[tomcat] branch 8.5.x updated: Code clean-up. No functional change.

2023-06-19 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/8.5.x by this push:
 new 85c4f5f5e3 Code clean-up. No functional change.
85c4f5f5e3 is described below

commit 85c4f5f5e3d1fb14eb2f3ba6740ec38f2e6aa88d
Author: Mark Thomas 
AuthorDate: Mon Jun 19 18:43:30 2023 +0100

Code clean-up. No functional change.

Align with 9.0.x/10.1.x/11.0.x
---
 .../catalina/core/ApplicationContextFacade.java|  1 -
 .../catalina/core/ApplicationHttpRequest.java  | 21 +
 java/org/apache/catalina/core/ContainerBase.java   | 14 +++---
 .../core/JreMemoryLeakPreventionListener.java  |  2 +
 .../apache/catalina/core/LocalStrings.properties   |  9 
 .../catalina/core/LocalStrings_fr.properties   |  9 
 .../catalina/core/LocalStrings_ja.properties   |  9 
 .../catalina/core/LocalStrings_ko.properties   |  9 
 java/org/apache/catalina/core/StandardContext.java | 50 +++---
 java/org/apache/catalina/core/StandardEngine.java  |  6 +--
 java/org/apache/catalina/core/StandardServer.java  | 13 +++---
 java/org/apache/catalina/core/StandardWrapper.java |  1 -
 12 files changed, 67 insertions(+), 77 deletions(-)

diff --git a/java/org/apache/catalina/core/ApplicationContextFacade.java 
b/java/org/apache/catalina/core/ApplicationContextFacade.java
index cde889a013..aa28ddac97 100644
--- a/java/org/apache/catalina/core/ApplicationContextFacade.java
+++ b/java/org/apache/catalina/core/ApplicationContextFacade.java
@@ -71,7 +71,6 @@ public class ApplicationContextFacade implements 
ServletContext {
 
 // --- Constructors
 
-
 /**
  * Construct a new instance of this class, associated with the specified 
Context instance.
  *
diff --git a/java/org/apache/catalina/core/ApplicationHttpRequest.java 
b/java/org/apache/catalina/core/ApplicationHttpRequest.java
index 20c0bd74b9..c7f61d816b 100644
--- a/java/org/apache/catalina/core/ApplicationHttpRequest.java
+++ b/java/org/apache/catalina/core/ApplicationHttpRequest.java
@@ -43,6 +43,7 @@ import org.apache.catalina.Manager;
 import org.apache.catalina.Session;
 import org.apache.catalina.connector.RequestFacade;
 import org.apache.catalina.util.ParameterMap;
+import org.apache.catalina.util.RequestUtil;
 import org.apache.catalina.util.URLEncoder;
 import org.apache.tomcat.util.buf.B2CConverter;
 import org.apache.tomcat.util.buf.MessageBytes;
@@ -469,25 +470,7 @@ class ApplicationHttpRequest extends 
HttpServletRequestWrapper {
  */
 @Override
 public StringBuffer getRequestURL() {
-
-StringBuffer url = new StringBuffer();
-String scheme = getScheme();
-int port = getServerPort();
-if (port < 0) {
-port = 80; // Work around java.net.URL bug
-}
-
-url.append(scheme);
-url.append("://");
-url.append(getServerName());
-if ((scheme.equals("http") && (port != 80)) || (scheme.equals("https") 
&& (port != 443))) {
-url.append(':');
-url.append(port);
-}
-url.append(getRequestURI());
-
-return (url);
-
+return RequestUtil.getRequestURL(this);
 }
 
 
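Review bot: the one-line body `return RequestUtil.getRequestURL(this);` in `getRequestURL()` cannot be checked for equivalence from this diff, yet the commit is labelled "No functional change". The removed code defaulted a negative port to 80 and left the port out only for http on 80 and https on 443. Please confirm that `RequestUtil.getRequestURL` keeps both behaviours when it is handed this wrapper, and add a test for a negative `getServerPort()` and for a non-default port.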
diff --git a/java/org/apache/catalina/core/ContainerBase.java 
b/java/org/apache/catalina/core/ContainerBase.java
index da690e37cd..610baf054c 100644
--- a/java/org/apache/catalina/core/ContainerBase.java
+++ b/java/org/apache/catalina/core/ContainerBase.java
@@ -148,7 +148,6 @@ public abstract class ContainerBase extends 
LifecycleMBeanBase implements Contai
 
 // - Instance Variables
 
-
 /**
  * The child Containers belonging to this Container, keyed by name.
  */
@@ -430,7 +429,7 @@ public abstract class ContainerBase extends 
LifecycleMBeanBase implements Contai
 this.cluster = cluster;
 
 // Stop the old component if necessary
-if (getState().isAvailable() && (oldCluster != null) && 
(oldCluster instanceof Lifecycle)) {
+if (getState().isAvailable() && (oldCluster instanceof Lifecycle)) 
{
 try {
 ((Lifecycle) oldCluster).stop();
 } catch (LifecycleException e) {
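Review bot: in the `oldCluster` condition, the removed `(oldCluster != null)` was redundant because `instanceof` is false for null, so the `((Lifecycle) oldCluster).stop()` cast stays guarded. The parentheses left around `(oldCluster instanceof Lifecycle)` are now unnecessary as well and could be dropped in the same clean-up; the same applies to the `cluster` condition in the next hunk.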
@@ -443,7 +442,7 @@ public abstract class ContainerBase extends 
LifecycleMBeanBase implements Contai
 cluster.setContainer(this);
 }
 
-if (getState().isAvailable() && (cluster != null) && (cluster 
instanceof Lifecycle)) {
+if (getState().isAvailable() && (cluster instanceof Lifecycle)) {
 try {
 ((Lifecycle) cluster).start();
 } catch (LifecycleException e) {
@@ -633,7 +632,7 @@ public abstract class ContainerBase extends 
LifecycleMBeanBase implements Contai
 

[Bug 66658] New: Reference GitHub Actions and Docker Images by SHA

2023-06-19 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=66658

Bug ID: 66658
   Summary: Reference GitHub Actions and Docker Images by SHA
   Product: Tomcat 11
   Version: unspecified
  Hardware: All
OS: All
Status: NEW
  Severity: enhancement
  Priority: P2
 Component: Packaging
  Assignee: dev@tomcat.apache.org
  Reporter: diogote...@google.com
  Target Milestone: ---

Hi!

I'm Diogo and I work on Google's Open Source Security
Team ([GOSST](https://github.com/diogoteles08#about-gosst-ghost)) in cooperation
with the Open Source Security Foundation ([OpenSSF](https://openssf.org/)). My
core job is to suggest and implement security changes on widely used open
source projects.

I'm here to ask if you are interested in a PR to hash pin the Actions you call
in your GitHub Workflows, and the docker images you use on your docker files.
This is the only way to guarantee that you're using an immutable version of the
code, which might protect you from tags being moved to malicious or buggy
commits. 

The changes would be similar to those:

For the docker files, `From busybox:glibc` would become `From
busybox:glibc@sha256:2a6835efa6f7ba15d30e1118e72e9ba180e4ae8253bfe80e97628df85f3aad8f`

For the GitHub Actions, `- uses: actions/setup-java@v3` would become
`- uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 # v3.11.0`

It would make it a bit more difficult to manually update the versions, but
Dependabot is able to do it automatically -- and it also makes sure to keep the
human-readable version as a comment. Do you already have Dependabot enabled?
I've found this [dependabot PR](https://github.com/apache/tomcat/pull/603), but
haven't found the dependabot.yml file, so I couldn't tell.

Both changes are recommended by security tools like
[Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies).
The GitHub Actions change is also recommended by [GitHub
itself](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions),
and you can read about a practical impact of the Docker image change on this
[blogpost](https://rockbag.medium.com/why-you-should-pin-your-docker-images-with-sha-instead-of-tags-fd132443b8a6).
 

Thanks!

-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
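
A small audit for the pinning proposed in the bug report above, as an added example that is not part of the original message or of Tomcat's tooling: it lists `uses:` references that are not a full 40-character commit SHA and `FROM` images that carry no `sha256` digest. The function names and the sample workflow and Dockerfile are constructed for illustration; the two pinned values are the ones quoted in the report.

```python
import re

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*(?P<ref>[^\s#]+)")
FROM_RE = re.compile(r"^\s*FROM\s+(?:--\S+\s+)*(?P<ref>\S+)", re.IGNORECASE)
AS_RE = re.compile(r"\s+AS\s+(?P<name>\S+)\s*$", re.IGNORECASE)
COMMIT_RE = re.compile(r"@[0-9a-f]{40}$")          # full commit SHA
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")   # image content digest

# Constructed samples; the pinned values are the two quoted in the report.
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@v3
  - uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 # v3.11.0
  - uses: ./.github/actions/local-step
"""
SAMPLE_DOCKERFILE = """\
FROM busybox:glibc AS build
FROM busybox:glibc@sha256:2a6835efa6f7ba15d30e1118e72e9ba180e4ae8253bfe80e97628df85f3aad8f AS runtime
FROM build
"""

def _matches(text, pattern):
    for no, line in enumerate(text.splitlines(), 1):
        m = pattern.match(line)
        if m:
            yield no, line, m.group("ref").strip("'\"")

def unpinned_actions(workflow_text):
    """Return (line_no, ref) for each `uses:` that a moved tag could change."""
    findings = []
    for no, _, ref in _matches(workflow_text, USES_RE):
        if ref.startswith("./"):  # local action, versioned with the repo itself
            continue
        wanted = DIGEST_RE if ref.startswith("docker://") else COMMIT_RE
        if not wanted.search(ref):
            findings.append((no, ref))
    return findings

def unpinned_images(dockerfile_text):
    """Return (line_no, image) for each FROM that has no sha256 digest."""
    findings, stages = [], set()
    for no, line, ref in _matches(dockerfile_text, FROM_RE):
        # `scratch` and earlier build stages are not pulled from a registry
        if ref != "scratch" and ref.lower() not in stages and not DIGEST_RE.search(ref):
            findings.append((no, ref))
        alias = AS_RE.search(line)
        if alias:
            stages.add(alias.group("name").lower())
    return findings
```

The line-based matching does not parse YAML, so a `uses:` key inside a multi-line string would also be reported.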



[GitHub] [tomcat] markt-asf commented on pull request #628: Change style

2023-06-19 Thread via GitHub


markt-asf commented on PR #628:
URL: https://github.com/apache/tomcat/pull/628#issuecomment-1597337218

   Please provide an updated screenshot showing the results of all your changes 
as there have been additional changes since the PR was opened.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org





Re: Tomcat 11, Java 21 and Windows 32-bit support

2023-06-19 Thread Emmanuel Bourg

On 16/06/2023 21:42, Mark Thomas wrote:

There are lots of interesting things about those numbers but in terms of 
32-bit Windows support there still looks to be a demand for it all the 
way up to Tomcat 10. If we were to drop it for one we might as well drop 
it for all but I think there is enough demand to keep producing the 
32-bit binaries for now.


We don't know if there is a real demand for 32-bit binaries or if this 
simply reflects random clicks on the download page. The 32-bit zip is 
listed before the 64-bit one, this might inflate the numbers.


Running Tomcat on Windows with less than 4GB RAM doesn't make much sense 
nowadays in my opinion. If someone really has a memory constrained 
server he would run Linux and not Windows.


I'm +1 for releasing Tomcat 11 with 64-bit binaries only, but I wouldn't 
wait until 2025 to drop the 32-bit distribution for the previous 
releases. If nobody complains about the lack of 32-bit support in Tomcat 
11 by the end of 2023, I would suggest dropping the 32-bit binary 
distribution for Tomcat 10 as well.


Emmanuel Bourg




Re: [tomcat-native] branch main updated: native: Fix the build with rlibtool

2023-06-19 Thread Mark Thomas

On 18/06/2023 13:45, Rainer Jung wrote:

On 06.06.23 at 12:57, Mark Thomas wrote:

On 05/06/2023 21:20, Rainer Jung wrote:
Something is wrong with our regeneration of configure in the release 
process, at least for the 2.x branch (main). The configure script 
contains "LT_INIT" verbatim instead of LT_INIT being replaced by its 
script implementation. I can't actually say what is wrong :(


If I run "autoreconf --force --install" on my system LT_INIT gets 
resolved but configure also gets much bigger (more than double the size).


Let me know if you have no good idea and I should investigate deeper.


Sorry, no idea here. I tested the PR to the extent I checked I could 
still build with the PR applied but went no deeper. Linux build 
systems are mostly a mystery to me.


I hope I fixed it today without breaking other stuff. I tested with 
generating a release tarball from the main branch and the tarball deltas 
to 2.0.4 looked reasonable. Also the Makefile generated by configure 
looks consistent. As always things might vary a bit depending on the 
system used for releases.


Builds look OK to me here.

Thanks.

Mark




Best regards,

Rainer


On 31.10.22 at 21:02, ma...@apache.org wrote:

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat-native.git


The following commit(s) were added to refs/heads/main by this push:
  new 54dccd3a4 native: Fix the build with rlibtool
  new 4f7fb7f44 Merge pull request #14 from orbea/slibtool
54dccd3a4 is described below

commit 54dccd3a4dc01801d9311b3160808305ec9fc2cf
Author: orbea 
AuthorDate: Thu Jul 21 17:59:14 2022 -0700

 native: Fix the build with rlibtool
 When building tomcat-native with slibtool using the rlibtool symlink the
 build will fail. This is because rlibtool requires the generated libtool
 script to determine if the build is shared, static or both.
 Gentoo bug: https://bugs.gentoo.org/778914
---
  native/configure.in | 3 +++
  1 file changed, 3 insertions(+)

diff --git a/native/configure.in b/native/configure.in
index 567894b10..e082ae6d2 100644
--- a/native/configure.in
+++ b/native/configure.in
@@ -50,6 +50,9 @@ AC_SUBST(TCN_CONFIG_LOCATION)
  AC_CANONICAL_TARGET
  AC_PROG_INSTALL
+dnl Generate the libtool script which is needed for rlibtool
+LT_INIT
+
  dnl
  dnl compute the top directory of the build
  dnl note: this is needed for LIBTOOL and exporting the bundled Expat
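Review bot: `LT_INIT` is added after `AC_PROG_INSTALL` with no guard for the case where libtool's m4 macros are not visible when `configure` is regenerated, so the name can pass through unexpanded; the thread above reports exactly that, with `configure` containing "LT_INIT" verbatim. Consider putting `m4_pattern_forbid([^LT_INIT$])` ahead of the call so that autoconf fails instead of emitting a broken script, and recording `autoreconf --force --install`, which resolved the macro in the report above, as the regeneration step for releases.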




