Re: Movie

2004-04-28 Thread Reshat Sabiq




My understanding was that this is more applicable to senders' ISPs,
rather than the receiving side. The best other option i could think of
is using signatures, like Thawte's, however, this only appears to be a
viable option on a voluntary basis (i.e., a subscriber could say, don't
accept emails from me unless signed with ...). Many people might not
like the idea of this being required.

My 2 cents...

David Rees wrote:

  Remy Maucherat wrote:
  
  
I'm going to unsubscribe Gal from tomcat-dev for now, since a lot of
spam is coming through this old email.
Subscribe again if you'd like to be on the list (but with a slightly
different email so we don't get the spam ;) ).

(Apache really needs to add competent spam filtering ...)

  
  
Getting mail servers to start using something like SPF
(http://spf.pobox.com/) would go a long ways to keeping all these forged
emails with viruses from being spread around.  Seems like large mailing
lists would be a great candidate for running SPF checks on incoming email.

-Dave

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

  





smime.p7s
Description: S/MIME Cryptographic Signature


Re: Spam vulnerability at apache

2004-04-13 Thread Reshat Sabiq
I'm glad to hear that this doesn't involve DNS issues.
From this discussion, do i understand correctly that the following 2 
addresses should be blocked?
1) [EMAIL PROTECTED]
2) [EMAIL PROTECTED]

If yes, it would be nice to somehow make this stuff systematic, so that 
the regular lists don't have to be involved. Would it be correct to just 
forward these incidents to moderators quietly?

P.S. I hope not to receive anything this time. :)
P.P.S. And yes, i should consider having special accounts for risky 
usage, if there is at all any hope to keep a low-profile email account 
these days. :)

Thanks,
rsa/
Paul Speed wrote:

I think this is a combination of a misconfigured mail server at
one800.net and a bad e-mail address subscribed to the list.  The mail
server is badly configured because it replied to sender instead of the
reply-to address.  If it had replied to the reply-to address you would
never have seen it and the mailing list software would likely have
disabled the address.
It's probably also a recent thing.
-Paul
Reshat Sabiq wrote:

I'm sorry to report that sending the message below, caused the 
following to show up in my mail box. There is definitely something 
fishy with the apache mail servers. This does not happen when i send 
an email to a non-apache address. Please, let's fix this:

Your Mail has been bounced from the OutPost/1.800eMail Server
Because [EMAIL PROTECTED] is not a valid username
Original message, less any attachments, follows:


...
Reshat Sabiq wrote:

Hi,

I extremely apologize for this message, but i think this needs to be 
figured out. I just yesterday registered my new email address with 
tomcat-dev, and i received the spam below almost immediately 
thereafter. Only a few people are aware of this email address, so 
the origin of spam info 99% appears to be tomcat-dev registration. 
Is there any chance that DNS gets resolved to one of several IPs, 
one of which collects these emails and uses them for spam (or 
perhaps is infected with a virus)? I would look for any IPs based in 
russia as the prime suspects, because this email contains russian 
text and appears to be originated there.

What's worse is that 25 minutes after this spam, i received another 
one of similar content. Please help save me and others from this 
plague of the Internet.
I entrusted apache.org with this address, and hope we can keep it 
between us.

P.S. If there are other people who received similar emails, please 
let me, the admins, or the list know. If you let only me know, i 
will accumulate the number of people affected and forward this to an 
admin.
P.P.S. I see that emails are protected in the archives publicly 
published, and i think this issue is in the same category.

Thanks,
rsa/
[EMAIL PROTECTED] wrote:

russian(win-1251):


english:

Greetings,

This message has been automatically generated in response to your message
regarding Photo document, the content of which appears below.  There
is no need to reply to it now. Support has received your message and it has
been assigned a ticket ID of [TID#4977]. Please include the string:

 [TID#4977]

in the subject line of all future correspondence about this problem.
To do so, you may reply to this message.

WBR,
Support Team
Hosting Operator M-10 http://www.m-10.ru
Original Message-

Please, photo document.
Yours sincerely
+++ X-Attachment-Type: document
+++ X-Attachment-Status: no virus found
+++ Powered by the new F-Secure OnlineAntiVirus
+++ Visit us: www.f-secure.com


-Headers Follow--
Received: from [EMAIL PROTECTED]
 by office.m-10.ru (CommuniGate Pro GROUP 4.1.8)
 with GROUP id 1745058; Mon, 12 Apr 2004 17:13:05 +0400
Received: from [62.5.188.222] (HELO office.m-10.ru)
 by office.m-10.ru (CommuniGate Pro SMTP 4.1.8)
 with ESMTP id 1745042 for [EMAIL PROTECTED]; Mon, 12 Apr 2004 17:12:58 +0400
X-Antivirus: Checked by Dr.Web (http://www.drweb.net)
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Photo document
Date: Mon, 12 Apr 2004 17:11:48 +0400
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary==_NextPart_000_0016=_NextPart_000_0016
X-Priority: 3
X-Msmail-Priority: Normal
Message-Id: [EMAIL PROTECTED]

 




Spam vulnerability at apache (was: Re: Photo document [TID#4977])

2004-04-12 Thread Reshat Sabiq
Hi,

I extremely apologize for this message, but i think this needs to be 
figured out. I just yesterday registered my new email address with 
tomcat-dev, and i received the spam below almost immediately thereafter. 
Only a few people are aware of this email address, so the origin of spam 
info 99% appears to be tomcat-dev registration. Is there any chance that 
DNS gets resolved to one of several IPs, one of which collects these 
emails and uses them for spam (or perhaps is infected with a virus)? I 
would look for any IPs based in russia as the prime suspects, because 
this email contains russian text and appears to be originated there.

What's worse is that 25 minutes after this spam, i received another one 
of similar content. Please help save me and others from this plague of 
the Internet.
I entrusted apache.org with this address, and hope we can keep it 
between us.

P.S. If there are other people who received similar emails, please let 
me, the admins, or the list know. If you let only me know, i will 
accumulate the number of people affected and forward this to an admin.
P.P.S. I see that emails are protected in the archives publicly 
published, and i think this issue is in the same category.

Thanks,
rsa/
[EMAIL PROTECTED] wrote:

russian(win-1251):


english:
Greetings,

This message has been automatically generated in response to your message
regarding Photo document, the content of which appears below.  There
is no need to reply to it now. Support has received your message and it has
been assigned a ticket ID of [TID#4977]. Please include the string:
 [TID#4977]

in the subject line of all future correspondence about this problem. 
To do so, you may reply to this message.

WBR,
Support Team
Hosting Operator M-10 
http://www.m-10.ru
Original Message-

Please, photo document.
Yours sincerely
+++ X-Attachment-Type: document
+++ X-Attachment-Status: no virus found
+++ Powered by the new F-Secure OnlineAntiVirus
+++ Visit us: www.f-secure.com


-Headers Follow--
Received: from [EMAIL PROTECTED]
 by office.m-10.ru (CommuniGate Pro GROUP 4.1.8)
 with GROUP id 1745058; Mon, 12 Apr 2004 17:13:05 +0400
Received: from [62.5.188.222] (HELO office.m-10.ru)
 by office.m-10.ru (CommuniGate Pro SMTP 4.1.8)
 with ESMTP id 1745042 for [EMAIL PROTECTED]; Mon, 12 Apr 2004 17:12:58 +0400
X-Antivirus: Checked by Dr.Web (http://www.drweb.net)
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Photo document
Date: Mon, 12 Apr 2004 17:11:48 +0400
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary==_NextPart_000_0016=_NextPart_000_0016
X-Priority: 3
X-Msmail-Priority: Normal
Message-Id: [EMAIL PROTECTED]
 



smime.p7s
Description: S/MIME Cryptographic Signature


Re: Spam vulnerability at apache

2004-04-12 Thread Reshat Sabiq




I'm sorry to report that sending the message below, caused the
following to show up in my mail box. There is definitely something
fishy with the apache mail servers. This does not happen when i send an
email to a non-apache address. Please, let's fix this:

Your Mail has been bounced from the OutPost/1.800eMail Server
Because "[EMAIL PROTECTED]" is not a valid username


Original message, less any attachments, follows:
====



...

Reshat Sabiq wrote:
Hi,
  
  
I extremely apologize for this message, but i think this needs to be
figured out. I just yesterday registered my new email address with
tomcat-dev, and i received the spam below almost immediately
thereafter. Only a few people are aware of this email address, so the
origin of spam info 99% appears to be tomcat-dev registration. Is there
any chance that DNS gets resolved to one of several IPs, one of which
collects these emails and uses them for spam (or perhaps is infected
with a virus)? I would look for any IPs based in russia as the prime
suspects, because this email contains russian text and appears to be
originated there.
  
  
What's worse is that 25 minutes after this spam, i received another one
of similar content. Please help save me and others from this plague of
the Internet.
  
I entrusted apache.org with this address, and hope we can keep it
between us.
  
  
P.S. If there are other people who received similar emails, please let
me, the admins, or the list know. If you let only me know, i will
accumulate the number of people affected and forward this to an admin.
  
P.P.S. I see that emails are protected in the archives publicly
published, and i think this issue is in the same category.
  
  
Thanks,
  
rsa/
  
  
[EMAIL PROTECTED] wrote:
  
  
  russian(win-1251):



english:


Greetings,

This message has been automatically generated in response to your message
regarding "Photo document", the content of which appears below. There
is no need to reply to it now. Support has received your message and it has
been assigned a ticket ID of [TID#4977]. Please include the string:

 [TID#4977]

in the subject line of all future correspondence about this problem. To
do so, you may reply to this message.

WBR,
Support Team
Hosting Operator M-10 http://www.m-10.ru
Original Message-

Please, photo document.
Yours sincerely

+++ X-Attachment-Type: document
+++ X-Attachment-Status: no virus found
+++ Powered by the new F-Secure OnlineAntiVirus
+++ Visit us: www.f-secure.com

-Headers Follow--
Received: from [EMAIL PROTECTED]
 by office.m-10.ru (CommuniGate Pro GROUP 4.1.8)
 with GROUP id 1745058; Mon, 12 Apr 2004 17:13:05 +0400
Received: from [62.5.188.222] (HELO office.m-10.ru)
 by office.m-10.ru (CommuniGate Pro SMTP 4.1.8)
 with ESMTP id 1745042 for [EMAIL PROTECTED]; Mon, 12 Apr 2004 17:12:58 +0400
X-Antivirus: Checked by Dr.Web (http://www.drweb.net)
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Photo document
Date: Mon, 12 Apr 2004 17:11:48 +0400
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="=_NextPart_000_0016=_NextPart_000_0016"
X-Priority: 3
X-Msmail-Priority: Normal
Message-Id: [EMAIL PROTECTED]







  





smime.p7s
Description: S/MIME Cryptographic Signature


Re: http://www-106.ibm.com/developerworks/library/j-nioserver/

2004-02-04 Thread Reshat Sabiq






Samuel Cheung wrote:

  Sorry, I have a newbie question on this subject.

If the servlet API adds support for java.nio library (described in section
3.3 here)

http://www.coredevelopers.net/library/j2ee/servlet24/ar01s03.jsp#d0e533,

then will it make sense for servlet container (e.g. Tomcat ) to use the nio
the way described in the article?

Thanks.



-Original Message-
From: Shapira, Yoav [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 04, 2004 2:34 PM
To: Tomcat Developers List
Subject: RE: http://www-106.ibm.com/developerworks/library/j-nioserver/



Howdy,

  
  
I would have to agree with Remy here.  The example given doesn't really
prove anything in my mind.

  
  
That's what I was thinking too as I read the article.  It's not
representative of the real world.  But I wanted to see if I was alone in
my skepticism or not.  (And I remember we've discussed NIO multiple
times in the past).

Yoav Shapira




  

What would this benchmark look like if Tomcat also was configured to
use a max of x threads, just like sse? If the difference was
negligible/none, then IMHO NIO effect is no different than playing with
max threads value. However, if there was still a considerable
difference for heavy loads, i would be inclined to changing the API to
make it compatible w/ both, so that the container could toggle between
using IO and NIO based on a config, load, etc.
My undeserved 2 cents. :)
-- 
Sincerely,
Reshat.

---
If you see my certificate with this message, you should be able to send me encrypted e-mail. 
Please consult your e-mail client for details if you would like to do that.




smime.p7s
Description: S/MIME Cryptographic Signature


Re: [OT] Re: http://www-106.ibm.com/developerworks/library/j-nioserver/

2004-02-04 Thread Reshat Sabiq






Peter Lin wrote:

  I'm inclined to wait until JCP comes up with a good way to migrate/support non-blocking approach within a servlet container. Event driven technique isn't new by any measure and has been proven to scale well. But most cases actually do not require the added complexity. Unless an application has to support a large number of concurrent requests/users in the 5K+ range, it's usually not cost effective.
 
take SEDA for example, it breaks request processing into stages, so that each stage is profiled. If a request is for the same resource, the queue handler can by-pass the database call and just return the result. If you read Matt's paper on SEDA, you'll see the design goal was to handle /. like effect where a large number of users are requesting the same resource. The approach is powerful, but it would be difficult for someone with only ASP and CGI experience. Ideally, an API that hides the complexity of call-backs, thread sync and gives the appearance of single threaded processing would make it easier to develop and debug. For the last year I've been working on projects that have to support major scalability. Educating the other developers about async processing has been sufficiently difficult and a headache. My biased perspective :)
 
peter lin
 
  

Yes, if it's really worth the trouble, then perhaps this could be an
option for behind-the-scene implementation, w/o changing the existing
API. If this is at all worthwhile, in the ideal scenario, the container
could toggle its mode from "thread-per-user", to NIO, to what SEDA
does, depending on load, and some optional config settings.
But i still don't know if NIO is just an equivalent of a fancy way of
playing w/ max threads. :)

  

Reshat Sabiq [EMAIL PROTECTED] wrote:

  
What would this benchmark look like if Tomcat also was configured to use a max of x threads, just like sse? If the difference was negligible/none, then IMHO NIO effect is no different than playing with max threads value. However, if there was still a considerable difference for heavy loads, i would be inclined to changing the API to make it compatible w/ both, so that the container could toggle between using IO and NIO based on a config, load, etc.
My undeserved 2 cents. :)

-- Sincerely,Reshat.---If you see my certificate with this message, you should be able to send me encrypted e-mail. Please consult your e-mail client for details if you would like to do that.


  
  
  


-- 
Sincerely,
Reshat.

---
If you see my certificate with this message, you should be able to send me encrypted e-mail. 
Please consult your e-mail client for details if you would like to do that.




smime.p7s
Description: S/MIME Cryptographic Signature


Re: DO NOT REPLY [Bug 25681] - HTTP request params lost when sent with a URL ending with a folder w/o '/' at the end of URL

2003-12-21 Thread Reshat Sabiq


[EMAIL PROTECTED] wrote:

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=25681.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=25681

HTTP request params lost when sent with a URL ending with a folder w/o '/' at the end of URL

[EMAIL PROTECTED] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED


--- Additional Comments From [EMAIL PROTECTED]  2003-12-22 03:22 ---
This has already been fixed in the CVS.
 

I guess this means i can get the fix in the latest nightly build?
I would think this issue alone justifies release of 5.0.17 soon. When 
could i expect it?
Thanks.

--
Sincerely,
Reshat.
---
If you see my certificate with this message, you should be able to send me encrypted e-mail. 
Please consult your e-mail client for details if you would like to do that.



smime.p7s
Description: S/MIME Cryptographic Signature


Re: Likely bug in org.apache.jasper.servlet.JspServlet (Tomcat 5)

2003-12-14 Thread Reshat Sabiq


Remy Maucherat wrote:

Reshat Sabiq wrote:



Remy Maucherat wrote:

Reshat Sabiq wrote:

I think i found a bug in Tomcat 5 implementation (J2EE 1.4-DR). I 
would highly appreciate if somebody could provide a brief 
description of what includeUri, and requestUri below stand for. I 
looked at the comments in Constants, but can't make out a lot out 
of them. Please see my comment below.
org.apache.jasper.servlet.JspServlet.service() starting on line 190:
   String includeUri
       = (String) request.getAttribute(Constants.INC_SERVLET_PATH);
   String requestUri
       = (String) request.getAttribute(Constants.INC_REQUEST_URI);

   String jspUri;

   // When jsp-property-group/url-matching is used, and when the
   // jsp is not defined with servlet-name, the url
   // as to be passed as it is to the JSP container (since
   // Catalina doesn't know anything about the requested JSP

   // The first scenario occurs when the jsp is not directly under /
   // example: /utf16/foo.jsp
   if (requestUri != null){
       // This is pretty unsafe syntax, and i do get an exception here,
       // which is the only reason why i can't migrate my app to
       // J2EE 1.4-DR! ///
       String currentIncludedUri
           = requestUri.substring(requestUri.indexOf(includeUri));

       if ( !includeUri.equals(currentIncludedUri) ) {
           includeUri = currentIncludedUri;
       }
   }

P.S. On a positive note, the custom error pages do work in DR, as 
opposed to Beta 2.




This works fine for me. How about telling us what kind of include 
causes your bug, and the exception you get ?

Rémy

I confirmed that it is a bug. It went further along after i put a 
conditional.
Now i'm getting an exception in:
<fmt:message key="better" bundle="${lc}" />
where lc is an instance variable of the jsp servlet: apparently it 
can't be resolved. It was working in Beta 2, so this might be a bug too.

Thanks.

P.S. I'll post the details later.


Great: I really don't understand what you're trying to explain, and I 
don't see how this is related to the include issue mentioned above. So 
try to make it understandable if you want your bug to live longer than 
5 minutes ;-)

BTW, there could be changes between PFD 3 and the final spec.

Rémy

OK. I believe the fmt is a non-issue: el does not consider instance 
variables in fmt. It probably worked in Beta 2 out of luck 
(implementation defaulted to default localization attribute name, or 
something like that). I resolved that.
The last problem i'm having is that when requesting a folder with a 
parameter (e.g., /folder?param=value), when index.jsp for that folder is 
served it does not receive the parameter. This sounds simple, but makes 
applications unusable. Because of this, my migration to J2EE 1.4-DR is 
still in progress. It will probably be harder for me to fix this on my 
own, not knowing Tomcat's architecture and all. Has anybody else come 
across this?

P.S. In the next couple of days I will be submitting a bug and at least 
one suggested fix for the 2 issues mentioned above.

Thanks.

--
Sincerely,
Reshat.
---
If you see my certificate with this message, you should be able to send me encrypted e-mail. 
Please consult your e-mail client for details if you would like to do that.



smime.p7s
Description: S/MIME Cryptographic Signature


Re: Likely bug in org.apache.jasper.servlet.JspServlet (Tomcat 5)

2003-12-12 Thread Reshat Sabiq


Remy Maucherat wrote:

Reshat Sabiq wrote:

I think i found a bug in Tomcat 5 implementation (J2EE 1.4-DR). I 
would highly appreciate if somebody could provide a brief description 
of what includeUri, and requestUri below stand for. I looked at the 
comments in Constants, but can't make out a lot out of them. Please 
see my comment below.
org.apache.jasper.servlet.JspServlet.service() starting on line 190:
   String includeUri
       = (String) request.getAttribute(Constants.INC_SERVLET_PATH);
   String requestUri
       = (String) request.getAttribute(Constants.INC_REQUEST_URI);

   String jspUri;

   // When jsp-property-group/url-matching is used, and when the
   // jsp is not defined with servlet-name, the url
   // as to be passed as it is to the JSP container (since
   // Catalina doesn't know anything about the requested JSP

   // The first scenario occurs when the jsp is not directly under /
   // example: /utf16/foo.jsp
   if (requestUri != null){
       // This is pretty unsafe syntax, and i do get an exception here,
       // which is the only reason why i can't migrate my app to
       // J2EE 1.4-DR! ///
       String currentIncludedUri
           = requestUri.substring(requestUri.indexOf(includeUri));

       if ( !includeUri.equals(currentIncludedUri) ) {
           includeUri = currentIncludedUri;
       }
   }

P.S. On a positive note, the custom error pages do work in DR, as 
opposed to Beta 2.


This works fine for me. How about telling us what kind of include 
causes your bug, and the exception you get ?

Rémy

I confirmed that it is a bug. It went further along after i put a 
conditional.
Now i'm getting an exception in:
<fmt:message key="better" bundle="${lc}" />
where lc is an instance variable of the jsp servlet: apparently it can't 
be resolved. It was working in Beta 2, so this might be a bug too.

Thanks.

P.S. I'll post the details later.

--
Sincerely,
Reshat.
---
If you see my certificate with this message, you should be able to send me encrypted e-mail. 
Please consult your e-mail client for details if you would like to do that.



smime.p7s
Description: S/MIME Cryptographic Signature


Likely bug in org.apache.jasper.servlet.JspServlet (Tomcat 5)

2003-12-11 Thread Reshat Sabiq
I think i found a bug in Tomcat 5 implementation (J2EE 1.4-DR). I would 
highly appreciate if somebody could provide a brief description of what 
includeUri, and requestUri below stand for. I looked at the comments in 
Constants, but can't make out a lot out of them. Please see my comment 
below.
org.apache.jasper.servlet.JspServlet.service() starting on line 190:
   String includeUri
       = (String) request.getAttribute(Constants.INC_SERVLET_PATH);
   String requestUri
       = (String) request.getAttribute(Constants.INC_REQUEST_URI);

   String jspUri;

   // When jsp-property-group/url-matching is used, and when the
   // jsp is not defined with servlet-name, the url
   // as to be passed as it is to the JSP container (since
   // Catalina doesn't know anything about the requested JSP

   // The first scenario occurs when the jsp is not directly under /
   // example: /utf16/foo.jsp
   if (requestUri != null){
       // This is pretty unsafe syntax, and i do get an exception here,
       // which is the only reason why i can't migrate my app to
       // J2EE 1.4-DR! ///
       String currentIncludedUri
           = requestUri.substring(requestUri.indexOf(includeUri));

       if ( !includeUri.equals(currentIncludedUri) ) {
           includeUri = currentIncludedUri;
       }
   }
P.S. On a positive note, the custom error pages do work in DR, as 
opposed to Beta 2.

--
Sincerely,
Reshat.
---
If you see my certificate with this message, you should be able to send me encrypted e-mail. 
Please consult your e-mail client for details if you would like to do that.



smime.p7s
Description: S/MIME Cryptographic Signature
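
The failure mode in the lines quoted in the message above, as an added example that is not part of the original post and is not Tomcat code: String.indexOf returns -1 when includeUri does not occur in requestUri, so substring(-1) throws, and a null includeUri throws earlier still. The class name, method names and sample URIs are constructed for illustration; the guarded variant is one possible conditional, not the fix that went into Tomcat.

```java
import java.util.function.BinaryOperator;

// Added example, not Tomcat code. Class name, method names and the sample
// URIs below are constructed for illustration.
public class IncludeUriGuard {

    // Same logic as the lines quoted from JspServlet.service().
    static String unguarded(String includeUri, String requestUri) {
        if (requestUri != null) {
            String currentIncludedUri =
                requestUri.substring(requestUri.indexOf(includeUri));
            if (!includeUri.equals(currentIncludedUri)) {
                includeUri = currentIncludedUri;
            }
        }
        return includeUri;
    }

    // Same result whenever includeUri occurs in requestUri. The two inputs
    // that make the unguarded version throw leave includeUri unchanged.
    static String guarded(String includeUri, String requestUri) {
        if (requestUri == null || includeUri == null) {
            return includeUri;
        }
        int idx = requestUri.indexOf(includeUri);
        if (idx < 0) {
            // includeUri is not a substring of requestUri: nothing to cut.
            return includeUri;
        }
        return requestUri.substring(idx);
    }

    // Runs one resolver and reports either its result or the exception type.
    static String outcome(BinaryOperator<String> resolver,
                          String includeUri, String requestUri) {
        try {
            return String.valueOf(resolver.apply(includeUri, requestUri));
        } catch (RuntimeException e) {
            return "throws " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        // Constructed request attribute pairs: {includeUri, requestUri}.
        String[][] cases = {
            {"/utf16/foo.jsp", "/app/utf16/foo.jsp"}, // contained
            {"/utf16/foo.jsp", "/utf16/foo.jsp"},     // identical
            {"/index.jsp", "/app/folder/"},           // not contained
            {null, "/app/folder/"},                   // attribute missing
            {"/index.jsp", null},                     // not an include
        };
        for (String[] c : cases) {
            System.out.printf("includeUri=%s requestUri=%s%n", c[0], c[1]);
            System.out.printf("  unguarded: %s%n",
                outcome(IncludeUriGuard::unguarded, c[0], c[1]));
            System.out.printf("  guarded:   %s%n",
                outcome(IncludeUriGuard::guarded, c[0], c[1]));
        }
    }
}
```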


Re: [5.0] Schedule change

2003-10-02 Thread Reshat Sabiq


Remy Maucherat wrote:

Reshat Sabiq wrote:

I'm a newbie on this list, but i think

2.4/2.0 draft 3 5.0.14  is a good idea. At least it's more 
specific than Beta.

P.S. Btw, as far as bugs i couldn't use custom error pages in Sun's 
1.4 Beta 2 (Tomcat 5). Reported to Sun, and they forwarded me to 
Apache, and i didn't have time. Could report that on BZ. It might of 
course all be my fault, but it works in 4.1, and 4.2.


There are tests for that in both the tester and watchdog, so you'll 
have to submit a test WAR.
(BTW, there's no 4.2)
My bad. I meant 4.1.1, and 4.1.2 (i've used 4.1.8, 4.1.9, 4.1.12, and 
4.1.24). How do i submit a test war to tester or watchdog (i only know 
Bugzilla).
Thanks.

--
Sincerely,
Reshat.
---
If you see my certificate with this message, you should be able to send me encrypted e-mail. 
Please consult your e-mail client for details if you would like to do that.



smime.p7s
Description: S/MIME Cryptographic Signature


Re: [5.0] Schedule change

2003-09-30 Thread Reshat Sabiq
I'm a newbie on this list, but i think

2.4/2.0 draft 3 	5.0.14  
is a good idea. At least it's more specific than Beta.

P.S. Btw, as far as bugs i couldn't use custom error pages in Sun's 1.4 Beta 2 (Tomcat 5). Reported to Sun, and they forwarded me to Apache, and i didn't have time. Could report that on BZ. It might of course all be my fault, but it works in 4.1, and 4.2.



Chad Johnson wrote:

I might be off base, but what's the problem with releasing TC 5 under the
banner of supporting a draft spec?
Servlet/JSP Spec	Tomcat version  
2.4/2.0 draft 3 	5.0.14  
2.3/1.2  		4.1.27  
2.2/1.1  		3.3.1a  

Chad Johnson
Web Services Developer
WS Packaging Group, Inc.
-Original Message-
From: Remy Maucherat [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, September 30, 2003 1:28 PM
To: Tomcat Developers List
Subject: [5.0] Schedule change

Hi,

The signals I'm getting from Sun about the schedule of the 
specifications is highly confusing. Since I'm tired of having Tomcat 
depend on these, I propose taking advantage of the backwards 
compatibility of the spec, and replacing the TC 5 statement phrase with:

The 5.x releases implement the Servlet 2.3 and JSP 1.2 specifications, 
and will add support for the Servlet 2.4 and JSP 2.0 as soon as they are
officially available.

That would allow making a timely 5.0 release, rather than expecting 
stuff for an indefinite amount of time ...

If I don't get yelled at too much, I'll call for a vote on this.

Comments ?

Remy





 

--
Sincerely,
Reshat.
---
If you see my certificate with this message, you should be able to send me encrypted e-mail. 
Please consult your e-mail client for details if you would like to do that.



smime.p7s
Description: S/MIME Cryptographic Signature


Re: IP address Assignment problem

2003-08-25 Thread Reshat Sabiq


J Raf wrote:

The machine is configured with different IP addresses. IIS was running 
on a different IP address than Tomcat. Both Tomcat and IIS were running 
on port 80. Using the IIS administration module you can specify which 
IP address IIS should run on.

Thank you for your help.


From: Reshat Sabiq [EMAIL PROTECTED]
Reply-To: Tomcat Developers List [EMAIL PROTECTED]
To: Tomcat Developers List [EMAIL PROTECTED]
Subject: Re: IP address Assignment problem
Date: Sat, 23 Aug 2003 13:16:31 -0500


Ayoub Raffoul wrote:

Hello,

I'm running Apache Tomcat ver. 4.1 on a Windows 2000 server. The 
machine has multiple IP addresses. I have configured Apache Tomcat in 
server.xml to run on a specific IP address port 80 as follows (fake 
IP address):

   <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
              port="80" minProcessors="5" maxProcessors="75"
              enableLookups="true" redirectPort="8443"
              acceptCount="100" debug="0" connectionTimeout="2"
              useURIValidationHack="false" disableUploadTimeout="true"
              address="205.200.21.30"/>

I also need to run IIS on the same machine though on a different IP 
IE: 205.200.21.31 and port 80. Each time I try to launch IIS I get 
an error message saying port is in use. If I shut down Tomcat then 
the port get released and I'm able to launch Tomcat. It seems that 
Tomcat is reserving all ports # 80 for all IP addresses on this 
machine. This configuration was working correctly in an older 
version of Tomcat.
Even though Tomcat seems to be reserving all port 80 for all IP 
addresses it is only responding to 205.200.21.30.

Vice Versa is also a problem. If I shut down Tomcat and start IIS on 
205.200.21.31:80, Tomcat will no longer launch on 205.200.21.30:80. 
It will report that the port is in use.

Has anybody encountered a similar issue? Your help is highly 
appreciated.

Thank you

___


A port denotes an application, so i'm surprised you were previously 
able to have 2 applications on the same machine on the same port. In 
other words, the OS needs to be aware and support different-IP-same-port 
distinction. I don't know if Win or others do that.

--
Sincerely,
Reshat.
--- 

If you see my certificate with this message, you should be able to 
send me encrypted e-mail. Please consult your e-mail client for 
details if you would like to do that.

 smime.p7s 


OK, i remember reading somewhere that Win can be configured for 2 IPs. I 
think it may be a problem with the networking setup on that machine. My 
guess is that the machine's OS (TCP/IP stack in particular) isn't aware 
that you intend to use 2 IPs, and probably needs to be set up 
accordingly using some applet.
Sorry, not really much help...

--
Sincerely,
Reshat.
---
If you see my certificate with this message, you should be able to send me encrypted e-mail. 
Please consult your e-mail client for details if you would like to do that.





Re: IP address Assignment problem

2003-08-23 Thread Reshat Sabiq


Ayoub Raffoul wrote:

Hello,

I'm running Apache Tomcat ver. 4.1 on a Windows 2000 server. The 
machine has multiple IP addresses. I have configured Apache Tomcat in 
server.xml to run on a specific IP address port 80 as follows (fake IP 
address):

   <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
              port="80" minProcessors="5" maxProcessors="75"
              enableLookups="true" redirectPort="8443"
              acceptCount="100" debug="0" connectionTimeout="2"
              useURIValidationHack="false" disableUploadTimeout="true"
              address="205.200.21.30"/>

I also need to run IIS on the same machine though on a different IP 
IE: 205.200.21.31 and port 80. Each time I try to launch IIS I get an 
error message saying port is in use. If I shut down Tomcat then the 
port gets released and I'm able to launch Tomcat. It seems that Tomcat 
is reserving all ports # 80 for all IP addresses on this machine. This 
configuration was working correctly in an older version of Tomcat.
Even though Tomcat seems to be reserving all port 80 for all IP 
addresses it is only responding to 205.200.21.30.

Vice Versa is also a problem. If I shut down Tomcat and start IIS on 
205.200.21.31:80, Tomcat will no longer launch on 205.200.21.30:80. It 
will report that the port is in use.

Has anybody encountered a similar issue? Your help is highly appreciated.

Thank you

___

A port denotes an application, so i'm surprised you were previously able 
to have 2 applications on the same machine on the same port. In other 
words, the OS needs to be aware of and support the different-IP-same-port 
distinction. I don't know if Win or others do that.

--
Sincerely,
Reshat.
---
If you see my certificate with this message, you should be able to send me encrypted e-mail. 
Please consult your e-mail client for details if you would like to do that.





Re: Fwd: Re: security hole on windows tomcat?

2003-08-14 Thread Reshat Sabiq
If the bug was caused by adding %20 to a page/folder in URL, then i 
didn't reproduce it in Tomcat 5. I got 404 (the only bad thing is that 
404's don't appear to be customizable with error-page directives in 
web.xml).
What would be a good list to watch for these kinds of bugs in Tomcat?

Thanks.

Paul Sundling wrote:

Yes, adding

-Dsun.io.useCanonCaches=false

to the tomcat seemed to fix the security hole I discovered on my 
4.1.24 tomcat on Windows XP using JDK 1.4.2.  Great job finding a 
solution.  It's a testament to open source and cooperation.  
Fortunately it's JSP source it's showing and people should have 
anything worth seeing in their servlets or EJBs anyway. :) 
Paul Sundling

Jeff Tulley wrote:

I just wanted to make sure you saw this -- Jeanfrancois made the
connection that this issue has a known workaround, so you don't have to
backrev your JVM if you don't want to.
I tried this on Windows XP and NetWare and it worked in both places...

Jeff Tulley  ([EMAIL PROTECTED])
(801)861-5322
Novell, Inc., The Leading Provider of Net Business Solutions
http://www.novell.com
 

[EMAIL PROTECTED] 8/12/03 7:08:50 PM 
  

Sorry I've just realized this thread may be related to bugtraq #4895132
(thanks to Jeff for the wake up mail on tomcat-dev ;-) ). The
workaround is to add the following property when starting Tomcat:
-Dsun.io.useCanonCaches=false

Can someone try it and let me know if it changes something. If this is 
not working, then point me to a very simple test case and I will file a
new bugtraq bug.

-- Jeanfrancois

Eric J. Pinnell wrote:

I think at this point this might be a worthwhile candidate for Sun's
bugparade.  At least get it on their radars (if they don't know about it
already).  It's interesting that the bug doesn't show up in Tomcat 4.1.27.
When 1.4.2 was released 4.1.24 was the latest stable build.

Regardless the JDK/appserver/whatever should never puke its guts and spit
out the source code when it gets a request it doesn't know how to deal
with.  Upon failure it should result in some kind of error.  Sun might
care about this...

-e

On Tue, 12 Aug 2003, Jeff Tulley wrote:

It is highly possible that this is dependent on the JVM you have
installed.  I actually finally WAS able to see this on Windows XP, but
only if Tomcat was running on JVM 1.4.2.  The problem did NOT happen
with 1.4.1.  Of course, JVM version is the one item I left off of my
poll in my email below.  :)
I'm trying to verify this on other OS's and track down what the actual
problem is.

But, if you run Tomcat on JVM 1.4.2, verify if you have this problem.

Jeff Tulley  ([EMAIL PROTECTED])
(801)861-5322
Novell, Inc., The Leading Provider of Net Business Solutions
http://www.novell.com


[EMAIL PROTECTED] 8/12/03 4:10:53 PM

Tomcat 4.0.6 on Win2K via direct connection to Tomcat on localhost via
either port 8080 or port 80 - pages return fine without the %20 suffix,
always return http 404 with the suffix.
Murray
-Original Message-
From: Jeff Tulley [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 13 August 2003 02:41
To: [EMAIL PROTECTED]
Subject: RE: security hole on windows tomcat?

So this issue is confusing.  It seems that indeed there IS an issue,
though most cannot see a problem.
Talking to some people off-list, it seems that some think it is a JK2 /
workers2.properties issue.  But I'm pretty sure that others have seen
this going directly to port 8080.
We probably need to take a quick poll:
If you have seen this security problem of being able to view JSP
source, in what scenario(s)?
Tomcat version
OS version
Directly to Tomcat (8080) or through Apache - JK or JK2?
(If you've seen the problem, please include your workers or
workers2.properties file, with a .txt extension)
Browser version(s)
url's where this was seen or not seen
If you have seen this in multiple scenarios, and not in others, please
list each separately.

I have NOT seen it in the following scenarios:

Tomcat 4.1.18, 4.1.24, 4.1.26, 4.1.27
Windows 2000 5.00.2195 Service Pack 4
Directly to port 8080
Internet Explorer 6.0.2800.1106 with all security patches up to date
I tried  http://(url):8080/index.jsp%20
Tomcat 4.1.18, 4.1.24, 4.1.26, fairly standard distributions (only
adding one JNDIRealm beyond the default config)
Novell NetWare 6.5
Directly to port 8080, and through Apache - mod_jk.nlm
Internet Explorer 6.0.2800.1106 with all security patches up to date
I tried  http://(url):8080/index.jsp%20 and
https://(url)/tomcat/admin/index.jsp%20
Hopefully this mail gets through; I haven't been seeing my emails show
up on tomcat-user for some reason (I un/resubscribed today...)

It would be really good to get to the bottom of this!

Jeff Tulley  ([EMAIL PROTECTED])
(801)861-5322
Novell, Inc., The Leading Provider of Net Business Solutions
http://www.novell.com
 


[EMAIL PROTECTED] 8/12/03 6:02:55 AM 
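
A detection check for the behaviour discussed in this thread, as an added example that is not part of any poster's message: it scans access-log lines for requests whose path is a JSP name followed by %20 and separates those answered with a 2xx status (worth inspecting for returned JSP source) from those answered with an error such as the 404 reported above. It assumes the log is in Common Log Format and records the raw, still percent-encoded request target; the log lines are constructed and the function names are hypothetical.

```python
import re
from urllib.parse import unquote

# Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

def classify(line):
    """Return None for unrelated lines, else (verdict, host, raw_path)."""
    m = CLF.match(line.strip())
    if not m:
        return None                      # not a parsable log line
    raw_path = m.group("target").split("?", 1)[0]
    path = unquote(raw_path)
    # Only the case from the thread: a JSP name with trailing spaces (%20).
    stripped = path.rstrip(" ")
    if stripped == path or not stripped.lower().endswith(".jsp"):
        return None
    status = int(m.group("status"))
    verdict = "SERVED" if 200 <= status < 300 else "rejected"
    return verdict, m.group("host"), raw_path

def scan(lines):
    """Split matching requests into (served, rejected) lists."""
    hits = [c for c in map(classify, lines) if c]
    served = [h for h in hits if h[0] == "SERVED"]
    rejected = [h for h in hits if h[0] == "rejected"]
    return served, rejected

# Constructed sample input (documentation addresses, made-up paths).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Aug/2003:16:10:53 +0000] "GET /index.jsp HTTP/1.1" 200 5120
192.0.2.11 - - [12/Aug/2003:16:11:02 +0000] "GET /index.jsp%20 HTTP/1.1" 404 987
192.0.2.12 - - [12/Aug/2003:16:12:40 +0000] "GET /admin/login.jsp%20?x=1 HTTP/1.1" 200 2310
192.0.2.13 - - [12/Aug/2003:16:13:05 +0000] "GET /docs/a%20b.html HTTP/1.1" 200 400
not a log line
""".splitlines()

if __name__ == "__main__":
    served, rejected = scan(SAMPLE_LOG)
    for _, host, path in served:
        print(f"ALERT {host} got a 2xx for {path}: check the response for JSP source")
    print(f"{len(rejected)} matching request(s) answered with an error status")
```

A 2xx entry is a lead to verify, not proof of disclosure; confirm by checking whether the response body for that URL contains unrendered JSP markup.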
   
 

jsp:include

2003-06-24 Thread Reshat Sabiq
Hi,

There's a bug in J2EE 1.4 RI Beta 2 that prevents me from using a custom 
tag:
instanceof operator treats TagSupport subclass as SimpleTagSupport instance.

This leaves me only one appropriate option: subclass the class that 
implements jsp:include tag, and overwrite a method in it. I'd appreciate 
a pointer as to what class implements that tag. I've been searching 
through taglibs and tomcat-5 nightly builds, and have not found a single 
class that is related to jsp:include.
Thank you in advance.

P.S. Yes, i will be reporting the bug on sun's website. But i need to 
work around at this time...

--
Sincerely,
Reshat.
---
If you see my certificate with this message, you should be able to send me encrypted e-mail. 
Please consult your e-mail client for details if you would like to do that.


