=diff == --- tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Processor.java (original) +++ tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Processor.java Wed May 28 12:15:51 2014 @@ -1485,11 +1485,8 @@ public abstract class AbstractHttp11Proc // Connection: close header. keepAlive = keepAlive !statusDropsConnection(statusCode); if (!keepAlive) { -// Avoid adding the close header twice -if (!connectionClosePresent) { -headers.addValue(Constants.CONNECTION).setString( -Constants.CLOSE); -} +headers.setValue(Constants.CONNECTION).setString( +Constants.CLOSE); } else if (!http11 !error) { headers.addValue(Constants.CONNECTION).setString(Constants.KEEPALIVE); } Modified: tomcat/trunk/test/org/apache/coyote/http11/TestAbstractHttp11Processor.java URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/coyote/http11/TestAbstractHttp11Processor.java?rev=1597987r1=1597986r2=1597987view=diff == --- tomcat/trunk/test/org/apache/coyote/http11/TestAbstractHttp11Processor.java (original) +++ tomcat/trunk/test/org/apache/coyote/http11/TestAbstractHttp11Processor.java Wed May 28 12:15:51 2014 @@ -25,6 +25,7 @@ import java.net.Socket; import java.nio.CharBuffer; import java.util.HashMap; import java.util.List; +import java.util.Locale; import java.util.Map; import java.util.concurrent.CountDownLatch; @@ -53,6 +54,45 @@ import org.apache.tomcat.util.buf.ByteCh public class TestAbstractHttp11Processor extends TomcatBaseTest { @Test +public void testStatusForcesClose() throws Exception { +Tomcat tomcat = getTomcatInstance(); + +// Must have a real docBase - just use temp +Context ctxt = tomcat.addContext(, System.getProperty(java.io.tmpdir)); + +// Add protected servlet +Tomcat.addServlet(ctxt, StatusForcesCloseServlet, new StatusForcesCloseServlet()); +ctxt.addServletMapping(/*, StatusForcesCloseServlet); + +tomcat.start(); + +ByteChunk bc = new ByteChunk(); +MapString,ListString responseHeaders = new HashMap(); +getUrl(http://localhost:; + getPort() + /anything, bc, responseHeaders); + +// Assumes header name uses standard case +ListString values = responseHeaders.get(Connection); +Assert.assertEquals(1, values.size()); +Assert.assertEquals(close, values.get(0).toLowerCase(Locale.ENGLISH)); +} + +private static class StatusForcesCloseServlet extends HttpServlet { + +private static final long serialVersionUID = 1L; + +@Override +protected void doGet(HttpServletRequest req, HttpServletResponse resp) +throws ServletException, IOException { + +// Set the Connection header +resp.setHeader(Connection, keep-alive); + +// Set a status code that should force the connection to close +resp.setStatus(HttpServletResponse.SC_BAD_REQUEST); +} +} + +@Test public void testWithTEVoid() throws Exception { Tomcat tomcat = getTomcatInstance(); Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1597987r1=1597986r2=1597987view=diff == --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Wed May 28 12:15:51 2014 @@ -130,6 +130,11 @@ Ensure that a request without a body is correctly handled during Comet processing. This fixes the Comet chat example. (markt) /fix + fix +bug56555/bug: When Tomcat closes the connection based on the HTTP +status code of the response, ensure that only one connection header is +sent to the client. (markt) + /fix /changelog /subsection subsection name=Jasper
svn commit: r1597988 - in /tomcat/site/trunk: docs/security-8.html xdocs/security-8.xml
