Re: Punishing bad clients with delays

2019-05-14 Thread Christopher Schultz
Mark,

On 5/14/19 15:47, Mark Thomas wrote:
> On 14/05/2019 20:38, Igal @ Lucee.org wrote:
>> On 5/14/2019 12:15 PM, Christopher Schultz wrote:
>
>>>> Then, Tomcat observes that the servlet or filter wants to put
>>>> the response into the penalty box and, instead of flushing
>>>> the response and (possibly) closing the connection, it just
>>>> sits-around for a while, keeping the connection open.
>> 
>> Wouldn't that punish Tomcat by keeping the connection open?  Open
>> the door for DDoS attacks?
> 
> I don't think so.
> 
> An open connection alone isn't going to be enough to trigger a DoS
> (on a reasonably configured server).
> 
> It won't make an existing DoS any worse. You'd still need DoS
> protection.
> 
> If you do it right, the client will just think the server is being
> slow.
> 
>> I would think that a better way to do it is to flush and close
>> the request immediately, and then block the IP address for X
>> seconds.
> 
> I'd suggest putting the request into async mode with a predefined 
> timeout and a listener to handle the timeout.
> 
> That way, no extra Tomcat plumbing is required - and your solution
> is portable across Servlet containers.

That is interesting, but I'd want to trigger it on authentication
failure. If using Tomcat's authentication, I don't think the
application has an opportunity to intercept, does it?

I guess a Filter could work, but the Filter needs to know that the
authentication failed. Can a Filter switch a connection from "normal"
mode to async mode?

-chris

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: Punishing bad clients with delays

2019-05-14 Thread Christopher Schultz
Igal,

On 5/14/19 15:38, Igal @ Lucee.org wrote:
> Chris,
> 
> On 5/14/2019 12:15 PM, Christopher Schultz wrote:
>> All,
>> 
>> bump
>> 
>> It's hard to see anything with all the commit messages :)
>> 
>> On 5/9/19 12:52, Christopher Schultz wrote:
>>> All,
>>> 
>>> What are the options we might have to "punish" an HTTP client
>>> that we don't like for some reason?
>>> 
>>> Specifically, I'd like to be able to write a servlet that
>>> ties-up the response to the client for a while for some bad
>>> behavior. For example, maybe lots of authentication attempts or
>>> some other criteria. Maybe even just a single bad
>>> authentication attempt.
> 
> How do you identify the bad actor on subsequent requests?  By its
> IP address?

I'm not sure I'd bother. Making a client wait 10 seconds for each bad
password attempt might be good enough. Sure, they can use NIO and
launch a million threads on their end but I can use mod_qos on my end.

>>> I'm thinking of something along these lines:
>>> 
>>> public void doGet(...) {
>>>   ...
>>>   if(shouldPunishClient(...)) {
>>>     request.setAttribute("delay-client", Boolean.TRUE);
>>>     return;
>>>   }
>>>   ...
>>> }
>>> 
>>> Or maybe even specify a time-out.
>>> 
>>> Then, Tomcat observes that the servlet or filter wants to put
>>> the response into the penalty box and, instead of flushing the 
>>> response and (possibly) closing the connection, it just
>>> sits-around for a while, keeping the connection open.
> 
> Wouldn't that punish Tomcat by keeping the connection open?  Open
> the door for DDoS attacks?

No, this is the point. Tie-up the connection, but not the thread.

> I would think that a better way to do it is to flush and close the 
> request immediately, and then block the IP address for X seconds.

That can be done through other means (e.g. fail2ban).

>>> The poller usually waits for data to become available on either
>>> end of the connection and pushes the bytes. How complicated
>>> would it be to put connections into a queue where they wait
>>> some amount of time before being flushed/closed/returned to the
>>> connection pool? In this case, the only stimulus for taking
>>> action is the passage of time, not arrival of data on a
>>> stream.
>>> 
>>> Any thoughts about how this could be done?
> 
> You mean as part of the NIO implementation?

Yes, something like that. Instead of closing and returning the
connection to the pool, put it in another "timeout" pool for a bit and
then close/return it after some timeout.

-chris




[ANN] Apache Tomcat 8.5.41 available

2019-05-14 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 8.5.41.

Apache Tomcat 8 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language, Java
WebSocket and Java Authentication Service Provider Interface for
Containers technologies.

Apache Tomcat 8.5.x replaces 8.0.x and includes new features pulled
forward from the 9.0.x branch. The notable changes since 8.5.40 include:

- Stack traces written by the OneLineFormatter are fully indented. The
  entire stack trace is now indented by an additional TAB character.

- Avoid OutOfMemoryErrors and ArrayIndexOutOfBoundsExceptions when
  accessing large files via the default servlet when resource caching
  has been disabled.

- When running on newer JREs that don't support SSLv2Hello, don't
  warn that it is not available unless explicitly configured.


Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-8.5-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-80.cgi

Migration guides from Apache Tomcat 7.x and 8.0.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team





[ANN] Apache Tomcat 9.0.20 available

2019-05-14 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 9.0.20.

Apache Tomcat 9 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language, Java
WebSocket and JASPIC technologies.

Apache Tomcat 9.0.20 is a bugfix and feature release. The notable
changes compared to 9.0.19 include:

- The useAsyncIO boolean attribute on the Connector element value now
  defaults to true.

- Stack traces written by the OneLineFormatter are fully indented. The
  entire stack trace is now indented by an additional TAB character.

- Various HTTP/2 improvements and stability fixes.


Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-9.0-doc/changelog.html


Downloads:
http://tomcat.apache.org/download-90.cgi

Migration guides from Apache Tomcat 7.x and 8.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team




svn commit: r1859248 - in /tomcat/site/trunk: ./ docs/ xdocs/

2019-05-14 Thread markt
Author: markt
Date: Tue May 14 20:09:40 2019
New Revision: 1859248

URL: http://svn.apache.org/viewvc?rev=1859248&view=rev
Log:
Update site for 8.5.41 release

Modified:
tomcat/site/trunk/build.properties.default
tomcat/site/trunk/docs/doap_Tomcat.rdf
tomcat/site/trunk/docs/download-80.html
tomcat/site/trunk/docs/index.html
tomcat/site/trunk/docs/migration-85.html
tomcat/site/trunk/docs/oldnews.html
tomcat/site/trunk/docs/whichversion.html
tomcat/site/trunk/xdocs/doap_Tomcat.rdf
tomcat/site/trunk/xdocs/download-80.xml
tomcat/site/trunk/xdocs/index.xml
tomcat/site/trunk/xdocs/migration-85.xml
tomcat/site/trunk/xdocs/oldnews.xml
tomcat/site/trunk/xdocs/whichversion.xml

Modified: tomcat/site/trunk/build.properties.default
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/build.properties.default?rev=1859248&r1=1859247&r2=1859248&view=diff
==
--- tomcat/site/trunk/build.properties.default (original)
+++ tomcat/site/trunk/build.properties.default Tue May 14 20:09:40 2019
@@ -37,7 +37,7 @@ tomcat.loc=http://www.apache.org/dist/to
 
 # - Tomcat versions -
 tomcat70=7.0.94
-tomcat85=8.5.40
+tomcat85=8.5.41
 tomcat90=9.0.20
 
 # - Download destination -

Modified: tomcat/site/trunk/docs/doap_Tomcat.rdf
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/doap_Tomcat.rdf?rev=1859248&r1=1859247&r2=1859248&view=diff
==
--- tomcat/site/trunk/docs/doap_Tomcat.rdf (original)
+++ tomcat/site/trunk/docs/doap_Tomcat.rdf Tue May 14 20:09:40 2019
@@ -67,8 +67,8 @@
 
   
 Latest Stable 8.5.x Release
-2019-04-12
-8.5.40
+2019-05-13
+8.5.41
   
 
 

Modified: tomcat/site/trunk/docs/download-80.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/download-80.html?rev=1859248&r1=1859247&r2=1859248&view=diff
==
--- tomcat/site/trunk/docs/download-80.html (original)
+++ tomcat/site/trunk/docs/download-80.html Tue May 14 20:09:40 2019
@@ -226,7 +226,7 @@
 Quick Navigation
 
 
-[define v]8.5.40[end]
+[define v]8.5.41[end]
 https://www.apache.org/dist/tomcat/tomcat-8/KEYS;>KEYS |
 [v] |
 Browse |

Modified: tomcat/site/trunk/docs/index.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/index.html?rev=1859248&r1=1859247&r2=1859248&view=diff
==
--- tomcat/site/trunk/docs/index.html (original)
+++ tomcat/site/trunk/docs/index.html Tue May 14 20:09:40 2019
@@ -277,33 +277,35 @@ changelog.
 
 
 
-
-2019-04-12 Tomcat 8.5.40 Released
+
+2019-05-13 Tomcat 8.5.41 Released
 
 
 
-The Apache Tomcat Project is proud to announce the release of version 8.5.40
+The Apache Tomcat Project is proud to announce the release of version 8.5.41
 of Apache Tomcat. Apache Tomcat 8.5.x replaces 8.0.x and includes new features
 pulled forward from Tomcat 9.0.x. The minimum Java version and implemented
 specification versions remain unchanged. The notable changes compared
-to 8.5.39 include:
+to 8.5.40 include:
 
 
 
-Fix for CVE-2019-0232, an RCE vulnerability on Windows
+Stack traces written by the OneLineFormatter are fully indented. The
+entire stack trace is now indented by an additional TAB character.
 
-Add support for Java 11 to the JSP compiler. Java 12 and 13 are also
-now supported if used with a ECJ version with support for those  Java
-versions
+Avoid OutOfMemoryErrors and ArrayIndexOutOfBoundsExceptions when
+accessing large files via the default servlet when resource caching
+has been disabled.
 
-Various NIO2 stability improvements
+When running on newer JREs that don't support SSLv2Hello, don't
+warn that it is not available unless explicitly configured.
 
 
 
 
 
 Full details of these changes, and all the other changes, are available in the
-Tomcat 8.5
+Tomcat 8.5
 changelog.
 
 
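Review bot: the 8.5.40 item removed from the front page here is the one carrying "Fix for CVE-2019-0232, an RCE vulnerability on Windows", and nothing in this hunk shows where that notice goes. The oldnews.html part of this notification is cut off before its first hunk, so please confirm the 8.5.40 entry, CVE line included, is added to old news in this same revision; users still on 8.5.39 or earlier need to be able to find it from the site.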

Modified: tomcat/site/trunk/docs/migration-85.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/migration-85.html?rev=1859248&r1=1859247&r2=1859248&view=diff
==
--- tomcat/site/trunk/docs/migration-85.html (original)
+++ tomcat/site/trunk/docs/migration-85.html Tue May 14 20:09:40 2019
@@ -724,8 +724,9 @@ of Apache Tomcat.
 8.5.35
 8.5.37
 8.5.38
-8.5.39
-8.5.40
+8.5.39
+8.5.40
+8.5.41
 , new version:
 
 8.5.0
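Review bot: 8.5.39 and 8.5.40 are removed and re-added with identical visible text in this selector, while the second selector only re-adds 8.5.40, so the real change on those lines is in markup this plain-text notification does not show (most likely which entry is preselected). Worth checking the rendered page to confirm both selectors default to the versions intended now that 8.5.41 is listed.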
@@ -758,7 +759,8 @@ of Apache Tomcat.
 8.5.37
 8.5.38
 8.5.39
-8.5.40
+8.5.40
+8.5.41
 trunk (unreleased)
 
 

Modified: tomcat/site/trunk/docs/oldnews.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/oldnews.html?rev=1859248&r1=1859247&r2=1859248&view=diff
==
--- 

svn commit: r1859247 - in /tomcat/site/trunk/docs/tomcat-8.5-doc: ./ api/ api/org/apache/catalina/ api/org/apache/catalina/ant/ api/org/apache/catalina/ant/jmx/ api/org/apache/catalina/authenticator/

2019-05-14 Thread markt
Author: markt
Date: Tue May 14 20:03:42 2019
New Revision: 1859247

URL: http://svn.apache.org/viewvc?rev=1859247&view=rev
Log:
Update docs for 8.5.41


[This commit notification would consist of 66 parts, 
which exceeds the limit of 50 ones, so it was shortened to the summary.]




svn commit: r1859246 - in /tomcat/site/trunk: ./ docs/ xdocs/

2019-05-14 Thread markt
Author: markt
Date: Tue May 14 19:52:38 2019
New Revision: 1859246

URL: http://svn.apache.org/viewvc?rev=1859246&view=rev
Log:
Update site for 9.0.20 release

Modified:
tomcat/site/trunk/build.properties.default
tomcat/site/trunk/docs/doap_Tomcat.rdf
tomcat/site/trunk/docs/download-90.html
tomcat/site/trunk/docs/index.html
tomcat/site/trunk/docs/migration-9.html
tomcat/site/trunk/docs/oldnews.html
tomcat/site/trunk/docs/whichversion.html
tomcat/site/trunk/xdocs/doap_Tomcat.rdf
tomcat/site/trunk/xdocs/download-90.xml
tomcat/site/trunk/xdocs/index.xml
tomcat/site/trunk/xdocs/migration-9.xml
tomcat/site/trunk/xdocs/oldnews.xml
tomcat/site/trunk/xdocs/whichversion.xml

Modified: tomcat/site/trunk/build.properties.default
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/build.properties.default?rev=1859246&r1=1859245&r2=1859246&view=diff
==
--- tomcat/site/trunk/build.properties.default (original)
+++ tomcat/site/trunk/build.properties.default Tue May 14 19:52:38 2019
@@ -38,7 +38,7 @@ tomcat.loc=http://www.apache.org/dist/to
 # - Tomcat versions -
 tomcat70=7.0.94
 tomcat85=8.5.40
-tomcat90=9.0.19
+tomcat90=9.0.20
 
 # - Download destination -
 tomcat-site-docs.home=${base.path}/tomcat-site-docs/

Modified: tomcat/site/trunk/docs/doap_Tomcat.rdf
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/doap_Tomcat.rdf?rev=1859246&r1=1859245&r2=1859246&view=diff
==
--- tomcat/site/trunk/docs/doap_Tomcat.rdf (original)
+++ tomcat/site/trunk/docs/doap_Tomcat.rdf Tue May 14 19:52:38 2019
@@ -60,8 +60,8 @@
 
   
 Latest Stable 9.0.x Release
-2019-04-13
-9.0.19
+2019-05-13
+9.0.20
   
 
 

Modified: tomcat/site/trunk/docs/download-90.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/download-90.html?rev=1859246&r1=1859245&r2=1859246&view=diff
==
--- tomcat/site/trunk/docs/download-90.html (original)
+++ tomcat/site/trunk/docs/download-90.html Tue May 14 19:52:38 2019
@@ -219,7 +219,7 @@
 Quick Navigation
 
 
-[define v]9.0.19[end]
+[define v]9.0.20[end]
 https://www.apache.org/dist/tomcat/tomcat-9/KEYS;>KEYS |
 [v] |
 Browse |

Modified: tomcat/site/trunk/docs/index.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/index.html?rev=1859246&r1=1859245&r2=1859246&view=diff
==
--- tomcat/site/trunk/docs/index.html (original)
+++ tomcat/site/trunk/docs/index.html Tue May 14 19:52:38 2019
@@ -242,30 +242,30 @@ project logo are trademarks of the Apach
 
 
 
-
-2019-04-13 Tomcat 9.0.19 Released
+
+2019-05-13 Tomcat 9.0.20 Released
 
 
 
-The Apache Tomcat Project is proud to announce the release of version 9.0.19
-of Apache Tomcat. The notable changes compared to 9.0.17 include:
+The Apache Tomcat Project is proud to announce the release of version 9.0.20
+of Apache Tomcat. The notable changes compared to 9.0.19 include:
 
 
 
-Fix for CVE-2019-0232, an RCE vulnerability on Windows
+The useAsyncIO boolean attribute on the Connector element value now
+defaults to true.
 
-Add support for Java 11 to the JSP compiler. Java 12 and 13 are also
-now supported if used with a ECJ version with support for those  Java
-versions
+Stack traces written by the OneLineFormatter are fully indented. The
+entire stack trace is now indented by an additional TAB character.
 
-Various NIO2 stability improvements
+Various HTTP/2 improvements and stability fixes.
 
 
 
 
 
 Full details of these changes, and all the other changes, are available in the
-Tomcat 9
+Tomcat 9
 changelog.
 
 
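Review bot: the first new bullet, "The useAsyncIO boolean attribute on the Connector element value now defaults to true", reads awkwardly at "element value"; suggest "The useAsyncIO attribute of the Connector element now defaults to true". Because this item announces a changed default rather than a fix, it could also say that setting the attribute to false keeps the previous behaviour.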

Modified: tomcat/site/trunk/docs/migration-9.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/migration-9.html?rev=1859246&r1=1859245&r2=1859246&view=diff
==
--- tomcat/site/trunk/docs/migration-9.html (original)
+++ tomcat/site/trunk/docs/migration-9.html Tue May 14 19:52:38 2019
@@ -868,8 +868,9 @@ of Apache Tomcat.
 9.0.13
 9.0.14
 9.0.16
-9.0.17
-9.0.19
+9.0.17
+9.0.19
+9.0.20
 , new version:
 
 9.0.0.M1
@@ -903,7 +904,8 @@ of Apache Tomcat.
 9.0.14
 9.0.16
 9.0.17
-9.0.19
+9.0.19
+9.0.20
 trunk (unreleased)
 
 

Modified: tomcat/site/trunk/docs/oldnews.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/oldnews.html?rev=1859246&r1=1859245&r2=1859246&view=diff
==
--- tomcat/site/trunk/docs/oldnews.html (original)
+++ tomcat/site/trunk/docs/oldnews.html Tue May 14 19:52:38 2019
@@ -302,6 +302,41 @@ this hackathon and contribute to the dev
 
 
 
+
+2019-04-13 Tomcat 9.0.19 Released
+
+

svn commit: r1859245 - in /tomcat/site/trunk/docs/tomcat-9.0-doc: ./ api/ api/org/apache/catalina/ api/org/apache/catalina/ant/ api/org/apache/catalina/ant/jmx/ api/org/apache/catalina/authenticator/

2019-05-14 Thread markt
Author: markt
Date: Tue May 14 19:48:28 2019
New Revision: 1859245

URL: http://svn.apache.org/viewvc?rev=1859245&view=rev
Log:
Update docs for 9.0.20


[This commit notification would consist of 66 parts, 
which exceeds the limit of 50 ones, so it was shortened to the summary.]




Re: Punishing bad clients with delays

2019-05-14 Thread Mark Thomas
On 14/05/2019 20:38, Igal @ Lucee.org wrote:
> On 5/14/2019 12:15 PM, Christopher Schultz wrote:



>>> Then, Tomcat observes that the servlet or filter wants to put the
>>> response into the penalty box and, instead of flushing the
>>> response and (possibly) closing the connection, it just sits-around
>>> for a while, keeping the connection open.
> 
> Wouldn't that punish Tomcat by keeping the connection open?  Open the
> door for DDoS attacks?

I don't think so.

An open connection alone isn't going to be enough to trigger a DoS (on a
reasonably configured server).

It won't make an existing DoS any worse. You'd still need DoS protection.

If you do it right, the client will just think the server is being slow.

> I would think that a better way to do it is to flush and close the
> request immediately, and then block the IP address for X seconds.

I'd suggest putting the request into async mode with a predefined
timeout and a listener to handle the timeout.

That way, no extra Tomcat plumbing is required - and your solution is
portable across Servlet containers.

Mark
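
Mark's suggestion (async mode, a predefined timeout, a listener for the timeout), sketched as an added example; it is not code from the thread or from Tomcat. It assumes the javax.servlet 3.0+ API, and the class name, `/login` path, demo secret, 403 response and the cap on parked requests are assumptions made for the illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.concurrent.Semaphore;

import javax.servlet.AsyncContext;
import javax.servlet.AsyncEvent;
import javax.servlet.AsyncListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added illustration: names, limits and the credential check are assumptions.
@WebServlet(urlPatterns = "/login", asyncSupported = true)
public class PenaltyBoxServlet extends HttpServlet {

    private static final long PENALTY_MILLIS = 10_000L; // the 10 seconds mentioned in the thread
    private static final int MAX_PARKED = 500;          // assumed cap on delayed requests
    private static final byte[] DEMO_SECRET =           // constructed value, not a real credential
            "constructed-demo-secret".getBytes(StandardCharsets.UTF_8);

    // One permit per parked request, so the delay cannot be used to hold
    // an unbounded number of connections open.
    private final Semaphore parked = new Semaphore(MAX_PARKED);

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        if (!shouldPunishClient(req)) {
            resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
            return;
        }
        if (!parked.tryAcquire()) {
            // Penalty box is full: answer at once with the same status.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        try {
            AsyncContext ctx = req.startAsync();
            ctx.addListener(new PenaltyListener());
            ctx.setTimeout(PENALTY_MILLIS);
            // Returning now frees the container thread. The connection stays
            // open and the container calls onTimeout after PENALTY_MILLIS.
        } catch (IllegalStateException e) {
            // A filter or servlet in the chain does not support async.
            parked.release();
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }

    // Stand-in for the thread's shouldPunishClient(...): constant-time
    // comparison of the "password" parameter with the demo secret.
    private static boolean shouldPunishClient(HttpServletRequest req) {
        String supplied = req.getParameter("password");
        byte[] bytes = supplied == null
                ? new byte[0]
                : supplied.getBytes(StandardCharsets.UTF_8);
        return !MessageDigest.isEqual(bytes, DEMO_SECRET);
    }

    private final class PenaltyListener implements AsyncListener {
        @Override
        public void onTimeout(AsyncEvent event) throws IOException {
            AsyncContext ctx = event.getAsyncContext();
            HttpServletResponse resp = (HttpServletResponse) ctx.getResponse();
            resp.setStatus(HttpServletResponse.SC_FORBIDDEN);
            // Without complete() the container treats the timeout as an error.
            ctx.complete();
        }

        @Override
        public void onError(AsyncEvent event) {
            // The container reported a failure while the request was parked.
            event.getAsyncContext().complete();
        }

        @Override
        public void onComplete(AsyncEvent event) {
            parked.release(); // runs once per parked request
        }

        @Override
        public void onStartAsync(AsyncEvent event) {
            // Not used: the request is never re-dispatched.
        }
    }
}
```

Every filter mapped in front of the servlet also needs async support enabled, otherwise `startAsync()` throws `IllegalStateException` and the example falls back to an immediate response.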




Re: Punishing bad clients with delays

2019-05-14 Thread Igal @ Lucee.org

Chris,

On 5/14/2019 12:15 PM, Christopher Schultz wrote:
> All,
>
> bump
>
> It's hard to see anything with all the commit messages :)
>
> On 5/9/19 12:52, Christopher Schultz wrote:
>> All,
>>
>> What are the options we might have to "punish" an HTTP client that
>> we don't like for some reason?
>>
>> Specifically, I'd like to be able to write a servlet that ties-up
>> the response to the client for a while for some bad behavior. For
>> example, maybe lots of authentication attempts or some other
>> criteria. Maybe even just a single bad authentication attempt.

How do you identify the bad actor on subsequent requests?  By its IP
address?

>> I'm thinking of something along these lines:
>>
>> public void doGet(...) {
>>   ...
>>   if(shouldPunishClient(...)) {
>>     request.setAttribute("delay-client", Boolean.TRUE);
>>     return;
>>   }
>>   ...
>> }
>>
>> Or maybe even specify a time-out.
>>
>> Then, Tomcat observes that the servlet or filter wants to put the
>> response into the penalty box and, instead of flushing the
>> response and (possibly) closing the connection, it just sits-around
>> for a while, keeping the connection open.

Wouldn't that punish Tomcat by keeping the connection open?  Open the
door for DDoS attacks?

I would think that a better way to do it is to flush and close the
request immediately, and then block the IP address for X seconds.

>> The poller usually waits for data to become available on either end
>> of the connection and pushes the bytes. How complicated would it be
>> to put connections into a queue where they wait some amount of
>> time before being flushed/closed/returned to the connection pool?
>> In this case, the only stimulus for taking action is the passage of
>> time, not arrival of data on a stream.
>>
>> Any thoughts about how this could be done?

You mean as part of the NIO implementation?

>> Clearly, a simple Thread.sleep() would do the trick in terms of
>> just making the client wait, but the point would be to make the
>> client wait without a performance impact on the server.

If you really want to punish a client then send back a "302
http://aol.com" ;-)


Best,

Igal






svn commit: r1859244 - in /tomcat/site/trunk: docs/index.html docs/oldnews.html xdocs/index.xml xdocs/oldnews.xml

2019-05-14 Thread markt
Author: markt
Date: Tue May 14 19:36:01 2019
New Revision: 1859244

URL: http://svn.apache.org/viewvc?rev=1859244&view=rev
Log:
Move hackathon to old news section

Modified:
tomcat/site/trunk/docs/index.html
tomcat/site/trunk/docs/oldnews.html
tomcat/site/trunk/xdocs/index.xml
tomcat/site/trunk/xdocs/oldnews.xml

Modified: tomcat/site/trunk/docs/index.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/index.html?rev=1859244&r1=1859243&r2=1859244&view=diff
==
--- tomcat/site/trunk/docs/index.html (original)
+++ tomcat/site/trunk/docs/index.html Tue May 14 19:36:01 2019
@@ -242,52 +242,6 @@ project logo are trademarks of the Apach
 
 
 
-
- Tomcat Hackathon - Brussels Belgium - 4/5 May 
2019
-
-
-
-As part of the https://joinup.ec.europa.eu/collection/eu-fossa-2;>EU-FOSSA 2 
project, there will be a
-https://eufossahackathon.bemyapp.com/;>Tomcat Hackathon in Brussels, 
Belgium on 4-5 May 2019.
-
-
-
-The outline of the schedule is:
-
-
-
-general update on the status of the project
-
-hacking
-
-wrap-up
-
-
-
-
-with the majority of the time spent hacking.
-
-
-We are currently collating potential tasks on https://cwiki.apache.org/confluence/display/TOMCAT/EU+FOSSA+May+2019;>the 
wiki.
-
-
-The EU-FOSSA 2 project is providing accommodation (on the basis of 2
-people sharing - you can request a single room if you want to pay the
-difference) and might be able to help with transport costs.
-
-
-Space is limited so we are asking anyone who would like to attend
-this hackathon and contribute to the development of Tomcat to
-https://eufossahackathon.bemyapp.com/; rel="nofollow">register 
yourself.
-
-
-Time is fairly tight so if you are interested please let us know ASAP.
-
-
-We hope to see you in Brussels.
-
-
-
 
 2019-04-13 Tomcat 9.0.19 Released
 

Modified: tomcat/site/trunk/docs/oldnews.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/oldnews.html?rev=1859244&r1=1859243&r2=1859244&view=diff
==
--- tomcat/site/trunk/docs/oldnews.html (original)
+++ tomcat/site/trunk/docs/oldnews.html Tue May 14 19:36:01 2019
@@ -256,6 +256,52 @@
 
 
 
+
+ Tomcat Hackathon - Brussels Belgium - 4/5 May 
2019
+
+
+
+As part of the https://joinup.ec.europa.eu/collection/eu-fossa-2;>EU-FOSSA 2 
project, there will be a
+https://eufossahackathon.bemyapp.com/;>Tomcat Hackathon in Brussels, 
Belgium on 4-5 May 2019.
+
+
+
+The outline of the schedule is:
+
+
+
+general update on the status of the project
+
+hacking
+
+wrap-up
+
+
+
+
+with the majority of the time spent hacking.
+
+
+We are currently collating potential tasks on https://cwiki.apache.org/confluence/display/TOMCAT/EU+FOSSA+May+2019;>the 
wiki.
+
+
+The EU-FOSSA 2 project is providing accommodation (on the basis of 2
+people sharing - you can request a single room if you want to pay the
+difference) and might be able to help with transport costs.
+
+
+Space is limited so we are asking anyone who would like to attend
+this hackathon and contribute to the development of Tomcat to
+https://eufossahackathon.bemyapp.com/; rel="nofollow">register 
yourself.
+
+
+Time is fairly tight so if you are interested please let us know ASAP.
+
+
+We hope to see you in Brussels.
+
+
+
 
 2019-03-19 Tomcat 8.5.39 Released
 
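Review bot: the hackathon block is moved into old news word for word, so the archive page now says "there will be a Tomcat Hackathon", "We are currently collating potential tasks" and "Time is fairly tight so if you are interested please let us know ASAP", and still asks readers to register for an event dated 4-5 May 2019. Suggest putting the entry into the past tense and dropping the registration call, or trimming it to the first paragraph.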

Modified: tomcat/site/trunk/xdocs/index.xml
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/index.xml?rev=1859244&r1=1859243&r2=1859244&view=diff
==
--- tomcat/site/trunk/xdocs/index.xml (original)
+++ tomcat/site/trunk/xdocs/index.xml Tue May 14 19:36:01 2019
@@ -39,42 +39,6 @@ project logo are trademarks of the Apach
 
 
 
-
-
-As part of the https://joinup.ec.europa.eu/collection/eu-fossa-2;
->EU-FOSSA 2 project, there will be a
-https://eufossahackathon.bemyapp.com/;
->Tomcat Hackathon in Brussels, Belgium on 4-5 May 2019.
-
-
-The outline of the schedule is:
-
-general update on the status of the project
-hacking
-wrap-up
-
-
-with the majority of the time spent hacking.
-
-We are currently collating potential tasks on https://cwiki.apache.org/confluence/display/TOMCAT/EU+FOSSA+May+2019;
->the wiki.
-
-The EU-FOSSA 2 project is providing accommodation (on the basis of 2
-people sharing - you can request a single room if you want to pay the
-difference) and might be able to help with transport costs.
-
-Space is limited so we are asking anyone who would like to attend
-this hackathon and contribute to the development of Tomcat to
-https://eufossahackathon.bemyapp.com/; rel="nofollow"
->register yourself.
-
-Time is fairly tight so if you are interested please let us know ASAP.
-
-We hope to see you in Brussels.
-
-
-
 
 
 The Apache Tomcat Project is proud to announce the release of version 9.0.19

Modified: tomcat/site/trunk/xdocs/oldnews.xml
URL: 

Re: Punishing bad clients with delays

2019-05-14 Thread Christopher Schultz
All,

bump

It's hard to see anything with all the commit messages :)

On 5/9/19 12:52, Christopher Schultz wrote:
> All,
> 
> What are the options we might have to "punish" an HTTP client that
> we don't like for some reason?
> 
> Specifically, I'd like to be able to write a servlet that ties-up
> the response to the client for a while for some bad behavior. For
> example, maybe lots of authentication attempts or some other
> criteria. Maybe even just a single bad authentication attempt.
> 
> I'm thinking of something along these lines:
> 
> public void doGet(...) {
>   ...
>   if(shouldPunishClient(...)) {
>     request.setAttribute("delay-client", Boolean.TRUE);
>     return;
>   }
>   ...
> }
> 
> Or maybe even specify a time-out.
> 
> Then, Tomcat observes that the servlet or filter wants to put the 
> response into the penalty box and, instead of flushing the
> response and (possibly) closing the connection, it just sits-around
> for a while, keeping the connection open.
> 
> The poller usually waits for data to become available on either end
> of the connection and pushes the bytes. How complicated would it be
> to put connections into a queue where they wait some amount of
> time before being flushed/closed/returned to the connection pool?
> In this case, the only stimulus for taking action is the passage of
> time, not arrival of data on a stream.
> 
> Any thoughts about how this could be done?
> 
> Clearly, a simple Thread.sleep() would do the trick in terms of
> just making the client wait, but the point would be to make the
> client wait without a performance impact on the server.
> 
> -chris



[tomcat] branch master updated: Minor fixes, forgotten finals and cleanups

2019-05-14 Thread remm
This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/master by this push:
 new d2eeca5  Minor fixes, forgotten finals and cleanups
d2eeca5 is described below

commit d2eeca58416a5cf94473239da691eeeba3e6729a
Author: remm 
AuthorDate: Tue May 14 21:14:20 2019 +0200

Minor fixes, forgotten finals and cleanups
---
 java/org/apache/tomcat/util/net/AprEndpoint.java   |  2 +-
 java/org/apache/tomcat/util/net/Nio2Endpoint.java  |  9 ++---
 java/org/apache/tomcat/util/net/NioEndpoint.java   |  5 -
 .../apache/tomcat/util/net/SocketWrapperBase.java  | 22 --
 4 files changed, 19 insertions(+), 19 deletions(-)

diff --git a/java/org/apache/tomcat/util/net/AprEndpoint.java 
b/java/org/apache/tomcat/util/net/AprEndpoint.java
index d5898fe..2d6622f 100644
--- a/java/org/apache/tomcat/util/net/AprEndpoint.java
+++ b/java/org/apache/tomcat/util/net/AprEndpoint.java
@@ -2773,6 +2773,7 @@ public class AprEndpoint extends 
AbstractEndpoint implements SNICallB
 }
 
 private class AprOperationState  extends OperationState {
+private volatile boolean inline = true;
 private AprOperationState(boolean read, ByteBuffer[] buffers, int 
offset, int length,
 BlockingMode block, long timeout, TimeUnit unit, A 
attachment, CompletionCheck check,
 CompletionHandler handler, Semaphore 
semaphore,
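Review bot: `inline` is added as a private field to AprOperationState here and to NioOperationState in the NioEndpoint hunk, while the SocketWrapperBase hunk deletes the shared `protected volatile boolean inline`, so one field becomes two copies in a commit described as cleanup. If the copy in SocketWrapperBase really is no longer wanted, a one-line comment on each new field saying what `inline` tracks and why it is volatile would help, and a blank line between the field and the constructor would match the surrounding style.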
@@ -2807,7 +2808,6 @@ public class AprEndpoint extends 
AbstractEndpoint implements SNICallB
 }
 return;
 }
-
 if (!read && flush(false)) {
 inline = false;
 registerWriteInterest();
diff --git a/java/org/apache/tomcat/util/net/Nio2Endpoint.java 
b/java/org/apache/tomcat/util/net/Nio2Endpoint.java
index 3c166b9..652644a 100644
--- a/java/org/apache/tomcat/util/net/Nio2Endpoint.java
+++ b/java/org/apache/tomcat/util/net/Nio2Endpoint.java
@@ -469,6 +469,7 @@ public class Nio2Endpoint extends 
AbstractJsseEndpoint 
gatheringWriteCompletionHandler;
 private boolean writeInterest = false; // Guarded by 
writeCompletionHandler
 private boolean writeNotify = false;
+
 private volatile boolean closed = false;
 
 private CompletionHandler sendfileHandler
@@ -952,7 +953,7 @@ public class Nio2Endpoint extends 
AbstractJsseEndpoint() {
 @Override
diff --git a/java/org/apache/tomcat/util/net/NioEndpoint.java 
b/java/org/apache/tomcat/util/net/NioEndpoint.java
index bdebc73..621d58c 100644
--- a/java/org/apache/tomcat/util/net/NioEndpoint.java
+++ b/java/org/apache/tomcat/util/net/NioEndpoint.java
@@ -1426,6 +1426,7 @@ public class NioEndpoint extends 
AbstractJsseEndpoint
 }
 
 private class NioOperationState extends OperationState {
+private volatile boolean inline = true;
 private NioOperationState(boolean read, ByteBuffer[] buffers, int 
offset, int length,
 BlockingMode block, long timeout, TimeUnit unit, A 
attachment, CompletionCheck check,
 CompletionHandler handler, Semaphore 
semaphore,
@@ -1478,7 +1479,9 @@ public class NioEndpoint extends 
AbstractJsseEndpoint
 // Write from main buffer first
 if (!socketBufferHandler.isWriteBufferEmpty()) 
{
 // There is still data inside the main 
write buffer, it needs to be written first
-doWrite(false);
+
socketBufferHandler.configureWriteBufferForRead();
+
getSocket().write(socketBufferHandler.getWriteBuffer());
+// Start operation only if the main write 
buffer is now empty
 if 
(!socketBufferHandler.isWriteBufferEmpty()) {
 doWrite = false;
 }
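Review bot: replacing `doWrite(false)` with `configureWriteBufferForRead()` plus a direct `getSocket().write(...)` changes how leftover data in the main write buffer is flushed, which is more than the "Minor fixes, forgotten finals and cleanups" of the commit message suggests. The return value of `write` is ignored and the only follow-up is the `isWriteBufferEmpty()` test, so please say in a comment or in the commit message why `doWrite(false)` was wrong on this path, and confirm that any bookkeeping it did is not needed here.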
diff --git a/java/org/apache/tomcat/util/net/SocketWrapperBase.java 
b/java/org/apache/tomcat/util/net/SocketWrapperBase.java
index 60e383d..b42c603 100644
--- a/java/org/apache/tomcat/util/net/SocketWrapperBase.java
+++ b/java/org/apache/tomcat/util/net/SocketWrapperBase.java
@@ -1005,7 +1005,6 @@ public abstract class SocketWrapperBase {
 }
 protected volatile long nBytes = 0;
 protected volatile CompletionState state = CompletionState.PENDING;
-protected volatile boolean inline = true;
 protected boolean completionDone = true;
 
 /**
@@ -1017,7 +1016,7 @@ public abstract class SocketWrapperBase {
 /**
  * Process the operation using the connector executor.
  

[tomcat] branch master updated: Refactor async IO implementation to SocketWrapperBase

2019-05-14 Thread remm
This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/master by this push:
 new 9d6388a  Refactor async IO implementation to SocketWrapperBase
9d6388a is described below

commit 9d6388affba4e9140c50e8ca8938569f8709d008
Author: remm 
AuthorDate: Tue May 14 18:00:32 2019 +0200

Refactor async IO implementation to SocketWrapperBase

Remove all duplicate code I could find, although it is likely there will
be further tweaks needed.
---
 .../catalina/security/SecurityClassLoad.java   |  10 +-
 java/org/apache/tomcat/util/net/AprEndpoint.java   | 250 ++---
 java/org/apache/tomcat/util/net/Nio2Endpoint.java  | 224 ++-
 java/org/apache/tomcat/util/net/NioEndpoint.java   | 245 ++---
 .../apache/tomcat/util/net/SocketWrapperBase.java  | 301 -
 webapps/docs/changelog.xml |   4 +
 6 files changed, 379 insertions(+), 655 deletions(-)

diff --git a/java/org/apache/catalina/security/SecurityClassLoad.java 
b/java/org/apache/catalina/security/SecurityClassLoad.java
index 05272f4..2a44caf 100644
--- a/java/org/apache/catalina/security/SecurityClassLoad.java
+++ b/java/org/apache/catalina/security/SecurityClassLoad.java
@@ -190,16 +190,14 @@ public final class SecurityClassLoad {
 loader.loadClass(basePackage + 
"util.net.NioBlockingSelector$BlockPoller$RunnableAdd");
 loader.loadClass(basePackage + 
"util.net.NioBlockingSelector$BlockPoller$RunnableCancel");
 loader.loadClass(basePackage + 
"util.net.NioBlockingSelector$BlockPoller$RunnableRemove");
-loader.loadClass(basePackage + 
"util.net.AprEndpoint$AprSocketWrapper$OperationState");
-loader.loadClass(basePackage + 
"util.net.AprEndpoint$AprSocketWrapper$VectoredIOCompletionHandler");
-loader.loadClass(basePackage + 
"util.net.NioEndpoint$NioSocketWrapper$OperationState");
-loader.loadClass(basePackage + 
"util.net.NioEndpoint$NioSocketWrapper$VectoredIOCompletionHandler");
-loader.loadClass(basePackage + 
"util.net.Nio2Endpoint$Nio2SocketWrapper$OperationState");
-loader.loadClass(basePackage + 
"util.net.Nio2Endpoint$Nio2SocketWrapper$VectoredIOCompletionHandler");
+loader.loadClass(basePackage + 
"util.net.AprEndpoint$AprSocketWrapper$AprOperationState");
+loader.loadClass(basePackage + 
"util.net.NioEndpoint$NioSocketWrapper$NioOperationState");
+loader.loadClass(basePackage + 
"util.net.Nio2Endpoint$Nio2SocketWrapper$Nio2OperationState");
 loader.loadClass(basePackage + 
"util.net.SocketWrapperBase$BlockingMode");
 loader.loadClass(basePackage + 
"util.net.SocketWrapperBase$CompletionCheck");
 loader.loadClass(basePackage + 
"util.net.SocketWrapperBase$CompletionHandlerCall");
 loader.loadClass(basePackage + 
"util.net.SocketWrapperBase$CompletionState");
+loader.loadClass(basePackage + 
"util.net.SocketWrapperBase$VectoredIOCompletionHandler");
 // security
 loader.loadClass(basePackage + "util.security.PrivilegedGetTccl");
 loader.loadClass(basePackage + "util.security.PrivilegedSetTccl");
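Review bot: the renamed preload entries (`AprOperationState`, `NioOperationState`, `Nio2OperationState`) and the new `SocketWrapperBase$VectoredIOCompletionHandler` entry are plain string literals, so nothing at compile time ties them to the inner classes that this same commit renames and moves. A typo or a later rename only shows up when `loader.loadClass` fails at start-up under a security manager. Consider a test that runs this preload list against the built classes, and check whether any other nested type moved into `SocketWrapperBase` by this refactoring needs an entry as well.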
diff --git a/java/org/apache/tomcat/util/net/AprEndpoint.java 
b/java/org/apache/tomcat/util/net/AprEndpoint.java
index ad8e16d..d5898fe 100644
--- a/java/org/apache/tomcat/util/net/AprEndpoint.java
+++ b/java/org/apache/tomcat/util/net/AprEndpoint.java
@@ -22,9 +22,6 @@ import java.net.InetSocketAddress;
 import java.net.SocketTimeoutException;
 import java.nio.ByteBuffer;
 import java.nio.channels.CompletionHandler;
-import java.nio.channels.InterruptedByTimeoutException;
-import java.nio.channels.ReadPendingException;
-import java.nio.channels.WritePendingException;
 import java.nio.charset.StandardCharsets;
 import java.util.ArrayList;
 import java.util.HashMap;
@@ -2159,22 +2156,9 @@ public class AprEndpoint extends 
AbstractEndpoint implements SNICallB
 // This field should only be used by Poller#run()
 private int pollerFlags = 0;
 
-private final Semaphore readPending;
-private OperationState readOperation = null;
-private final Semaphore writePending;
-private OperationState writeOperation = null;
-
 public AprSocketWrapper(Long socket, AprEndpoint endpoint) {
 super(socket, endpoint);
 
-if (endpoint.getUseAsyncIO()) {
-readPending = new Semaphore(1);
-writePending = new Semaphore(1);
-} else {
-readPending = null;
-writePending = null;
-}
-
 // TODO Make the socketWriteBuffer size configurable and align the
 //  SSL and app buffer size settings with NIO & NIO2.
 if (endpoint.isSSLEnabled()) {
@@ -2779,59 +2763,32 @@ public class AprEndpoint 

[tomcat] branch master updated: Avoid blocking write of internal buffer

2019-05-14 Thread remm
This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/master by this push:
 new 0b7f845  Avoid blocking write of internal buffer
0b7f845 is described below

commit 0b7f845e191e6e88fe364190e4adfa6900d8e468
Author: remm 
AuthorDate: Tue May 14 16:20:54 2019 +0200

Avoid blocking write of internal buffer

This introduces some "useless" code, but this is to align with NIO and
APR code before moving code into SocketWrapperBase. There are a couple
of slightly risky changes (the async write of the write buffer, and
delaying setting the read/writeNotify flags until after getting the
semaphores) that could cause CI instability again (as usual the
testsuite passes for me ...).
---
 java/org/apache/tomcat/util/net/Nio2Endpoint.java | 215 +++---
 webapps/docs/changelog.xml|   3 +-
 2 files changed, 107 insertions(+), 111 deletions(-)

diff --git a/java/org/apache/tomcat/util/net/Nio2Endpoint.java 
b/java/org/apache/tomcat/util/net/Nio2Endpoint.java
index b56cbad..8f2de8d 100644
--- a/java/org/apache/tomcat/util/net/Nio2Endpoint.java
+++ b/java/org/apache/tomcat/util/net/Nio2Endpoint.java
@@ -37,6 +37,7 @@ import java.nio.file.StandardOpenOption;
 import java.util.concurrent.ExecutionException;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Future;
+import java.util.concurrent.RejectedExecutionException;
 import java.util.concurrent.Semaphore;
 import java.util.concurrent.TimeUnit;
 import java.util.concurrent.TimeoutException;
@@ -953,22 +954,23 @@ public class Nio2Endpoint extends 
AbstractJsseEndpoint {
-private final boolean read;
-private final ByteBuffer[] buffers;
-private final int offset;
-private final int length;
-private final A attachment;
-private final long timeout;
-private final TimeUnit unit;
-private final BlockingMode block;
-private final CompletionCheck check;
-private final CompletionHandler handler;
-private final Semaphore semaphore;
-private OperationState(boolean read, ByteBuffer[] buffers, int 
offset, int length,
+protected class OperationState implements Runnable {
+protected final boolean read;
+protected final ByteBuffer[] buffers;
+protected final int offset;
+protected final int length;
+protected final A attachment;
+protected final long timeout;
+protected final TimeUnit unit;
+protected final BlockingMode block;
+protected final CompletionCheck check;
+protected final CompletionHandler handler;
+protected final Semaphore semaphore;
+protected final VectoredIOCompletionHandler completion;
+protected OperationState(boolean read, ByteBuffer[] buffers, int 
offset, int length,
 BlockingMode block, long timeout, TimeUnit unit, A 
attachment,
 CompletionCheck check, CompletionHandler 
handler,
-Semaphore semaphore) {
+Semaphore semaphore, VectoredIOCompletionHandler 
completion) {
 this.read = read;
 this.buffers = buffers;
 this.offset = offset;
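Review bot: `OperationState` and every one of its fields go from `private` to `protected` in this hunk, and the constructor gains a `VectoredIOCompletionHandler completion` parameter, with no Javadoc on the class or on the new field. Since the commit message describes this as groundwork for moving the code into `SocketWrapperBase`, document which members subclasses are expected to use and keep the rest `private` behind accessors, so the extension surface stays deliberate.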
@@ -980,102 +982,115 @@ public class Nio2Endpoint extends 
AbstractJsseEndpoint CompletionState read(ByteBuffer[] dsts, int offset, int 
length,
-BlockingMode block, long timeout, TimeUnit unit, A attachment,
-CompletionCheck check, CompletionHandler 
handler) {
-IOException ioe = getError();
-if (ioe != null) {
-handler.failed(ioe, attachment);
-return CompletionState.ERROR;
-}
-if (timeout == -1) {
-timeout = toTimeout(getReadTimeout());
+public boolean isInline() {
+return Nio2Endpoint.isInline();
 }
-// Disable any regular read notifications caused by 
registerReadInterest
-readNotify = true;
-if (block == BlockingMode.BLOCK || block == 
BlockingMode.SEMI_BLOCK) {
+
+public boolean process() {
 try {
-if (!readPending.tryAcquire(timeout, unit)) {
-handler.failed(new SocketTimeoutException(), 
attachment);
-return CompletionState.ERROR;
-}
-} catch (InterruptedException e) {
-handler.failed(e, attachment);
-return CompletionState.ERROR;
-}
-} else {
-if (!readPending.tryAcquire()) {
-if (block == BlockingMode.NON_BLOCK) 

[tomcat] branch master updated: Improve BoM detection for rarely used UTF-32

2019-05-14 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/master by this push:
 new 8607e1a  Improve BoM detection for rarely used UTF-32
8607e1a is described below

commit 8607e1a0d2c283e443ce1ba2ccfb55b1884a580e
Author: Mark Thomas 
AuthorDate: Tue May 14 14:50:43 2019 +0100

Improve BoM detection for rarely used UTF-32

Identified by Coverity Scan which reported unreachable code.
---
 java/org/apache/catalina/servlets/DefaultServlet.java | 12 +++-
 webapps/docs/changelog.xml|  5 +
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/java/org/apache/catalina/servlets/DefaultServlet.java 
b/java/org/apache/catalina/servlets/DefaultServlet.java
index 205d302..2e669d4 100644
--- a/java/org/apache/catalina/servlets/DefaultServlet.java
+++ b/java/org/apache/catalina/servlets/DefaultServlet.java
@@ -1212,7 +1212,9 @@ public class DefaultServlet extends HttpServlet {
 skip(is, 2);
 return StandardCharsets.UTF_16BE;
 }
-if (b0 == 0xFF && b1 == 0xFE) {
+// Delay the UTF_16LE check if there are more that 2 bytes since it
+// overlaps with UTF32-LE.
+if (count == 2 && b0 == 0xFF && b1 == 0xFE) {
 skip(is, 2);
 return StandardCharsets.UTF_16LE;
 }
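Review bot: the new comment above the `count == 2` check has a typo ("more that 2 bytes" should be "more than 2 bytes") and writes the encodings as `UTF_16LE` and `UTF32-LE`, which mixes a Java constant name with a non-standard spelling. Use "UTF-16LE" and "UTF-32LE" in the comment so it matches the names a reader will search for.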
@@ -1244,6 +1246,14 @@ public class DefaultServlet extends HttpServlet {
 return Charset.forName("UTF32-LE");
 }
 
+// Now we can check for UTF16-LE. There is an assumption here that we
+// won't see a UTF16-LE file with a BOM where the first real data is
+// 0x00 0x00
+if (b0 == 0xFF && b1 == 0xFE) {
+skip(is, 2);
+return StandardCharsets.UTF_16LE;
+}
+
 skip(is, 0);
 return null;
 }
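Review bot: the fallback `b0 == 0xFF && b1 == 0xFE` check is only reached after the 4-byte comparisons, while the earlier check now requires `count == 2`, so a stream that yields exactly 3 bytes beginning FF FE is covered by neither check if the method returns before the 4-byte section when fewer than 4 bytes were read. Please confirm that path and add test cases for 2, 3 and 4 or more bytes starting FF FE, plus one for the assumption stated in the comment (a UTF-16LE file with a BOM whose first real data is 0x00 0x00), which this ordering reports as UTF-32LE. The result decides which charset the default servlet applies to the static file, so a wrong answer here is worth pinning down with tests.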
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 92f2aa0..4f83bb2 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -63,6 +63,11 @@
 Make a best efforts attempt to clean-up if a request fails during
 processing due to an OutOfMemoryException. (markt)
   
+  
+Improve the BoM detection for static files handled by the default
+servlet for the rarely used UTF-32 encodings. Identified by Coverity
+Scan. (markt)
+  
 
   
   





[tomcat] branch master updated: Fix comment typo

2019-05-14 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/master by this push:
 new 2de31a7  Fix comment typo
2de31a7 is described below

commit 2de31a7f7daedd96b88f12f73f182ebc6c1be5cc
Author: Mark Thomas 
AuthorDate: Tue May 14 14:13:41 2019 +0100

Fix comment typo
---
 java/org/apache/catalina/servlets/DefaultServlet.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/org/apache/catalina/servlets/DefaultServlet.java 
b/java/org/apache/catalina/servlets/DefaultServlet.java
index 3d15a4a..205d302 100644
--- a/java/org/apache/catalina/servlets/DefaultServlet.java
+++ b/java/org/apache/catalina/servlets/DefaultServlet.java
@@ -1235,7 +1235,7 @@ public class DefaultServlet extends HttpServlet {
 return null;
 }
 
-// Look for 4-bute BOMs
+// Look for 4-byte BOMs
 int b3 = bom[3] & 0xFF;
 if (b0 == 0x00 && b1 == 0x00 && b2 == 0xFE && b3 == 0xFF) {
 return Charset.forName("UTF32-BE");
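Review bot: the context of this hunk passes `"UTF32-BE"` to `Charset.forName`, which throws `UnsupportedCharsetException` for a name the JRE does not recognise; the canonical JDK names are `UTF-32BE` and `UTF-32LE`. Confirm that `UTF32-BE` resolves on the supported JREs or switch to the canonical spelling while this block is being touched. The 4-byte branch shown here also returns without a `skip(is, ...)` call, unlike the 2-byte branches elsewhere in this method, so check that the stream position after a UTF-32 match is what callers expect.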





[tomcat] branch master updated: Refactor

2019-05-14 Thread remm
This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/master by this push:
 new 667fade  Refactor
667fade is described below

commit 667fadee59524b0e0996592fe7c14dbedee7c744
Author: remm 
AuthorDate: Tue May 14 14:20:03 2019 +0200

Refactor
---
 java/org/apache/tomcat/util/net/AprEndpoint.java | 103 ---
 1 file changed, 35 insertions(+), 68 deletions(-)

diff --git a/java/org/apache/tomcat/util/net/AprEndpoint.java 
b/java/org/apache/tomcat/util/net/AprEndpoint.java
index bff1dda..ad8e16d 100644
--- a/java/org/apache/tomcat/util/net/AprEndpoint.java
+++ b/java/org/apache/tomcat/util/net/AprEndpoint.java
@@ -2850,12 +2850,12 @@ public class AprEndpoint extends 
AbstractEndpoint implements SNICallB
 }
 return;
 }
+
 if (!read && flush(false)) {
 inline = false;
 registerWriteInterest();
 return;
 }
-
 // Find the buffer on which the operation will be 
performed (no vectoring with APR)
 ByteBuffer buffer = null;
 for (int i = 0; i < length; i++) {
@@ -2874,6 +2874,15 @@ public class AprEndpoint extends 
AbstractEndpoint implements SNICallB
 int remaining = buffer.remaining();
 writeNonBlockingDirect(buffer);
 nBytes = remaining - buffer.remaining();
+if (nBytes > 0) {
+try {
+if (flush(false)) {
+registerWriteInterest();
+}
+} catch (IOException e) {
+// Ignore, will be delayed to later
+}
+}
 }
 if (nBytes != 0) {
 completionDone = false;
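Review bot: the `catch (IOException e)` around `flush(false)` in the added block discards the exception with only the comment `// Ignore, will be delayed to later`. Nothing in the visible lines records the failure, so whether it resurfaces depends on the later `getError() != null` branch. Either store the exception where `getError()` will see it or log it at debug level, and expand the comment to say where the error ends up being reported.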
@@ -2884,13 +2893,6 @@ public class AprEndpoint extends 
AbstractEndpoint implements SNICallB
 }
 }
 if (nBytes > 0) {
-try {
-if (!read && flush(false)) {
-registerWriteInterest();
-}
-} catch (IOException e) {
-// Ignore, will be delayed to later
-}
 // The bytes read are only updated in the completion 
handler
 completion.completed(Long.valueOf(nBytes), this);
 } else if (nBytes < 0 || getError() != null) {
@@ -2916,76 +2918,37 @@ public class AprEndpoint extends 
AbstractEndpoint implements SNICallB
 public  CompletionState read(ByteBuffer[] dsts, int offset, int 
length,
 BlockingMode block, long timeout, TimeUnit unit, A attachment,
 CompletionCheck check, CompletionHandler 
handler) {
-IOException ioe = getError();
-if (ioe != null) {
-handler.failed(ioe, attachment);
-return CompletionState.ERROR;
-}
-if (timeout == -1) {
-timeout = toTimeout(getReadTimeout());
-} else if (unit.toMillis(timeout) != getReadTimeout()) {
-setReadTimeout(unit.toMillis(timeout));
-}
-if (block == BlockingMode.BLOCK || block == 
BlockingMode.SEMI_BLOCK) {
-try {
-if (!readPending.tryAcquire(timeout, unit)) {
-handler.failed(new SocketTimeoutException(), 
attachment);
-return CompletionState.ERROR;
-}
-} catch (InterruptedException e) {
-handler.failed(e, attachment);
-return CompletionState.ERROR;
-}
-} else {
-if (!readPending.tryAcquire()) {
-if (block == BlockingMode.NON_BLOCK) {
-return CompletionState.NOT_DONE;
-} else {
-handler.failed(new ReadPendingException(), attachment);
-return CompletionState.ERROR;
-}
-}
-}
-VectoredIOCompletionHandler completion = new 
VectoredIOCompletionHandler<>();
-OperationState state = new OperationState<>(true, dsts, offset, 
length, block,
-attachment, check, handler, readPending, 

[tomcat] branch master updated: Checkstyle nag

2019-05-14 Thread remm
This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/master by this push:
 new e348f8b  Checkstyle nag
e348f8b is described below

commit e348f8bce3be8515c87d424fec458089caa91dc9
Author: remm 
AuthorDate: Tue May 14 13:56:59 2019 +0200

Checkstyle nag
---
 res/findbugs/filter-false-positives.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/res/findbugs/filter-false-positives.xml 
b/res/findbugs/filter-false-positives.xml
index 6878214..1c290b2 100644
--- a/res/findbugs/filter-false-positives.xml
+++ b/res/findbugs/filter-false-positives.xml
@@ -1211,7 +1211,7 @@
   
   
 
-
+
   
   
 

Re: [Bug 63428] New: (spam removed)

2019-05-14 Thread Mark Thomas
On 14/05/2019 11:50, bugzi...@apache.org wrote:
> https://bz.apache.org/bugzilla/show_bug.cgi?id=63428

Bug deleted.

Account locked for the idiot that created it.

Mark




[Bug 63428] New: How can Field Engineer help businesses in site survey & readiness?

2019-05-14 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63428

Bug ID: 63428
   Summary: How can Field Engineer help businesses in site survey
& readiness?
   Product: Taglibs
   Version: unspecified
  Hardware: PC
Status: NEW
  Severity: normal
  Priority: P2
 Component: Cache  Taglib
  Assignee: dev@tomcat.apache.org
  Reporter: dayanandabr...@gmail.com
  Target Milestone: ---

Field Engineer can help businesses find site survey engineers via our extensive
pool of qualified and experienced on-demand engineers. All you have to do is
post a site survey & readiness job via our platform, and we’ll find the best
engineers for you. It’s a way for you to utilize the best of the local
workforce without going through all the trouble of posting job adverts,
conducting interviews, and choosing who to hire.

We do all the hard work for you, and all of our registered engineers are vetted
and background checked. You only pay the engineers for the time they need
onsite, meaning you can save a fortune as well.

So, if you need someone to carry out site survey and readiness, then join Field
Engineer today and post a job to be connected with an expert engineer.

Read more; https://www.fieldengineer.com/field-services/site-survey-readiness

-- 
You are receiving this mail because:
You are the assignee for the bug.



[tomcat] branch master updated (15549ad -> 4e5a5f8)

2019-05-14 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git.


from 15549ad  Keep SpotBugs happy
 add 4e5a5f8  Fix some false positives

No new revisions were added by this update.

Summary of changes:
 res/findbugs/filter-false-positives.xml | 27 +--
 1 file changed, 25 insertions(+), 2 deletions(-)





[tomcat] branch master updated: Keep SpotBugs happy

2019-05-14 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/master by this push:
 new 15549ad  Keep SpotBugs happy
15549ad is described below

commit 15549ad7264f0b82a711730afabe28166496a8e1
Author: Mark Thomas 
AuthorDate: Tue May 14 11:02:14 2019 +0100

Keep SpotBugs happy

Code should have been fine but refactor to be safe
---
 java/org/apache/tomcat/util/compat/GraalCompat.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/org/apache/tomcat/util/compat/GraalCompat.java 
b/java/org/apache/tomcat/util/compat/GraalCompat.java
index bfa7b02..66263a1 100644
--- a/java/org/apache/tomcat/util/compat/GraalCompat.java
+++ b/java/org/apache/tomcat/util/compat/GraalCompat.java
@@ -26,7 +26,7 @@ class GraalCompat extends JreCompat {
 boolean result = false;
 try {
 Class nativeImageClazz = 
Class.forName("org.graalvm.nativeimage.ImageInfo");
-result = (nativeImageClazz.getMethod("inImageCode").invoke(null) 
== Boolean.TRUE);
+result = 
Boolean.TRUE.equals(nativeImageClazz.getMethod("inImageCode").invoke(null));
 } catch (ClassNotFoundException e) {
 // Must be Graal
 } catch (ReflectiveOperationException | IllegalArgumentException e) {
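Review bot: the `// Must be Graal` comment in the `catch (ClassNotFoundException e)` branch just below the changed line reads as the opposite of what these lines do, since `result` is still `false` when `org.graalvm.nativeimage.ImageInfo` cannot be loaded. Reword the comment to describe the actual outcome of that branch, and note next to the new line that `Boolean.TRUE.equals(...)` also covers a `null` return from `invoke`.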





[tomcat] branch master updated (cb5889e -> 7831f84)

2019-05-14 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git.


from cb5889e  Fix SpotBugs warnings
 add 7831f84  Update http2.Stream method name after refactoring

No new revisions were added by this update.

Summary of changes:
 res/findbugs/filter-false-positives.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)





[GitHub] [tomcat] johnkdev commented on issue #162: Add support for same-site cookie attribute

2019-05-14 Thread GitBox
johnkdev commented on issue #162: Add support for same-site cookie attribute
URL: https://github.com/apache/tomcat/pull/162#issuecomment-492171504
 
 
   I've moved the configuration to CookieProcessor and updated the docs.


This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services




[tomcat] branch master updated (e2c5671 -> cb5889e)

2019-05-14 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git.


from e2c5671  Avoid a blocking write of the internal buffer
 add cb5889e  Fix SpotBugs warnings

No new revisions were added by this update.

Summary of changes:
 java/org/apache/catalina/servlets/DefaultServlet.java | 16 
 1 file changed, 8 insertions(+), 8 deletions(-)





[tomcat] branch master updated (58a95c6 -> e2c5671)

2019-05-14 Thread remm
This is an automated email from the ASF dual-hosted git repository.

remm pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git.


from 58a95c6  Add the async APR classes to preloading
 add e2c5671  Avoid a blocking write of the internal buffer

No new revisions were added by this update.

Summary of changes:
 java/org/apache/tomcat/util/net/NioEndpoint.java | 138 ---
 webapps/docs/changelog.xml   |   4 +
 2 files changed, 54 insertions(+), 88 deletions(-)





[tomcat] branch master updated: Add the async APR classes to preloading

2019-05-14 Thread remm
This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/master by this push:
 new 58a95c6  Add the async APR classes to preloading
58a95c6 is described below

commit 58a95c6929e187711fcbb637c2df5e64a2bbaab2
Author: remm 
AuthorDate: Tue May 14 09:48:49 2019 +0200

Add the async APR classes to preloading

Otherwise BZ63412 will likely occur.
---
 java/org/apache/catalina/security/SecurityClassLoad.java | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/java/org/apache/catalina/security/SecurityClassLoad.java 
b/java/org/apache/catalina/security/SecurityClassLoad.java
index 8e34f4e..05272f4 100644
--- a/java/org/apache/catalina/security/SecurityClassLoad.java
+++ b/java/org/apache/catalina/security/SecurityClassLoad.java
@@ -190,6 +190,8 @@ public final class SecurityClassLoad {
 loader.loadClass(basePackage + 
"util.net.NioBlockingSelector$BlockPoller$RunnableAdd");
 loader.loadClass(basePackage + 
"util.net.NioBlockingSelector$BlockPoller$RunnableCancel");
 loader.loadClass(basePackage + 
"util.net.NioBlockingSelector$BlockPoller$RunnableRemove");
+loader.loadClass(basePackage + 
"util.net.AprEndpoint$AprSocketWrapper$OperationState");
+loader.loadClass(basePackage + 
"util.net.AprEndpoint$AprSocketWrapper$VectoredIOCompletionHandler");
 loader.loadClass(basePackage + 
"util.net.NioEndpoint$NioSocketWrapper$OperationState");
 loader.loadClass(basePackage + 
"util.net.NioEndpoint$NioSocketWrapper$VectoredIOCompletionHandler");
 loader.loadClass(basePackage + 
"util.net.Nio2Endpoint$Nio2SocketWrapper$OperationState");

