Re: Time for 8.0.4
On 17/03/2014 15:08, Mark Thomas wrote:
> On 17/03/2014 14:42, Konstantin Kolinko wrote:
>> 2014-03-17 16:19 GMT+04:00 Mark Thomas ma...@apache.org:
>>> Hi,
>>>
>>> It has been a while since 8.0.3 and the change log is looking rather long. I've a few things left I want to look at but I expect to be in a position to tag 8.0.4 late today / early tomorrow.
>>
>> There is https://issues.apache.org/bugzilla/show_bug.cgi?id=56265
>> Unexpected escaping in the values of dynamic tag attributes containing EL expressions
>>
>> Regarding my v1 patch attached there, I think there is more to it.
>>
>> That is: in the method changed by that patch, I think the 'false' branch of if (el.containsEL()) { needs to have the same xmlEscaping processing as the 'true' branch does for if (n instanceof Node.UninterpretedTag n.getRoot().isXmlSyntax()) nodes.
>>
>> As of now attributes of uninterpreted XML tags that are plain text without EL expressions are either escaped elsewhere (I have not found where, but that would split the escaping logic between two places in the code), or not at all.
>>
>> Looking at Generator.java L1806 ( Generator$GenerateVisitor.visit(Node.UninterpretedTag n) ), it does escape double quotes there, but nothing else.
>>
>> I'll work on test cases.
>
> I'll add this to my things to look at before I tag 8.0.4.

This has been fixed with Konstantin's patch. I'm currently running the unit tests on Windows, Linux and OSX. I plan to tag 8.0.4 once those tests all pass.

Mark

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: Time for 8.0.4
Konstantin,

On 3/18/14, 4:11 PM, Konstantin Kolinko wrote:
> 2014-03-18 23:46 GMT+04:00 Christopher Schultz ch...@christopherschultz.net:
>> Mark,
>>
>> On 3/17/14, 8:19 AM, Mark Thomas wrote:
>>> It has been a while since 8.0.3 and the change log is looking rather long. I've a few things left I want to look at but I expect to be in a position to tag 8.0.4 late today / early tomorrow.
>>
>> Any objections to adding the fix for https://issues.apache.org/bugzilla/show_bug.cgi?id=56027, now that there has been a tcnative release?
>>
>> I needed a tcnative release to include some support code to allow the APR listener to allow FIPS mode when OpenSSL had already been initialized in FIPS mode before the APR listener tries to enter it. (Wow, that sentence is awful. Read the bug for a long-winded explanation).
>
> According to tc-native changelog, the new function you are calling there will be in 1.1.30. The recent release was of mod_jk, not of tc-native.

As soon as I realized my mistake re: mod_jk vs tcnative, I tried to post a recant. For some reason, it was either not sent or not received. Weird. Anyway, apologies for the confusion. I *am* aware that no tcnative version has shipped, and therefore this patch is not yet appropriate.

> (BTW, no announcement article on tomcat.a.o).
>
> Thus '-1'.

-1 for what specifically?

> Regarding the patch:
>
> 1) Why in the on case you are calling SSL.fipsModeGet()? If you hadn't done that, I think it would work with older library versions.

The idea is to avoid attempting to enter FIPS mode if the library is already in FIPS mode. I didn't know this was possible, but evidently the whole OS can be put into FIPS mode such that any time OpenSSL is loaded into a running program, it's already in FIPS mode. Attempting to enter FIPS mode when already in FIPS mode causes an error which, if you can't call FIPS_mode() (get), is indistinguishable from failing to enable FIPS mode.

Thus, I've added a few options regarding what to do given the current state of FIPS mode versus what the user intends. Please see comment #3 from the bug to see what the general intent is.

> 2) In documentation part: update required version of tc-native in description of this feature.

I will add that, but not until I know what version will be required. It will most likely be 1.1.30 but it may be i.e. 1.1.31 if 1.1.30 never ships.

> 3) Update recommended/required versions in APRLifecycleListener?

Ditto.

> 4) Code style: position of opening '{'.

Ok.

Thanks,
-chris
Re: Time for 8.0.4
Mark,

On 3/17/14, 8:19 AM, Mark Thomas wrote:
> It has been a while since 8.0.3 and the change log is looking rather long. I've a few things left I want to look at but I expect to be in a position to tag 8.0.4 late today / early tomorrow.

Any objections to adding the fix for https://issues.apache.org/bugzilla/show_bug.cgi?id=56027, now that there has been a tcnative release?

I needed a tcnative release to include some support code to allow the APR listener to allow FIPS mode when OpenSSL had already been initialized in FIPS mode before the APR listener tries to enter it. (Wow, that sentence is awful. Read the bug for a long-winded explanation).

Thanks,
-chris
RE: Time for 8.0.4
TCN was updated? I still see 1.1.29 (15 October 2013) on the tomcat.apache.org links (both docs and download).

Or am I missing something (likely).

-Rob

From: Christopher Schultz [ch...@christopherschultz.net]
Sent: Tuesday, March 18, 2014 3:46 PM
To: Tomcat Developers List
Subject: Re: Time for 8.0.4

Mark,

On 3/17/14, 8:19 AM, Mark Thomas wrote:
> It has been a while since 8.0.3 and the change log is looking rather long. I've a few things left I want to look at but I expect to be in a position to tag 8.0.4 late today / early tomorrow.

Any objections to adding the fix for https://issues.apache.org/bugzilla/show_bug.cgi?id=56027, now that there has been a tcnative release?

I needed a tcnative release to include some support code to allow the APR listener to allow FIPS mode when OpenSSL had already been initialized in FIPS mode before the APR listener tries to enter it. (Wow, that sentence is awful. Read the bug for a long-winded explanation).

Thanks,
-chris
Re: Time for 8.0.4
On 18/03/2014 19:46, Christopher Schultz wrote:
> Mark,
>
> On 3/17/14, 8:19 AM, Mark Thomas wrote:
>> It has been a while since 8.0.3 and the change log is looking rather long. I've a few things left I want to look at but I expect to be in a position to tag 8.0.4 late today / early tomorrow.
>
> Any objections to adding the fix for https://issues.apache.org/bugzilla/show_bug.cgi?id=56027, now that there has been a tcnative release?

There hasn't. There was a mod_jk release.

Mark
Re: Time for 8.0.4
2014-03-18 23:46 GMT+04:00 Christopher Schultz ch...@christopherschultz.net:
> Mark,
>
> On 3/17/14, 8:19 AM, Mark Thomas wrote:
>> It has been a while since 8.0.3 and the change log is looking rather long. I've a few things left I want to look at but I expect to be in a position to tag 8.0.4 late today / early tomorrow.
>
> Any objections to adding the fix for https://issues.apache.org/bugzilla/show_bug.cgi?id=56027, now that there has been a tcnative release?
>
> I needed a tcnative release to include some support code to allow the APR listener to allow FIPS mode when OpenSSL had already been initialized in FIPS mode before the APR listener tries to enter it. (Wow, that sentence is awful. Read the bug for a long-winded explanation).

According to tc-native changelog, the new function you are calling there will be in 1.1.30. The recent release was of mod_jk, not of tc-native. (BTW, no announcement article on tomcat.a.o).

Thus '-1'.

Regarding the patch:

1) Why in the on case you are calling SSL.fipsModeGet()? If you hadn't done that, I think it would work with older library versions.

2) In documentation part: update required version of tc-native in description of this feature.

3) Update recommended/required versions in APRLifecycleListener?

4) Code style: position of opening '{'.

Best regards,
Konstantin Kolinko
RE: Time for 8.0.4
Konstantin,

Don't want to be putting words in Chris's mouth, but when I filed 56027 I did some poking around in the underlying OpenSSL code (at least on my RHEL6 box). Calling the OpenSSL FIPS_mode_set() method twice causes an error. I'd proposed exposing an additional routine to check the current status and quietly skip calling FIPS_mode_set() if we were already in FIPS mode.

-Rob

From: Konstantin Kolinko [knst.koli...@gmail.com]
Sent: Tuesday, March 18, 2014 4:11 PM
To: Tomcat Developers List
Subject: Re: Time for 8.0.4

2014-03-18 23:46 GMT+04:00 Christopher Schultz ch...@christopherschultz.net:
> Mark,
>
> On 3/17/14, 8:19 AM, Mark Thomas wrote:
>> It has been a while since 8.0.3 and the change log is looking rather long. I've a few things left I want to look at but I expect to be in a position to tag 8.0.4 late today / early tomorrow.
>
> Any objections to adding the fix for https://issues.apache.org/bugzilla/show_bug.cgi?id=56027, now that there has been a tcnative release?
>
> I needed a tcnative release to include some support code to allow the APR listener to allow FIPS mode when OpenSSL had already been initialized in FIPS mode before the APR listener tries to enter it. (Wow, that sentence is awful. Read the bug for a long-winded explanation).

According to tc-native changelog, the new function you are calling there will be in 1.1.30. The recent release was of mod_jk, not of tc-native. (BTW, no announcement article on tomcat.a.o).

Thus '-1'.

Regarding the patch:

1) Why in the on case you are calling SSL.fipsModeGet()? If you hadn't done that, I think it would work with older library versions.

2) In documentation part: update required version of tc-native in description of this feature.

3) Update recommended/required versions in APRLifecycleListener?

4) Code style: position of opening '{'.

Best regards,
Konstantin Kolinko
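The check-before-set behaviour discussed in the messages above (the proposal to query the current status first, and the point that a failed set call is otherwise ambiguous), as an added Java example that is not the Tomcat patch or tc-native code. `FipsLibrary`, `SimulatedOpenSsl`, `Outcome` and the `enterFips*` methods are hypothetical names, and the simulated library models only the behaviour described in the thread: a request to enter FIPS mode fails when the library is already in it.

```java
public class FipsModeCheck {
    /** Hypothetical stand-in for the native calls (not the tc-native API). */
    interface FipsLibrary {
        int fipsModeGet();                            // models FIPS_mode(): 0 = off
        void fipsModeSet(int mode) throws Exception;  // models FIPS_mode_set()
    }

    /** Simulated library, modelling only the behaviour described in the thread. */
    static class SimulatedOpenSsl implements FipsLibrary {
        private int mode;
        private final boolean fipsCapable;
        SimulatedOpenSsl(int initialMode, boolean fipsCapable) {
            this.mode = initialMode;
            this.fipsCapable = fipsCapable;
        }
        public int fipsModeGet() { return mode; }
        public void fipsModeSet(int requested) throws Exception {
            // Same generic error for both causes: the caller cannot tell them apart.
            if (!fipsCapable || (requested != 0 && mode != 0)) {
                throw new Exception("FIPS_mode_set failed");
            }
            mode = requested;
        }
    }

    enum Outcome { ENTERED, ALREADY_ENABLED, FAILED }

    /** No getter available: "already on" and "cannot enable" both end up as FAILED. */
    static Outcome enterFipsBlind(FipsLibrary lib) {
        try {
            lib.fipsModeSet(1);
            return Outcome.ENTERED;
        } catch (Exception e) {
            return Outcome.FAILED;
        }
    }

    /** Getter available: quietly skip the set call when FIPS mode is already on. */
    static Outcome enterFipsChecked(FipsLibrary lib) {
        return lib.fipsModeGet() != 0 ? Outcome.ALREADY_ENABLED : enterFipsBlind(lib);
    }

    public static void main(String[] args) {
        // Constructed scenarios: OS-wide FIPS already on, normal start, non-FIPS build.
        int[] initialMode = {1, 0, 0};
        boolean[] capable = {true, true, false};
        for (int i = 0; i < initialMode.length; i++) {
            Outcome blind = enterFipsBlind(new SimulatedOpenSsl(initialMode[i], capable[i]));
            Outcome checked = enterFipsChecked(new SimulatedOpenSsl(initialMode[i], capable[i]));
            System.out.println("mode=" + initialMode[i] + " capable=" + capable[i]
                    + " blind=" + blind + " checked=" + checked);
        }
    }
}
```

The first scenario is the one the bug report concerns: without the getter, a host that is already in FIPS mode is reported the same way as a build that cannot enable it.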
Time for 8.0.4
Hi,

It has been a while since 8.0.3 and the change log is looking rather long. I've a few things left I want to look at but I expect to be in a position to tag 8.0.4 late today / early tomorrow.

Mark
Re: Time for 8.0.4
2014-03-17 16:19 GMT+04:00 Mark Thomas ma...@apache.org:
> Hi,
>
> It has been a while since 8.0.3 and the change log is looking rather long. I've a few things left I want to look at but I expect to be in a position to tag 8.0.4 late today / early tomorrow.

There is https://issues.apache.org/bugzilla/show_bug.cgi?id=56265
Unexpected escaping in the values of dynamic tag attributes containing EL expressions

Regarding my v1 patch attached there, I think there is more to it.

That is: in the method changed by that patch, I think the 'false' branch of if (el.containsEL()) { needs to have the same xmlEscaping processing as the 'true' branch does for if (n instanceof Node.UninterpretedTag n.getRoot().isXmlSyntax()) nodes.

As of now attributes of uninterpreted XML tags that are plain text without EL expressions are either escaped elsewhere (I have not found where, but that would split the escaping logic between two places in the code), or not at all.

Looking at Generator.java L1806 ( Generator$GenerateVisitor.visit(Node.UninterpretedTag n) ), it does escape double quotes there, but nothing else.

I'll work on test cases.

Best regards,
Konstantin Kolinko
Re: Time for 8.0.4
On 17/03/2014 14:42, Konstantin Kolinko wrote:
> 2014-03-17 16:19 GMT+04:00 Mark Thomas ma...@apache.org:
>> Hi,
>>
>> It has been a while since 8.0.3 and the change log is looking rather long. I've a few things left I want to look at but I expect to be in a position to tag 8.0.4 late today / early tomorrow.
>
> There is https://issues.apache.org/bugzilla/show_bug.cgi?id=56265
> Unexpected escaping in the values of dynamic tag attributes containing EL expressions
>
> Regarding my v1 patch attached there, I think there is more to it.
>
> That is: in the method changed by that patch, I think the 'false' branch of if (el.containsEL()) { needs to have the same xmlEscaping processing as the 'true' branch does for if (n instanceof Node.UninterpretedTag n.getRoot().isXmlSyntax()) nodes.
>
> As of now attributes of uninterpreted XML tags that are plain text without EL expressions are either escaped elsewhere (I have not found where, but that would split the escaping logic between two places in the code), or not at all.
>
> Looking at Generator.java L1806 ( Generator$GenerateVisitor.visit(Node.UninterpretedTag n) ), it does escape double quotes there, but nothing else.
>
> I'll work on test cases.

I'll add this to my things to look at before I tag 8.0.4.

Mark