Author: kkolinko Date: Wed May 28 12:22:59 2014 New Revision: 1597988 URL: http://svn.apache.org/r1597988 Log: r1589985 (a followup to r1589980) is also part of the fix for CVE-2014-0119 Modified: tomcat/site/trunk/docs/security-8.html tomcat/site/trunk/xdocs/security-8.xml Modified: tomcat/site/trunk/docs/security-8.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-8.html?rev=1597988r1=1597987r2=1597988view=diff == --- tomcat/site/trunk/docs/security-8.html (original) +++ tomcat/site/trunk/docs/security-8.html Wed May 28 12:22:59 2014 @@ -297,7 +297,8 @@ pThis was fixed in revisions a href=http://svn.apache.org/viewvc?view=revamp;rev=1588193;1588193/a, a href=http://svn.apache.org/viewvc?view=revamp;rev=1589837;1589837/a, - a href=http://svn.apache.org/viewvc?view=revamp;rev=1589980;1589980/a and + a href=http://svn.apache.org/viewvc?view=revamp;rev=1589980;1589980/a, + a href=http://svn.apache.org/viewvc?view=revamp;rev=1589985;1589985/a and a href=http://svn.apache.org/viewvc?view=revamp;rev=1589990;1589990/a./p Modified: tomcat/site/trunk/xdocs/security-8.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-8.xml?rev=1597988r1=1597987r2=1597988view=diff == --- tomcat/site/trunk/xdocs/security-8.xml (original) +++ tomcat/site/trunk/xdocs/security-8.xml Wed May 28 12:22:59 2014 @@ -71,7 +71,8 @@ pThis was fixed in revisions revlink rev=15881931588193/revlink, revlink rev=15898371589837/revlink, - revlink rev=15899801589980/revlink and + revlink rev=15899801589980/revlink, + revlink rev=15899851589985/revlink and revlink rev=15899901589990/revlink./p pThis issue was identified by the Tomcat security team on 12 April 2014 - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1598005 - in /tomcat/site/trunk: docs/security-8.html xdocs/security-8.xml
Author: kkolinko Date: Wed May 28 13:03:24 2014 New Revision: 1598005 URL: http://svn.apache.org/r1598005 Log: r1589983 (followup to r1589980 correcting a copy-paste typo) r1589992 (followup to r1589990 committing a missed change) are also part of the fix for CVE-2014-0119 Modified: tomcat/site/trunk/docs/security-8.html tomcat/site/trunk/xdocs/security-8.xml Modified: tomcat/site/trunk/docs/security-8.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-8.html?rev=1598005r1=1598004r2=1598005view=diff == --- tomcat/site/trunk/docs/security-8.html (original) +++ tomcat/site/trunk/docs/security-8.html Wed May 28 13:03:24 2014 @@ -298,8 +298,10 @@ pThis was fixed in revisions a href=http://svn.apache.org/viewvc?view=revamp;rev=1588193;1588193/a, a href=http://svn.apache.org/viewvc?view=revamp;rev=1589837;1589837/a, a href=http://svn.apache.org/viewvc?view=revamp;rev=1589980;1589980/a, - a href=http://svn.apache.org/viewvc?view=revamp;rev=1589985;1589985/a and - a href=http://svn.apache.org/viewvc?view=revamp;rev=1589990;1589990/a./p + a href=http://svn.apache.org/viewvc?view=revamp;rev=1589983;1589983/a, + a href=http://svn.apache.org/viewvc?view=revamp;rev=1589985;1589985/a, + a href=http://svn.apache.org/viewvc?view=revamp;rev=1589990;1589990/a and + a href=http://svn.apache.org/viewvc?view=revamp;rev=1589992;1589992/a./p pThis issue was identified by the Tomcat security team on 12 April 2014 Modified: tomcat/site/trunk/xdocs/security-8.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-8.xml?rev=1598005r1=1598004r2=1598005view=diff == --- tomcat/site/trunk/xdocs/security-8.xml (original) +++ tomcat/site/trunk/xdocs/security-8.xml Wed May 28 13:03:24 2014 @@ -72,8 +72,10 @@ pThis was fixed in revisions revlink rev=15881931588193/revlink, revlink rev=15898371589837/revlink, revlink rev=15899801589980/revlink, - revlink rev=15899851589985/revlink and - revlink rev=15899901589990/revlink./p + revlink rev=15899831589983/revlink, + revlink rev=15899851589985/revlink, + revlink rev=15899901589990/revlink and + revlink rev=15899921589992/revlink./p pThis issue was identified by the Tomcat security team on 12 April 2014 and made public on 27 May 2014./p - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 56555] Multiple connection headers for status 400 when keep-alive is specified
