buildbot success in on tomcat-85-trunk
The Buildbot has detected a restored build on builder tomcat-85-trunk while building tomcat. Full details are available at: https://ci.apache.org/builders/tomcat-85-trunk/builds/2151 Buildbot URL: https://ci.apache.org/ Buildslave for this Build: asf946_ubuntu Build Reason: The AnyBranchScheduler scheduler named 'on-tomcat-85-commit' triggered this build Build Source Stamp: [branch 8.5.x] e303c8e560a1d0bfccbdc6985e4164bdb8f7303e Blamelist: Mark Thomas Build succeeded! Sincerely, -The Buildbot - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
buildbot success in on tomcat-9-trunk
The Buildbot has detected a restored build on builder tomcat-9-trunk while building tomcat. Full details are available at: https://ci.apache.org/builders/tomcat-9-trunk/builds/31 Buildbot URL: https://ci.apache.org/ Buildslave for this Build: asf946_ubuntu Build Reason: The AnyBranchScheduler scheduler named 'on-tomcat-9-commit' triggered this build Build Source Stamp: [branch 9.0.x] 4f471ad77121bfe3971a1f71a7b98c3a7d95c982 Blamelist: Mark Thomas Build succeeded! Sincerely, -The Buildbot
[tomcat] branch 9.0.x updated: Fix typo. Update for change to attribute name.
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new 4f471ad Fix typo. Update for change to attribute name. 4f471ad is described below commit 4f471ad77121bfe3971a1f71a7b98c3a7d95c982 Author: Mark Thomas AuthorDate: Tue Feb 4 21:13:10 2020 + Fix typo. Update for change to attribute name. --- webapps/docs/changelog.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 561e87c..948505b 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -191,8 +191,8 @@ a non-null, non-zero length String. (markt) -Add a new attribute, allowedArbitraryRequestAttributes to -the AJP/1.3 Connector. Requests with unreconised attributes will be +Add a new attribute, allowedRequestAttributesPattern to +the AJP/1.3 Connector. Requests with unrecognised attributes will be blocked with a 403. (markt) - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 8.5.x updated: Fix typo. Update for change to attribute name.
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/8.5.x by this push: new e303c8e Fix typo. Update for change to attribute name. e303c8e is described below commit e303c8e560a1d0bfccbdc6985e4164bdb8f7303e Author: Mark Thomas AuthorDate: Tue Feb 4 21:13:10 2020 + Fix typo. Update for change to attribute name. --- webapps/docs/changelog.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 1f6c84d..b640408 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -196,8 +196,8 @@ a non-null, non-zero length String. (markt) -Add a new attribute, allowedArbitraryRequestAttributes to -the AJP/1.3 Connector. Requests with unreconised attributes will be +Add a new attribute, allowedRequestAttributesPattern to +the AJP/1.3 Connector. Requests with unrecognised attributes will be blocked with a 403. (markt) - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 8.5.x updated: Tweak AJP improvements
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/8.5.x by this push: new 64159aa Tweak AJP improvements 64159aa is described below commit 64159aa1d7cdc2c118fcb5eac098e70129d54a19 Author: Mark Thomas AuthorDate: Tue Feb 4 21:07:02 2020 + Tweak AJP improvements Better attribute name for allowedRequestAttributesPattern Add explicit address attribute to commented out AJP connector --- conf/server.xml | 5 - java/org/apache/coyote/ajp/AbstractAjpProtocol.java | 16 java/org/apache/coyote/ajp/AjpProcessor.java | 10 +- test/org/apache/coyote/ajp/TestAbstractAjpProcessor.java | 2 +- webapps/docs/config/ajp.xml | 4 ++-- webapps/docs/security-howto.xml | 2 +- 6 files changed, 21 insertions(+), 18 deletions(-) diff --git a/conf/server.xml b/conf/server.xml index 5d9d57a..bd3ed3e 100644 --- a/conf/server.xml +++ b/conf/server.xml @@ -114,7 +114,10 @@
[tomcat] branch 9.0.x updated: Tweak AJP improvements
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new 7a1406a Tweak AJP improvements 7a1406a is described below commit 7a1406a3cd20fdd90656add6cd8f27ef8f24e957 Author: Mark Thomas AuthorDate: Tue Feb 4 21:07:02 2020 + Tweak AJP improvements Better attribute name for allowedRequestAttributesPattern Add explicit address attribute to commented out AJP connector --- conf/server.xml | 5 - java/org/apache/coyote/ajp/AbstractAjpProtocol.java | 14 +++--- java/org/apache/coyote/ajp/AjpProcessor.java | 2 +- test/org/apache/coyote/ajp/TestAbstractAjpProcessor.java | 2 +- webapps/docs/config/ajp.xml | 4 ++-- webapps/docs/security-howto.xml | 2 +- 6 files changed, 16 insertions(+), 13 deletions(-) diff --git a/conf/server.xml b/conf/server.xml index 5d9d57a..bd3ed3e 100644 --- a/conf/server.xml +++ b/conf/server.xml @@ -114,7 +114,10 @@
[tomcat] branch master updated: Tweak AJP improvements
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/master by this push: new 35f6d6e Tweak AJP improvements 35f6d6e is described below commit 35f6d6e52aca0a6e5ace2572a8bae3b9f77babc4 Author: Mark Thomas AuthorDate: Tue Feb 4 21:07:02 2020 + Tweak AJP improvements Better attribute name for allowedRequestAttributesPattern Add explicit address attribute to commented out AJP connector --- conf/server.xml | 5 - java/org/apache/coyote/ajp/AbstractAjpProtocol.java | 14 +++--- java/org/apache/coyote/ajp/AjpProcessor.java | 2 +- test/org/apache/coyote/ajp/TestAbstractAjpProcessor.java | 2 +- webapps/docs/config/ajp.xml | 4 ++-- webapps/docs/security-howto.xml | 2 +- 6 files changed, 16 insertions(+), 13 deletions(-) diff --git a/conf/server.xml b/conf/server.xml index 5d9d57a..bd3ed3e 100644 --- a/conf/server.xml +++ b/conf/server.xml @@ -114,7 +114,10 @@
buildbot success in on tomcat-trunk
The Buildbot has detected a restored build on builder tomcat-trunk while building tomcat. Full details are available at: https://ci.apache.org/builders/tomcat-trunk/builds/4916 Buildbot URL: https://ci.apache.org/ Buildslave for this Build: asf946_ubuntu Build Reason: The AnyBranchScheduler scheduler named 'on-tomcat-commit' triggered this build Build Source Stamp: [branch master] 4bf9160d345e6076d26b03c6b29b9e7fc7c87e6c Blamelist: Mark Thomas Build succeeded! Sincerely, -The Buildbot
buildbot exception in on tomcat-85-trunk
The Buildbot has detected a build exception on builder tomcat-85-trunk while building tomcat. Full details are available at: https://ci.apache.org/builders/tomcat-85-trunk/builds/2150 Buildbot URL: https://ci.apache.org/ Buildslave for this Build: asf946_ubuntu Build Reason: The AnyBranchScheduler scheduler named 'on-tomcat-85-commit' triggered this build Build Source Stamp: [branch 8.5.x] bd7006679a864b195c0870852b9c9dba2c09c4a3 Blamelist: Mark Thomas BUILD FAILED: exception upload_2 Sincerely, -The Buildbot
buildbot exception in on tomcat-9-trunk
The Buildbot has detected a build exception on builder tomcat-9-trunk while building tomcat. Full details are available at: https://ci.apache.org/builders/tomcat-9-trunk/builds/30 Buildbot URL: https://ci.apache.org/ Buildslave for this Build: asf946_ubuntu Build Reason: The AnyBranchScheduler scheduler named 'on-tomcat-9-commit' triggered this build Build Source Stamp: [branch 9.0.x] a07476e1749130deaf41a0b521151abd54ba727d Blamelist: Mark Thomas BUILD FAILED: exception upload_2 Sincerely, -The Buildbot
[tomcat] branch 8.5.x updated: Fix failing test
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/8.5.x by this push: new bd70066 Fix failing test bd70066 is described below commit bd7006679a864b195c0870852b9c9dba2c09c4a3 Author: Mark Thomas AuthorDate: Tue Feb 4 19:28:11 2020 + Fix failing test --- test/org/apache/coyote/ajp/TestAbstractAjpProcessor.java | 13 + 1 file changed, 13 insertions(+) diff --git a/test/org/apache/coyote/ajp/TestAbstractAjpProcessor.java b/test/org/apache/coyote/ajp/TestAbstractAjpProcessor.java index 7f98001..a93da60 100644 --- a/test/org/apache/coyote/ajp/TestAbstractAjpProcessor.java +++ b/test/org/apache/coyote/ajp/TestAbstractAjpProcessor.java @@ -33,14 +33,27 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.junit.Assert; +import org.junit.Before; import org.junit.Test; import org.apache.catalina.Context; +import org.apache.catalina.connector.Connector; import org.apache.catalina.startup.Tomcat; import org.apache.catalina.startup.TomcatBaseTest; public class TestAbstractAjpProcessor extends TomcatBaseTest { +@Before +@Override +public void setUp() throws Exception { +super.setUp(); + +Connector c = getTomcatInstance().getConnector(); +c.setProperty("secretRequired", "false"); +c.setProperty("allowedArbitraryRequestAttributes", "MYATTRIBUTE.*"); +} + + @Override protected String getProtocol() { /* - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
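Review bot: In the new setUp() of TestAbstractAjpProcessor, c.setProperty("secretRequired", "false") applies to every test in the class, so nothing in this hunk exercises the connector with secretRequired left at its default of true. Consider keeping the relaxed setup for the existing tests and adding a separate test that configures a secret and checks that a request without it, or with a wrong one, is rejected, plus one that checks that an attribute name not matching MYATTRIBUTE.* is answered with the 403.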
[tomcat] branch 9.0.x updated: Fix failing test
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new a07476e Fix failing test a07476e is described below commit a07476e1749130deaf41a0b521151abd54ba727d Author: Mark Thomas AuthorDate: Tue Feb 4 19:28:11 2020 + Fix failing test --- test/org/apache/coyote/ajp/TestAbstractAjpProcessor.java | 13 + 1 file changed, 13 insertions(+) diff --git a/test/org/apache/coyote/ajp/TestAbstractAjpProcessor.java b/test/org/apache/coyote/ajp/TestAbstractAjpProcessor.java index 3d4f7f0..e3bf7d9 100644 --- a/test/org/apache/coyote/ajp/TestAbstractAjpProcessor.java +++ b/test/org/apache/coyote/ajp/TestAbstractAjpProcessor.java @@ -33,14 +33,27 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.junit.Assert; +import org.junit.Before; import org.junit.Test; import org.apache.catalina.Context; +import org.apache.catalina.connector.Connector; import org.apache.catalina.startup.Tomcat; import org.apache.catalina.startup.TomcatBaseTest; public class TestAbstractAjpProcessor extends TomcatBaseTest { +@Before +@Override +public void setUp() throws Exception { +super.setUp(); + +Connector c = getTomcatInstance().getConnector(); +c.setProperty("secretRequired", "false"); +c.setProperty("allowedArbitraryRequestAttributes", "MYATTRIBUTE.*"); +} + + @Override protected String getProtocol() { /* - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
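Review bot: The two c.setProperty(...) calls in setUp() ignore their boolean result, so a misspelt or later renamed attribute name leaves the connector on its defaults without the test noticing. Wrapping each call in Assert.assertTrue(...) would make the setup fail loudly. The point matters here because the attribute is still called allowedArbitraryRequestAttributes in this hunk, while the follow-up "Tweak AJP improvements" commit message refers to allowedRequestAttributesPattern.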
[tomcat] branch master updated: Fix failing test
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/master by this push: new 4bf9160 Fix failing test 4bf9160 is described below commit 4bf9160d345e6076d26b03c6b29b9e7fc7c87e6c Author: Mark Thomas AuthorDate: Tue Feb 4 19:28:11 2020 + Fix failing test --- test/org/apache/coyote/ajp/TestAbstractAjpProcessor.java | 13 + 1 file changed, 13 insertions(+) diff --git a/test/org/apache/coyote/ajp/TestAbstractAjpProcessor.java b/test/org/apache/coyote/ajp/TestAbstractAjpProcessor.java index d145911..431bd81 100644 --- a/test/org/apache/coyote/ajp/TestAbstractAjpProcessor.java +++ b/test/org/apache/coyote/ajp/TestAbstractAjpProcessor.java @@ -33,14 +33,27 @@ import jakarta.servlet.http.HttpServletRequest; import jakarta.servlet.http.HttpServletResponse; import org.junit.Assert; +import org.junit.Before; import org.junit.Test; import org.apache.catalina.Context; +import org.apache.catalina.connector.Connector; import org.apache.catalina.startup.Tomcat; import org.apache.catalina.startup.TomcatBaseTest; public class TestAbstractAjpProcessor extends TomcatBaseTest { +@Before +@Override +public void setUp() throws Exception { +super.setUp(); + +Connector c = getTomcatInstance().getConnector(); +c.setProperty("secretRequired", "false"); +c.setProperty("allowedArbitraryRequestAttributes", "MYATTRIBUTE.*"); +} + + @Override protected String getProtocol() { /* - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
buildbot failure in on tomcat-9-trunk
The Buildbot has detected a new failure on builder tomcat-9-trunk while building tomcat. Full details are available at: https://ci.apache.org/builders/tomcat-9-trunk/builds/29 Buildbot URL: https://ci.apache.org/ Buildslave for this Build: asf946_ubuntu Build Reason: The AnyBranchScheduler scheduler named 'on-tomcat-9-commit' triggered this build Build Source Stamp: [branch 9.0.x] 9c9a4748bfb5907c7bebfeb35f280350a378dd6c Blamelist: Mark Thomas BUILD FAILED: failed compile_1 Sincerely, -The Buildbot
buildbot failure in on tomcat-85-trunk
The Buildbot has detected a new failure on builder tomcat-85-trunk while building tomcat. Full details are available at: https://ci.apache.org/builders/tomcat-85-trunk/builds/2148 Buildbot URL: https://ci.apache.org/ Buildslave for this Build: asf946_ubuntu Build Reason: The AnyBranchScheduler scheduler named 'on-tomcat-85-commit' triggered this build Build Source Stamp: [branch 8.5.x] 2becbfd3228942a18b663ca715ee9c9b80743120 Blamelist: Mark Thomas BUILD FAILED: failed compile Sincerely, -The Buildbot
[tomcat] branch 8.5.x updated: Fix broken back-port
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/8.5.x by this push: new 9be5760 Fix broken back-port 9be5760 is described below commit 9be57601efb8a81e3832feb0dd60b1eb9d2b61d5 Author: Mark Thomas AuthorDate: Tue Feb 4 19:18:08 2020 + Fix broken back-port --- java/org/apache/coyote/ajp/AbstractAjpProtocol.java | 1 + java/org/apache/coyote/ajp/AjpProcessor.java| 11 --- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/java/org/apache/coyote/ajp/AbstractAjpProtocol.java b/java/org/apache/coyote/ajp/AbstractAjpProtocol.java index 1d42c36..bba4d6a 100644 --- a/java/org/apache/coyote/ajp/AbstractAjpProtocol.java +++ b/java/org/apache/coyote/ajp/AbstractAjpProtocol.java @@ -253,6 +253,7 @@ public abstract class AbstractAjpProtocol extends AbstractProtocol { processor.setKeepAliveTimeout(getKeepAliveTimeout()); processor.setClientCertProvider(getClientCertProvider()); processor.setSendReasonPhrase(getSendReasonPhrase()); + processor.setAllowedArbitraryRequestAttributesPattern(getAllowedArbitraryRequestAttributesPattern()); return processor; } diff --git a/java/org/apache/coyote/ajp/AjpProcessor.java b/java/org/apache/coyote/ajp/AjpProcessor.java index a14a960..06c25b7 100644 --- a/java/org/apache/coyote/ajp/AjpProcessor.java +++ b/java/org/apache/coyote/ajp/AjpProcessor.java @@ -360,6 +360,7 @@ public class AjpProcessor extends AbstractProcessor { this.clientCertProvider = clientCertProvider; } + @Deprecated private boolean sendReasonPhrase = false; @Deprecated 
@@ -368,6 +369,11 @@ public class AjpProcessor extends AbstractProcessor { } +private Pattern allowedArbitraryRequestAttributesPattern; +public void setAllowedArbitraryRequestAttributesPattern(Pattern allowedArbitraryRequestAttributesPattern) { +this.allowedArbitraryRequestAttributesPattern = allowedArbitraryRequestAttributesPattern; +} + // - Public Methods @Override @@ -838,12 +844,11 @@ public class AjpProcessor extends AbstractProcessor { } else { // All 'known' attributes will be processed by the previous // blocks. Any remaining attribute is an 'arbitrary' one. -Pattern pattern = protocol.getAllowedArbitraryRequestAttributesPattern(); -if (pattern == null) { +if (allowedArbitraryRequestAttributesPattern == null) { response.setStatus(403); setErrorState(ErrorState.CLOSE_CLEAN, null); } else { -Matcher m = pattern.matcher(n); +Matcher m = allowedArbitraryRequestAttributesPattern.matcher(n); if (m.matches()) { request.setAttribute(n, v); } else { - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
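Review bot: In the AjpProcessor hunk at @@ -838, both the null-pattern branch and the non-matching branch end in response.setStatus(403) and setErrorState(ErrorState.CLOSE_CLEAN, null) with no log output, so an operator who sees 403 responses after upgrading cannot tell which attribute name was refused. Folding the two branches into one condition (pattern is null, or matcher(n).matches() is false) and logging n at debug level there would remove the duplicated block and give the information needed to write the allow pattern.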
buildbot failure in on tomcat-trunk
The Buildbot has detected a new failure on builder tomcat-trunk while building tomcat. Full details are available at: https://ci.apache.org/builders/tomcat-trunk/builds/4915 Buildbot URL: https://ci.apache.org/ Buildslave for this Build: asf946_ubuntu Build Reason: The AnyBranchScheduler scheduler named 'on-tomcat-commit' triggered this build Build Source Stamp: [branch master] 38a0fd9bb287e9e70eb61a5d8ea12cf602fb6398 Blamelist: Mark Thomas BUILD FAILED: failed compile_1 Sincerely, -The Buildbot
[tomcat] 01/05: Disable AJP connector by default
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit bd5ebb63e438a253bbd9b035425ece915d3feb21 Author: Mark Thomas AuthorDate: Tue Jan 21 12:41:01 2020 + Disable AJP connector by default --- conf/server.xml | 3 ++- res/tomcat.nsi | 21 - webapps/docs/changelog.xml | 4 webapps/docs/manager-howto.xml | 2 -- webapps/docs/security-howto.xml | 8 webapps/docs/setup.xml | 1 - 6 files changed, 10 insertions(+), 29 deletions(-) diff --git a/conf/server.xml b/conf/server.xml index 2cd78df..5d9d57a 100644 --- a/conf/server.xml +++ b/conf/server.xml @@ -113,8 +113,9 @@ --> +
[tomcat] 02/05: Change the default bind address for AJP to the loopback address
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 69c56080fb3355507e1b55d014ec0ee6767a6150 Author: Mark Thomas AuthorDate: Tue Jan 21 13:02:13 2020 + Change the default bind address for AJP to the loopback address --- java/org/apache/coyote/ajp/AbstractAjpProtocol.java | 4 webapps/docs/changelog.xml | 4 webapps/docs/config/ajp.xml | 5 + 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/java/org/apache/coyote/ajp/AbstractAjpProtocol.java b/java/org/apache/coyote/ajp/AbstractAjpProtocol.java index 872dbe6..eb9c4dc 100644 --- a/java/org/apache/coyote/ajp/AbstractAjpProtocol.java +++ b/java/org/apache/coyote/ajp/AbstractAjpProtocol.java @@ -16,6 +16,8 @@ */ package org.apache.coyote.ajp; +import java.net.InetAddress; + import org.apache.coyote.AbstractProtocol; import org.apache.coyote.Processor; import org.apache.coyote.UpgradeProtocol; @@ -46,6 +48,8 @@ public abstract class AbstractAjpProtocol extends AbstractProtocol { setConnectionTimeout(Constants.DEFAULT_CONNECTION_TIMEOUT); // AJP does not use Send File getEndpoint().setUseSendfile(false); +// AJP listens on loopback by default +getEndpoint().setAddress(InetAddress.getLoopbackAddress()); ConnectionHandler cHandler = new ConnectionHandler<>(this); setHandler(cHandler); getEndpoint().setHandler(cHandler); diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 6cc6001..8091e04 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -183,6 +183,10 @@ Disable (comment out in server.xml) the AJP/1.3 connector by default. (markt) + +Change the default bind address for the AJP/1.3 connector to be the +loopback address. (markt) + diff --git a/webapps/docs/config/ajp.xml b/webapps/docs/config/ajp.xml index 93ed918..80a7fe4 100644 --- a/webapps/docs/config/ajp.xml +++ b/webapps/docs/config/ajp.xml 
@@ -316,10 +316,7 @@ For servers with more than one IP address, this attribute specifies which address will be used for listening on the specified - port. By default, this port will be used on all IP addresses - associated with the server. A value of 127.0.0.1 - indicates that the Connector will only listen on the loopback - interface. + port. By default, the loopback address will be used. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
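Review bot: In the AbstractAjpProtocol constructor hunk, getEndpoint().setAddress(InetAddress.getLoopbackAddress()) silently changes where an existing connector listens: a deployment whose web server runs on another host and which never set address will stop accepting AJP connections after the upgrade. The ajp.xml hunk only says "By default, the loopback address will be used" and drops the 127.0.0.1 example. It should state that a remote front end now needs an explicit address, and that the loopback address returned by the JVM may be the IPv4 or the IPv6 one, so the front end has to connect to the same one.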
[tomcat] 03/05: Rename requiredSecret to secret and add secretRequired
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit b962835f98b905286b78c414d5aaec2d0e711f75 Author: Mark Thomas AuthorDate: Tue Jan 21 14:24:33 2020 + Rename requiredSecret to secret and add secretRequired AJP Connector will not start if secretRequired="true" and secret is set to null or zero length String. --- .../org/apache/coyote/ajp/AbstractAjpProtocol.java | 52 -- java/org/apache/coyote/ajp/AjpProcessor.java | 18 +--- java/org/apache/coyote/ajp/LocalStrings.properties | 1 + webapps/docs/changelog.xml | 8 webapps/docs/config/ajp.xml| 12 - 5 files changed, 80 insertions(+), 11 deletions(-) diff --git a/java/org/apache/coyote/ajp/AbstractAjpProtocol.java b/java/org/apache/coyote/ajp/AbstractAjpProtocol.java index eb9c4dc..7403db0 100644 --- a/java/org/apache/coyote/ajp/AbstractAjpProtocol.java +++ b/java/org/apache/coyote/ajp/AbstractAjpProtocol.java 
@@ -143,14 +143,48 @@ public abstract class AbstractAjpProtocol extends AbstractProtocol { } -private String requiredSecret = null; +private String secret = null; +/** + * Set the secret that must be included with every request. + * + * @param secret The required secret + */ +public void setSecret(String secret) { +this.secret = secret; +} +protected String getSecret() { +return secret; +} /** * Set the required secret that must be included with every request. * * @param requiredSecret The required secret + * + * @deprecated Replaced by {@link #setSecret(String)}. + * Will be removed in Tomcat 11 onwards */ +@Deprecated public void setRequiredSecret(String requiredSecret) { -this.requiredSecret = requiredSecret; +setSecret(requiredSecret); +} +/** + * @return The current secret + * + * @deprecated Replaced by {@link #getSecret()}. + * Will be removed in Tomcat 11 onwards + */ +@Deprecated +protected String getRequiredSecret() { +return getSecret(); +} + + +private boolean secretRequired = true; +public void setSecretRequired(boolean secretRequired) { +this.secretRequired = secretRequired; +} +public boolean getSecretRequired() { +return secretRequired; } @@ -202,7 +236,7 @@ public abstract class AbstractAjpProtocol extends AbstractProtocol { processor.setAjpFlush(getAjpFlush()); processor.setTomcatAuthentication(getTomcatAuthentication()); processor.setTomcatAuthorization(getTomcatAuthorization()); -processor.setRequiredSecret(requiredSecret); +processor.setSecret(secret); processor.setKeepAliveTimeout(getKeepAliveTimeout()); processor.setClientCertProvider(getClientCertProvider()); processor.setSendReasonPhrase(getSendReasonPhrase()); 
@@ -216,4 +250,16 @@ public abstract class AbstractAjpProtocol extends AbstractProtocol { throw new IllegalStateException(sm.getString("ajpprotocol.noUpgradeHandler", upgradeToken.getHttpUpgradeHandler().getClass().getName())); } + + +@Override +public void init() throws Exception { +if (getSecretRequired()) { +String secret = getSecret(); +if (secret == null || secret.length() == 0) { +throw new IllegalArgumentException(sm.getString("ajpprotocol.nosecret")); +} +} +super.init(); +} } diff --git a/java/org/apache/coyote/ajp/AjpProcessor.java b/java/org/apache/coyote/ajp/AjpProcessor.java index c827455..745cc6f 100644 --- a/java/org/apache/coyote/ajp/AjpProcessor.java +++ b/java/org/apache/coyote/ajp/AjpProcessor.java @@ -322,9 +322,13 @@ public class AjpProcessor extends AbstractProcessor { /** * Required secret. */ -private String requiredSecret = null; +private String secret = null; +@Deprecated public void setRequiredSecret(String requiredSecret) { -this.requiredSecret = requiredSecret; +setSecret(requiredSecret); +} +public void setSecret(String secret) { +this.secret = secret; } @@ -782,7 +786,7 @@ public class AjpProcessor extends AbstractProcessor { } // Decode extra attributes -boolean secret = false; +boolean secretPresentInRequest = false; byte attributeCode; while ((attributeCode = requestHeaderMessage.getByte()) != Constants.SC_A_ARE_DONE) { @@ -883,9 +887,9 @@ public class AjpProcessor extends AbstractProcessor { case Constants.SC_A_SECRET: requestHeaderMessage.getBytes(tmpMB); -if (requiredSecret != null) { -secret = true; -
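Review bot: In the new init() of AbstractAjpProtocol, the local String secret = getSecret() shadows the secret field declared earlier in the same patch; renaming the local, or testing getSecret() directly, avoids the ambiguity. The new setSecretRequired/getSecretRequired pair also has no Javadoc, unlike setSecret. Since secretRequired defaults to true and init() then throws IllegalArgumentException when no secret is set, the setter's Javadoc is the place to state that the connector will refuse to start in that case.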
[tomcat] branch 8.5.x updated (8fbe2e9 -> 2becbfd)
This is an automated email from the ASF dual-hosted git repository. markt pushed a change to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git. from 8fbe2e9 Stricter header value parsing new bd5ebb6 Disable AJP connector by default new 69c5608 Change the default bind address for AJP to the loopback address new b962835 Rename requiredSecret to secret and add secretRequired new 5a5494f Add new AJP attribute allowedArbitraryRequestAttributes new 2becbfd Add security information for the AJP Connector. The 5 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference. Summary of changes: conf/server.xml| 3 +- .../org/apache/coyote/ajp/AbstractAjpProtocol.java | 69 +- java/org/apache/coyote/ajp/AjpProcessor.java | 54 ++--- java/org/apache/coyote/ajp/LocalStrings.properties | 1 + res/tomcat.nsi | 21 --- webapps/docs/changelog.xml | 24 webapps/docs/config/ajp.xml| 46 +-- webapps/docs/manager-howto.xml | 2 - webapps/docs/security-howto.xml| 16 +++-- webapps/docs/setup.xml | 1 - 10 files changed, 191 insertions(+), 46 deletions(-)
[tomcat] 05/05: Add security information for the AJP Connector.
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 2becbfd3228942a18b663ca715ee9c9b80743120 Author: Mark Thomas AuthorDate: Tue Jan 21 15:18:04 2020 + Add security information for the AJP Connector. --- webapps/docs/changelog.xml | 3 +++ webapps/docs/config/ajp.xml | 10 +- webapps/docs/security-howto.xml | 8 3 files changed, 20 insertions(+), 1 deletion(-) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 7538af1..1f6c84d 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -237,6 +237,9 @@ example includes ii18n support, the Locale used should be based on the request locale and not the server locale. (markt) + +Add additional information on securing AJP/1.3 Connectors. (markt) + diff --git a/webapps/docs/config/ajp.xml b/webapps/docs/config/ajp.xml index 3fa0203..6189f23 100644 --- a/webapps/docs/config/ajp.xml +++ b/webapps/docs/config/ajp.xml @@ -44,6 +44,13 @@ contained in the web application, and/or utilize Apache's SSL processing. + Use of the AJP protocol requires additional security considerations because + it allows greater direct manipulation of Tomcat's internal data structures + than the HTTP connectors. Particular attention should be paid to the values + used for the address, secret, + secretRequired and allowedArbitraryRequestAttributes + attributes. + This connector supports load balancing when used in conjunction with the jvmRoute attribute of the Engine. @@ -468,7 +475,8 @@ If this attribute is true, the AJP Connector will only start if the secret attribute is configured with a non-null, non-zero length value. The default value is true. - + This attributue should only be set to false when the + Connector is used on a trusted network. diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml index a9b2ec8..5961cd0 100644 --- a/webapps/docs/security-howto.xml 
+++ b/webapps/docs/security-howto.xml @@ -249,6 +249,14 @@ By default, a non-TLS, HTTP/1.1 connector is configured on port 8080. Connectors that will not be used should be removed from server.xml. + AJP Connectors should only be used on trusted networks or be + appropriately secured with a suitable secret attribute. + + AJP Connectors block forwarded requests with unknown request + attributes. Known safe and/or expected attributes may be allowed by + configuration an appropriate regular expression for the + allowedArbitraryRequestAttributes attribute. + The address attribute may be used to control which IP address a connector listens on for connections. By default, a connector listens on all configured IP addresses. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
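Review bot: Two wording slips in the added documentation: "This attributue should only be set" in the ajp.xml secretRequired hunk should read "attribute", and "by configuration an appropriate regular expression" in the security-howto.xml hunk should read "by configuring". In the same security-howto.xml hunk the unchanged context still says "By default, a connector listens on all configured IP addresses", which no longer holds for AJP once the loopback default from 02/05 is in; that sentence needs an AJP exception.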
[tomcat] 04/05: Add new AJP attribute allowedArbitraryRequestAttributes
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 5a5494f023e81aa353e262fb14fff4cd0338a67c Author: Mark Thomas AuthorDate: Tue Jan 21 15:04:12 2020 + Add new AJP attribute allowedArbitraryRequestAttributes Requests with unrecognised attributes will be blocked with a 403 --- .../org/apache/coyote/ajp/AbstractAjpProtocol.java | 13 java/org/apache/coyote/ajp/AjpProcessor.java | 36 +- webapps/docs/changelog.xml | 5 +++ webapps/docs/config/ajp.xml| 19 4 files changed, 72 insertions(+), 1 deletion(-) diff --git a/java/org/apache/coyote/ajp/AbstractAjpProtocol.java b/java/org/apache/coyote/ajp/AbstractAjpProtocol.java index 7403db0..1d42c36 100644 --- a/java/org/apache/coyote/ajp/AbstractAjpProtocol.java +++ b/java/org/apache/coyote/ajp/AbstractAjpProtocol.java @@ -17,6 +17,7 @@ package org.apache.coyote.ajp; import java.net.InetAddress; +import java.util.regex.Pattern; import org.apache.coyote.AbstractProtocol; import org.apache.coyote.Processor; @@ -188,6 +189,18 @@ public abstract class AbstractAjpProtocol extends AbstractProtocol { } +private Pattern allowedArbitraryRequestAttributesPattern; +public void setAllowedArbitraryRequestAttributes(String allowedArbitraryRequestAttributes) { +this.allowedArbitraryRequestAttributesPattern = Pattern.compile(allowedArbitraryRequestAttributes); +} +public String getAllowedArbitraryRequestAttributes() { +return allowedArbitraryRequestAttributesPattern.pattern(); +} +protected Pattern getAllowedArbitraryRequestAttributesPattern() { +return allowedArbitraryRequestAttributesPattern; +} + + /** * AJP packet size. */ diff --git a/java/org/apache/coyote/ajp/AjpProcessor.java b/java/org/apache/coyote/ajp/AjpProcessor.java index 745cc6f..a14a960 100644 --- a/java/org/apache/coyote/ajp/AjpProcessor.java +++ b/java/org/apache/coyote/ajp/AjpProcessor.java 
@@ -25,6 +25,11 @@ import java.nio.ByteBuffer; import java.security.NoSuchProviderException; import java.security.cert.CertificateFactory; import java.security.cert.X509Certificate; +import java.util.Collections; +import java.util.HashSet; +import java.util.Set; +import java.util.regex.Matcher; +import java.util.regex.Pattern; import javax.servlet.http.HttpServletResponse; @@ -79,6 +84,9 @@ public class AjpProcessor extends AbstractProcessor { private static final byte[] pongMessageArray; +private static final Set javaxAttributes; + + static { // Allocate the end message array AjpMessage endMessage = new AjpMessage(16); @@ -119,6 +127,14 @@ public class AjpProcessor extends AbstractProcessor { pongMessageArray = new byte[pongMessage.getLen()]; System.arraycopy(pongMessage.getBuffer(), 0, pongMessageArray, 0, pongMessage.getLen()); + +// Build the Set of javax attributes +Set s = new HashSet<>(); +s.add("javax.servlet.request.cipher_suite"); +s.add("javax.servlet.request.key_size"); +s.add("javax.servlet.request.ssl_session"); +s.add("javax.servlet.request.X509Certificate"); +javaxAttributes= Collections.unmodifiableSet(s); } @@ -815,8 +831,26 @@ public class AjpProcessor extends AbstractProcessor { } } else if(n.equals(Constants.SC_A_SSL_PROTOCOL)) { request.setAttribute(SSLSupport.PROTOCOL_VERSION_KEY, v); +} else if (n.equals("JK_LB_ACTIVATION")) { +request.setAttribute(n, v); +} else if (javaxAttributes.contains(n)) { +request.setAttribute(n, v); } else { -request.setAttribute(n, v ); +// All 'known' attributes will be processed by the previous +// blocks. Any remaining attribute is an 'arbitrary' one. +Pattern pattern = protocol.getAllowedArbitraryRequestAttributesPattern(); +if (pattern == null) { +response.setStatus(403); +setErrorState(ErrorState.CLOSE_CLEAN, null); +} else { +Matcher m = pattern.matcher(n); +if (m.matches()) { +request.setAttribute(n, v); +} else { +response.setStatus(403); +setErrorState(ErrorState.CLOSE_CLEAN, null); +} +} } break; 
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index bee08d8..7538af1 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog
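Review bot: In the AbstractAjpProtocol.java hunk, getAllowedArbitraryRequestAttributes() calls allowedArbitraryRequestAttributesPattern.pattern() on a field that stays null until the setter has run, so reading the attribute on a connector that leaves it unset throws a NullPointerException. Return null from the getter when the pattern is null, and decide in the setter whether a null argument should clear the pattern instead of being passed to Pattern.compile(), which throws on null.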
[tomcat] 01/05: Disable AJP connector by default
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 4c933d80e340b4a841a672060351b2190b326782 Author: Mark Thomas AuthorDate: Tue Jan 21 12:41:01 2020 + Disable AJP connector by default --- conf/server.xml | 3 ++- res/tomcat.nsi | 21 - webapps/docs/changelog.xml | 4 webapps/docs/manager-howto.xml | 2 -- webapps/docs/security-howto.xml | 8 webapps/docs/setup.xml | 1 - 6 files changed, 10 insertions(+), 29 deletions(-) diff --git a/conf/server.xml b/conf/server.xml index 2cd78df..5d9d57a 100644 --- a/conf/server.xml +++ b/conf/server.xml @@ -113,8 +113,9 @@ --> +
[tomcat] branch 9.0.x updated (8bfb0ff -> 9c9a474)
This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git.

from 8bfb0ff Stricter header value parsing
new 4c933d8 Disable AJP connector by default
new 0e8a50f Change the default bind address for AJP to the loopback address
new 9ac9053 Rename requiredSecret to secret and add secretRequired
new 64fa5b9 Add new AJP attribute allowedArbitraryRequestAttributes
new 9c9a474 Add security information for the AJP Connector.

The 5 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.

Summary of changes:
conf/server.xml | 3 +-
.../org/apache/coyote/ajp/AbstractAjpProtocol.java | 66 +-
java/org/apache/coyote/ajp/AjpProcessor.java | 48 +---
java/org/apache/coyote/ajp/LocalStrings.properties | 1 +
res/tomcat.nsi | 21 ---
webapps/docs/changelog.xml | 24
webapps/docs/config/ajp.xml | 46 +--
webapps/docs/manager-howto.xml | 2 -
webapps/docs/security-howto.xml | 16 --
webapps/docs/setup.xml | 1 -
10 files changed, 183 insertions(+), 45 deletions(-)
[tomcat] 03/05: Rename requiredSecret to secret and add secretRequired
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 9ac90532e9a7d239f90952edb229b07c80a9a3eb Author: Mark Thomas AuthorDate: Tue Jan 21 14:24:33 2020 + Rename requiredSecret to secret and add secretRequired AJP Connector will not start if secretRequired="true" and secret is set to null or zero length String. --- .../org/apache/coyote/ajp/AbstractAjpProtocol.java | 49 -- java/org/apache/coyote/ajp/AjpProcessor.java | 12 +++--- java/org/apache/coyote/ajp/LocalStrings.properties | 1 + webapps/docs/changelog.xml | 8 webapps/docs/config/ajp.xml| 12 +- 5 files changed, 72 insertions(+), 10 deletions(-) diff --git a/java/org/apache/coyote/ajp/AbstractAjpProtocol.java b/java/org/apache/coyote/ajp/AbstractAjpProtocol.java index 8e0593b..81da7da 100644 --- a/java/org/apache/coyote/ajp/AbstractAjpProtocol.java +++ b/java/org/apache/coyote/ajp/AbstractAjpProtocol.java 
@@ -143,17 +143,48 @@ public abstract class AbstractAjpProtocol extends AbstractProtocol { } -private String requiredSecret = null; +private String secret = null; +/** + * Set the secret that must be included with every request. + * + * @param secret The required secret + */ +public void setSecret(String secret) { +this.secret = secret; +} +protected String getSecret() { +return secret; +} /** * Set the required secret that must be included with every request. * * @param requiredSecret The required secret + * + * @deprecated Replaced by {@link #setSecret(String)}. + * Will be removed in Tomcat 11 onwards */ +@Deprecated public void setRequiredSecret(String requiredSecret) { -this.requiredSecret = requiredSecret; +setSecret(requiredSecret); } +/** + * @return The current secret + * + * @deprecated Replaced by {@link #getSecret()}. + * Will be removed in Tomcat 11 onwards + */ +@Deprecated protected String getRequiredSecret() { -return requiredSecret; +return getSecret(); +} + + +private boolean secretRequired = true; +public void setSecretRequired(boolean secretRequired) { +this.secretRequired = secretRequired; +} +public boolean getSecretRequired() { +return secretRequired; } @@ -210,4 +241,16 @@ public abstract class AbstractAjpProtocol extends AbstractProtocol { throw new IllegalStateException(sm.getString("ajpprotocol.noUpgradeHandler", upgradeToken.getHttpUpgradeHandler().getClass().getName())); } + + +@Override +public void init() throws Exception { +if (getSecretRequired()) { +String secret = getSecret(); +if (secret == null || secret.length() == 0) { +throw new IllegalArgumentException(sm.getString("ajpprotocol.nosecret")); +} +} +super.init(); +} } diff --git a/java/org/apache/coyote/ajp/AjpProcessor.java b/java/org/apache/coyote/ajp/AjpProcessor.java index a3e628d..d466de2 100644 --- a/java/org/apache/coyote/ajp/AjpProcessor.java +++ b/java/org/apache/coyote/ajp/AjpProcessor.java 
@@ -698,8 +698,8 @@ public class AjpProcessor extends AbstractProcessor { } // Decode extra attributes -String requiredSecret = protocol.getRequiredSecret(); -boolean secret = false; +String secret = protocol.getSecret(); +boolean secretPresentInRequest = false; byte attributeCode; while ((attributeCode = requestHeaderMessage.getByte()) != Constants.SC_A_ARE_DONE) { @@ -801,9 +801,9 @@ public class AjpProcessor extends AbstractProcessor { case Constants.SC_A_SECRET: requestHeaderMessage.getBytes(tmpMB); -if (requiredSecret != null) { -secret = true; -if (!tmpMB.equals(requiredSecret)) { +if (secret != null) { +secretPresentInRequest = true; +if (!tmpMB.equals(secret)) { response.setStatus(403); setErrorState(ErrorState.CLOSE_CLEAN, null); } @@ -819,7 +819,7 @@ public class AjpProcessor extends AbstractProcessor { } // Check if secret was submitted if required -if ((requiredSecret != null) && !secret) { +if ((secret != null) && !secretPresentInRequest) { response.setStatus(403); setErrorState(ErrorState.CLOSE_CLEAN, null); } diff --git a/java/org/apache/coyote/ajp/LocalStrings.properties b/java/org/apache/coyote/ajp/LocalStrings.properties index 9b569bb..01de92a 100644 --- a/java/org/apache/co
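Review bot: The two files disagree on what counts as "no secret": the new init() in AbstractAjpProtocol.java treats a zero-length String the same as null, while the AjpProcessor.java hunks test only secret != null. With secretRequired="false" and secret="" the connector starts, then answers 403 to every request that omits the secret attribute, and the only value that passes tmpMB.equals(secret) is an empty one. Normalise an empty String to null in setSecret(), or apply the same null-or-empty test in both places.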
[tomcat] 02/05: Change the default bind address for AJP to the loopback address
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 0e8a50f0a5958744bea1fd6768c862e04d3b7e75 Author: Mark Thomas AuthorDate: Tue Jan 21 13:02:13 2020 + Change the default bind address for AJP to the loopback address --- java/org/apache/coyote/ajp/AbstractAjpProtocol.java | 4 webapps/docs/changelog.xml | 4 webapps/docs/config/ajp.xml | 5 + 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/java/org/apache/coyote/ajp/AbstractAjpProtocol.java b/java/org/apache/coyote/ajp/AbstractAjpProtocol.java index 2500abd..8e0593b 100644 --- a/java/org/apache/coyote/ajp/AbstractAjpProtocol.java +++ b/java/org/apache/coyote/ajp/AbstractAjpProtocol.java @@ -16,6 +16,8 @@ */ package org.apache.coyote.ajp; +import java.net.InetAddress; + import org.apache.coyote.AbstractProtocol; import org.apache.coyote.Processor; import org.apache.coyote.UpgradeProtocol; @@ -46,6 +48,8 @@ public abstract class AbstractAjpProtocol extends AbstractProtocol { setConnectionTimeout(Constants.DEFAULT_CONNECTION_TIMEOUT); // AJP does not use Send File getEndpoint().setUseSendfile(false); +// AJP listens on loopback by default +getEndpoint().setAddress(InetAddress.getLoopbackAddress()); ConnectionHandler cHandler = new ConnectionHandler<>(this); setHandler(cHandler); getEndpoint().setHandler(cHandler); diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index b5730c7..5351cb0 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -178,6 +178,10 @@ Disable (comment out in server.xml) the AJP/1.3 connector by default. (markt) + +Change the default bind address for the AJP/1.3 connector to be the +loopback address. (markt) + diff --git a/webapps/docs/config/ajp.xml b/webapps/docs/config/ajp.xml index c70af91..5535a06 100644 --- a/webapps/docs/config/ajp.xml +++ b/webapps/docs/config/ajp.xml 
@@ -308,10 +308,7 @@ For servers with more than one IP address, this attribute specifies which address will be used for listening on the specified - port. By default, this port will be used on all IP addresses - associated with the server. A value of 127.0.0.1 - indicates that the Connector will only listen on the loopback - interface. + port. By default, the loopback address will be used.
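Review bot: The ajp.xml hunk replaces the description of the old listen-on-all-addresses default with "By default, the loopback address will be used" but gives no guidance for a deployment whose reverse proxy runs on a different host, which will stop reaching the connector after the upgrade unless address is set explicitly. Add a sentence to the attribute description saying that address must be configured when the proxy is not on the same machine.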
[tomcat] 05/05: Add security information for the AJP Connector.
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 9c9a4748bfb5907c7bebfeb35f280350a378dd6c Author: Mark Thomas AuthorDate: Tue Jan 21 15:18:04 2020 + Add security information for the AJP Connector. --- webapps/docs/changelog.xml | 3 +++ webapps/docs/config/ajp.xml | 10 +- webapps/docs/security-howto.xml | 8 3 files changed, 20 insertions(+), 1 deletion(-) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 46fa42f..561e87c 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -232,6 +232,9 @@ example includes ii18n support, the Locale used should be based on the request locale and not the server locale. (markt) + +Add additional information on securing AJP/1.3 Connectors. (markt) + diff --git a/webapps/docs/config/ajp.xml b/webapps/docs/config/ajp.xml index 69348a1..dbecf7a 100644 --- a/webapps/docs/config/ajp.xml +++ b/webapps/docs/config/ajp.xml @@ -44,6 +44,13 @@ contained in the web application, and/or utilize Apache's SSL processing. + Use of the AJP protocol requires additional security considerations because + it allows greater direct manipulation of Tomcat's internal data structures + than the HTTP connectors. Particular attention should be paid to the values + used for the address, secret, + secretRequired and allowedArbitraryRequestAttributes + attributes. + This connector supports load balancing when used in conjunction with the jvmRoute attribute of the Engine. @@ -459,7 +466,8 @@ If this attribute is true, the AJP Connector will only start if the secret attribute is configured with a non-null, non-zero length value. The default value is true. - + This attributue should only be set to false when the + Connector is used on a trusted network. diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml index 9844ec0..947a162 100644 --- a/webapps/docs/security-howto.xml 
+++ b/webapps/docs/security-howto.xml @@ -249,6 +249,14 @@ By default, a non-TLS, HTTP/1.1 connector is configured on port 8080. Connectors that will not be used should be removed from server.xml. + AJP Connectors should only be used on trusted networks or be + appropriately secured with a suitable secret attribute. + + AJP Connectors block forwarded requests with unknown request + attributes. Known safe and/or expected attributes may be allowed by + configuration an appropriate regular expression for the + allowedArbitraryRequestAttributes attribute. + The address attribute may be used to control which IP address a connector listens on for connections. By default, a connector listens on all configured IP addresses.
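Review bot: Two of the added documentation lines contain typos: "This attributue should only be set to false" in the ajp.xml hunk at -459 should read "attribute", and "may be allowed by configuration an appropriate regular expression" in the security-howto.xml hunk should read "by configuring". Both end up in the published security guidance, so fix them before merging.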
[tomcat] 04/05: Add new AJP attribute allowedArbitraryRequestAttributes
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 64fa5b99442589ef0bf2a7fcd71ad2bc68b35fad Author: Mark Thomas AuthorDate: Tue Jan 21 15:04:12 2020 + Add new AJP attribute allowedArbitraryRequestAttributes Requests with unrecognised attributes will be blocked with a 403 --- .../org/apache/coyote/ajp/AbstractAjpProtocol.java | 13 java/org/apache/coyote/ajp/AjpProcessor.java | 36 +- webapps/docs/changelog.xml | 5 +++ webapps/docs/config/ajp.xml| 19 4 files changed, 72 insertions(+), 1 deletion(-) diff --git a/java/org/apache/coyote/ajp/AbstractAjpProtocol.java b/java/org/apache/coyote/ajp/AbstractAjpProtocol.java index 81da7da..a2f5e28 100644 --- a/java/org/apache/coyote/ajp/AbstractAjpProtocol.java +++ b/java/org/apache/coyote/ajp/AbstractAjpProtocol.java @@ -17,6 +17,7 @@ package org.apache.coyote.ajp; import java.net.InetAddress; +import java.util.regex.Pattern; import org.apache.coyote.AbstractProtocol; import org.apache.coyote.Processor; @@ -188,6 +189,18 @@ public abstract class AbstractAjpProtocol extends AbstractProtocol { } +private Pattern allowedArbitraryRequestAttributesPattern; +public void setAllowedArbitraryRequestAttributes(String allowedArbitraryRequestAttributes) { +this.allowedArbitraryRequestAttributesPattern = Pattern.compile(allowedArbitraryRequestAttributes); +} +public String getAllowedArbitraryRequestAttributes() { +return allowedArbitraryRequestAttributesPattern.pattern(); +} +protected Pattern getAllowedArbitraryRequestAttributesPattern() { +return allowedArbitraryRequestAttributesPattern; +} + + /** * AJP packet size. */ diff --git a/java/org/apache/coyote/ajp/AjpProcessor.java b/java/org/apache/coyote/ajp/AjpProcessor.java index d466de2..f3d783f 100644 --- a/java/org/apache/coyote/ajp/AjpProcessor.java +++ b/java/org/apache/coyote/ajp/AjpProcessor.java 
@@ -25,6 +25,11 @@ import java.nio.ByteBuffer; import java.security.NoSuchProviderException; import java.security.cert.CertificateFactory; import java.security.cert.X509Certificate; +import java.util.Collections; +import java.util.HashSet; +import java.util.Set; +import java.util.regex.Matcher; +import java.util.regex.Pattern; import javax.servlet.http.HttpServletResponse; @@ -78,6 +83,9 @@ public class AjpProcessor extends AbstractProcessor { private static final byte[] pongMessageArray; +private static final Set javaxAttributes; + + static { // Allocate the end message array AjpMessage endMessage = new AjpMessage(16); @@ -118,6 +126,14 @@ public class AjpProcessor extends AbstractProcessor { pongMessageArray = new byte[pongMessage.getLen()]; System.arraycopy(pongMessage.getBuffer(), 0, pongMessageArray, 0, pongMessage.getLen()); + +// Build the Set of javax attributes +Set s = new HashSet<>(); +s.add("javax.servlet.request.cipher_suite"); +s.add("javax.servlet.request.key_size"); +s.add("javax.servlet.request.ssl_session"); +s.add("javax.servlet.request.X509Certificate"); +javaxAttributes= Collections.unmodifiableSet(s); } @@ -728,8 +744,26 @@ public class AjpProcessor extends AbstractProcessor { } } else if(n.equals(Constants.SC_A_SSL_PROTOCOL)) { request.setAttribute(SSLSupport.PROTOCOL_VERSION_KEY, v); +} else if (n.equals("JK_LB_ACTIVATION")) { +request.setAttribute(n, v); +} else if (javaxAttributes.contains(n)) { +request.setAttribute(n, v); } else { -request.setAttribute(n, v ); +// All 'known' attributes will be processed by the previous +// blocks. Any remaining attribute is an 'arbitrary' one. +Pattern pattern = protocol.getAllowedArbitraryRequestAttributesPattern(); +if (pattern == null) { +response.setStatus(403); +setErrorState(ErrorState.CLOSE_CLEAN, null); +} else { +Matcher m = pattern.matcher(n); +if (m.matches()) { +request.setAttribute(n, v); +} else { +response.setStatus(403); +setErrorState(ErrorState.CLOSE_CLEAN, null); +} +} } break; 
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 5d0cf7e..46fa42f 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog
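Review bot: In the AjpProcessor.java hunk at -728, the new else branch repeats response.setStatus(403) and setErrorState(ErrorState.CLOSE_CLEAN, null) in two places (pattern == null, and pattern present but not matching) and records nothing about which attribute name caused the rejection. Fold the two cases into one test of the form pattern != null && pattern.matcher(n).matches() with a single rejection path, and log the rejected name at debug level so an operator can tell what to add to allowedArbitraryRequestAttributes.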
[tomcat] 01/05: Disable AJP connector by default
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 86768e423a6ca0ae32e64acb65c9ae8dccf52256 Author: Mark Thomas AuthorDate: Tue Jan 21 12:41:01 2020 + Disable AJP connector by default --- TOMCAT-NEXT.txt | 2 -- conf/server.xml | 3 ++- res/tomcat.nsi | 21 - webapps/docs/manager-howto.xml | 2 -- webapps/docs/security-howto.xml | 8 webapps/docs/setup.xml | 1 - 6 files changed, 6 insertions(+), 31 deletions(-) diff --git a/TOMCAT-NEXT.txt b/TOMCAT-NEXT.txt index 95d6376..3be3e12 100644 --- a/TOMCAT-NEXT.txt +++ b/TOMCAT-NEXT.txt @@ -47,8 +47,6 @@ New items for 10.0.0.x onwards: 7. Refactor DefaultServlet to use Ranges in parseRanges(). - 8. Consider disabling the AJP connector by default. - Deferred until 10.0.x: diff --git a/conf/server.xml b/conf/server.xml index 2cd78df..5d9d57a 100644 --- a/conf/server.xml +++ b/conf/server.xml @@ -113,8 +113,9 @@ --> +
[tomcat] 03/05: Rename requiredSecret to secret and add secretRequired
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git commit a41145cc0c564a7f5feff9ac4263a46ba8c0f4e7 Author: Mark Thomas AuthorDate: Tue Jan 21 14:24:33 2020 + Rename requiredSecret to secret and add secretRequired AJP Connector will not start if secretRequired="true" and secret is set to null or zero length String. --- .../org/apache/coyote/ajp/AbstractAjpProtocol.java | 49 -- java/org/apache/coyote/ajp/AjpProcessor.java | 12 +++--- java/org/apache/coyote/ajp/LocalStrings.properties | 1 + webapps/docs/config/ajp.xml| 12 +- 4 files changed, 64 insertions(+), 10 deletions(-) diff --git a/java/org/apache/coyote/ajp/AbstractAjpProtocol.java b/java/org/apache/coyote/ajp/AbstractAjpProtocol.java index 8e0593b..81da7da 100644 --- a/java/org/apache/coyote/ajp/AbstractAjpProtocol.java +++ b/java/org/apache/coyote/ajp/AbstractAjpProtocol.java 
@@ -143,17 +143,48 @@ public abstract class AbstractAjpProtocol extends AbstractProtocol { } -private String requiredSecret = null; +private String secret = null; +/** + * Set the secret that must be included with every request. + * + * @param secret The required secret + */ +public void setSecret(String secret) { +this.secret = secret; +} +protected String getSecret() { +return secret; +} /** * Set the required secret that must be included with every request. * * @param requiredSecret The required secret + * + * @deprecated Replaced by {@link #setSecret(String)}. + * Will be removed in Tomcat 11 onwards */ +@Deprecated public void setRequiredSecret(String requiredSecret) { -this.requiredSecret = requiredSecret; +setSecret(requiredSecret); } +/** + * @return The current secret + * + * @deprecated Replaced by {@link #getSecret()}. + * Will be removed in Tomcat 11 onwards + */ +@Deprecated protected String getRequiredSecret() { -return requiredSecret; +return getSecret(); +} + + +private boolean secretRequired = true; +public void setSecretRequired(boolean secretRequired) { +this.secretRequired = secretRequired; +} +public boolean getSecretRequired() { +return secretRequired; } @@ -210,4 +241,16 @@ public abstract class AbstractAjpProtocol extends AbstractProtocol { throw new IllegalStateException(sm.getString("ajpprotocol.noUpgradeHandler", upgradeToken.getHttpUpgradeHandler().getClass().getName())); } + + +@Override +public void init() throws Exception { +if (getSecretRequired()) { +String secret = getSecret(); +if (secret == null || secret.length() == 0) { +throw new IllegalArgumentException(sm.getString("ajpprotocol.nosecret")); +} +} +super.init(); +} } diff --git a/java/org/apache/coyote/ajp/AjpProcessor.java b/java/org/apache/coyote/ajp/AjpProcessor.java index 0c593ba..128c1a0 100644 --- a/java/org/apache/coyote/ajp/AjpProcessor.java +++ b/java/org/apache/coyote/ajp/AjpProcessor.java 
@@ -712,8 +712,8 @@ public class AjpProcessor extends AbstractProcessor { } // Decode extra attributes -String requiredSecret = protocol.getRequiredSecret(); -boolean secret = false; +String secret = protocol.getSecret(); +boolean secretPresentInRequest = false; byte attributeCode; while ((attributeCode = requestHeaderMessage.getByte()) != Constants.SC_A_ARE_DONE) { @@ -819,9 +819,9 @@ public class AjpProcessor extends AbstractProcessor { case Constants.SC_A_SECRET: requestHeaderMessage.getBytes(tmpMB); -if (requiredSecret != null) { -secret = true; -if (!tmpMB.equals(requiredSecret)) { +if (secret != null) { +secretPresentInRequest = true; +if (!tmpMB.equals(secret)) { response.setStatus(403); setErrorState(ErrorState.CLOSE_CLEAN, null); } @@ -837,7 +837,7 @@ public class AjpProcessor extends AbstractProcessor { } // Check if secret was submitted if required -if ((requiredSecret != null) && !secret) { +if ((secret != null) && !secretPresentInRequest) { response.setStatus(403); setErrorState(ErrorState.CLOSE_CLEAN, null); } diff --git a/java/org/apache/coyote/ajp/LocalStrings.properties b/java/org/apache/coyote/ajp/LocalStrings.properties index 9b569bb..01de92a 100644 --- a/java/org/apache/coyote/ajp/LocalStrings.properties +++ b/java/org/apache/coyote
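Review bot: In the AbstractAjpProtocol.java hunk, getSecret(), setSecretRequired() and getSecretRequired() are added without Javadoc, even though secretRequired defaults to true and the new init() override then refuses to start a connector that has no secret configured. Document the default and the start-up failure on these accessors in the same way setSecret() is documented, since this is the behaviour an upgrading operator will run into first.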
[tomcat] 02/05: Change the default bind address for AJP to the loopback address
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git commit aba0c9a488a7d7e5063779e88f652cdca439cd24 Author: Mark Thomas AuthorDate: Tue Jan 21 13:02:13 2020 + Change the default bind address for AJP to the loopback address --- java/org/apache/coyote/ajp/AbstractAjpProtocol.java | 4 webapps/docs/config/ajp.xml | 5 + 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/java/org/apache/coyote/ajp/AbstractAjpProtocol.java b/java/org/apache/coyote/ajp/AbstractAjpProtocol.java index 2500abd..8e0593b 100644 --- a/java/org/apache/coyote/ajp/AbstractAjpProtocol.java +++ b/java/org/apache/coyote/ajp/AbstractAjpProtocol.java @@ -16,6 +16,8 @@ */ package org.apache.coyote.ajp; +import java.net.InetAddress; + import org.apache.coyote.AbstractProtocol; import org.apache.coyote.Processor; import org.apache.coyote.UpgradeProtocol; @@ -46,6 +48,8 @@ public abstract class AbstractAjpProtocol extends AbstractProtocol { setConnectionTimeout(Constants.DEFAULT_CONNECTION_TIMEOUT); // AJP does not use Send File getEndpoint().setUseSendfile(false); +// AJP listens on loopback by default +getEndpoint().setAddress(InetAddress.getLoopbackAddress()); ConnectionHandler cHandler = new ConnectionHandler<>(this); setHandler(cHandler); getEndpoint().setHandler(cHandler); diff --git a/webapps/docs/config/ajp.xml b/webapps/docs/config/ajp.xml index c70af91..5535a06 100644 --- a/webapps/docs/config/ajp.xml +++ b/webapps/docs/config/ajp.xml 
@@ -308,10 +308,7 @@ For servers with more than one IP address, this attribute specifies which address will be used for listening on the specified - port. By default, this port will be used on all IP addresses - associated with the server. A value of 127.0.0.1 - indicates that the Connector will only listen on the loopback - interface. + port. By default, the loopback address will be used.
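Review bot: In the AbstractAjpProtocol.java constructor hunk, InetAddress.getLoopbackAddress() can return either the IPv4 loopback 127.0.0.1 or the IPv6 loopback ::1 depending on the JVM's address preference, while the text removed in the ajp.xml hunk named 127.0.0.1 specifically. A proxy configured to connect to 127.0.0.1 will not reach a connector bound to ::1, so state in ajp.xml that the address family follows the JVM, or bind a fixed address.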
[tomcat] 05/05: Add security information for the AJP Connector.
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 38a0fd9bb287e9e70eb61a5d8ea12cf602fb6398 Author: Mark Thomas AuthorDate: Tue Jan 21 15:18:04 2020 + Add security information for the AJP Connector. --- webapps/docs/config/ajp.xml | 10 +- webapps/docs/security-howto.xml | 8 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/webapps/docs/config/ajp.xml b/webapps/docs/config/ajp.xml index 69348a1..dbecf7a 100644 --- a/webapps/docs/config/ajp.xml +++ b/webapps/docs/config/ajp.xml @@ -44,6 +44,13 @@ contained in the web application, and/or utilize Apache's SSL processing. + Use of the AJP protocol requires additional security considerations because + it allows greater direct manipulation of Tomcat's internal data structures + than the HTTP connectors. Particular attention should be paid to the values + used for the address, secret, + secretRequired and allowedArbitraryRequestAttributes + attributes. + This connector supports load balancing when used in conjunction with the jvmRoute attribute of the Engine. @@ -459,7 +466,8 @@ If this attribute is true, the AJP Connector will only start if the secret attribute is configured with a non-null, non-zero length value. The default value is true. - + This attributue should only be set to false when the + Connector is used on a trusted network. diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml index 4d5726d..dfc03cc 100644 --- a/webapps/docs/security-howto.xml +++ b/webapps/docs/security-howto.xml 
@@ -249,6 +249,14 @@ By default, a non-TLS, HTTP/1.1 connector is configured on port 8080. Connectors that will not be used should be removed from server.xml. + AJP Connectors should only be used on trusted networks or be + appropriately secured with a suitable secret attribute. + + AJP Connectors block forwarded requests with unknown request + attributes. Known safe and/or expected attributes may be allowed by + configuration an appropriate regular expression for the + allowedArbitraryRequestAttributes attribute. + The address attribute may be used to control which IP address a connector listens on for connections. By default, a connector listens on all configured IP addresses.
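Review bot: In the security-howto.xml hunk, the unchanged context directly below the new AJP paragraphs still says "By default, a connector listens on all configured IP addresses", which no longer holds for the AJP connector now that 02/05 binds it to the loopback address. Qualify that sentence for AJP in this same change so the security guide does not contradict config/ajp.xml.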
[tomcat] branch master updated (ae8c82e -> 38a0fd9)
This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git.

from ae8c82e Stricter header value parsing
new 86768e4 Disable AJP connector by default
new aba0c9a Change the default bind address for AJP to the loopback address
new a41145c Rename requiredSecret to secret and add secretRequired
new 2e10858 Add new AJP attribute allowedArbitraryRequestAttribute
new 38a0fd9 Add security information for the AJP Connector.

The 5 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.

Summary of changes:
TOMCAT-NEXT.txt | 2 -
conf/server.xml | 3 +-
.../org/apache/coyote/ajp/AbstractAjpProtocol.java | 66 +-
java/org/apache/coyote/ajp/AjpProcessor.java | 32 ---
java/org/apache/coyote/ajp/LocalStrings.properties | 1 +
res/tomcat.nsi | 21 ---
webapps/docs/config/ajp.xml | 46 +--
webapps/docs/manager-howto.xml | 2 -
webapps/docs/security-howto.xml | 16 --
webapps/docs/setup.xml | 1 -
10 files changed, 143 insertions(+), 47 deletions(-)
[tomcat] 04/05: Add new AJP attribute allowedArbitraryRequestAttribute
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 2e108583e8665fdc61970137a409f15c4df3a36f Author: Mark Thomas AuthorDate: Tue Jan 21 15:04:12 2020 + Add new AJP attribute allowedArbitraryRequestAttribute Requests with unrecognised attributes will be blocked with a 403 --- java/org/apache/coyote/ajp/AbstractAjpProtocol.java | 13 + java/org/apache/coyote/ajp/AjpProcessor.java| 20 +++- webapps/docs/config/ajp.xml | 19 +++ 3 files changed, 51 insertions(+), 1 deletion(-) diff --git a/java/org/apache/coyote/ajp/AbstractAjpProtocol.java b/java/org/apache/coyote/ajp/AbstractAjpProtocol.java index 81da7da..a2f5e28 100644 --- a/java/org/apache/coyote/ajp/AbstractAjpProtocol.java +++ b/java/org/apache/coyote/ajp/AbstractAjpProtocol.java @@ -17,6 +17,7 @@ package org.apache.coyote.ajp; import java.net.InetAddress; +import java.util.regex.Pattern; import org.apache.coyote.AbstractProtocol; import org.apache.coyote.Processor; @@ -188,6 +189,18 @@ public abstract class AbstractAjpProtocol extends AbstractProtocol { } +private Pattern allowedArbitraryRequestAttributesPattern; +public void setAllowedArbitraryRequestAttributes(String allowedArbitraryRequestAttributes) { +this.allowedArbitraryRequestAttributesPattern = Pattern.compile(allowedArbitraryRequestAttributes); +} +public String getAllowedArbitraryRequestAttributes() { +return allowedArbitraryRequestAttributesPattern.pattern(); +} +protected Pattern getAllowedArbitraryRequestAttributesPattern() { +return allowedArbitraryRequestAttributesPattern; +} + + /** * AJP packet size. */ diff --git a/java/org/apache/coyote/ajp/AjpProcessor.java b/java/org/apache/coyote/ajp/AjpProcessor.java index 128c1a0..226d210 100644 --- a/java/org/apache/coyote/ajp/AjpProcessor.java +++ b/java/org/apache/coyote/ajp/AjpProcessor.java 
@@ -28,6 +28,8 @@ import java.security.cert.X509Certificate; import java.util.Collections; import java.util.HashMap; import java.util.Map; +import java.util.regex.Matcher; +import java.util.regex.Pattern; import jakarta.servlet.http.HttpServletResponse; @@ -742,12 +744,28 @@ public class AjpProcessor extends AbstractProcessor { } } else if(n.equals(Constants.SC_A_SSL_PROTOCOL)) { request.setAttribute(SSLSupport.PROTOCOL_VERSION_KEY, v); +} else if (n.equals("JK_LB_ACTIVATION")) { +request.setAttribute(n, v); } else if (jakartaAttributeMapping.containsKey(n)) { // AJP uses the Java Servlet attribute names. // Need to convert these to Jakarta SAervlet. request.setAttribute(jakartaAttributeMapping.get(n), v); } else { -request.setAttribute(n, v ); +// All 'known' attributes will be processed by the previous +// blocks. Any remaining attribute is an 'arbitrary' one. +Pattern pattern = protocol.getAllowedArbitraryRequestAttributesPattern(); +if (pattern == null) { +response.setStatus(403); +setErrorState(ErrorState.CLOSE_CLEAN, null); +} else { +Matcher m = pattern.matcher(n); +if (m.matches()) { +request.setAttribute(n, v); +} else { +response.setStatus(403); +setErrorState(ErrorState.CLOSE_CLEAN, null); +} +} } break; diff --git a/webapps/docs/config/ajp.xml b/webapps/docs/config/ajp.xml index 3999a13..69348a1 100644 --- a/webapps/docs/config/ajp.xml +++ b/webapps/docs/config/ajp.xml 
@@ -311,6 +311,25 @@ port. By default, the loopback address will be used. + + The AJP protocol passes some information from the reverse proxy to the + AJP connector using request attributes. These attributes are: + +javax.servlet.request.cipher_suite +javax.servlet.request.key_size +javax.servlet.request.ssl_session +javax.servlet.request.X509Certificate +AJP_LOCAL_ADDR +AJP_REMOTE_PORT +AJP_SSL_PROTOCOL +JK_LB_ACTIVATION + + The AJP protocol supports the passing of arbitrary request attributes. + Requests containing arbitrary request attributes will be rejected with a + 403 response unless the entire attribute name matches this regular + expression. If not specified, the default value is null. + + Controls when the socket used by the co
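Review bot: In the AbstractAjpProtocol.java hunk, getAllowedArbitraryRequestAttributes() dereferences allowedArbitraryRequestAttributesPattern unconditionally, so it throws a NullPointerException whenever the attribute has not been configured, which the ajp.xml text in this same commit documents as the default (null). Return null when the field is null, and have the setter handle a null argument instead of passing it straight to Pattern.compile().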
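Review bot: In the AjpProcessor.java hunk, the two rejection branches are identical (response.setStatus(403); setErrorState(ErrorState.CLOSE_CLEAN, null);) and neither logs which attribute name was refused, so an operator who hits the new 403 has nothing to diagnose it with. Collapse them into a single else branch guarded by pattern != null && pattern.matcher(n).matches(), and log the rejected name at debug level. "JK_LB_ACTIVATION" is also a bare string literal sitting next to the Constants.SC_A_* comparisons; a named constant would match the surrounding code.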
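Review bot: In the ajp.xml hunk, the text ends with "If not specified, the default value is null" without saying what null means in practice. Per the AjpProcessor change, every request that carries an attribute outside the listed names is then answered with a 403, whereas the removed line accepted any attribute. State that explicitly and give a sample pattern, so that deployments whose proxy forwards custom attributes know what to configure on upgrade.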
[tomcat] branch 7.0.x updated: Stricter header value parsing
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 7.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/7.0.x by this push: new 702bf15 Stricter header value parsing 702bf15 is described below commit 702bf15bea292915684d931526d95d4990b2e73d Author: Mark Thomas AuthorDate: Mon Jan 6 20:53:25 2020 + Stricter header value parsing --- .../coyote/http11/AbstractHttp11Protocol.java | 51 +-- .../apache/coyote/http11/AbstractInputBuffer.java | 5 + .../apache/coyote/http11/Http11AprProcessor.java | 4 +- .../apache/coyote/http11/Http11AprProtocol.java| 2 +- .../apache/coyote/http11/Http11NioProcessor.java | 4 +- .../apache/coyote/http11/Http11NioProtocol.java| 2 +- java/org/apache/coyote/http11/Http11Processor.java | 4 +- java/org/apache/coyote/http11/Http11Protocol.java | 2 +- .../coyote/http11/InternalAprInputBuffer.java | 50 -- .../apache/coyote/http11/InternalInputBuffer.java | 54 +-- .../coyote/http11/InternalNioInputBuffer.java | 43 -- java/org/apache/tomcat/util/http/MimeHeaders.java | 2 +- .../apache/tomcat/util/http/parser/HttpParser.java | 11 ++ .../coyote/http11/TestInternalInputBuffer.java | 167 +++-- webapps/docs/changelog.xml | 5 + webapps/docs/config/http.xml | 11 +- 16 files changed, 345 insertions(+), 72 deletions(-) diff --git a/java/org/apache/coyote/http11/AbstractHttp11Protocol.java b/java/org/apache/coyote/http11/AbstractHttp11Protocol.java index 8009380..632760c 100644 --- a/java/org/apache/coyote/http11/AbstractHttp11Protocol.java +++ b/java/org/apache/coyote/http11/AbstractHttp11Protocol.java 
@@ -83,27 +83,56 @@ public abstract class AbstractHttp11Protocol extends AbstractProtocol { } -private boolean rejectIllegalHeaderName = false; +private boolean rejectIllegalHeader = false; /** - * If an HTTP request is received that contains an illegal header name (i.e. - * the header name is not a token) will the request be rejected (with a 400 - * response) or will the illegal header be ignored. + * If an HTTP request is received that contains an illegal header name or + * value (e.g. the header name is not a token) will the request be rejected + * (with a 400 response) or will the illegal header be ignored? * * @return {@code true} if the request will be rejected or {@code false} if * the header will be ignored */ -public boolean getRejectIllegalHeaderName() { return rejectIllegalHeaderName; } +public boolean getRejectIllegalHeader() { return rejectIllegalHeader; } /** - * If an HTTP request is received that contains an illegal header name (i.e. - * the header name is not a token) should the request be rejected (with a - * 400 response) or should the illegal header be ignored. + * If an HTTP request is received that contains an illegal header name or + * value (e.g. the header name is not a token) should the request be + * rejected (with a 400 response) or should the illegal header be ignored? + * + * @param rejectIllegalHeader {@code true} to reject requests with illegal + * header names or values, {@code false} to + * ignore the header + */ +public void setRejectIllegalHeader(boolean rejectIllegalHeader) { +this.rejectIllegalHeader = rejectIllegalHeader; +} +/** + * If an HTTP request is received that contains an illegal header name or + * value (e.g. the header name is not a token) will the request be rejected + * (with a 400 response) or will the illegal header be ignored? + * + * @return {@code true} if the request will be rejected or {@code false} if + * the header will be ignored + * + * @deprecated Now an alias for {@link #getRejectIllegalHeader()}. 
Will be + * removed in Tomcat 10 onwards. + */ +@Deprecated +public boolean getRejectIllegalHeaderName() { return rejectIllegalHeader; } +/** + * If an HTTP request is received that contains an illegal header name or + * value (e.g. the header name is not a token) should the request be + * rejected (with a 400 response) or should the illegal header be ignored? * * @param rejectIllegalHeaderName {@code true} to reject requests with - * illegal header names, {@code false} to - * ignore the header + * illegal header names or values, + * {@code false} to ignore the header + * + * @deprecated Now an alias for {@link #setRejectIllegalHeader(boolean)}. + * Will be removed in Tomcat 10 onwar
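Review bot: In the AbstractHttp11Protocol.java hunk, the Javadoc now says "illegal header name or value" but the only example given is still "(e.g. the header name is not a token)", so a reader cannot tell what makes a value illegal. Add the value rule to the getter and setter Javadoc. The field default also stays false on this branch, so by default a request with an illegal header value has that header ignored rather than being rejected with a 400; the documentation should say so next to the new attribute name.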
[Bug 64116] New: Incorrect expansion of JAVA_OPTS in tool-wrapper.sh when JAVA_OPT is empty
https://bz.apache.org/bugzilla/show_bug.cgi?id=64116

Bug ID: 64116
Summary: Incorrect expansion of JAVA_OPTS in tool-wrapper.sh when JAVA_OPT is empty
Product: Tomcat 9
Version: 9.0.29
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: alexandre.penk...@gmail.com
Target Milestone: -

A call for digest.sh results in the following error:

    Error: Could not find or load main class -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager

This comes from digest.sh (line 145 onwards):

    JAVA_OPTS="$JAVA_OPTS -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager"
    exec "$_RUNJAVA" "$JAVA_OPTS" $TOOL_OPTS \
      -D$ENDORSED_PROP="$JAVA_ENDORSED_DIRS" \
      -classpath "$CLASSPATH" \
      -Dcatalina.home="$CATALINA_HOME" \
      org.apache.catalina.startup.Tool "$@"

If JAVA_OPTS is unset (which is our case, as verified through bash -x) the command line becomes:

    + JAVA_OPTS=' -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager'
    + exec /opt/java/jdk8/bin/java ' -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager' -Dignore.endorsed.dirs= -classpath /logiciels/tomcat/tomcat-9.0/bin/bootstrap.jar:/logiciels/tomcat/tomcat-9.0/bin/tomcat-juli.jar:/logiciels/tomcat/tomcat-9.0/lib/servlet-api.jar:/logiciels/tomcat/tomcat-9.0/lib/tomcat-util.jar -Dcatalina.home=/logiciels/tomcat/tomcat-9.0 org.apache.catalina.startup.Tool -server org.apache.catalina.realm.RealmBase
    Error: Could not find or load main class -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager

This bug seems to have been introduced through the fix for bug: 63815

Currently I am using a workaround by setting some bogus option to JAVA_OPTS before running the script
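The quoting behaviour reported in Bug 64116, as an added example that is not part of the bug report or of Tomcat's scripts: the functions rebuild the argument list with quoted and unquoted expansion and classify argv[1] using a simplified launcher model (an assumption: the first argument not starting with `-` is read as the main class). The function names are hypothetical and no JVM is started.

```shell
#!/bin/sh
# Added illustration for Bug 64116 (constructed; not Tomcat's own script).
# No JVM is started: we only inspect the argument list the launcher would get.

LOGMGR_OPT='-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager'
MAIN_CLASS='org.apache.catalina.startup.Tool'

# Simplified launcher model (assumption): the first argument that does not
# start with '-' ends option parsing and is read as the main class.
first_arg_role() {
    case "$1" in
        -*) printf 'option' ;;
        *)  printf 'main-class' ;;
    esac
}

# Quoted expansion, as in the snippet quoted in the report.
# $1 is the caller's JAVA_OPTS (may be empty).
# Prints "<argc>:<role of argv[1]>".
role_quoted() {
    JAVA_OPTS="$1 $LOGMGR_OPT"
    set -- "$JAVA_OPTS" "$MAIN_CLASS"
    printf '%s:%s' "$#" "$(first_arg_role "$1")"
}

# Unquoted expansion: field splitting drops the leading space and yields one
# argument per option. It also splits options that contain spaces and expands
# glob characters, so it is shown for contrast, not as a universal fix.
role_unquoted() {
    JAVA_OPTS="$1 $LOGMGR_OPT"
    # shellcheck disable=SC2086  # splitting is the point here
    set -- $JAVA_OPTS "$MAIN_CLASS"
    printf '%s:%s' "$#" "$(first_arg_role "$1")"
}

# argv[1] exactly as the launcher would receive it under the quoted form.
first_arg_quoted() {
    JAVA_OPTS="$1 $LOGMGR_OPT"
    set -- "$JAVA_OPTS" "$MAIN_CLASS"
    printf '%s' "$1"
}

# Empty JAVA_OPTS reproduces the report; '-Dbogus=1' is the reporter's
# workaround, which passes only because both options are fused into one
# argument that happens to start with '-'.
for opts in '' '-Dbogus=1'; do
    printf 'JAVA_OPTS=[%s]\n' "$opts"
    printf '  quoted:   %s  argv[1]=[%s]\n' \
        "$(role_quoted "$opts")" "$(first_arg_quoted "$opts")"
    printf '  unquoted: %s\n' "$(role_unquoted "$opts")"
done
```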
[Bug 64112] RewriteValve rules not applied in HTTPS
https://bz.apache.org/bugzilla/show_bug.cgi?id=64112 --- Comment #5 from Hua Zhang --- Clear, I will do it via users list.
[Bug 64112] RewriteValve rules not applied in HTTPS
https://bz.apache.org/bugzilla/show_bug.cgi?id=64112 --- Comment #4 from Hua Zhang --- Clear, I will do it via users list.
[Bug 64112] RewriteValve rules not applied in HTTPS
https://bz.apache.org/bugzilla/show_bug.cgi?id=64112 --- Comment #3 from Remy Maucherat --- As requested, please investigate on the users list.
[Bug 64112] RewriteValve rules not applied in HTTPS
https://bz.apache.org/bugzilla/show_bug.cgi?id=64112 --- Comment #2 from Hua Zhang --- Are you sure that the test has been done against version 9.0? I have a very simple configuration. It works in 8.0 but not in 9.0. I can make some screenshots if needed.
[tomcat] branch 8.5.x updated: Stricter header value parsing
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/8.5.x by this push: new 8fbe2e9 Stricter header value parsing 8fbe2e9 is described below commit 8fbe2e962f0ea138d92361921643fe5abe0c4f56 Author: Mark Thomas AuthorDate: Mon Jan 6 20:53:25 2020 + Stricter header value parsing --- .../coyote/http11/AbstractHttp11Protocol.java | 51 +++ .../apache/coyote/http11/Http11InputBuffer.java| 51 ++- java/org/apache/coyote/http11/Http11Processor.java | 2 +- java/org/apache/tomcat/util/http/MimeHeaders.java | 2 +- .../apache/tomcat/util/http/parser/HttpParser.java | 11 .../coyote/http11/TestHttp11InputBuffer.java | 72 ++ webapps/docs/changelog.xml | 5 ++ webapps/docs/config/http.xml | 11 +++- 8 files changed, 163 insertions(+), 42 deletions(-) diff --git a/java/org/apache/coyote/http11/AbstractHttp11Protocol.java b/java/org/apache/coyote/http11/AbstractHttp11Protocol.java index 5332f9b..c94c1bd 100644 --- a/java/org/apache/coyote/http11/AbstractHttp11Protocol.java +++ b/java/org/apache/coyote/http11/AbstractHttp11Protocol.java 
@@ -145,27 +145,56 @@ public abstract class AbstractHttp11Protocol extends AbstractProtocol { } -private boolean rejectIllegalHeaderName = false; +private boolean rejectIllegalHeader = false; /** - * If an HTTP request is received that contains an illegal header name (i.e. - * the header name is not a token) will the request be rejected (with a 400 - * response) or will the illegal header be ignored. + * If an HTTP request is received that contains an illegal header name or + * value (e.g. the header name is not a token) will the request be rejected + * (with a 400 response) or will the illegal header be ignored? * * @return {@code true} if the request will be rejected or {@code false} if * the header will be ignored */ -public boolean getRejectIllegalHeaderName() { return rejectIllegalHeaderName; } +public boolean getRejectIllegalHeader() { return rejectIllegalHeader; } /** - * If an HTTP request is received that contains an illegal header name (i.e. - * the header name is not a token) should the request be rejected (with a - * 400 response) or should the illegal header be ignored. + * If an HTTP request is received that contains an illegal header name or + * value (e.g. the header name is not a token) should the request be + * rejected (with a 400 response) or should the illegal header be ignored? + * + * @param rejectIllegalHeader {@code true} to reject requests with illegal + * header names or values, {@code false} to + * ignore the header + */ +public void setRejectIllegalHeader(boolean rejectIllegalHeader) { +this.rejectIllegalHeader = rejectIllegalHeader; +} +/** + * If an HTTP request is received that contains an illegal header name or + * value (e.g. the header name is not a token) will the request be rejected + * (with a 400 response) or will the illegal header be ignored? + * + * @return {@code true} if the request will be rejected or {@code false} if + * the header will be ignored + * + * @deprecated Now an alias for {@link #getRejectIllegalHeader()}. 
Will be + * removed in Tomcat 10 onwards. + */ +@Deprecated +public boolean getRejectIllegalHeaderName() { return rejectIllegalHeader; } +/** + * If an HTTP request is received that contains an illegal header name or + * value (e.g. the header name is not a token) should the request be + * rejected (with a 400 response) or should the illegal header be ignored? * * @param rejectIllegalHeaderName {@code true} to reject requests with - * illegal header names, {@code false} to - * ignore the header + * illegal header names or values, + * {@code false} to ignore the header + * + * @deprecated Now an alias for {@link #setRejectIllegalHeader(boolean)}. + * Will be removed in Tomcat 10 onwards. */ +@Deprecated public void setRejectIllegalHeaderName(boolean rejectIllegalHeaderName) { -this.rejectIllegalHeaderName = rejectIllegalHeaderName; +this.rejectIllegalHeader = rejectIllegalHeaderName; } diff --git a/java/org/apache/coyote/http11/Http11InputBuffer.java b/java/org/apache/coyote/http11/Http11InputBuffer.java index ef0b498..daecc72 100644 --- a/java/org/apache/coyote/http11/Http11InputBuffer.java +++ b/java/org/apache/c
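Review bot: In the AbstractHttp11Protocol.java hunk, setRejectIllegalHeader() and the deprecated setRejectIllegalHeaderName() now write the same field, so a Connector that sets both attributes with different values ends up with whichever setter happens to run last, with no warning. Log when the deprecated setter is used, or state the precedence in the @deprecated text so the outcome is not order-dependent by accident.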
[tomcat] branch 9.0.x updated: Stricter header value parsing
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new 8bfb0ff Stricter header value parsing 8bfb0ff is described below commit 8bfb0ff7f25fe7555a5eb2f7984f73546c11aa26 Author: Mark Thomas AuthorDate: Mon Jan 6 20:53:25 2020 + Stricter header value parsing --- .../coyote/http11/AbstractHttp11Protocol.java | 51 +++ .../apache/coyote/http11/Http11InputBuffer.java| 51 ++- java/org/apache/coyote/http11/Http11Processor.java | 2 +- java/org/apache/tomcat/util/http/MimeHeaders.java | 2 +- .../apache/tomcat/util/http/parser/HttpParser.java | 11 .../coyote/http11/TestHttp11InputBuffer.java | 72 ++ webapps/docs/changelog.xml | 5 ++ webapps/docs/config/http.xml | 11 +++- 8 files changed, 163 insertions(+), 42 deletions(-) diff --git a/java/org/apache/coyote/http11/AbstractHttp11Protocol.java b/java/org/apache/coyote/http11/AbstractHttp11Protocol.java index 9189b59..55c7dc8 100644 --- a/java/org/apache/coyote/http11/AbstractHttp11Protocol.java +++ b/java/org/apache/coyote/http11/AbstractHttp11Protocol.java 
@@ -145,27 +145,56 @@ public abstract class AbstractHttp11Protocol extends AbstractProtocol { } -private boolean rejectIllegalHeaderName = true; +private boolean rejectIllegalHeader = true; /** - * If an HTTP request is received that contains an illegal header name (i.e. - * the header name is not a token) will the request be rejected (with a 400 - * response) or will the illegal header be ignored. + * If an HTTP request is received that contains an illegal header name or + * value (e.g. the header name is not a token) will the request be rejected + * (with a 400 response) or will the illegal header be ignored? * * @return {@code true} if the request will be rejected or {@code false} if * the header will be ignored */ -public boolean getRejectIllegalHeaderName() { return rejectIllegalHeaderName; } +public boolean getRejectIllegalHeader() { return rejectIllegalHeader; } /** - * If an HTTP request is received that contains an illegal header name (i.e. - * the header name is not a token) should the request be rejected (with a - * 400 response) or should the illegal header be ignored. + * If an HTTP request is received that contains an illegal header name or + * value (e.g. the header name is not a token) should the request be + * rejected (with a 400 response) or should the illegal header be ignored? + * + * @param rejectIllegalHeader {@code true} to reject requests with illegal + * header names or values, {@code false} to + * ignore the header + */ +public void setRejectIllegalHeader(boolean rejectIllegalHeader) { +this.rejectIllegalHeader = rejectIllegalHeader; +} +/** + * If an HTTP request is received that contains an illegal header name or + * value (e.g. the header name is not a token) will the request be rejected + * (with a 400 response) or will the illegal header be ignored? + * + * @return {@code true} if the request will be rejected or {@code false} if + * the header will be ignored + * + * @deprecated Now an alias for {@link #getRejectIllegalHeader()}. 
Will be + * removed in Tomcat 10 onwards. + */ +@Deprecated +public boolean getRejectIllegalHeaderName() { return rejectIllegalHeader; } +/** + * If an HTTP request is received that contains an illegal header name or + * value (e.g. the header name is not a token) should the request be + * rejected (with a 400 response) or should the illegal header be ignored? * * @param rejectIllegalHeaderName {@code true} to reject requests with - * illegal header names, {@code false} to - * ignore the header + * illegal header names or values, + * {@code false} to ignore the header + * + * @deprecated Now an alias for {@link #setRejectIllegalHeader(boolean)}. + * Will be removed in Tomcat 10 onwards. */ +@Deprecated public void setRejectIllegalHeaderName(boolean rejectIllegalHeaderName) { -this.rejectIllegalHeaderName = rejectIllegalHeaderName; +this.rejectIllegalHeader = rejectIllegalHeaderName; } diff --git a/java/org/apache/coyote/http11/Http11InputBuffer.java b/java/org/apache/coyote/http11/Http11InputBuffer.java index 7eb0669..04543ef 100644 --- a/java/org/apache/coyote/http11/Http11InputBuffer.java +++ b/java/org/apache/coy
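Review bot: In the AbstractHttp11Protocol.java hunk, the default stays true while the meaning of the flag widens from illegal names to illegal names or values, so deployments that never set the attribute will start answering 400 to requests whose header values were accepted before. The diffstat lists changelog.xml and http.xml, but their hunks are not shown here; both should spell out this behaviour change and that setting rejectIllegalHeader to false restores the ignore behaviour.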
[tomcat] branch master updated: Stricter header value parsing
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/master by this push: new ae8c82e Stricter header value parsing ae8c82e is described below commit ae8c82eff96990878e79691819ae941538ee62fd Author: Mark Thomas AuthorDate: Mon Jan 6 20:53:25 2020 + Stricter header value parsing --- .../coyote/http11/AbstractHttp11Protocol.java | 26 .../apache/coyote/http11/Http11InputBuffer.java| 51 ++- java/org/apache/coyote/http11/Http11Processor.java | 2 +- java/org/apache/tomcat/util/http/MimeHeaders.java | 2 +- .../apache/tomcat/util/http/parser/HttpParser.java | 11 .../coyote/http11/TestHttp11InputBuffer.java | 72 ++ webapps/docs/config/http.xml | 6 +- 7 files changed, 126 insertions(+), 44 deletions(-) diff --git a/java/org/apache/coyote/http11/AbstractHttp11Protocol.java b/java/org/apache/coyote/http11/AbstractHttp11Protocol.java index fd3ab74..3aecff6 100644 --- a/java/org/apache/coyote/http11/AbstractHttp11Protocol.java +++ b/java/org/apache/coyote/http11/AbstractHttp11Protocol.java 
@@ -145,27 +145,27 @@ public abstract class AbstractHttp11Protocol extends AbstractProtocol { } -private boolean rejectIllegalHeaderName = true; +private boolean rejectIllegalHeader = true; /** - * If an HTTP request is received that contains an illegal header name (i.e. - * the header name is not a token) will the request be rejected (with a 400 - * response) or will the illegal header be ignored. + * If an HTTP request is received that contains an illegal header name or + * value (e.g. the header name is not a token) will the request be rejected + * (with a 400 response) or will the illegal header be ignored? * * @return {@code true} if the request will be rejected or {@code false} if * the header will be ignored */ -public boolean getRejectIllegalHeaderName() { return rejectIllegalHeaderName; } +public boolean getRejectIllegalHeader() { return rejectIllegalHeader; } /** - * If an HTTP request is received that contains an illegal header name (i.e. - * the header name is not a token) should the request be rejected (with a - * 400 response) or should the illegal header be ignored. + * If an HTTP request is received that contains an illegal header name or + * value (e.g. the header name is not a token) should the request be + * rejected (with a 400 response) or should the illegal header be ignored? * - * @param rejectIllegalHeaderName {@code true} to reject requests with - * illegal header names, {@code false} to - * ignore the header + * @param rejectIllegalHeader {@code true} to reject requests with illegal + * header names or values, {@code false} to + * ignore the header */ -public void setRejectIllegalHeaderName(boolean rejectIllegalHeaderName) { -this.rejectIllegalHeaderName = rejectIllegalHeaderName; +public void setRejectIllegalHeader(boolean rejectIllegalHeader) { +this.rejectIllegalHeader = rejectIllegalHeader; } 
diff --git a/java/org/apache/coyote/http11/Http11InputBuffer.java b/java/org/apache/coyote/http11/Http11InputBuffer.java index 7eb0669..04543ef 100644 --- a/java/org/apache/coyote/http11/Http11InputBuffer.java +++ b/java/org/apache/coyote/http11/Http11InputBuffer.java @@ -66,7 +66,7 @@ public class Http11InputBuffer implements InputBuffer, ApplicationBufferHandler private final MimeHeaders headers; -private final boolean rejectIllegalHeaderName; +private final boolean rejectIllegalHeader; /** * State. @@ -152,13 +152,13 @@ public class Http11InputBuffer implements InputBuffer, ApplicationBufferHandler // --- Constructors public Http11InputBuffer(Request request, int headerBufferSize, -boolean rejectIllegalHeaderName, HttpParser httpParser) { +boolean rejectIllegalHeader, HttpParser httpParser) { this.request = request; headers = request.getMimeHeaders(); this.headerBufferSize = headerBufferSize; -this.rejectIllegalHeaderName = rejectIllegalHeaderName; +this.rejectIllegalHeader = rejectIllegalHeader; this.httpParser = httpParser; filterLibrary = new InputFilter[0]; @@ -762,6 +762,8 @@ public class Http11InputBuffer implements InputBuffer, ApplicationBufferHandler // byte chr = 0; +byte prevChr = 0; + while (headerParsePos == HeaderParsePosition.HEADER_START) { // Read new bytes if needed @@
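Review bot: In the AbstractHttp11Protocol.java hunk, getRejectIllegalHeaderName() and setRejectIllegalHeaderName() are renamed outright, whereas the same change on the 7.0.x, 8.5.x and 9.0.x branches keeps them as @Deprecated aliases. A Connector configuration that still uses rejectIllegalHeaderName has no setter to bind to on master; call that out in the http.xml change so the old attribute is not dropped unnoticed during migration.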
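Review bot: In the last Http11InputBuffer.java hunk, byte prevChr = 0; is declared beside chr with no comment, and the part of the hunk that uses it is cut off here. A one-line comment stating what the previous byte is checked for would make the header parsing loop easier to audit.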
[tomcat] branch 7.0.x updated: Correct a regression in transfer-encoding parsing
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 7.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/7.0.x by this push: new b191a0d Correct a regression in transfer-encoding parsing b191a0d is described below commit b191a0d9cf06f4e04257c221bfe41d2b108a9cc8 Author: Mark Thomas AuthorDate: Tue Dec 17 09:27:49 2019 + Correct a regression in transfer-encoding parsing Invalid tokens are an error --- .../coyote/http11/AbstractHttp11Processor.java | 12 ++- .../apache/coyote/http11/LocalStrings.properties | 1 + .../apache/tomcat/util/http/parser/TokenList.java | 43 +++--- .../tomcat/util/http/parser/TestTokenList.java | 95 ++ webapps/docs/changelog.xml | 5 ++ 5 files changed, 123 insertions(+), 33 deletions(-) diff --git a/java/org/apache/coyote/http11/AbstractHttp11Processor.java b/java/org/apache/coyote/http11/AbstractHttp11Processor.java index 787d388..e5dacca 100644 --- a/java/org/apache/coyote/http11/AbstractHttp11Processor.java +++ b/java/org/apache/coyote/http11/AbstractHttp11Processor.java @@ -1534,10 +1534,14 @@ public abstract class AbstractHttp11Processor extends AbstractProcessor { } if (transferEncodingValueMB != null) { List encodingNames = new ArrayList(); -TokenList.parseTokenList(headers.values("transfer-encoding"), encodingNames); -for (String encodingName : encodingNames) { -// "identity" codings are ignored -addInputFilter(inputFilters, encodingName); +if (TokenList.parseTokenList(headers.values("transfer-encoding"), encodingNames)) { +for (String encodingName : encodingNames) { +// "identity" codings are ignored +addInputFilter(inputFilters, encodingName); +} +} else { +// Invalid transfer encoding +badRequest("http11processor.request.invalidTransferEncoding"); } } diff --git a/java/org/apache/coyote/http11/LocalStrings.properties b/java/org/apache/coyote/http11/LocalStrings.properties index 292e2c1..b12dd2e 100644 
--- a/java/org/apache/coyote/http11/LocalStrings.properties +++ b/java/org/apache/coyote/http11/LocalStrings.properties @@ -27,6 +27,7 @@ http11processor.regexp.error=Error parsing regular expression [{0}] http11processor.request.finish=Error finishing request http11processor.request.inconsistentHosts=The host specified in the request line is not consistent with the host header http11processor.request.invalidScheme=The HTTP request contained an absolute URI with an invalid scheme +http11processor.request.invalidTransferEncoding=The HTTP request contained an invalid Transfer-Encoding header http11processor.request.invalidUri=The HTTP request contained an invalid URI http11processor.request.invalidUserInfo=The HTTP request contained an absolute URI with an invalid userinfo http11processor.request.multipleContentLength=The request contained multiple content-length headers diff --git a/java/org/apache/tomcat/util/http/parser/TokenList.java b/java/org/apache/tomcat/util/http/parser/TokenList.java index 7ba886c..90b0233 100644 --- a/java/org/apache/tomcat/util/http/parser/TokenList.java +++ b/java/org/apache/tomcat/util/http/parser/TokenList.java 
@@ -36,19 +36,26 @@ public class TokenList { * Parses an enumeration of header values of the form 1#token, forcing all * parsed values to lower case. * - * @param inputs The headers to parse - * @param result The Collection (usually a list of a set) to which the - * parsed tokens should be added + * @param inputs The headers to parse + * @param collection The Collection (usually a list of a set) to which the + * parsed tokens should be added + * + * @return {@code} true if the header values were parsed cleanly, otherwise + * {@code false} (e.g. if a non-token value was encountered) * * @throws IOException If an I/O error occurs reading the header */ -public static void parseTokenList(Enumeration inputs, Collection result) throws IOException { +public static boolean parseTokenList(Enumeration inputs, Collection collection) throws IOException { +boolean result = true; while (inputs.hasMoreElements()) { String nextHeaderValue = inputs.nextElement(); if (nextHeaderValue != null) { -TokenList.parseTokenList(new StringReader(nextHeaderValue), result); +if (!TokenList.parseTokenList(new StringReader(nextHeaderValue), collection)) { +result = false; +} } } +return result; } @@ -56,17 +63,24 @@ public class TokenL
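Review bot: In the AbstractHttp11Processor.java hunk, the new else branch that calls badRequest("http11processor.request.invalidTransferEncoding") is the part of this fix that changes request handling, yet the diffstat adds tests only in TestTokenList. Add a request-level test that sends a Transfer-Encoding value containing a non-token and asserts the 400 response, so the processor cannot quietly go back to accepting such a request.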
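Review bot: In the TokenList.java hunk, the new @return line reads "{@code} true", which renders an empty code span followed by plain text; it should be {@code true}. While the Javadoc is being touched, "usually a list of a set" in the @param collection text should read "a list or a set".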
[tomcat] branch 8.5.x updated: Correct a regression in transfer-encoding parsing
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/8.5.x by this push: new 959f1df Correct a regression in transfer-encoding parsing 959f1df is described below commit 959f1dfd767bf3cb64776b44f7395d1d8d8f7ab3 Author: Mark Thomas AuthorDate: Tue Dec 17 09:27:49 2019 + Correct a regression in transfer-encoding parsing Invalid tokens are an error --- java/org/apache/coyote/http11/Http11Processor.java | 12 ++- .../apache/coyote/http11/LocalStrings.properties | 1 + .../apache/tomcat/util/http/parser/TokenList.java | 43 +++--- .../tomcat/util/http/parser/TestTokenList.java | 95 ++ webapps/docs/changelog.xml | 5 ++ 5 files changed, 123 insertions(+), 33 deletions(-) diff --git a/java/org/apache/coyote/http11/Http11Processor.java b/java/org/apache/coyote/http11/Http11Processor.java index 99be5f9..7091f49 100644 --- a/java/org/apache/coyote/http11/Http11Processor.java +++ b/java/org/apache/coyote/http11/Http11Processor.java @@ -965,10 +965,14 @@ public class Http11Processor extends AbstractProcessor { MessageBytes transferEncodingValueMB = headers.getValue("transfer-encoding"); if (transferEncodingValueMB != null) { List encodingNames = new ArrayList<>(); -TokenList.parseTokenList(headers.values("transfer-encoding"), encodingNames); -for (String encodingName : encodingNames) { -// "identity" codings are ignored -addInputFilter(inputFilters, encodingName); +if (TokenList.parseTokenList(headers.values("transfer-encoding"), encodingNames)) { +for (String encodingName : encodingNames) { +// "identity" codings are ignored +addInputFilter(inputFilters, encodingName); +} +} else { +// Invalid transfer encoding + badRequest("http11processor.request.invalidTransferEncoding"); } } } 
diff --git a/java/org/apache/coyote/http11/LocalStrings.properties b/java/org/apache/coyote/http11/LocalStrings.properties index 40a037c..e375b27 100644 --- a/java/org/apache/coyote/http11/LocalStrings.properties +++ b/java/org/apache/coyote/http11/LocalStrings.properties @@ -23,6 +23,7 @@ http11processor.header.parse=Error parsing HTTP request header http11processor.request.finish=Error finishing request http11processor.request.inconsistentHosts=The host specified in the request line is not consistent with the host header http11processor.request.invalidScheme=The HTTP request contained an absolute URI with an invalid scheme +http11processor.request.invalidTransferEncoding=The HTTP request contained an invalid Transfer-Encoding header http11processor.request.invalidUri=The HTTP request contained an invalid URI http11processor.request.invalidUserInfo=The HTTP request contained an absolute URI with an invalid userinfo http11processor.request.multipleContentLength=The request contained multiple content-length headers diff --git a/java/org/apache/tomcat/util/http/parser/TokenList.java b/java/org/apache/tomcat/util/http/parser/TokenList.java index db40877..0ab7ce1 100644 --- a/java/org/apache/tomcat/util/http/parser/TokenList.java +++ b/java/org/apache/tomcat/util/http/parser/TokenList.java 
@@ -34,19 +34,26 @@ public class TokenList { * Parses an enumeration of header values of the form 1#token, forcing all * parsed values to lower case. * - * @param inputs The headers to parse - * @param result The Collection (usually a list of a set) to which the - * parsed tokens should be added + * @param inputs The headers to parse + * @param collection The Collection (usually a list of a set) to which the + * parsed tokens should be added + * + * @return {@code} true if the header values were parsed cleanly, otherwise + * {@code false} (e.g. if a non-token value was encountered) * * @throws IOException If an I/O error occurs reading the header */ -public static void parseTokenList(Enumeration inputs, Collection result) throws IOException { +public static boolean parseTokenList(Enumeration inputs, Collection collection) throws IOException { +boolean result = true; while (inputs.hasMoreElements()) { String nextHeaderValue = inputs.nextElement(); if (nextHeaderValue != null) { -TokenList.parseTokenList(new StringReader(nextHeaderValue), result); +if (!TokenList.parseTokenList(new StringReader(nextHeaderValue), collection)) { +result = false; +}
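Review bot: In the TokenList.java hunk, the loop records result = false but keeps iterating over the remaining header values and keeps passing collection to the per-value parser, so a caller that gets false back is left with a partially filled collection. Document that in the @return text, or return as soon as one value fails to parse, so that no caller is tempted to use the tokens after a failure.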
[tomcat] branch 9.0.x updated: Correct a regression in transfer-encoding parsing
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new 060ecc5 Correct a regression in transfer-encoding parsing 060ecc5 is described below commit 060ecc5eb839208687b7fcc9e35287ac8eb46998 Author: Mark Thomas AuthorDate: Tue Dec 17 09:27:49 2019 + Correct a regression in transfer-encoding parsing Invalid tokens are an error --- java/org/apache/coyote/http11/Http11Processor.java | 12 ++- .../apache/coyote/http11/LocalStrings.properties | 1 + .../apache/tomcat/util/http/parser/TokenList.java | 43 +++--- .../tomcat/util/http/parser/TestTokenList.java | 95 ++ webapps/docs/changelog.xml | 5 ++ 5 files changed, 123 insertions(+), 33 deletions(-) diff --git a/java/org/apache/coyote/http11/Http11Processor.java b/java/org/apache/coyote/http11/Http11Processor.java index c627f19..5296243 100644 --- a/java/org/apache/coyote/http11/Http11Processor.java +++ b/java/org/apache/coyote/http11/Http11Processor.java @@ -723,10 +723,14 @@ public class Http11Processor extends AbstractProcessor { MessageBytes transferEncodingValueMB = headers.getValue("transfer-encoding"); if (transferEncodingValueMB != null) { List encodingNames = new ArrayList<>(); -TokenList.parseTokenList(headers.values("transfer-encoding"), encodingNames); -for (String encodingName : encodingNames) { -// "identity" codings are ignored -addInputFilter(inputFilters, encodingName); +if (TokenList.parseTokenList(headers.values("transfer-encoding"), encodingNames)) { +for (String encodingName : encodingNames) { +// "identity" codings are ignored +addInputFilter(inputFilters, encodingName); +} +} else { +// Invalid transfer encoding + badRequest("http11processor.request.invalidTransferEncoding"); } } } 
diff --git a/java/org/apache/coyote/http11/LocalStrings.properties b/java/org/apache/coyote/http11/LocalStrings.properties index b7430fc..6765b87 100644 --- a/java/org/apache/coyote/http11/LocalStrings.properties +++ b/java/org/apache/coyote/http11/LocalStrings.properties @@ -23,6 +23,7 @@ http11processor.header.parse=Error parsing HTTP request header http11processor.request.finish=Error finishing request http11processor.request.inconsistentHosts=The host specified in the request line is not consistent with the host header http11processor.request.invalidScheme=The HTTP request contained an absolute URI with an invalid scheme +http11processor.request.invalidTransferEncoding=The HTTP request contained an invalid Transfer-Encoding header http11processor.request.invalidUri=The HTTP request contained an invalid URI http11processor.request.invalidUserInfo=The HTTP request contained an absolute URI with an invalid userinfo http11processor.request.multipleContentLength=The request contained multiple content-length headers diff --git a/java/org/apache/tomcat/util/http/parser/TokenList.java b/java/org/apache/tomcat/util/http/parser/TokenList.java index db40877..0ab7ce1 100644 --- a/java/org/apache/tomcat/util/http/parser/TokenList.java +++ b/java/org/apache/tomcat/util/http/parser/TokenList.java 
@@ -34,19 +34,26 @@ public class TokenList { * Parses an enumeration of header values of the form 1#token, forcing all * parsed values to lower case. * - * @param inputs The headers to parse - * @param result The Collection (usually a list of a set) to which the - * parsed tokens should be added + * @param inputs The headers to parse + * @param collection The Collection (usually a list of a set) to which the + * parsed tokens should be added + * + * @return {@code} true if the header values were parsed cleanly, otherwise + * {@code false} (e.g. if a non-token value was encountered) * * @throws IOException If an I/O error occurs reading the header */ -public static void parseTokenList(Enumeration inputs, Collection result) throws IOException { +public static boolean parseTokenList(Enumeration inputs, Collection collection) throws IOException { +boolean result = true; while (inputs.hasMoreElements()) { String nextHeaderValue = inputs.nextElement(); if (nextHeaderValue != null) { -TokenList.parseTokenList(new StringReader(nextHeaderValue), result); +if (!TokenList.parseTokenList(new StringReader(nextHeaderValue), collection)) { +result = false; +}
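Review bot: the new else branch in the Http11Processor.java hunk, which calls badRequest("http11processor.request.invalidTransferEncoding"), has no request-level test in this commit; the diffstat lists only TestTokenList.java, which exercises the parser and not the resulting 400. Transfer-Encoding decides how the request body is framed, so a test that sends a non-token Transfer-Encoding value and asserts both the 400 and that addInputFilter was never reached would pin the behaviour this regression fix restores. A short comment in that branch noting that encodingNames may already hold tokens parsed before the invalid one, and is deliberately discarded, would also help the next reader.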
[tomcat] branch master updated: Correct a regression in transfer-encoding parsing
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/master by this push: new 3c295d9 Correct a regression in transfer-encoding parsing 3c295d9 is described below commit 3c295d913e1d82ce25b4ad66c800313994f4e530 Author: Mark Thomas AuthorDate: Tue Dec 17 09:27:49 2019 + Correct a regression in transfer-encoding parsing Invalid tokens are an error --- java/org/apache/coyote/http11/Http11Processor.java | 12 ++- .../apache/coyote/http11/LocalStrings.properties | 1 + .../apache/tomcat/util/http/parser/TokenList.java | 43 --- .../tomcat/util/http/parser/TestTokenList.java | 89 ++ 4 files changed, 115 insertions(+), 30 deletions(-) diff --git a/java/org/apache/coyote/http11/Http11Processor.java b/java/org/apache/coyote/http11/Http11Processor.java index 5c1e1a0..a365235 100644 --- a/java/org/apache/coyote/http11/Http11Processor.java +++ b/java/org/apache/coyote/http11/Http11Processor.java @@ -723,10 +723,14 @@ public class Http11Processor extends AbstractProcessor { MessageBytes transferEncodingValueMB = headers.getValue("transfer-encoding"); if (transferEncodingValueMB != null) { List encodingNames = new ArrayList<>(); -TokenList.parseTokenList(headers.values("transfer-encoding"), encodingNames); -for (String encodingName : encodingNames) { -// "identity" codings are ignored -addInputFilter(inputFilters, encodingName); +if (TokenList.parseTokenList(headers.values("transfer-encoding"), encodingNames)) { +for (String encodingName : encodingNames) { +// "identity" codings are ignored +addInputFilter(inputFilters, encodingName); +} +} else { +// Invalid transfer encoding + badRequest("http11processor.request.invalidTransferEncoding"); } } } diff --git a/java/org/apache/coyote/http11/LocalStrings.properties b/java/org/apache/coyote/http11/LocalStrings.properties index b7430fc..6765b87 100644 
--- a/java/org/apache/coyote/http11/LocalStrings.properties +++ b/java/org/apache/coyote/http11/LocalStrings.properties @@ -23,6 +23,7 @@ http11processor.header.parse=Error parsing HTTP request header http11processor.request.finish=Error finishing request http11processor.request.inconsistentHosts=The host specified in the request line is not consistent with the host header http11processor.request.invalidScheme=The HTTP request contained an absolute URI with an invalid scheme +http11processor.request.invalidTransferEncoding=The HTTP request contained an invalid Transfer-Encoding header http11processor.request.invalidUri=The HTTP request contained an invalid URI http11processor.request.invalidUserInfo=The HTTP request contained an absolute URI with an invalid userinfo http11processor.request.multipleContentLength=The request contained multiple content-length headers diff --git a/java/org/apache/tomcat/util/http/parser/TokenList.java b/java/org/apache/tomcat/util/http/parser/TokenList.java index db40877..0ab7ce1 100644 --- a/java/org/apache/tomcat/util/http/parser/TokenList.java +++ b/java/org/apache/tomcat/util/http/parser/TokenList.java 
@@ -34,19 +34,26 @@ public class TokenList { * Parses an enumeration of header values of the form 1#token, forcing all * parsed values to lower case. * - * @param inputs The headers to parse - * @param result The Collection (usually a list of a set) to which the - * parsed tokens should be added + * @param inputs The headers to parse + * @param collection The Collection (usually a list of a set) to which the + * parsed tokens should be added + * + * @return {@code} true if the header values were parsed cleanly, otherwise + * {@code false} (e.g. if a non-token value was encountered) * * @throws IOException If an I/O error occurs reading the header */ -public static void parseTokenList(Enumeration inputs, Collection result) throws IOException { +public static boolean parseTokenList(Enumeration inputs, Collection collection) throws IOException { +boolean result = true; while (inputs.hasMoreElements()) { String nextHeaderValue = inputs.nextElement(); if (nextHeaderValue != null) { -TokenList.parseTokenList(new StringReader(nextHeaderValue), result); +if (!TokenList.parseTokenList(new StringReader(nextHeaderValue), collection)) { +result = false; +} } } +return result; }
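Review bot: the new @return tag in the TokenList.java hunk reads "{@code} true", which leaves the inline tag empty; it should be "{@code true}" to match the "{@code false}" on the following line. In the same Javadoc, "a list of a set" is carried over from the old text and presumably means "a list or a set". The loop also keeps parsing the remaining header values after one of them fails, so when the method returns false the collection can still contain tokens from the valid values; either say so in the Javadoc, so callers know to ignore the collection on false, or return as soon as a value fails to parse.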
[Bug 64111] Exception while processing an asynchronous request NullPointerException at org.apache.catalina.core.AsyncContextImpl.timeout
https://bz.apache.org/bugzilla/show_bug.cgi?id=64111
Mark Thomas changed:
What       |Removed |Added
OS         |        |All
Resolution |---     |WORKSFORME
Status     |NEW     |RESOLVED
--- Comment #1 from Mark Thomas ---
The provided project does not produce the exception shown when the steps to reproduce the issue are followed. Looking at the application source code, I don't see anything registering any form of handler for ServletContext shutdown. And with a debugger, I don't see any calls at all to AsyncContextImpl.timeout(). I do see a log message indicating that the application has started, but failed to stop, a thread.
svn commit: r1873570 - in /tomcat/site/trunk: docs/ci.html xdocs/ci.xml
Author: mgrigorov Date: Tue Feb 4 12:27:54 2020 New Revision: 1873570 URL: http://svn.apache.org/viewvc?rev=1873570&view=rev Log: INFRA-19815 Add a link to TravisCI for Tomcat Connectors Modified: tomcat/site/trunk/docs/ci.html tomcat/site/trunk/xdocs/ci.xml Modified: tomcat/site/trunk/docs/ci.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/ci.html?rev=1873570&r1=1873569&r2=1873570&view=diff == --- tomcat/site/trunk/docs/ci.html (original) +++ tomcat/site/trunk/docs/ci.html Tue Feb 4 12:27:54 2020 @@ -998,6 +998,10 @@ prepared and published by ASF Buildbot, https://travis-ci.org/apache/tomcat";>Tomcat master + + +https://travis-ci.org/apache/tomcat-connectors";>Tomcat Connectors master + Modified: tomcat/site/trunk/xdocs/ci.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/ci.xml?rev=1873570&r1=1873569&r2=1873570&view=diff == --- tomcat/site/trunk/xdocs/ci.xml (original) +++ tomcat/site/trunk/xdocs/ci.xml Tue Feb 4 12:27:54 2020 @@ -294,6 +294,7 @@ prepared and published by ASF Buildbot, https://travis-ci.org/";>Travis CI is used to test Tomcat builds on ARM64 architecture https://travis-ci.org/apache/tomcat";>Tomcat master + https://travis-ci.org/apache/tomcat-connectors";>Tomcat Connectors master - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 64112] RewriteValve rules not applied in HTTPS
https://bz.apache.org/bugzilla/show_bug.cgi?id=64112
Mark Thomas changed:
What       |Removed |Added
Status     |NEW     |RESOLVED
Resolution |---     |INVALID
--- Comment #1 from Mark Thomas ---
This works as expected when tested. I suspect a configuration issue. Please use the users@ mailing list for further assistance. http://tomcat.apache.org/lists.html#tomcat-users
[tomcat-connectors] branch master updated: Use Travis CI for building Tomcat Connectors on ARM64
This is an automated email from the ASF dual-hosted git repository. mgrigorov pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat-connectors.git The following commit(s) were added to refs/heads/master by this push: new 30b8db1 Use Travis CI for building Tomcat Connectors on ARM64 new e03b6a0 Merge pull request #4 from martin-g/feature/build-tomcat-connectors-on-arm64 30b8db1 is described below commit 30b8db127a9fe2c3df1f8a2710633f31238e1595 Author: Martin Tzvetanov Grigorov AuthorDate: Mon Feb 3 15:20:10 2020 +0200 Use Travis CI for building Tomcat Connectors on ARM64 --- .travis.yml | 72 + 1 file changed, 72 insertions(+) diff --git a/.travis.yml b/.travis.yml new file mode 100644 index 000..fc15910 --- /dev/null +++ b/.travis.yml 
@@ -0,0 +1,72 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +dist: bionic +compiler: gcc +arch: arm64 + +addons: +apt: + packages: +- build-essential +- automake +- autoconf +- tar +- libssl-dev +- subversion +- git +- libtool-bin + +before_script: +- rm -rf $HOME/tmp +- mkdir $HOME/tmp +- export CURR_PWD=`pwd` +- echo "Going to build APR" +- svn co -q https://svn.apache.org/repos/asf/apr/apr/branches/1.7.x/ $HOME/tmp/apr +- cd $HOME/tmp/apr +- ./buildconf +- ./configure --prefix=$HOME/tmp/apr-build +- make +- make install +- echo "Going to build APR Util" +- svn co -q https://svn.apache.org/repos/asf/apr/apr-util/branches/1.7.x $HOME/tmp/apr-util +- cd $HOME/tmp/apr-util +- ./buildconf --with-apr=$HOME/tmp/apr +- ./configure --with-apr=$HOME/tmp/apr-build/bin/apr-1-config --prefix=$HOME/tmp/apr-util-build +- make +- make install +- echo "Going to build HTTPD" +- svn co -q http://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x $HOME/tmp/httpd +- cd $HOME/tmp/httpd +- ./buildconf --with-apr=$HOME/tmp/apr --with-apr-util=$HOME/tmp/apr-util +- ./configure --prefix=$HOME/tmp/httpd-build --with-apr=$HOME/tmp/apr-build/bin/apr-1-config --with-apr-util=$HOME/tmp/apr-util-build/bin/apu-1-config +- make +- make install + +script: +- 
echo "Going to build Tomcat Connectors" +- cd $CURR_PWD +- cd native +- ./buildconf.sh +- ./configure --with-apxs=$HOME/tmp/httpd-build/bin/apxs --prefix=$HOME/tmp/tc-connectors-build +- make +- make install + +after_failure: +- ls -la $HOME/tmp + +notifications: +email: +- dev@tomcat.apache.org \ No newline at end of file - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
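Review bot: in before_script the httpd checkout uses http://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x, while the APR and APR Util checkouts earlier in the same list use https://svn.apache.org; switch this one to https so that source compiled during the build is not fetched over an unauthenticated channel. All three checkouts also follow branch heads (1.7.x, 1.7.x, 2.4.x) rather than a tag or a fixed revision, so a failing build can come from upstream changes instead of this repository; pinning a revision would make failures attributable and the build repeatable. The file also ends without a trailing newline.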
[tomcat] branch 7.0.x updated: Fix copy/paste issues in Javadoc
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 7.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/7.0.x by this push: new 5dbaead Fix copy/paste issues in Javadoc 5dbaead is described below commit 5dbaead9d829581470202c1faef2ac38517872c9 Author: Mark Thomas AuthorDate: Tue Feb 4 08:17:19 2020 + Fix copy/paste issues in Javadoc --- java/org/apache/catalina/AccessLog.java | 13 ++--- java/org/apache/catalina/valves/AccessLogValve.java | 2 +- 2 files changed, 7 insertions(+), 8 deletions(-) diff --git a/java/org/apache/catalina/AccessLog.java b/java/org/apache/catalina/AccessLog.java index 7e6f28d..138f9f4 100644 --- a/java/org/apache/catalina/AccessLog.java +++ b/java/org/apache/catalina/AccessLog.java @@ -81,22 +81,21 @@ public interface AccessLog { public void log(Request request, Response response, long time); /** - * Should this valve set request attributes for IP address, hostname, - * protocol and port used for the request? This are typically used in - * conjunction with the {@link org.apache.catalina.valves.AccessLogValve} - * which will otherwise log the original values. + * Should this valve use request attributes for IP address, hostname, + * protocol and port used for the request? * - * The attributes set are: + * The attributes used are: * * org.apache.catalina.RemoteAddr * org.apache.catalina.RemoteHost * org.apache.catalina.Protocol + * org.apache.catalina.ServerName * org.apache.catalina.ServerPost * * * @param requestAttributesEnabled true causes the attributes - * to be set, false disables - * the setting of the attributes. + * to be used, false causes + * the original values to be used. */ public void setRequestAttributesEnabled(boolean requestAttributesEnabled); diff --git a/java/org/apache/catalina/valves/AccessLogValve.java b/java/org/apache/catalina/valves/AccessLogValve.java index d33f622..6dba9f1 100644 
--- a/java/org/apache/catalina/valves/AccessLogValve.java +++ b/java/org/apache/catalina/valves/AccessLogValve.java @@ -563,7 +563,7 @@ public class AccessLogValve extends ValveBase implements AccessLog { protected AccessLogElement[] logElements = null; /** - * Should this valve set request attributes for IP address, hostname, + * Should this valve use request attributes for IP address, hostname, * protocol and port used for the request. * Default is false. * @see #setRequestAttributesEnabled(boolean) - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
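Review bot: the attribute list in the AccessLog.java hunk still reads org.apache.catalina.ServerPost on the unchanged line directly below the added org.apache.catalina.ServerName; since the description speaks of the "protocol and port used for the request", this looks like a typo for ServerPort and belongs in the same Javadoc cleanup. Anyone configuring a valve from this list would otherwise copy an attribute name that does not match the port attribute.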
[tomcat] 02/02: Fix problem reported on users@ where some access log elements were empty
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit e9d7be7500326cc134267149736d59a33fb79ab1 Author: Mark Thomas AuthorDate: Tue Feb 4 09:28:13 2020 + Fix problem reported on users@ where some access log elements were empty --- .../catalina/valves/AbstractAccessLogValve.java| 62 -- webapps/docs/changelog.xml | 5 ++ 2 files changed, 64 insertions(+), 3 deletions(-) diff --git a/java/org/apache/catalina/valves/AbstractAccessLogValve.java b/java/org/apache/catalina/valves/AbstractAccessLogValve.java index fee6fac..a55b289 100644 --- a/java/org/apache/catalina/valves/AbstractAccessLogValve.java +++ b/java/org/apache/catalina/valves/AbstractAccessLogValve.java @@ -456,6 +456,12 @@ public abstract class AbstractAccessLogValve extends ValveBase implements Access protected AccessLogElement[] logElements = null; /** + * Array of elements where the value needs to be cached at the start of the + * request. + */ +protected CachedElement[] cachedElements = null; + +/** * Should this valve use request attributes for IP address, hostname, * protocol and port used for the request. * Default is false. @@ -563,6 +569,7 @@ public abstract class AbstractAccessLogValve extends ValveBase implements Access this.pattern = pattern; } logElements = createLogElements(); +cachedElements = createCachedElements(logElements); } /** @@ -675,6 +682,9 @@ public abstract class AbstractAccessLogValve extends ValveBase implements Access // to be cached in the request. request.getAttribute(Globals.CERTIFICATES_ATTR); } +for (CachedElement element : cachedElements) { +element.cache(request); +} getNext().invoke(request, response); } 
@@ -797,7 +807,20 @@ public abstract class AbstractAccessLogValve extends ValveBase implements Access protected interface AccessLogElement { public void addElement(CharArrayWriter buf, Date date, Request request, Response response, long time); +} +/** + * Marks an AccessLogElement as needing to be have the value cached at the + * start of the request rather than just recorded at the end as the source + * data for the element may not be available at the end of the request. This + * typically occurs for remote network information, such as ports, IP + * addresses etc. when the connection is closed unexpectedly. These elements + * take advantage of these values being cached elsewhere on first request + * and do not cache the value in the element since the elements are + * state-less. + */ +protected interface CachedElement { +public void cache(Request request); } /** @@ -849,7 +872,7 @@ public abstract class AbstractAccessLogValve extends ValveBase implements Access /** * write remote IP address - %a */ -protected class RemoteAddrElement implements AccessLogElement { +protected class RemoteAddrElement implements AccessLogElement, CachedElement { @Override public void addElement(CharArrayWriter buf, Date date, Request request, Response response, long time) { @@ -870,12 +893,19 @@ public abstract class AbstractAccessLogValve extends ValveBase implements Access } buf.append(value); } + +@Override +public void cache(Request request) { +if (!requestAttributesEnabled) { +request.getRemoteAddr(); +} +} } /** * write remote host name - %h */ -protected class HostElement implements AccessLogElement { +protected class HostElement implements AccessLogElement, CachedElement { @Override public void addElement(CharArrayWriter buf, Date date, Request request, Response response, long time) { 
@@ -898,6 +928,13 @@ public abstract class AbstractAccessLogValve extends ValveBase implements Access } buf.append(value); } + +@Override +public void cache(Request request) { +if (!requestAttributesEnabled) { +request.getRemoteHost(); +} +} } /** @@ -1183,7 +1220,7 @@ public abstract class AbstractAccessLogValve extends ValveBase implements Access /** * write local or remote port for request connection - %p and %{xxx}p */ -protected class PortElement implements AccessLogElement { +protected class PortElement implements AccessLogElement, CachedElement { /** * Type of port to log @@ -1230,6 +1267,13 @@ public abstract class AbstractAccessLogValve extends ValveBase implements Access
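Review bot: cachedElements is declared with a null default in the first hunk and is iterated without a guard in the hunk at line 675 (for (CachedElement element : cachedElements)), just before getNext().invoke(request, response); it is only assigned in the hunk at line 563, next to logElements = createLogElements(). If the valve can handle a request before that assignment has run, the loop throws a NullPointerException on every request. Initialising the field to an empty array, or guarding the loop, removes the dependency on call order.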
[tomcat] 01/02: Fix copy/paste issues in Javadoc
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 16ff3bfb93c965cce3ee9885331cb546ee9993ba Author: Mark Thomas AuthorDate: Tue Feb 4 08:17:19 2020 + Fix copy/paste issues in Javadoc --- java/org/apache/catalina/AccessLog.java | 13 ++--- java/org/apache/catalina/valves/AbstractAccessLogValve.java | 2 +- 2 files changed, 7 insertions(+), 8 deletions(-) diff --git a/java/org/apache/catalina/AccessLog.java b/java/org/apache/catalina/AccessLog.java index 7e6f28d..138f9f4 100644 --- a/java/org/apache/catalina/AccessLog.java +++ b/java/org/apache/catalina/AccessLog.java @@ -81,22 +81,21 @@ public interface AccessLog { public void log(Request request, Response response, long time); /** - * Should this valve set request attributes for IP address, hostname, - * protocol and port used for the request? This are typically used in - * conjunction with the {@link org.apache.catalina.valves.AccessLogValve} - * which will otherwise log the original values. + * Should this valve use request attributes for IP address, hostname, + * protocol and port used for the request? * - * The attributes set are: + * The attributes used are: * * org.apache.catalina.RemoteAddr * org.apache.catalina.RemoteHost * org.apache.catalina.Protocol + * org.apache.catalina.ServerName * org.apache.catalina.ServerPost * * * @param requestAttributesEnabled true causes the attributes - * to be set, false disables - * the setting of the attributes. + * to be used, false causes + * the original values to be used. */ public void setRequestAttributesEnabled(boolean requestAttributesEnabled); diff --git a/java/org/apache/catalina/valves/AbstractAccessLogValve.java b/java/org/apache/catalina/valves/AbstractAccessLogValve.java index 9f700e3..fee6fac 100644 --- a/java/org/apache/catalina/valves/AbstractAccessLogValve.java +++ b/java/org/apache/catalina/valves/AbstractAccessLogValve.java 
@@ -456,7 +456,7 @@ public abstract class AbstractAccessLogValve extends ValveBase implements Access protected AccessLogElement[] logElements = null; /** - * Should this valve set request attributes for IP address, hostname, + * Should this valve use request attributes for IP address, hostname, * protocol and port used for the request. * Default is false. * @see #setRequestAttributesEnabled(boolean) - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 8.5.x updated (39b0a96 -> e9d7be7)
This is an automated email from the ASF dual-hosted git repository.
markt pushed a change to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git.
from 39b0a96 Do not exclude TravisCI files from RAT.
new 16ff3bf Fix copy/paste issues in Javadoc
new e9d7be7 Fix problem reported on users@ where some access log elements were empty
The 2 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.
Summary of changes:
java/org/apache/catalina/AccessLog.java | 13 ++---
.../catalina/valves/AbstractAccessLogValve.java | 64 --
webapps/docs/changelog.xml | 5 ++
3 files changed, 71 insertions(+), 11 deletions(-)
[tomcat] 02/02: Fix problem reported on users@ where some access log elements were empty
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit fdcb3656239065654909ca55994787c027dbe583 Author: Mark Thomas AuthorDate: Tue Feb 4 09:28:13 2020 + Fix problem reported on users@ where some access log elements were empty --- .../catalina/valves/AbstractAccessLogValve.java| 62 -- webapps/docs/changelog.xml | 5 ++ 2 files changed, 64 insertions(+), 3 deletions(-) diff --git a/java/org/apache/catalina/valves/AbstractAccessLogValve.java b/java/org/apache/catalina/valves/AbstractAccessLogValve.java index fee6fac..a55b289 100644 --- a/java/org/apache/catalina/valves/AbstractAccessLogValve.java +++ b/java/org/apache/catalina/valves/AbstractAccessLogValve.java @@ -456,6 +456,12 @@ public abstract class AbstractAccessLogValve extends ValveBase implements Access protected AccessLogElement[] logElements = null; /** + * Array of elements where the value needs to be cached at the start of the + * request. + */ +protected CachedElement[] cachedElements = null; + +/** * Should this valve use request attributes for IP address, hostname, * protocol and port used for the request. * Default is false. @@ -563,6 +569,7 @@ public abstract class AbstractAccessLogValve extends ValveBase implements Access this.pattern = pattern; } logElements = createLogElements(); +cachedElements = createCachedElements(logElements); } /** @@ -675,6 +682,9 @@ public abstract class AbstractAccessLogValve extends ValveBase implements Access // to be cached in the request. request.getAttribute(Globals.CERTIFICATES_ATTR); } +for (CachedElement element : cachedElements) { +element.cache(request); +} getNext().invoke(request, response); } 
@@ -797,7 +807,20 @@ public abstract class AbstractAccessLogValve extends ValveBase implements Access protected interface AccessLogElement { public void addElement(CharArrayWriter buf, Date date, Request request, Response response, long time); +} +/** + * Marks an AccessLogElement as needing to be have the value cached at the + * start of the request rather than just recorded at the end as the source + * data for the element may not be available at the end of the request. This + * typically occurs for remote network information, such as ports, IP + * addresses etc. when the connection is closed unexpectedly. These elements + * take advantage of these values being cached elsewhere on first request + * and do not cache the value in the element since the elements are + * state-less. + */ +protected interface CachedElement { +public void cache(Request request); } /** @@ -849,7 +872,7 @@ public abstract class AbstractAccessLogValve extends ValveBase implements Access /** * write remote IP address - %a */ -protected class RemoteAddrElement implements AccessLogElement { +protected class RemoteAddrElement implements AccessLogElement, CachedElement { @Override public void addElement(CharArrayWriter buf, Date date, Request request, Response response, long time) { @@ -870,12 +893,19 @@ public abstract class AbstractAccessLogValve extends ValveBase implements Access } buf.append(value); } + +@Override +public void cache(Request request) { +if (!requestAttributesEnabled) { +request.getRemoteAddr(); +} +} } /** * write remote host name - %h */ -protected class HostElement implements AccessLogElement { +protected class HostElement implements AccessLogElement, CachedElement { @Override public void addElement(CharArrayWriter buf, Date date, Request request, Response response, long time) { 
@@ -898,6 +928,13 @@ public abstract class AbstractAccessLogValve extends ValveBase implements Access } buf.append(value); } + +@Override +public void cache(Request request) { +if (!requestAttributesEnabled) { +request.getRemoteHost(); +} +} } /** @@ -1183,7 +1220,7 @@ public abstract class AbstractAccessLogValve extends ValveBase implements Access /** * write local or remote port for request connection - %p and %{xxx}p */ -protected class PortElement implements AccessLogElement { +protected class PortElement implements AccessLogElement, CachedElement { /** * Type of port to log @@ -1230,6 +1267,13 @@ public abstract class AbstractAccessLogValve extends ValveBase implements Access
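Review bot: the cache() implementations added to RemoteAddrElement and HostElement call request.getRemoteAddr() and request.getRemoteHost() and discard the result, which reads as dead code unless the reader has already seen the CachedElement Javadoc; a one-line comment at each call saying it is made only so the value is cached in the Request would stop a later cleanup from removing it. The CachedElement Javadoc has a typo, "needing to be have the value cached". The diffstat shows no test file, so nothing checks that the remote address, host and port still appear in the access log when the connection is closed unexpectedly, which is the case this change exists for and the one an operator relies on when reviewing logs for aborted connections.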
[tomcat] branch 9.0.x updated (f4cc6e1 -> fdcb365)
This is an automated email from the ASF dual-hosted git repository.
markt pushed a change to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git.
from f4cc6e1 Do not exclude TravisCI files from RAT.
new 89f8165 Fix copy/paste issues in Javadoc
new fdcb365 Fix problem reported on users@ where some access log elements were empty
The 2 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.
Summary of changes:
java/org/apache/catalina/AccessLog.java | 13 ++---
.../catalina/valves/AbstractAccessLogValve.java | 64 --
webapps/docs/changelog.xml | 5 ++
3 files changed, 71 insertions(+), 11 deletions(-)
[tomcat] 01/02: Fix copy/paste issues in Javadoc
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 89f8165f183a8cde9ef30e8b98f82cf5c1561773 Author: Mark Thomas AuthorDate: Tue Feb 4 08:17:19 2020 + Fix copy/paste issues in Javadoc --- java/org/apache/catalina/AccessLog.java | 13 ++--- java/org/apache/catalina/valves/AbstractAccessLogValve.java | 2 +- 2 files changed, 7 insertions(+), 8 deletions(-) diff --git a/java/org/apache/catalina/AccessLog.java b/java/org/apache/catalina/AccessLog.java index 7e6f28d..138f9f4 100644 --- a/java/org/apache/catalina/AccessLog.java +++ b/java/org/apache/catalina/AccessLog.java @@ -81,22 +81,21 @@ public interface AccessLog { public void log(Request request, Response response, long time); /** - * Should this valve set request attributes for IP address, hostname, - * protocol and port used for the request? This are typically used in - * conjunction with the {@link org.apache.catalina.valves.AccessLogValve} - * which will otherwise log the original values. + * Should this valve use request attributes for IP address, hostname, + * protocol and port used for the request? * - * The attributes set are: + * The attributes used are: * * org.apache.catalina.RemoteAddr * org.apache.catalina.RemoteHost * org.apache.catalina.Protocol + * org.apache.catalina.ServerName * org.apache.catalina.ServerPost * * * @param requestAttributesEnabled true causes the attributes - * to be set, false disables - * the setting of the attributes. + * to be used, false causes + * the original values to be used. */ public void setRequestAttributesEnabled(boolean requestAttributesEnabled); diff --git a/java/org/apache/catalina/valves/AbstractAccessLogValve.java b/java/org/apache/catalina/valves/AbstractAccessLogValve.java index 9f700e3..fee6fac 100644 --- a/java/org/apache/catalina/valves/AbstractAccessLogValve.java +++ b/java/org/apache/catalina/valves/AbstractAccessLogValve.java 
@@ -456,7 +456,7 @@ public abstract class AbstractAccessLogValve extends ValveBase implements Access protected AccessLogElement[] logElements = null; /** - * Should this valve set request attributes for IP address, hostname, + * Should this valve use request attributes for IP address, hostname, * protocol and port used for the request. * Default is false. * @see #setRequestAttributesEnabled(boolean) - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch master updated (2aa5f6b -> 07c9020)
This is an automated email from the ASF dual-hosted git repository.
markt pushed a change to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git.
from 2aa5f6b Share more configuration between HTTP/1.1 and nested HTTP/2
new 663b97f Fix copy/paste issues in Javadoc
new 07c9020 Fix problem reported on users@ where some access log elements were empty
The 2 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.
Summary of changes:
java/org/apache/catalina/AccessLog.java | 13 ++---
.../catalina/valves/AbstractAccessLogValve.java | 64 --
2 files changed, 66 insertions(+), 11 deletions(-)
[tomcat] 02/02: Fix problem reported on users@ where some access log elements were empty
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 07c90206c6304b1a23d4139d81d9d7cefc6b68ae Author: Mark Thomas AuthorDate: Tue Feb 4 09:28:13 2020 + Fix problem reported on users@ where some access log elements were empty --- .../catalina/valves/AbstractAccessLogValve.java| 62 -- 1 file changed, 59 insertions(+), 3 deletions(-) diff --git a/java/org/apache/catalina/valves/AbstractAccessLogValve.java b/java/org/apache/catalina/valves/AbstractAccessLogValve.java index 245da90..47685ea 100644 --- a/java/org/apache/catalina/valves/AbstractAccessLogValve.java +++ b/java/org/apache/catalina/valves/AbstractAccessLogValve.java @@ -456,6 +456,12 @@ public abstract class AbstractAccessLogValve extends ValveBase implements Access protected AccessLogElement[] logElements = null; /** + * Array of elements where the value needs to be cached at the start of the + * request. + */ +protected CachedElement[] cachedElements = null; + +/** * Should this valve use request attributes for IP address, hostname, * protocol and port used for the request. * Default is false. @@ -563,6 +569,7 @@ public abstract class AbstractAccessLogValve extends ValveBase implements Access this.pattern = pattern; } logElements = createLogElements(); +cachedElements = createCachedElements(logElements); } /** @@ -675,6 +682,9 @@ public abstract class AbstractAccessLogValve extends ValveBase implements Access // to be cached in the request. request.getAttribute(Globals.CERTIFICATES_ATTR); } +for (CachedElement element : cachedElements) { +element.cache(request); +} getNext().invoke(request, response); } 
@@ -797,7 +807,20 @@ public abstract class AbstractAccessLogValve extends ValveBase implements Access protected interface AccessLogElement { public void addElement(CharArrayWriter buf, Date date, Request request, Response response, long time); +} +/** + * Marks an AccessLogElement as needing to be have the value cached at the + * start of the request rather than just recorded at the end as the source + * data for the element may not be available at the end of the request. This + * typically occurs for remote network information, such as ports, IP + * addresses etc. when the connection is closed unexpectedly. These elements + * take advantage of these values being cached elsewhere on first request + * and do not cache the value in the element since the elements are + * state-less. + */ +protected interface CachedElement { +public void cache(Request request); } /** @@ -849,7 +872,7 @@ public abstract class AbstractAccessLogValve extends ValveBase implements Access /** * write remote IP address - %a */ -protected class RemoteAddrElement implements AccessLogElement { +protected class RemoteAddrElement implements AccessLogElement, CachedElement { @Override public void addElement(CharArrayWriter buf, Date date, Request request, Response response, long time) { @@ -870,12 +893,19 @@ public abstract class AbstractAccessLogValve extends ValveBase implements Access } buf.append(value); } + +@Override +public void cache(Request request) { +if (!requestAttributesEnabled) { +request.getRemoteAddr(); +} +} } /** * write remote host name - %h */ -protected class HostElement implements AccessLogElement { +protected class HostElement implements AccessLogElement, CachedElement { @Override public void addElement(CharArrayWriter buf, Date date, Request request, Response response, long time) { 
@@ -898,6 +928,13 @@ public abstract class AbstractAccessLogValve extends ValveBase implements Access } buf.append(value); } + +@Override +public void cache(Request request) { +if (!requestAttributesEnabled) { +request.getRemoteHost(); +} +} } /** @@ -1183,7 +1220,7 @@ public abstract class AbstractAccessLogValve extends ValveBase implements Access /** * write local or remote port for request connection - %p and %{xxx}p */ -protected class PortElement implements AccessLogElement { +protected class PortElement implements AccessLogElement, CachedElement { /** * Type of port to log @@ -1230,6 +1267,13 @@ public abstract class AbstractAccessLogValve extends ValveBase implements Access } } } + +@Override +p
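Review bot: The new loop in invoke(), `for (CachedElement element : cachedElements)`, dereferences a field that is declared as `cachedElements = null` and, in the lines shown, is only assigned in setPattern() right after createLogElements(). If the valve handles a request before a pattern has been set, this throws a NullPointerException on the request path instead of just skipping the caching step; guard the loop with a null check or initialise the field to an empty array. In the cache() implementations, `request.getRemoteAddr();` and `request.getRemoteHost();` are called only for their side effect and the result is discarded, so a one-line comment at each call site would keep a later cleanup from removing them as dead code and silently bringing back empty address and host fields in the access log for connections that close unexpectedly. The CachedElement Javadoc also has a typo: "needing to be have the value cached".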
[tomcat] 01/02: Fix copy/paste issues in Javadoc
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 663b97f3b8209a318aec4fd3bfcc3b4989b65248 Author: Mark Thomas AuthorDate: Tue Feb 4 08:17:19 2020 + Fix copy/paste issues in Javadoc --- java/org/apache/catalina/AccessLog.java | 13 ++--- java/org/apache/catalina/valves/AbstractAccessLogValve.java | 2 +- 2 files changed, 7 insertions(+), 8 deletions(-) diff --git a/java/org/apache/catalina/AccessLog.java b/java/org/apache/catalina/AccessLog.java index 7e6f28d..138f9f4 100644 --- a/java/org/apache/catalina/AccessLog.java +++ b/java/org/apache/catalina/AccessLog.java @@ -81,22 +81,21 @@ public interface AccessLog { public void log(Request request, Response response, long time); /** - * Should this valve set request attributes for IP address, hostname, - * protocol and port used for the request? This are typically used in - * conjunction with the {@link org.apache.catalina.valves.AccessLogValve} - * which will otherwise log the original values. + * Should this valve use request attributes for IP address, hostname, + * protocol and port used for the request? * - * The attributes set are: + * The attributes used are: * * org.apache.catalina.RemoteAddr * org.apache.catalina.RemoteHost * org.apache.catalina.Protocol + * org.apache.catalina.ServerName * org.apache.catalina.ServerPost * * * @param requestAttributesEnabled true causes the attributes - * to be set, false disables - * the setting of the attributes. + * to be used, false causes + * the original values to be used. */ public void setRequestAttributesEnabled(boolean requestAttributesEnabled); diff --git a/java/org/apache/catalina/valves/AbstractAccessLogValve.java b/java/org/apache/catalina/valves/AbstractAccessLogValve.java index 1515cfa..245da90 100644 --- a/java/org/apache/catalina/valves/AbstractAccessLogValve.java +++ b/java/org/apache/catalina/valves/AbstractAccessLogValve.java 
@@ -456,7 +456,7 @@ public abstract class AbstractAccessLogValve extends ValveBase implements Access protected AccessLogElement[] logElements = null; /** - * Should this valve set request attributes for IP address, hostname, + * Should this valve use request attributes for IP address, hostname, * protocol and port used for the request. * Default is false. * @see #setRequestAttributesEnabled(boolean)
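Review bot: The summary sentence in both hunks still names four items, "IP address, hostname, protocol and port used for the request", while the AccessLog.java list now carries five attributes after the addition of `org.apache.catalina.ServerName`. Mention the server name in the sentence in AccessLog.java and in the matching field Javadoc in AbstractAccessLogValve.java so the description and the list agree. The two copies also differ in punctuation: the interface Javadoc ends the sentence with "?" and the field Javadoc with "."; pick one form.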