[Bug 65498] If-None-Match header causes 400 with static file

2021-08-12 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=65498

dzab...@rampecdn.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |CLOSED
             Status|NEW                         |RESOLVED

--- Comment #6 from dzab...@rampecdn.com ---
Found the issue. 

com.github.ziplet.filter.compression.CompressingFilter causes the creation of
invalid ETags. Don't use it.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[Bug 65498] If-None-Match header causes 400 with static file

2021-08-12 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=65498

--- Comment #5 from dzab...@rampecdn.com ---
So I guess the bug is bad ETag generation:

curl -v -s -H 'Accept-Encoding: gzip' http://localhost:8080/example/example.js 2>&1 > /dev/null
*   Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8080 (#0)
> GET /vdms/rr.js HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.64.1
> Accept: */*
> Accept-Encoding: gzip
> 
< HTTP/1.1 200 
< Vary: Accept-Encoding
< X-Altimeter-Host: my-computer.local
< X-Altimeter-Generated: Thu, 12 Aug 2021 19:57:48 GMT
< X-Frame-Options: SAMEORIGIN
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Accept-Ranges: bytes
< ETag: W/"73631-1628790416370"-gzip
< Last-Modified: Thu, 12 Aug 2021 17:46:56 GMT
< Cache-Control: max-age=0
< Expires: Thu, 12 Aug 2021 19:57:48 GMT
< Content-Encoding: gzip
< Content-Type: application/javascript
< Transfer-Encoding: chunked
< Date: Thu, 12 Aug 2021 19:57:47 GMT
<

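The grammar point behind this thread (why `W` and `W/"8176-1626385749844"-gzip` are rejected while the same tag without the `-gzip` suffix is accepted), as an added example that is not part of the bug report or of Tomcat's code. It implements the entity-tag grammar of RFC 7232 in Python; the function names are my own, and the header values it checks are the ones quoted in the thread.

```python
# Added example, not part of the bug report or Tomcat's code. It implements the
# entity-tag grammar of RFC 7232 (sections 2.3 and 3.2) so the header values
# from the thread can be checked offline:
#
#   If-None-Match = "*" / 1#entity-tag
#   entity-tag    = [ weak ] opaque-tag
#   weak          = %x57.2F            ; "W/", case-sensitive
#   opaque-tag    = DQUOTE *etagc DQUOTE
#   etagc         = %x21 / %x23-7E / obs-text
#
# Nothing may follow the closing DQUOTE except OWS, a comma, or the end of the
# field value, which is why W/"8176-1626385749844"-gzip is rejected.
import re
from dataclasses import dataclass
from typing import List, Optional

# One entity-tag starting at the match position. obs-text (0x80-0xFF) is
# permitted by the grammar although real ETags are almost always ASCII.
_TAG_AT = re.compile(r'(W/)?"([\x21\x23-\x7e\x80-\xff]*)"')


@dataclass(frozen=True)
class EntityTag:
    weak: bool
    opaque: str      # the characters between the quotes, without the quotes


def parse_entity_tag(value: str) -> EntityTag:
    """Parse a single ETag field value (e.g. a response's ETag header)."""
    m = _TAG_AT.fullmatch(value.strip())
    if m is None:
        raise ValueError(f"invalid entity-tag: {value!r}")
    return EntityTag(weak=m.group(1) is not None, opaque=m.group(2))


def parse_if_none_match(value: str) -> Optional[List[EntityTag]]:
    """Parse an If-None-Match field value.

    Returns None for "*", otherwise the list of entity-tags. Raises ValueError
    on a syntax error, which is the situation in which Tomcat answers 400.
    """
    s = value.strip()
    if s == "*":
        return None
    tags: List[EntityTag] = []
    pos, n = 0, len(s)
    while pos < n:
        # RFC 7230 list syntax: skip OWS and empty elements such as ", ,"
        while pos < n and s[pos] in " \t,":
            pos += 1
        if pos == n:
            break
        m = _TAG_AT.match(s, pos)
        if m is None:
            raise ValueError(f"invalid entity-tag at offset {pos}: {s[pos:]!r}")
        tags.append(EntityTag(weak=m.group(1) is not None, opaque=m.group(2)))
        pos = m.end()
        # only OWS, a comma or end-of-value may follow a closing DQUOTE
        if pos < n and s[pos] not in " \t,":
            raise ValueError(f"trailing data after entity-tag: {s[pos:]!r}")
    if not tags:
        raise ValueError("If-None-Match needs '*' or at least one entity-tag")
    return tags


def etag_is_valid(value: str) -> bool:
    """True if a response ETag field value is well-formed."""
    try:
        parse_entity_tag(value)
        return True
    except ValueError:
        return False


def if_none_match_is_valid(value: str) -> bool:
    """True if an If-None-Match field value is well-formed."""
    try:
        parse_if_none_match(value)
        return True
    except ValueError:
        return False


def is_not_modified(current_etag: str, if_none_match: str) -> bool:
    """Decide whether a GET/HEAD should be answered with 304.

    If-None-Match uses weak comparison (RFC 7232 section 2.3.2): the weak
    indicator is ignored and only the opaque-tags are compared.
    """
    current = parse_entity_tag(current_etag)
    wanted = parse_if_none_match(if_none_match)
    if wanted is None:          # "*" matches any current representation
        return True
    return any(t.opaque == current.opaque for t in wanted)


if __name__ == "__main__":
    # Header values taken from the bug thread.
    for v in ('W', 'W/"8176-1626385749844"-gzip', 'W/"8176-1626385749844"'):
        print(f"{v!r:40} valid={if_none_match_is_valid(v)}")
```

Run the file directly to see the three values from the thread classified; `etag_is_valid` applied to a server's own `ETag` response header is the quickest way to spot a filter that appends a suffix outside the quotes, since a browser will echo that value back in `If-None-Match` and then receive the 400 described here.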



[Bug 65498] If-None-Match header causes 400 with static file

2021-08-12 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=65498

--- Comment #4 from Michael Osipov  ---
(In reply to dzabner from comment #2)
> Any ETag I use seems to cause the issue.
> 
> i.e. 'If-None-Match: W/"8176-1626385749844"-gzip'

This ETag is invalid too




[Bug 65498] If-None-Match header causes 400 with static file

2021-08-12 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=65498

--- Comment #3 from dzab...@rampecdn.com ---
(In reply to dzabner from comment #2)
> Any ETag I use seems to cause the issue.
> 
> i.e. 'If-None-Match: W/"8176-1626385749844"-gzip'

Interestingly, removing the -gzip fixes the issue. So maybe this is somehow
tied to my expires filter and the creation of the ETag?




[Bug 65498] If-None-Match header causes 400 with static file

2021-08-12 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=65498

--- Comment #2 from dzab...@rampecdn.com ---
Any ETag I use seems to cause the issue.

i.e. 'If-None-Match: W/"8176-1626385749844"-gzip'




[Bug 65498] If-None-Match header causes 400 with static file

2021-08-12 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=65498

--- Comment #1 from Michael Osipov  ---
Where is the bug? The ETag is invalid, hence the 400.




[Bug 65498] If-None-Match header causes 400 with static file

2021-08-12 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=65498

dzab...@rampecdn.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dzab...@rampecdn.com




[Bug 65498] New: If-None-Match header causes 400 with static file

2021-08-12 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=65498

            Bug ID: 65498
           Summary: If-None-Match header causes 400 with static file
           Product: Tomcat 9
           Version: 9.0.46
          Hardware: PC
                OS: Mac OS X 10.1
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: dzab...@rampecdn.com
  Target Milestone: -

Any request for static files I, or Chrome, make that includes the
'If-None-Match' header causes Tomcat to return a 400.

curl -v -s -H 'If-None-Match: W' http://localhost:8080/example/example.css 2>&1 > /dev/null

*   Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8080 (#0)
> GET /vdms/rr.css HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.64.1
> Accept: */*
> If-None-Match: W
> 
< HTTP/1.1 400 
< Vary: Accept-Encoding
< X-Altimeter-Host: my-computer.local
< X-Altimeter-Generated: Thu, 12 Aug 2021 18:58:02 GMT
< X-Frame-Options: SAMEORIGIN
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Content-Type: text/html;charset=utf-8
< Content-Language: en
< Content-Length: 762
< Date: Thu, 12 Aug 2021 18:58:02 GMT
< Connection: close




[GitHub] [tomcat] rrodewald commented on pull request #444: Delegate check for preemptive authentication from AuthenticatorBase to affected Authenticators

2021-08-12 Thread GitBox


rrodewald commented on pull request #444:
URL: https://github.com/apache/tomcat/pull/444#issuecomment-897703572


   Will have to look at that in detail, which will take some time. I have to 
postpone this for 2 weeks because I am on vacation.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[GitHub] [tomcat] michael-o commented on pull request #444: Delegate check for preemptive authentication from AuthenticatorBase to affected Authenticators

2021-08-12 Thread GitBox


michael-o commented on pull request #444:
URL: https://github.com/apache/tomcat/pull/444#issuecomment-897565545


   This needs to be analyzed, whether the tests are invalid or not.





[GitHub] [tomcat] rrodewald edited a comment on pull request #444: Delegate check for preemptive authentication from AuthenticatorBase to affected Authenticators

2021-08-12 Thread GitBox


rrodewald edited a comment on pull request #444:
URL: https://github.com/apache/tomcat/pull/444#issuecomment-897549391


   The removal of the preemptive capability of the `SSLAuthenticator` makes 
multiple tests fail:
   ```
   [junit] Test org.apache.catalina.valves.rewrite.TestResolverSSL FAILED
   [junit] Test org.apache.tomcat.util.net.TestClientCertTls13 FAILED
   [junit] Test org.apache.tomcat.util.net.TestClientCert FAILED
   [junit] Test org.apache.tomcat.util.net.TestCustomSsl FAILED
   ```
   Before I change all these tests I'd like to confirm that it is worth it.





Re: [VOTE] Release Apache Tomcat 8.5.70

2021-08-12 Thread jean-frederic clere

On 09/08/2021 22:05, Mark Thomas wrote:

[X] Stable - go ahead and release as 8.5.70


On fedora 34, I have the following failures:
+++
   [concat] Testsuites with failed tests:
   [concat] TEST-org.apache.catalina.valves.rewrite.TestResolverSSL.NIO.txt
   [concat] TEST-org.apache.catalina.valves.rewrite.TestResolverSSL.NIO2.txt

   [concat] TEST-org.apache.tomcat.util.net.TestClientCert.NIO.txt
   [concat] TEST-org.apache.tomcat.util.net.TestClientCert.NIO2.txt
   [concat] TEST-org.apache.tomcat.util.net.TestClientCertTls13.NIO.txt
   [concat] TEST-org.apache.tomcat.util.net.TestClientCertTls13.NIO2.txt
   [concat] TEST-org.apache.tomcat.util.net.TestCustomSsl.NIO.txt
   [concat] TEST-org.apache.tomcat.util.net.TestCustomSsl.NIO2.txt
+++
But that looks like a configuration problem... invalid certificate...

--
Cheers

Jean-Frederic





[GitHub] [tomcat] rrodewald commented on pull request #444: Delegate check for preemptive authentication from AuthenticatorBase to affected Authenticators

2021-08-12 Thread GitBox


rrodewald commented on pull request #444:
URL: https://github.com/apache/tomcat/pull/444#issuecomment-897549391


   The removal of the preemptive capability of the `SSLAuthenticator` makes 
multiple tests fail:
   ```
   [junit] Test org.apache.catalina.valves.rewrite.TestResolverSSL FAILED
   [junit] Test org.apache.tomcat.util.net.TestClientCertTls13 FAILED
   [junit] Test org.apache.tomcat.util.net.TestClientCert FAILED
   [junit] Test org.apache.tomcat.util.net.TestCustomSsl FAILED
   [junit] Test org.apache.catalina.valves.rewrite.TestResolverSSL FAILED
   [junit] Test org.apache.tomcat.util.net.TestClientCertTls13 FAILED
   [junit] Test org.apache.tomcat.util.net.TestClientCert FAILED
   [junit] Test org.apache.tomcat.util.net.TestCustomSsl FAILED
   [junit] Test org.apache.catalina.valves.rewrite.TestResolverSSL FAILED
   [junit] Test org.apache.tomcat.util.net.TestClientCertTls13 FAILED
   ```
   Before I change all these tests I'd like to confirm that it is worth it.





[GitHub] [tomcat] michael-o commented on pull request #444: Delegate check for preemptive authentication from AuthenticatorBase to affected Authenticators

2021-08-12 Thread GitBox


michael-o commented on pull request #444:
URL: https://github.com/apache/tomcat/pull/444#issuecomment-897500252


   > That's a good point IMHO. Now that the check is in the individual
   > `Authenticator`s it can easily be made more specific. I'm not too familiar with
   > Digest and SPNEGO but I'll try.

   With SPNEGO it is like with Basic: Base64 token.





[GitHub] [tomcat] rrodewald commented on pull request #444: Delegate check for preemptive authentication from AuthenticatorBase to affected Authenticators

2021-08-12 Thread GitBox


rrodewald commented on pull request #444:
URL: https://github.com/apache/tomcat/pull/444#issuecomment-897494990


   That's a good point IMHO. Now that the check is in the individual 
`Authenticator`s it can easily be made more specific. I'm not too familiar with 
Digest and SPNEGO but I'll try.





[GitHub] [tomcat] michael-o commented on pull request #444: Delegate check for preemptive authentication from AuthenticatorBase to affected Authenticators

2021-08-12 Thread GitBox


michael-o commented on pull request #444:
URL: https://github.com/apache/tomcat/pull/444#issuecomment-897492778


   One more nit: I think the check in the header-based authenticators is too 
generic. Shouldn't they check for a value for their auth scheme only? Basic for 
`Basic `, etc.?


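The scheme-specific check suggested in this comment, as an added example that is not part of PR #444 or of Tomcat's code base: a header-based authenticator only treats an Authorization header as a preemptive credential when the auth-scheme is its own and the payload has the shape that scheme defines. The function names (`is_preemptive_auth_possible`, `header_present`), the per-scheme checks and the sample headers are constructed for this example; Tomcat's actual Authenticator classes are not shown.

```python
# Added example, not Tomcat's code. It shows the scheme-specific check the
# review asks for: an Authorization header counts as a preemptive credential
# for a given authenticator only when its auth-scheme matches that
# authenticator and its payload has the right shape. The function names and
# the sample header values are constructed for this example.
#
# RFC 7235 section 2.1:
#   credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
#   auth-scheme is case-insensitive.
# Basic (RFC 7617) and Negotiate/SPNEGO (RFC 4559) carry one base64 token68;
# Digest (RFC 7616) carries a comma-separated list of auth-params.
import base64
import binascii
import re
from typing import Callable, Dict, Optional, Tuple

_TCHAR = r"[A-Za-z0-9!#$%&'*+\-.^_`|~]"
_CREDENTIALS = re.compile(rf"^({_TCHAR}+)(?:[ \t]+(.*))?$", re.S)
_TOKEN68 = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")
_AUTH_PARAM = re.compile(rf'({_TCHAR}+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|({_TCHAR}+))')


def split_credentials(header: str) -> Optional[Tuple[str, str]]:
    """Return (auth-scheme, rest) or None if the header is not well-formed."""
    m = _CREDENTIALS.match(header.strip())
    if m is None:
        return None
    return m.group(1), (m.group(2) or "").strip()


def _base64_payload(rest: str) -> Optional[bytes]:
    if not _TOKEN68.match(rest):
        return None
    try:
        return base64.b64decode(rest, validate=True)
    except binascii.Error:
        return None


def _basic_ok(rest: str) -> bool:
    # RFC 7617: base64 of user-id ":" password; user-id may not contain ":"
    decoded = _base64_payload(rest)
    return decoded is not None and b":" in decoded


def _negotiate_ok(rest: str) -> bool:
    # RFC 4559: base64 of a GSS-API token; its structure belongs to the
    # security context, so only a non-empty, decodable token is required here.
    decoded = _base64_payload(rest)
    return decoded is not None and len(decoded) > 0


def _digest_ok(rest: str) -> bool:
    # RFC 7616 section 3.4: a response must at least carry these parameters.
    # (RFC 7616 also allows "username*" for non-ASCII names; not handled here.)
    names = {m.group(1).lower() for m in _AUTH_PARAM.finditer(rest)}
    return {"username", "realm", "nonce", "uri", "response"} <= names


SCHEME_CHECKS: Dict[str, Callable[[str], bool]] = {
    "basic": _basic_ok,
    "negotiate": _negotiate_ok,
    "digest": _digest_ok,
}


def header_present(authorization: Optional[str]) -> bool:
    """The generic check the review calls too broad: any header at all."""
    return bool(authorization and authorization.strip())


def is_preemptive_auth_possible(authenticator_scheme: str,
                                authorization: Optional[str]) -> bool:
    """Scheme-specific check: only credentials for *this* scheme count."""
    if not header_present(authorization):
        return False
    parsed = split_credentials(authorization)
    if parsed is None:
        return False
    scheme, rest = parsed
    if scheme.lower() != authenticator_scheme.lower():
        return False
    check = SCHEME_CHECKS.get(scheme.lower())
    return check is not None and check(rest)


# Constructed sample headers for the demonstration.
BASIC_HEADER = "Basic " + base64.b64encode(b"alice:s3cret").decode()
NEGOTIATE_HEADER = "Negotiate " + base64.b64encode(b"\x60\x28constructed-gss-token").decode()
DIGEST_HEADER = ('Digest username="alice", realm="example", nonce="dcd98b7102dd2f0e",'
                 ' uri="/dir/index.html", response="6629fae49393a05397450978507c4ef1"')
BEARER_HEADER = "Bearer eyJhbGciOiJub25lIn0.e30."

if __name__ == "__main__":
    for scheme in ("Basic", "Negotiate", "Digest"):
        for hdr in (BASIC_HEADER, NEGOTIATE_HEADER, DIGEST_HEADER, BEARER_HEADER):
            print(f"{scheme:10} {hdr[:24]:26} generic={header_present(hdr)} "
                  f"specific={is_preemptive_auth_possible(scheme, hdr)}")
```

Running the file prints the generic and the scheme-specific verdict side by side: the generic check answers True for every sample header, including the Bearer token no authenticator on the page handles, whereas the specific check is only True when the scheme and payload belong to the authenticator being asked.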



[GitHub] [tomcat] michael-o commented on a change in pull request #444: Delegate check for preemptive authentication from AuthenticatorBase to affected Authenticators

2021-08-12 Thread GitBox


michael-o commented on a change in pull request #444:
URL: https://github.com/apache/tomcat/pull/444#discussion_r687520920



##
File path: java/org/apache/catalina/authenticator/SSLAuthenticator.java
##
@@ -104,7 +104,7 @@ protected String getAuthMethod() {
 }
 
 @Override
-protected boolean isPreemptiveAuthRequest(Request request) {
+protected boolean isPreemptiveAuthPossible(Request request) {
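Review bot: the hunk only renames the override, so the visible lines do not show what SSLAuthenticator now returns from isPreemptiveAuthPossible; since the review agrees that a TLS client sends its Certificate only after the server's CertificateRequest, an override that can still return true keeps "preemptive" certificate authentication alive. Suggest making the body `return false;` or dropping the override entirely, and adjusting the SSL tests listed elsewhere in the thread (TestClientCert, TestClientCertTls13, TestCustomSsl, TestResolverSSL) to match.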

Review comment:
   Exactly, preemptive is forbidden/does not exist. Make it false/remove it.







[GitHub] [tomcat-native] michael-o commented on pull request #9: Simplify Address#getInfo() native implementation

2021-08-12 Thread GitBox


michael-o commented on pull request #9:
URL: https://github.com/apache/tomcat-native/pull/9#issuecomment-897460099


   @mturk Still waiting...





[GitHub] [tomcat] rrodewald commented on a change in pull request #444: Delegate check for preemptive authentication from AuthenticatorBase to affected Authenticators

2021-08-12 Thread GitBox


rrodewald commented on a change in pull request #444:
URL: https://github.com/apache/tomcat/pull/444#discussion_r687513716



##
File path: java/org/apache/catalina/authenticator/SSLAuthenticator.java
##
@@ -104,7 +104,7 @@ protected String getAuthMethod() {
 }
 
 @Override
-protected boolean isPreemptiveAuthRequest(Request request) {
+protected boolean isPreemptiveAuthPossible(Request request) {

Review comment:
   RFC 8466 is relatively clear about client certs sent to the server:
   ```
   4.4.2.  Certificate
   [...]
   
  The client MUST send a Certificate message if and only if the server
  has requested client authentication via a CertificateRequest message
  (Section 4.3.2).
   ```
   So while it may be technically possible to start by sending client 
certificates it is definitely not supported by the spec. I would opt for 
deactivation of this "feature".







[GitHub] [tomcat-jakartaee-migration] abdulmuqsith commented on issue #23: Vulnerability with Apache Commons Compress v1.20

2021-08-12 Thread GitBox


abdulmuqsith commented on issue #23:
URL: https://github.com/apache/tomcat-jakartaee-migration/issues/23#issuecomment-897404156


   Thank you





[GitHub] [tomcat-jakartaee-migration] markt-asf commented on issue #23: Vulnerability with Apache Commons Compress v1.20

2021-08-12 Thread GitBox


markt-asf commented on issue #23:
URL: https://github.com/apache/tomcat-jakartaee-migration/issues/23#issuecomment-897403716


   No plans to update.
   Automated scanning tools (including those that look at dependencies without 
considering the context in which it is used) generate a large number of false 
positive vulnerability reports. The default position of the ASF is to reject 
all such reports unless accompanied by an explanation, PoC or similar that 
demonstrates a genuinely exploitable issue.
   We usually (but not always) look at dependencies and update them as part of 
release preparation.
   There are currently no plans for the next release.





[GitHub] [tomcat-jakartaee-migration] markt-asf closed issue #23: Vulnerability with Apache Commons Compress v1.20

2021-08-12 Thread GitBox


markt-asf closed issue #23:
URL: https://github.com/apache/tomcat-jakartaee-migration/issues/23


   