https://issues.apache.org/bugzilla/show_bug.cgi?id=56555 Mark Thomas ma...@apache.org changed: What|Removed |Added Status|NEW |RESOLVED Resolution|--- |FIXED --- Comment #6 from Mark Thomas ma...@apache.org --- The multiple connection headers aspect of this has been fixed in 8.0.x for 8.0.9 onwards and in 7.0.x for 7.0.55 onwards. I'm marking this as RESOLVED on that basis. I recognise that this doesn't address the connection being closed part of the problem. I don't see an easy solution to that. Suggestions welcome and the dev list is probably the place to start that discussion. Alternatively, you can open a BZ enahncement request for a solution to the connection being closed in this case but, without a concrete proposal, the enhancement request is likely to make little/no progress. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1598007 - in /tomcat/tc7.0.x/trunk: ./ java/org/apache/coyote/http11/AbstractHttp11Processor.java test/org/apache/coyote/http11/TestAbstractHttp11Processor.java webapps/docs/changelog.xml
Author: markt Date: Wed May 28 13:17:04 2014 New Revision: 1598007 URL: http://svn.apache.org/r1598007 Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=56555 When Tomcat closes the connection based on the HTTP status code of the response, ensure that only one connection header is sent to the client. Modified: tomcat/tc7.0.x/trunk/ (props changed) tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/AbstractHttp11Processor.java tomcat/tc7.0.x/trunk/test/org/apache/coyote/http11/TestAbstractHttp11Processor.java tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Propchange: tomcat/tc7.0.x/trunk/ -- Merged /tomcat/trunk:r1597987 Modified: tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/AbstractHttp11Processor.java URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/AbstractHttp11Processor.java?rev=1598007r1=1598006r2=1598007view=diff == --- tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/AbstractHttp11Processor.java (original) +++ tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/AbstractHttp11Processor.java Wed May 28 13:17:04 2014 @@ -1514,11 +1514,8 @@ public abstract class AbstractHttp11Proc // Connection: close header. keepAlive = keepAlive !statusDropsConnection(statusCode); if (!keepAlive) { -// Avoid adding the close header twice -if (!connectionClosePresent) { -headers.addValue(Constants.CONNECTION).setString( -Constants.CLOSE); -} +headers.setValue(Constants.CONNECTION).setString( +Constants.CLOSE); } else if (!http11 !error) { headers.addValue(Constants.CONNECTION).setString(Constants.KEEPALIVE); } Modified: tomcat/tc7.0.x/trunk/test/org/apache/coyote/http11/TestAbstractHttp11Processor.java URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/test/org/apache/coyote/http11/TestAbstractHttp11Processor.java?rev=1598007r1=1598006r2=1598007view=diff == --- tomcat/tc7.0.x/trunk/test/org/apache/coyote/http11/TestAbstractHttp11Processor.java (original) +++ tomcat/tc7.0.x/trunk/test/org/apache/coyote/http11/TestAbstractHttp11Processor.java Wed May 28 13:17:04 2014 @@ -25,6 +25,7 @@ import java.net.Socket; import java.nio.CharBuffer; import java.util.HashMap; import java.util.List; +import java.util.Locale; import java.util.Map; import java.util.concurrent.CountDownLatch; @@ -53,6 +54,45 @@ import org.apache.tomcat.util.buf.ByteCh public class TestAbstractHttp11Processor extends TomcatBaseTest { @Test +public void testStatusForcesClose() throws Exception { +Tomcat tomcat = getTomcatInstance(); + +// Must have a real docBase - just use temp +Context ctxt = tomcat.addContext(, System.getProperty(java.io.tmpdir)); + +// Add protected servlet +Tomcat.addServlet(ctxt, StatusForcesCloseServlet, new StatusForcesCloseServlet()); +ctxt.addServletMapping(/*, StatusForcesCloseServlet); + +tomcat.start(); + +ByteChunk bc = new ByteChunk(); +MapString,ListString responseHeaders = new HashMapString,ListString(); +getUrl(http://localhost:; + getPort() + /anything, bc, responseHeaders); + +// Assumes header name uses standard case +ListString values = responseHeaders.get(Connection); +Assert.assertEquals(1, values.size()); +Assert.assertEquals(close, values.get(0).toLowerCase(Locale.ENGLISH)); +} + +private static class StatusForcesCloseServlet extends HttpServlet { + +private static final long serialVersionUID = 1L; + +@Override +protected void doGet(HttpServletRequest req, HttpServletResponse resp) +throws ServletException, IOException { + +// Set the Connection header +resp.setHeader(Connection, keep-alive); + +// Set a status code that should force the connection to close +resp.setStatus(HttpServletResponse.SC_BAD_REQUEST); +} +} + +@Test public void testWithTEVoid() throws Exception { Tomcat tomcat = getTomcatInstance(); Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1598007r1=1598006r2=1598007view=diff == --- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Wed May 28 13:17:04 2014 @@ -88,6 +88,11 @@ buffer when the buffer is only partially written on a subsequent write. (markt) /fix + fix +bug56555/bug: When
[Bug 56529] NoSuchElementException for attribute with empty string in custom tag
https://issues.apache.org/bugzilla/show_bug.cgi?id=56529 rsanthakumar rsanthaku...@gmail.com changed: What|Removed |Added Status|RESOLVED|REOPENED Component|Jasper |Jasper Resolution|FIXED |--- Product|Tomcat 8|Tomcat 7 Target Milestone||--- --- Comment #5 from rsanthakumar rsanthaku...@gmail.com --- Hi, I had the similar issues with the custom tag, even in the fixed code. It looks like the issue is fixed only in the method “checkXmlAttributes”, but there is similar kind of the implementation even in the “getJspAttribute” method of validator class. I am not sure whether it is an intended implementation, but it is throwing the following exception during the JSP compilation. The application started working once we fix the code in “getJspAttribute” method Exception: java.util.NoSuchElementException at java.util.ArrayList$Itr.next(ArrayList.java:834) at org.apache.jasper.compiler.Validator$ValidateVisitor.getJspAttribute(Validator.java:1385) at org.apache.jasper.compiler.Validator$ValidateVisitor.checkXmlAttributes(Validator.java:1262) at org.apache.jasper.compiler.Validator$ValidateVisitor.visit(Validator.java:876) at org.apache.jasper.compiler.Node$CustomTag.accept(Node.java:1538) Code snippets from “getJSPAttribute” 1380 if (el.containsEL()) { 1381 validateFunctions(el, n); 1382 } else { 1383 // Get text with \$ and \# escaping removed. 1384 // Should be a single Text node 1385 value = ((ELNode.Text) el.iterator().next()) 1386 .getText(); 1387 el = null; 1388 } 1389 } Request you to please look into this. Thanks Santhakumar -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1598008 - /tomcat/tc6.0.x/trunk/STATUS.txt
Author: markt Date: Wed May 28 13:20:58 2014 New Revision: 1598008 URL: http://svn.apache.org/r1598008 Log: Proposal Modified: tomcat/tc6.0.x/trunk/STATUS.txt Modified: tomcat/tc6.0.x/trunk/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1598008r1=1598007r2=1598008view=diff == --- tomcat/tc6.0.x/trunk/STATUS.txt (original) +++ tomcat/tc6.0.x/trunk/STATUS.txt Wed May 28 13:20:58 2014 @@ -28,6 +28,15 @@ None PATCHES PROPOSED TO BACKPORT: [ New proposals should be added at the end of the list ] +* https://issues.apache.org/bugzilla/show_bug.cgi?id=56560 + Fix NoClassDefFoundError when using Ant + Fix the Jasper Ant task + Patch provided by M Gemmell + https://issues.apache.org/bugzilla/attachment.cgi?id=31659action=diff + +1: markt + -1: + + PATCHES/ISSUES THAT ARE STALLED: None - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 56560] Jasper ant task fails with java.lang.NoClassDefFoundError: org.apache.tomcat.util.descriptor.LocalResolver
https://issues.apache.org/bugzilla/show_bug.cgi?id=56560 Mark Thomas ma...@apache.org changed: What|Removed |Added OS||All --- Comment #2 from Mark Thomas ma...@apache.org --- Patch proposed for 6.0.x. Regarding why list the JARs I suspect it is something to do with no having unnecessary dependencies but I'm not sure how much that really matters in this case. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
buildbot success in ASF Buildbot on tomcat-7-trunk
The Buildbot has detected a restored build on builder tomcat-7-trunk while building ASF Buildbot. Full details are available at: http://ci.apache.org/builders/tomcat-7-trunk/builds/88 Buildbot URL: http://ci.apache.org/ Buildslave for this Build: bb-vm_ubuntu Build Reason: scheduler Build Source Stamp: [branch tomcat/tc7.0.x/trunk] 1598007 Blamelist: markt Build succeeded! sincerely, -The Buildbot - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 56529] NoSuchElementException for attribute with empty string in custom tag
https://issues.apache.org/bugzilla/show_bug.cgi?id=56529 Violeta Georgieva violet...@apache.org changed: What|Removed |Added Status|REOPENED|RESOLVED Resolution|--- |FIXED --- Comment #6 from Violeta Georgieva violet...@apache.org --- (In reply to rsanthakumar from comment #5) Hi, I had the similar issues with the custom tag, even in the fixed code. It looks like the issue is fixed only in the method “checkXmlAttributes”, but there is similar kind of the implementation even in the “getJspAttribute” method of validator class. This has been reported with bug 56561. The fix will be available in 6.0.42, 7.0.55 and 8.0.9 -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 56573] New: [Spec?] Session.getRequestURI() doesn't return the protocol, port etc.
https://issues.apache.org/bugzilla/show_bug.cgi?id=56573 Bug ID: 56573 Summary: [Spec?] Session.getRequestURI() doesn't return the protocol, port etc. Product: Tomcat 8 Version: trunk Hardware: PC OS: Mac OS X 10.4 Status: NEW Severity: normal Priority: P2 Component: WebSocket Assignee: dev@tomcat.apache.org Reporter: jfarc...@apache.org The spec is unclear about it, but Session.getRequestURI(); doesn't return the full path, e.g for an enpoint, it returns /atmosphere-chat instead of ws://host:port/atmosphere-chat The issue I'm facing is an application cannot rebuidl the full URL as the port is missing, and there are no way to find the port without the proper URI. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 56573] [Spec?] Session.getRequestURI() doesn't return the protocol, port etc.
https://issues.apache.org/bugzilla/show_bug.cgi?id=56573 Mark Thomas ma...@apache.org changed: What|Removed |Added Status|NEW |NEEDINFO --- Comment #1 from Mark Thomas ma...@apache.org --- One to raise with the EG for clarification. As an aside, why does an application need to rebuild the full URL? -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 56573] [Spec?] Session.getRequestURI() doesn't return the protocol, port etc.
https://issues.apache.org/bugzilla/show_bug.cgi?id=56573 --- Comment #2 from Jean-Francois Arcand jfarc...@apache.org --- For tracking purpose https://java.net/jira/browse/WEBSOCKET_SPEC-228 Atmosphere can dispatch a WebSocket Message into a normal HttpServletRequest so an application transparently use WebSocket under the hood. This is the use case. For example, RestEasy is broken because of the issue, but will workaround it. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1598153 - /tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Processor.java
Author: markt Date: Wed May 28 21:46:55 2014 New Revision: 1598153 URL: http://svn.apache.org/r1598153 Log: No need for the expectation check in an error state as the connection will be closed any way. Modified: tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Processor.java Modified: tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Processor.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Processor.java?rev=1598153r1=1598152r2=1598153view=diff == --- tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Processor.java (original) +++ tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Processor.java Wed May 28 21:46:55 2014 @@ -1073,18 +1073,16 @@ public abstract class AbstractHttp11Proc // input. This way uploading a 100GB file doesn't tie up the // thread if the servlet has rejected it. getInputBuffer().setSwallowInput(false); -} -if (response.getStatus() 200 || response.getStatus() 299) { -if (expectation) { -// Client sent Expect: 100-continue but received a -// non-2xx response. Disable keep-alive (if enabled) to -// ensure the connection is closed. Some clients may -// still send the body, some may send the next request. -// No way to differentiate, so close the connection to -// force the client to send the next request. -getInputBuffer().setSwallowInput(false); -keepAlive = false; -} +} else if (expectation +(response.getStatus() 200 || response.getStatus() 299)) { +// Client sent Expect: 100-continue but received a +// non-2xx response. Disable keep-alive (if enabled) to +// ensure the connection is closed. Some clients may +// still send the body, some may send the next request. +// No way to differentiate, so close the connection to +// force the client to send the next request. +getInputBuffer().setSwallowInput(false); +keepAlive = false; } endRequest(); } - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn propchange: r1588193 - svn:log
Author: kkolinko Revision: 1588193 Modified property: svn:log Modified: svn:log at Wed May 28 22:21:57 2014 -- --- svn:log (original) +++ svn:log Wed May 28 22:21:57 2014 @@ -1,2 +1,3 @@ Small optimisation. The resolver and the factory are only used when running under a security manager so only load them in this case. Also avoid a possible memory leak when creating these objects. +This is part 1 of 7 of the fix for CVE-2014-0119 - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn propchange: r1589837 - svn:log
Author: kkolinko Revision: 1589837 Modified property: svn:log Modified: svn:log at Wed May 28 22:25:44 2014 -- --- svn:log (original) +++ svn:log Wed May 28 22:25:44 2014 @@ -1,2 +1,2 @@ Add some defensive coding around some XML activities that are triggered by web applications and are therefore at potential risk of a memory leak. -This is part 1 of 3 of the fix for CVE-2014-0119 +This is part 2 of 7 of the fix for CVE-2014-0119 - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn propchange: r1589980 - svn:log
Author: kkolinko Revision: 1589980 Modified property: svn:log Modified: svn:log at Wed May 28 22:26:10 2014 -- --- svn:log (original) +++ svn:log Wed May 28 22:26:10 2014 @@ -1,2 +1,2 @@ More defensive coding around some XML activities that are triggered by web applications and are therefore at potential risk of a memory leak. -This is part 2 of 3 of the fix for CVE-2014-0119 +This is part 3 of 7 of the fix for CVE-2014-0119 - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn propchange: r1589985 - svn:log
Author: kkolinko Revision: 1589985 Modified property: svn:log Modified: svn:log at Wed May 28 22:27:39 2014 -- --- svn:log (original) +++ svn:log Wed May 28 22:27:39 2014 @@ -1 +1,2 @@ Parser uses lazy init so move creation of parser inside the block that uses the container class loader. +This is part 5 of 7 of the fix for CVE-2014-0119 - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn propchange: r1589983 - svn:log
Author: kkolinko Revision: 1589983 Modified property: svn:log Modified: svn:log at Wed May 28 22:27:00 2014 -- --- svn:log (original) +++ svn:log Wed May 28 22:27:00 2014 @@ -1 +1,2 @@ Fix indents and copy/paste errors +This is part 4 of 7 of the fix for CVE-2014-0119 - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn propchange: r1589990 - svn:log
Author: kkolinko Revision: 1589990 Modified property: svn:log Modified: svn:log at Wed May 28 22:28:09 2014 -- --- svn:log (original) +++ svn:log Wed May 28 22:28:09 2014 @@ -1,2 +1,2 @@ More defensive coding around some XML activities that are triggered by web applications and are therefore at potential risk of a memory leak. -This is part 3 of 3 of the fix for CVE-2014-0119 +This is part 6 of 7 of the fix for CVE-2014-0119 - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn propchange: r1589992 - svn:log
Author: kkolinko Revision: 1589992 Modified property: svn:log Modified: svn:log at Wed May 28 22:28:41 2014 -- --- svn:log (original) +++ svn:log Wed May 28 22:28:41 2014 @@ -1 +1,2 @@ Add new constant missed in previous commit +This is part 7 of 7 of the fix for CVE-2014-0119 - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1598167 - in /tomcat/site/trunk: docs/security-6.html docs/security-7.html xdocs/security-6.xml xdocs/security-7.xml
Author: kkolinko Date: Wed May 28 22:59:18 2014 New Revision: 1598167 URL: http://svn.apache.org/r1598167 Log: Add r1590036 and r1593815 to the list of fixes for CVE-2014-0119 Modified: tomcat/site/trunk/docs/security-6.html tomcat/site/trunk/docs/security-7.html tomcat/site/trunk/xdocs/security-6.xml tomcat/site/trunk/xdocs/security-7.xml Modified: tomcat/site/trunk/docs/security-6.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=1598167r1=1598166r2=1598167view=diff == --- tomcat/site/trunk/docs/security-6.html (original) +++ tomcat/site/trunk/docs/security-6.html Wed May 28 22:59:18 2014 @@ -403,7 +403,8 @@ Tomcat instance./p -pThis was fixed in revisions a href=http://svn.apache.org/viewvc?view=revamp;rev=1589640;1589640/a and +pThis was fixed in revisions a href=http://svn.apache.org/viewvc?view=revamp;rev=1589640;1589640/a, + a href=http://svn.apache.org/viewvc?view=revamp;rev=1593815;1593815/a and a href=http://svn.apache.org/viewvc?view=revamp;rev=1593821;1593821/a./p Modified: tomcat/site/trunk/docs/security-7.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1598167r1=1598166r2=1598167view=diff == --- tomcat/site/trunk/docs/security-7.html (original) +++ tomcat/site/trunk/docs/security-7.html Wed May 28 22:59:18 2014 @@ -341,8 +341,9 @@ pThis was fixed in revisions a href=http://svn.apache.org/viewvc?view=revamp;rev=1588199;1588199/a, + a href=http://svn.apache.org/viewvc?view=revamp;rev=1589997;1589997/a, a href=http://svn.apache.org/viewvc?view=revamp;rev=1590028;1590028/a and - a href=http://svn.apache.org/viewvc?view=revamp;rev=1589997;1589997/a./p + a href=http://svn.apache.org/viewvc?view=revamp;rev=1590036;1590036/a./p pThis issue was identified by the Tomcat security team on 12 April 2014 Modified: tomcat/site/trunk/xdocs/security-6.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=1598167r1=1598166r2=1598167view=diff == --- tomcat/site/trunk/xdocs/security-6.xml (original) +++ tomcat/site/trunk/xdocs/security-6.xml Wed May 28 22:59:18 2014 @@ -117,7 +117,8 @@ XML files processed for other web applications deployed on the same Tomcat instance./p -pThis was fixed in revisions revlink rev=15896401589640/revlink and +pThis was fixed in revisions revlink rev=15896401589640/revlink, + revlink rev=15938151593815/revlink and revlink rev=15938211593821/revlink./p pThis issue was identified by the Tomcat security team on 12 April 2014 Modified: tomcat/site/trunk/xdocs/security-7.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-7.xml?rev=1598167r1=1598166r2=1598167view=diff == --- tomcat/site/trunk/xdocs/security-7.xml (original) +++ tomcat/site/trunk/xdocs/security-7.xml Wed May 28 22:59:18 2014 @@ -64,8 +64,9 @@ Tomcat instance./p pThis was fixed in revisions revlink rev=15881991588199/revlink, + revlink rev=15899971589997/revlink, revlink rev=15900281590028/revlink and - revlink rev=15899971589997/revlink./p + revlink rev=15900361590036/revlink./p pThis issue was identified by the Tomcat security team on 12 April 2014 and made public on 27 May 2014./p - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn propchange: r1588199 - svn:log
Author: kkolinko Revision: 1588199 Modified property: svn:log Modified: svn:log at Wed May 28 23:01:17 2014 -- --- svn:log (original) +++ svn:log Wed May 28 23:01:17 2014 @@ -1,2 +1,3 @@ Small optimisation. The resolver and the factory are only used when running under a security manager so only load them in this case. Also avoid a possible memory leak when creating these objects. +This is part 1 of 4 of the fix for CVE-2014-0119 - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn propchange: r1589997 - svn:log
Author: kkolinko Revision: 1589997 Modified property: svn:log Modified: svn:log at Wed May 28 23:01:51 2014 -- --- svn:log (original) +++ svn:log Wed May 28 23:01:51 2014 @@ -1,2 +1,2 @@ More defensive coding around some XML activities that are triggered by web applications and are therefore at potential risk of a memory leak. -This is part 1 of 2 of the fix for CVE-2014-0119 +This is part 2 of 4 of the fix for CVE-2014-0119 - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn propchange: r1590028 - svn:log
Author: kkolinko Revision: 1590028 Modified property: svn:log Modified: svn:log at Wed May 28 23:06:35 2014 -- --- svn:log (original) +++ svn:log Wed May 28 23:06:35 2014 @@ -1,2 +1,2 @@ Defensive coding around some XML activities that are triggered by web applications and are therefore at potential risk of a memory leak. -This is part 2 of 2 of the fix for CVE-2014-0119 +This is part 3 of 4 of the fix for CVE-2014-0119 - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn propchange: r1590036 - svn:log
Author: kkolinko Revision: 1590036 Modified property: svn:log Modified: svn:log at Wed May 28 23:10:35 2014 -- --- svn:log (original) +++ svn:log Wed May 28 23:10:35 2014 @@ -1 +1,2 @@ Ensure TLD parser obtained from cache has correct value of blockExternal +This is part 4 of 4 of the fix for CVE-2014-0119 - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn propchange: r1589640 - svn:log
Author: kkolinko Revision: 1589640 Modified property: svn:log Modified: svn:log at Wed May 28 23:14:11 2014 -- --- svn:log (original) +++ svn:log Wed May 28 23:14:11 2014 @@ -1 +1,2 @@ Avoid memory leak and add small optimisation to default Servlet +This is part 1 of 3 of the fix for CVE-2014-0119 - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn propchange: r1593815 - svn:log
Author: kkolinko Revision: 1593815 Modified property: svn:log Modified: svn:log at Wed May 28 23:15:02 2014 -- --- svn:log (original) +++ svn:log Wed May 28 23:15:02 2014 @@ -1,2 +1,3 @@ Ensure TLD parser obtained from cache has correct value of blockExternal (r1590036 + r1590040 + r1590065) +This is part 2 of 3 of the fix for CVE-2014-0119 - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn propchange: r1593821 - svn:log
Author: kkolinko Revision: 1593821 Modified property: svn:log Modified: svn:log at Wed May 28 23:15:37 2014 -- --- svn:log (original) +++ svn:log Wed May 28 23:15:37 2014 @@ -1,4 +1,4 @@ Defensive coding around some XML activities that are triggered by web applications and are therefore at potential risk of a memory leak. Patch by markt. -This is the fix for CVE-2014-0119 +This is part 3 of 3 of the fix for CVE-2014-0119 - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
buildbot success in ASF Buildbot on tomcat-trunk
The Buildbot has detected a restored build on builder tomcat-trunk while building ASF Buildbot. Full details are available at: http://ci.apache.org/builders/tomcat-trunk/builds/119 Buildbot URL: http://ci.apache.org/ Buildslave for this Build: bb-vm_ubuntu Build Reason: scheduler Build Source Stamp: [branch tomcat/trunk] 1598153 Blamelist: markt Build succeeded! sincerely, -The Buildbot - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Building Tomcat 7 with JDK 7
From what I have read building Tomcat 7 has to be done with JDK 6 and the option by the devs was to fix JDK 7 building in Tomcat 8 and tell people to compile Tomcat 7 with JDK 6, running it with Java 7. Is this true? Are there plans to fix TC 7 to compile with JDK7? Should there be? Is this something of worthwhile pursuit? I have not contributed much to this project over the years, so please forgive my ignorance in advance. -- With Regards, Andrew Carr e. andrewlanec...@gmail.com w. andrew.c...@openlogic.com h. 4235255668 c. 4239489852 a. 101 Francis Drive, Greeneville, TN, 37743