[Bug 64488] EL API: AccessControlException -- Import Handler
https://bz.apache.org/bugzilla/show_bug.cgi?id=64488

Mark Thomas changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #37286|application/mbox            |text/plain
          mime type|                            |
 Attachment #37286|0                           |1
           is patch|                            |

--
You are receiving this mail because:
You are the assignee for the bug.

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 64488] EL API: AccessControlException -- Import Handler
https://bz.apache.org/bugzilla/show_bug.cgi?id=64488

Mark Thomas changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO

--- Comment #1 from Mark Thomas ---
The ImportHandler code should not be made privileged. You need to grant the necessary permissions to whatever code calls ImportHandler. In a default Tomcat installation, the necessary permission should be granted in the catalina.policy file.

It is possible, but unlikely, that a privileged block is missing elsewhere.

If you can provide the simplest possible JSP that triggers this issue on a clean Tomcat 10 install we can take a look.
[Bug 64231] Tomcat jdbc pool behaviour
https://bz.apache.org/bugzilla/show_bug.cgi?id=64231

--- Comment #1 from le...@redhat.com ---
Hi,

Just wondering if someone can answer this please? Is there a timeline we can expect for this?

Thanks
Lei
[tomcat] branch master updated: Improve formatting
This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/master by this push: new 00c2660 Improve formatting 00c2660 is described below commit 00c2660b90dc53d2bd7f700a3ecdd8b06b9345ed Author: remm AuthorDate: Tue Jun 2 16:26:02 2020 +0200 Improve formatting --- webapps/docs/changelog.xml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 67c061d..b6d47ce 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -69,8 +69,9 @@ attributes. (remm) -64442Be more flexible with respect to the ordering of groups, -roles and users in the tomcat-users.xml file. (fschumacher) +64442: Be more flexible with respect to the ordering of +groups, roles and users in the tomcat-users.xml file. +(fschumacher)
[tomcat] branch 8.5.x updated: Improve formatting
This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/8.5.x by this push: new 4dbf088 Improve formatting 4dbf088 is described below commit 4dbf088910c1ba9b89676975afc6e8d2a006fa3c Author: remm AuthorDate: Tue Jun 2 16:26:02 2020 +0200 Improve formatting --- webapps/docs/changelog.xml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 8d31f4a..48ae17f 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -65,8 +65,9 @@ attributes. (remm) -64442Be more flexible with respect to the ordering of groups, -roles and users in the tomcat-users.xml file. (fschumacher) +64442: Be more flexible with respect to the ordering of +groups, roles and users in the tomcat-users.xml file. +(fschumacher)
[tomcat] branch 9.0.x updated: Improve formatting
This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new 41b7c9d Improve formatting 41b7c9d is described below commit 41b7c9d514f63e58ee646958ae191024eef1b710 Author: remm AuthorDate: Tue Jun 2 16:26:02 2020 +0200 Improve formatting --- webapps/docs/changelog.xml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index a66c82e..ea6547e 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -73,8 +73,9 @@ attributes. (remm) -64442Be more flexible with respect to the ordering of groups, -roles and users in the tomcat-users.xml file. (fschumacher) +64442: Be more flexible with respect to the ordering of +groups, roles and users in the tomcat-users.xml file. +(fschumacher)
[Bug 64486] Receiving null/empty request body when SSL enabled
https://bz.apache.org/bugzilla/show_bug.cgi?id=64486

vink...@gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|INVALID                     |FIXED

--- Comment #2 from vink...@gmail.com ---
Hi,

It is not an invalid issue. We updated the Tomcat jar from 9.0.31 to 9.0.35 in our Spring Boot project's lib directory and the issue is resolved now. It seems the issue could be related to an EOF being returned before the whole read completed.

Fix: update to the latest version of Tomcat, 9.0.35.

Marking it as fixed in the updated version.

Thanks
[tomcat] branch 9.0.x updated: Remove version number
This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new b9656d7 Remove version number b9656d7 is described below commit b9656d72353a5ff5021b7125ed5aa024f0b7ce2b Author: remm AuthorDate: Tue Jun 2 16:33:54 2020 +0200 Remove version number 19.3 is antiquated by Graal standards and I will only bump the requirement if Graal adds meaningful improvements that can change the Tomcat capabilities. The next item coming could be serialization, which would allow clustering and other session related features to work. At this time, it will be possible to simplify the metadata a bit and review the Graal code paths for improvements. --- webapps/docs/graal.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/webapps/docs/graal.xml b/webapps/docs/graal.xml index 27ca99a..0d9535f 100644 --- a/webapps/docs/graal.xml +++ b/webapps/docs/graal.xml @@ -35,7 +35,7 @@ -Tomcat supports using the GraalVM 19.3 Native Image tool to produce +Tomcat supports using the GraalVM Native Image tool to produce a native binary including the container. This documentation page describes the build process of such an image.
[Bug 64493] New: Regression: JMX beans for HTTPS connector changed protocol with 9.0.35
https://bz.apache.org/bugzilla/show_bug.cgi?id=64493

            Bug ID: 64493
           Summary: Regression: JMX beans for HTTPS connector changed protocol with 9.0.35
           Product: Tomcat 9
           Version: 9.0.35
          Hardware: PC
                OS: Mac OS X 10.1
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Connectors
          Assignee: dev@tomcat.apache.org
          Reporter: asf+p...@kungfoocoder.org
  Target Milestone: -

Using the following pseudo code:

    import java.util.Set;
    import javax.management.MBeanServer;
    import javax.management.MBeanServerFactory;
    import javax.management.ObjectName;

    // Class and main() wrapper added so the fragment compiles as posted
    public class ConnectorProtocols {
        public static void main(String[] args) {
            try {
                MBeanServer server = MBeanServerFactory.createMBeanServer();
                // All Connector MBeans in the Catalina domain
                Set<ObjectName> protocolHandlers =
                        server.queryNames(new ObjectName("Catalina:type=Connector,*"), null);
                for (ObjectName x : protocolHandlers) {
                    // The "protocol" attribute is the value whose format changed in 9.0.35
                    String protocol = (String) server.getAttribute(x, "protocol");
                    System.out.println(x + " - " + protocol);
                }
            } catch (Exception e) {
                e.printStackTrace(); // was an empty catch block
            }
        }
    }

Then under 9.0.30 we get:

    Catalina:type=Connector,port=10180 - HTTP/1.1
    Catalina:type=Connector,port=10443 - HTTP/1.1

Under 9.0.35 we get:

    Catalina:type=Connector,port=10180 - HTTP/1.1
    Catalina:type=Connector,port=10443 - org.apache.coyote.http11.Http11NioProtocol

I believe that this is related to https://github.com/apache/tomcat/commit/5e0dd5d91ca3b9eb85d79fca2b9ce9313d90083c, since in the old situation, whenever the connector was Http11NioProtocol, it would return "HTTP/1.1". In the new situation, when a ProtocolHandler is passed in, we use the class name instead of "HTTP/1.1" for configuredProtocol. This should probably get the name of the protocol being handled from the ProtocolHandler.

In any case, this causes a breakage in our environment, as we rely on the protocol being set to "HTTP*" for the JMX bean.
[Bug 64488] EL API: AccessControlException -- Import Handler
https://bz.apache.org/bugzilla/show_bug.cgi?id=64488

--- Comment #2 from Konstantin Kolinko ---
(In reply to volosied+apache from comment #0)
> Permission:
> ("java.io.FilePermission"
> "/Library/Java/JavaVirtualMachines/adoptopenjdk-8-openj9.jdk/Contents/Home/jre/lib/rt.jar" "read")

How does it happen that it does not have a read permission for "rt.jar"?

In your case (looking at the proposed patch - attachment 37286) it is a getResource() call that is blocked by lacking permissions. Does it mean that not only loading of resources, but loading classes from rt.jar is blocked as well? Why? For what purpose? (*)

Is it a real-world configuration? Why is it configured like that?

(*) E.g. looking at a 'loadClass(name)' call a few lines later, just below the code affected by the patch - at ImportHandler line 463. Will it fail?

(In reply to Mark Thomas from comment #1)
> If you can provide the simplest possible JSP that triggers this issue on a
> clean Tomcat 10 install we can take a look.

+1

I would like to see steps and code that are sufficient to reproduce the behaviour. (From your stack trace I guess that you are running a JSP page, but not from within Apache Tomcat.)
[tomcat] branch 9.0.x updated: 64493: Revert possible protocol value change
This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new e622833 64493: Revert possible protocol value change e622833 is described below commit e62283354ab6c6a86ba8e5e9d7c56e61f99e6a39 Author: remm AuthorDate: Tue Jun 2 17:40:59 2020 +0200 64493: Revert possible protocol value change Best to avoid changes in 9.0.x, but I will keep the new behavior in 10. Don't reintroduce API on the ProtocolHandler itself. --- java/org/apache/catalina/connector/Connector.java | 18 +- webapps/docs/changelog.xml| 4 2 files changed, 13 insertions(+), 9 deletions(-) diff --git a/java/org/apache/catalina/connector/Connector.java b/java/org/apache/catalina/connector/Connector.java index d41fcb7..b22ce95 100644 --- a/java/org/apache/catalina/connector/Connector.java +++ b/java/org/apache/catalina/connector/Connector.java @@ -80,7 +80,6 @@ public class Connector extends LifecycleMBeanBase { public Connector(String protocol) { -configuredProtocol = protocol; boolean apr = AprLifecycleListener.isAprAvailable() && AprLifecycleListener.getUseAprConnector(); ProtocolHandler p = null; @@ -104,7 +103,6 @@ public class Connector extends LifecycleMBeanBase { public Connector(ProtocolHandler protocolHandler) { protocolHandlerClassName = protocolHandler.getClass().getName(); -configuredProtocol = protocolHandlerClassName; this.protocolHandler = protocolHandler; // Default for Connector depends on this system property setThrowOnFailure(Boolean.getBoolean("org.apache.catalina.startup.EXIT_ON_INIT_FAILURE")); @@ -250,12 +248,6 @@ public class Connector extends LifecycleMBeanBase { /** - * Name of the protocol that was configured. - */ -protected final String configuredProtocol; - - -/** * Coyote protocol handler. */ protected final ProtocolHandler protocolHandler; 
@@ -633,7 +625,15 @@ public class Connector extends LifecycleMBeanBase { * @return the Coyote protocol handler in use. */ public String getProtocol() { -return configuredProtocol; +boolean apr = AprLifecycleListener.getUseAprConnector(); +if ((!apr && org.apache.coyote.http11.Http11NioProtocol.class.getName().equals(protocolHandlerClassName)) +|| (apr && org.apache.coyote.http11.Http11AprProtocol.class.getName().equals(protocolHandlerClassName))) { +return "HTTP/1.1"; +} else if ((!apr && org.apache.coyote.ajp.AjpNioProtocol.class.getName().equals(protocolHandlerClassName)) +|| (apr && org.apache.coyote.ajp.AjpAprProtocol.class.getName().equals(protocolHandlerClassName))) { +return "AJP/1.3"; +} +return protocolHandlerClassName; } diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index ea6547e..55e9419 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -77,6 +77,10 @@ groups, roles and users in the tomcat-users.xml file. (fschumacher) + +64493: Revert possible change of returned protocol +attribute value on the Connector. (remm) +
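Review bot: the `getProtocol()` hunk decides APR with `boolean apr = AprLifecycleListener.getUseAprConnector();`, but both constructor hunks above gate the handler choice on the stricter `AprLifecycleListener.isAprAvailable() && AprLifecycleListener.getUseAprConnector()`. When the APR connector is requested but the native library is not available, the constructor's `apr` is false and the handler chosen will not be `Http11AprProtocol`, yet `getProtocol()` takes the `apr == true` branch, compares against `Http11AprProtocol`/`AjpAprProtocol`, misses, and falls through to `return protocolHandlerClassName;`. That is exactly the class-name value 64493 reports as a regression, so the revert is incomplete for that configuration. Suggest using the same condition in both places (`boolean apr = AprLifecycleListener.isAprAvailable() && AprLifecycleListener.getUseAprConnector();`) or, better, deriving the answer from the actual handler class rather than re-evaluating the APR preference at call time. Any other handler (custom or non-default) still yields the class name; since the changelog entry only says "Revert possible change", a sentence stating which values JMX consumers can now expect would help them test against it.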
[Bug 64493] Regression: JMX beans for HTTPS connector changed protocol with 9.0.35
https://bz.apache.org/bugzilla/show_bug.cgi?id=64493

Remy Maucherat changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #4 from Remy Maucherat ---
I decided to change it back in 9.0.36. 10.0 will continue to use the value that was used to configure the connector.
[Bug 64493] Regression: JMX beans for HTTPS connector changed protocol with 9.0.35
https://bz.apache.org/bugzilla/show_bug.cgi?id=64493

--- Comment #3 from Remy Maucherat ---
The new behavior reflects what is passed to the constructor, which I think is more consistent, so how is your connector created?
Re: [tomcat] branch master updated: Fix BZ 64483 Log a warning when an AJP request is rejected
Mark, On 6/2/20 06:24, ma...@apache.org wrote: > This is an automated email from the ASF dual-hosted git > repository. > > markt pushed a commit to branch master in repository > https://gitbox.apache.org/repos/asf/tomcat.git > > > The following commit(s) were added to refs/heads/master by this > push: new 186aae3 Fix BZ 64483 Log a warning when an AJP request > is rejected 186aae3 is described below > > commit 186aae31791ea120cf1b4ddd2f9fcb974bd1d5f9 Author: Mark Thomas > AuthorDate: Tue Jun 2 11:22:35 2020 +0100 > > Fix BZ 64483 Log a warning when an AJP request is rejected --- > java/org/apache/coyote/ajp/AjpProcessor.java | 14 > -- java/org/apache/coyote/ajp/LocalStrings.properties | > 1 + webapps/docs/changelog.xml | 4 3 > files changed, 9 insertions(+), 10 deletions(-) > > diff --git a/java/org/apache/coyote/ajp/AjpProcessor.java > b/java/org/apache/coyote/ajp/AjpProcessor.java index > d24a818..77d6a94 100644 --- > a/java/org/apache/coyote/ajp/AjpProcessor.java +++ > b/java/org/apache/coyote/ajp/AjpProcessor.java
@@ -30,7 +30,6 @@ > import java.util.HashMap; import java.util.HashSet; import > java.util.Map; import java.util.Set; -import > java.util.regex.Matcher; import java.util.regex.Pattern; > > import jakarta.servlet.http.HttpServletResponse; @@ -779,17 +778,12 > @@ public class AjpProcessor extends AbstractProcessor { // All > 'known' attributes will be processed by the previous // blocks. Any > remaining attribute is an 'arbitrary' one. Pattern pattern = > protocol.getAllowedRequestAttributesPatternInternal(); - > if (pattern == null) { +if (pattern != null && > pattern.matcher(n).matches()) { + > request.setAttribute(n, v); +} else { + > log.warn(sm.getString("ajpprocessor.unknownAttribute", n)); > response.setStatus(403); setErrorState(ErrorState.CLOSE_CLEAN, > null); Possible DOS by spamming the log file? I suppose you can DOS by filling the access log, too :/

-chris
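Review bot: the new `else` branch in the `AjpProcessor` hunk emits `log.warn(sm.getString("ajpprocessor.unknownAttribute", n))` on every rejected request, and `n` is the attribute name read from the incoming AJP packet (the context comment calls it an 'arbitrary' attribute). Two consequences worth addressing in the hunk: first, any peer that can reach the AJP port gets one WARN line per request, so consider logging the first rejection at WARN and subsequent ones at DEBUG (or behind a counter), so the output can be silenced in production without losing the signal that a misconfigured proxy is sending unexpected attributes; second, because `n` is peer-controlled, the value should be sanitised (at least CR/LF and other control characters removed, length bounded) before it reaches the log, otherwise a crafted name can inject fake log lines. The inversion of the condition from `if (pattern == null)` to `if (pattern != null && pattern.matcher(n).matches())` and the retained `setStatus(403)` + `ErrorState.CLOSE_CLEAN` look correct; the removed `java.util.regex.Matcher` import is consistent with the new inline `pattern.matcher(n).matches()` call.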
[Bug 64493] Regression: JMX beans for HTTPS connector changed protocol with 9.0.35
https://bz.apache.org/bugzilla/show_bug.cgi?id=64493

--- Comment #2 from asf+p...@kungfoocoder.org ---
I would be happy if they _both_ showed the same value, either new or old. It is the mismatch between the two that makes me sad.

Ideally we would keep the old, then we wouldn't need to update our product to get the CVE fix in 9.0.35.
Re: [tomcat] branch master updated: Fix BZ 64483 Log a warning when an AJP request is rejected
Mark, On 6/2/20 11:44, Mark Thomas wrote: > On 02/06/2020 16:37, Christopher Schultz wrote: >> Mark, >> >> On 6/2/20 06:24, ma...@apache.org wrote: >>> This is an automated email from the ASF dual-hosted git >>> repository. >> >>> markt pushed a commit to branch master in repository >>> https://gitbox.apache.org/repos/asf/tomcat.git >> >> >>> The following commit(s) were added to refs/heads/master by >>> this push: new 186aae3 Fix BZ 64483 Log a warning when an AJP >>> request is rejected 186aae3 is described below >> >>> commit 186aae31791ea120cf1b4ddd2f9fcb974bd1d5f9 Author: Mark >>> Thomas AuthorDate: Tue Jun 2 11:22:35 2020 >>> +0100 >> >>> Fix BZ 64483 Log a warning when an AJP request is rejected --- >>> java/org/apache/coyote/ajp/AjpProcessor.java | 14 >>> -- >>> java/org/apache/coyote/ajp/LocalStrings.properties | 1 + >>> webapps/docs/changelog.xml | 4 3 >>> files changed, 9 insertions(+), 10 deletions(-)
>> >>> diff --git a/java/org/apache/coyote/ajp/AjpProcessor.java >>> b/java/org/apache/coyote/ajp/AjpProcessor.java index >>> d24a818..77d6a94 100644 --- >>> a/java/org/apache/coyote/ajp/AjpProcessor.java +++ >>> b/java/org/apache/coyote/ajp/AjpProcessor.java @@ -30,7 +30,6 >>> @@ import java.util.HashMap; import java.util.HashSet; import >>> java.util.Map; import java.util.Set; -import >>> java.util.regex.Matcher; import java.util.regex.Pattern; >> >>> import jakarta.servlet.http.HttpServletResponse; @@ -779,17 >>> +778,12 @@ public class AjpProcessor extends AbstractProcessor >>> { // All 'known' attributes will be processed by the previous >>> // blocks. Any remaining attribute is an 'arbitrary' one. >>> Pattern pattern = >>> protocol.getAllowedRequestAttributesPatternInternal(); - if >>> (pattern == null) { +if (pattern != null >>> && pattern.matcher(n).matches()) { + request.setAttribute(n, >>> v); +} else { + >>> log.warn(sm.getString("ajpprocessor.unknownAttribute", n)); >>> response.setStatus(403); setErrorState(ErrorState.CLOSE_CLEAN, >>> null); >> >> Possible DOS by spamming the log file? >> >> I suppose you can DOS by filling the access log, too :/ > > How? This is AJP. Exposed endpoint. *shrug* I understand that this was added to make debugging of secured-endpoints easier (so the owner can whitelist whatever they seem to have forgotten) but anyone spamming the AJP port can cause a lot of output. This would be similar to sending malformed HTTP requests, which we currently log a single time and then subsequent errors are logged "at debug level" so you can at least disable them for production. 
-chris
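The throttling Chris proposes above (first rejection at WARN, later ones at debug level, so that a peer able to reach the AJP port cannot fill the production log) is simple to implement as a small helper. The class below is an added example written for this digest, not Tomcat code: the names `ThrottledRejectionLog`, `reject` and `suppressedCount`, and the use of java.util.logging, are illustrative assumptions, and the attribute names in `main` are constructed sample input. It goes one step beyond the thread by also stripping control characters from the peer-supplied attribute name before it is logged, since that name comes straight from the request.

```java
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.concurrent.atomic.AtomicLong;
import java.util.logging.Level;
import java.util.logging.Logger;

/**
 * Added example (not Tomcat code): logs the first rejected AJP request
 * attribute at WARNING and every later one at FINE, so an unauthenticated
 * peer cannot flood the production log, while keeping a count operators
 * can expose. All names here are illustrative assumptions.
 */
public final class ThrottledRejectionLog {

    private static final Logger log = Logger.getLogger(ThrottledRejectionLog.class.getName());

    /** Maximum number of characters of the attribute name that reach the log. */
    private static final int MAX_LOGGED_LENGTH = 64;

    private final AtomicBoolean warned = new AtomicBoolean(false);
    private final AtomicLong suppressed = new AtomicLong();

    /** Record one rejected attribute name supplied by the AJP peer. */
    public void reject(String attributeName) {
        String safe = sanitize(attributeName);
        if (warned.compareAndSet(false, true)) {
            // First occurrence: visible at the default level, with a hint
            // that further occurrences are demoted to FINE (debug).
            log.log(Level.WARNING,
                    "Rejected AJP request attribute [{0}]; further rejections are logged at FINE",
                    safe);
        } else {
            suppressed.incrementAndGet();
            log.log(Level.FINE, "Rejected AJP request attribute [{0}]", safe);
        }
    }

    /** Number of rejections logged at FINE instead of WARNING. */
    public long suppressedCount() {
        return suppressed.get();
    }

    /**
     * The attribute name is peer-controlled. Replace CR, LF and any other
     * control character so a crafted name cannot forge extra log lines, and
     * cap the length so one request cannot produce an arbitrarily long line.
     */
    static String sanitize(String raw) {
        if (raw == null) {
            return "null";
        }
        StringBuilder sb = new StringBuilder(Math.min(raw.length(), MAX_LOGGED_LENGTH));
        for (int i = 0; i < raw.length() && sb.length() < MAX_LOGGED_LENGTH; i++) {
            char c = raw.charAt(i);
            sb.append(c < 0x20 || c == 0x7f ? '?' : c);
        }
        if (raw.length() > MAX_LOGGED_LENGTH) {
            sb.append("...");
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        ThrottledRejectionLog rejections = new ThrottledRejectionLog();
        // Constructed sample input: three unknown attribute names, one of
        // which embeds a line break in an attempt to forge a log entry.
        String[] sample = { "X-Forwarded-Nothing", "evil\nWARNING: fake entry", "AJP_EXTRA" };
        for (String name : sample) {
            rejections.reject(name);
        }
        // Only the first call was logged at WARNING; the rest were counted.
        System.out.println("suppressed=" + rejections.suppressedCount());
    }
}
```

The `AtomicBoolean` makes the "warn once" decision safe across the connector's worker threads, and the FINE-level entries remain available when an operator turns debug logging on to diagnose a misconfigured proxy, which is the debugging use case the original commit was meant to serve.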
June releases
Hi all,

It is the start of the month again so I intend to start the next round of releases. All the open issues appear to be resolved / waiting for info, so I plan to run the unit tests locally and, assuming they pass cleanly, tag later today / early tomorrow.

Mark
[tomcat] branch master updated: Update BND
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/master by this push: new a0ad185 Update BND a0ad185 is described below commit a0ad1855c276a3ad145f1cbe0ce4ab4bbb7ad6ab Author: Mark Thomas AuthorDate: Tue Jun 2 15:12:03 2020 +0100 Update BND --- build.properties.default | 9 + webapps/docs/changelog.xml | 3 +++ 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/build.properties.default b/build.properties.default index 85bb862..12af31c 100644 --- a/build.properties.default +++ b/build.properties.default @@ -288,16 +288,17 @@ saaj-api.loc=${base-maven.loc}/javax/xml/soap/saaj-api/${saaj-api.version}/saaj- # - bnd & bndlib, version 4.0.0 or later - # - provides OSGI metadata for JARs - -bnd.version=5.0.1 +bnd.version=5.1.0 -# checksums for biz.aQute.bnd-5.0.1.jar, biz.aQute.bndlib-5.0.1.jar +# checksums for biz.aQute.bnd-5.1.0.jar bnd.checksum.enabled=true bnd.checksum.algorithm=MD5|SHA-1 -bnd.checksum.value=42cb2f3bbb5556f0182131c6543f1579|67d8bb4f274e8ecfd8ebfcdeed3b328f7078b13b +bnd.checksum.value=477684fd83707666cc84a766b147ed0c|9069bc1afad9201e3dc2efe62c0d5193777d16ae +# checksums for biz.aQute.bndlib-5.1.0.jar bndlib.checksum.enabled=true bndlib.checksum.algorithm=MD5|SHA-1 -bndlib.checksum.value=9d29031f80e3b94e3578fea75b45c8e6|aa13aef49a74fe0bd8bbcb016df124bab5d4064e +bndlib.checksum.value=59dfe87f09e3f03be891327a91430182|30e119e5b3ae63dbb86532490855707b009e1b2e bnd.home=${base.path}/bnd-${bnd.version} bnd.jar=${bnd.home}/biz.aQute.bnd-${bnd.version}.jar diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index fe75def..67c061d 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml 
@@ -141,6 +141,9 @@ Resolver Ant Tasks to upload artifacts to the ASF Maven repository (and from there to Maven Central). (markt) + +Update dependency on bnd to 5.1.0. (markt) +
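Review bot: the `build.properties.default` hunk pins the new bnd/bndlib 5.1.0 downloads only through the unchanged context lines `bnd.checksum.algorithm=MD5|SHA-1` and `bndlib.checksum.algorithm=MD5|SHA-1`. Both digests are collision-weak, and this checksum is the sole integrity check applied to a build-time dependency fetched from a remote repository, so while the version is being bumped it would be worth adding a collision-resistant digest (SHA-256 or SHA-512) to the algorithm list and the corresponding value alongside the new MD5|SHA-1 pair, if the checksum task used by the build accepts it. Splitting the former combined comment into `# checksums for biz.aQute.bnd-5.1.0.jar` and `# checksums for biz.aQute.bndlib-5.1.0.jar` is a welcome readability fix.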
[tomcat] branch 9.0.x updated: Update BND
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new 9a0a943 Update BND 9a0a943 is described below commit 9a0a943442329e3aa0700462684fa1e994c4b3f0 Author: Mark Thomas AuthorDate: Tue Jun 2 15:12:03 2020 +0100 Update BND --- build.properties.default | 9 + webapps/docs/changelog.xml | 3 +++ 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/build.properties.default b/build.properties.default index 4555662..d3adc67 100644 --- a/build.properties.default +++ b/build.properties.default @@ -288,16 +288,17 @@ saaj-api.loc=${base-maven.loc}/javax/xml/soap/saaj-api/${saaj-api.version}/saaj- # - bnd & bndlib, version 4.0.0 or later - # - provides OSGI metadata for JARs - -bnd.version=5.0.1 +bnd.version=5.1.0 -# checksums for biz.aQute.bnd-5.0.1.jar, biz.aQute.bndlib-5.0.1.jar +# checksums for biz.aQute.bnd-5.1.0.jar bnd.checksum.enabled=true bnd.checksum.algorithm=MD5|SHA-1 -bnd.checksum.value=42cb2f3bbb5556f0182131c6543f1579|67d8bb4f274e8ecfd8ebfcdeed3b328f7078b13b +bnd.checksum.value=477684fd83707666cc84a766b147ed0c|9069bc1afad9201e3dc2efe62c0d5193777d16ae +# checksums for biz.aQute.bndlib-5.1.0.jar bndlib.checksum.enabled=true bndlib.checksum.algorithm=MD5|SHA-1 -bndlib.checksum.value=9d29031f80e3b94e3578fea75b45c8e6|aa13aef49a74fe0bd8bbcb016df124bab5d4064e +bndlib.checksum.value=59dfe87f09e3f03be891327a91430182|30e119e5b3ae63dbb86532490855707b009e1b2e bnd.home=${base.path}/bnd-${bnd.version} bnd.jar=${bnd.home}/biz.aQute.bnd-${bnd.version}.jar diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index f82b323..a66c82e 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml 
@@ -131,6 +131,9 @@ Resolver Ant Tasks to upload artifacts to the ASF Maven repository (and from there to Maven Central). (markt) + +Update dependency on bnd to 5.1.0. (markt) +
Re: June releases
On Tue, Jun 2, 2020 at 4:01 PM Mark Thomas wrote:
> Hi all,
>
> It is the start of the month again so I intend to start the next round
> of releases. All the open issues appear to be resolved / waiting for
> info so I plan to run the unit tests locally and, assuming they pass
> cleanly, tag later today / early tomorrow.

+1, let's get rid of these regressions.

Rémy

> Mark
[tomcat] branch master updated: Remove version number
This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/master by this push: new f03e2b0 Remove version number f03e2b0 is described below commit f03e2b08a423799fec5bd1ec658f73a7fc41e2ce Author: remm AuthorDate: Tue Jun 2 16:33:54 2020 +0200 Remove version number 19.3 is antiquated by Graal standards and I will only bump the requirement if Graal adds meaningful improvements that can change the Tomcat capabilities. The next item coming could be serialization, which would allow clustering and other session related features to work. At this time, it will be possible to simplify the metadata a bit and review the Graal code paths for improvements. --- webapps/docs/graal.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/webapps/docs/graal.xml b/webapps/docs/graal.xml index f75a081..0852595 100644 --- a/webapps/docs/graal.xml +++ b/webapps/docs/graal.xml @@ -35,7 +35,7 @@ -Tomcat supports using the GraalVM 19.3 Native Image tool to produce +Tomcat supports using the GraalVM Native Image tool to produce a native binary including the container. This documentation page describes the build process of such an image.
[Bug 64488] EL API: AccessControlException -- Import Handler
https://bz.apache.org/bugzilla/show_bug.cgi?id=64488

--- Comment #3 from Konstantin Kolinko ---
(In reply to volosied+apache from comment #0)

A pair of minor comments regarding the patch:

> +        @Override
> +        public Boolean run() {
> +            return cl.getResource(path) == null;
> +        }

The code fragment above uses autoboxing. The code style in Tomcat is to use explicit boxing. (Configuration of compiler warnings for Eclipse IDE is documented in /res/ide-support/eclipse/java-compiler-errors-warnings.txt)

> From:

If that was not intended, you may want to configure the user.email setting in your clone of the repository.
[Bug 64493] Regression: JMX beans for HTTPS connector changed protocol with 9.0.35
https://bz.apache.org/bugzilla/show_bug.cgi?id=64493

--- Comment #1 from Remy Maucherat ---
Well, the new value is correct as well, I'm afraid. I will look at how easy it is to restore the fake value.
Re: [tomcat] branch master updated: Fix BZ 64483 Log a warning when an AJP request is rejected
On 02/06/2020 16:37, Christopher Schultz wrote: > Mark, > > On 6/2/20 06:24, ma...@apache.org wrote: >> This is an automated email from the ASF dual-hosted git >> repository. > >> markt pushed a commit to branch master in repository >> https://gitbox.apache.org/repos/asf/tomcat.git > > >> The following commit(s) were added to refs/heads/master by this >> push: new 186aae3 Fix BZ 64483 Log a warning when an AJP request >> is rejected 186aae3 is described below > >> commit 186aae31791ea120cf1b4ddd2f9fcb974bd1d5f9 Author: Mark Thomas >> AuthorDate: Tue Jun 2 11:22:35 2020 +0100 > >> Fix BZ 64483 Log a warning when an AJP request is rejected --- >> java/org/apache/coyote/ajp/AjpProcessor.java | 14 >> -- java/org/apache/coyote/ajp/LocalStrings.properties | >> 1 + webapps/docs/changelog.xml | 4 3 >> files changed, 9 insertions(+), 10 deletions(-) > >> diff --git a/java/org/apache/coyote/ajp/AjpProcessor.java >> b/java/org/apache/coyote/ajp/AjpProcessor.java index >> d24a818..77d6a94 100644 --- >> a/java/org/apache/coyote/ajp/AjpProcessor.java +++ >> b/java/org/apache/coyote/ajp/AjpProcessor.java 
@@ -30,7 +30,6 @@ >> import java.util.HashMap; import java.util.HashSet; import >> java.util.Map; import java.util.Set; -import >> java.util.regex.Matcher; import java.util.regex.Pattern; > >> import jakarta.servlet.http.HttpServletResponse; @@ -779,17 +778,12 >> @@ public class AjpProcessor extends AbstractProcessor { // All >> 'known' attributes will be processed by the previous // blocks. Any >> remaining attribute is an 'arbitrary' one. Pattern pattern = >> protocol.getAllowedRequestAttributesPatternInternal(); - >> if (pattern == null) { +if (pattern != null && >> pattern.matcher(n).matches()) { + >> request.setAttribute(n, v); +} else { + >> log.warn(sm.getString("ajpprocessor.unknownAttribute", n)); >> response.setStatus(403); setErrorState(ErrorState.CLOSE_CLEAN, >> null); > > Possible DOS by spamming the log file? > > I suppose you can DOS by filling the access log, too :/ How? This is AJP.

Mark
[tomcat] branch 8.5.x updated: Re-use roles and groups defined on users on MemoryUserDatabase creation
This is an automated email from the ASF dual-hosted git repository. fschumacher pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/8.5.x by this push: new 61e533f Re-use roles and groups defined on users on MemoryUserDatabase creation 61e533f is described below commit 61e533f322f33de6cb4c78e9116baff22b880021 Author: Felix Schumacher AuthorDate: Thu May 14 20:19:18 2020 +0200 Re-use roles and groups defined on users on MemoryUserDatabase creation When the XML file for MemoryUserDatabase is digested, the order of the elements was important. It had to be roles, groups and then users. With this patch the order of the elements is not important anymore. If a user element defined a role or group before the corresponding role or group element, we now will re-use that element and add a possibly missing description. Bugzilla Id: 64442 --- conf/tomcat-users.xsd | 12 ++-- .../org/apache/catalina/users/MemoryUserDatabase.java | 19 --- webapps/docs/changelog.xml| 4 3 files changed, 26 insertions(+), 9 deletions(-) diff --git a/conf/tomcat-users.xsd b/conf/tomcat-users.xsd index 948bd01..6a3446c 100644 --- a/conf/tomcat-users.xsd +++ b/conf/tomcat-users.xsd @@ -24,21 +24,21 @@ version="1.0"> - - + + - + - + @@ -47,7 +47,7 @@ - + @@ -56,4 +56,4 @@ - \ No newline at end of file + diff --git a/java/org/apache/catalina/users/MemoryUserDatabase.java b/java/org/apache/catalina/users/MemoryUserDatabase.java index 1f44202..efde670 100644 --- a/java/org/apache/catalina/users/MemoryUserDatabase.java +++ b/java/org/apache/catalina/users/MemoryUserDatabase.java 
@@ -751,7 +751,14 @@ class MemoryGroupCreationFactory extends AbstractObjectCreationFactory { } String description = attributes.getValue("description"); String roles = attributes.getValue("roles"); -Group group = database.createGroup(groupname, description); +Group group = database.findGroup(groupname); +if (group == null) { +group = database.createGroup(groupname, description); +} else { +if (group.getDescription() == null) { +group.setDescription(description); +} +} if (roles != null) { while (roles.length() > 0) { String rolename = null; @@ -796,8 +803,14 @@ class MemoryRoleCreationFactory extends AbstractObjectCreationFactory { rolename = attributes.getValue("name"); } String description = attributes.getValue("description"); -Role role = database.createRole(rolename, description); -return role; +Role existingRole = database.findRole(rolename); +if (existingRole == null) { +return database.createRole(rolename, description); +} +if (existingRole.getDescription() == null) { +existingRole.setDescription(description); +} +return existingRole; } private final MemoryUserDatabase database; diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 0ce02e6..cb81ea7 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -64,6 +64,10 @@ Implement a few rewrite SSL env that correspond to Servlet request attributes. (remm) + +64442Be more flexible with respect to the ordering of groups, +roles and users in the tomcat-users.xml file. (fschumacher) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
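Review bot: in the MemoryGroupCreationFactory hunk, `findGroup(groupname)` also matches a second `<group>` element with the same name, so a duplicate definition in tomcat-users.xml now merges silently into the first one (its `roles` are appended by the loop that follows, its `description` is dropped because the first description is non-null). Since this file is the realm's source of truth, consider logging a warning when the found group already carries a description, i.e. when it was defined by an earlier `<group>` element rather than created as a placeholder from a user's `groups` attribute; the placeholder case is the only one the commit message describes.

Review bot: the MemoryRoleCreationFactory hunk does the same thing with a different shape (early `return database.createRole(...)` and the description fix-up on the fall-through), and aligning it with the `if (group == null) { ... } else { ... }` form of the group factory would make the two easier to compare. More importantly, the diffstat lists only the XSD, the Java file and the changelog: a test that digests a file with `<user>` before `<role>` and `<group>` and checks the merged descriptions and role membership would pin the new ordering guarantee down before it is relied on.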
[Bug 64442] Re-use roles and groups defined on users on MemoryUserDatabase creation
https://bz.apache.org/bugzilla/show_bug.cgi?id=64442 --- Comment #18 from Mark Thomas --- I don't see why not.
[tomcat] branch master updated: Fix BZ 64483 Log a warning when an AJP request is rejected
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/master by this push: new 186aae3 Fix BZ 64483 Log a warning when an AJP request is rejected 186aae3 is described below commit 186aae31791ea120cf1b4ddd2f9fcb974bd1d5f9 Author: Mark Thomas AuthorDate: Tue Jun 2 11:22:35 2020 +0100 Fix BZ 64483 Log a warning when an AJP request is rejected --- java/org/apache/coyote/ajp/AjpProcessor.java | 14 -- java/org/apache/coyote/ajp/LocalStrings.properties | 1 + webapps/docs/changelog.xml | 4 3 files changed, 9 insertions(+), 10 deletions(-) diff --git a/java/org/apache/coyote/ajp/AjpProcessor.java b/java/org/apache/coyote/ajp/AjpProcessor.java index d24a818..77d6a94 100644 --- a/java/org/apache/coyote/ajp/AjpProcessor.java +++ b/java/org/apache/coyote/ajp/AjpProcessor.java @@ -30,7 +30,6 @@ import java.util.HashMap; import java.util.HashSet; import java.util.Map; import java.util.Set; -import java.util.regex.Matcher; import java.util.regex.Pattern; import jakarta.servlet.http.HttpServletResponse; @@ -779,17 +778,12 @@ public class AjpProcessor extends AbstractProcessor { // All 'known' attributes will be processed by the previous // blocks. Any remaining attribute is an 'arbitrary' one. Pattern pattern = protocol.getAllowedRequestAttributesPatternInternal(); -if (pattern == null) { +if (pattern != null && pattern.matcher(n).matches()) { +request.setAttribute(n, v); +} else { +log.warn(sm.getString("ajpprocessor.unknownAttribute", n)); response.setStatus(403); setErrorState(ErrorState.CLOSE_CLEAN, null); -} else { -Matcher m = pattern.matcher(n); -if (m.matches()) { -request.setAttribute(n, v); -} else { -response.setStatus(403); -setErrorState(ErrorState.CLOSE_CLEAN, null); -} } } break; 
diff --git a/java/org/apache/coyote/ajp/LocalStrings.properties b/java/org/apache/coyote/ajp/LocalStrings.properties index ab377eb..467035d 100644 --- a/java/org/apache/coyote/ajp/LocalStrings.properties +++ b/java/org/apache/coyote/ajp/LocalStrings.properties @@ -26,6 +26,7 @@ ajpprocessor.header.tooLong=Header message of length [{0}] received but the pack ajpprocessor.readtimeout=Timeout attempting to read data from the socket ajpprocessor.request.prepare=Error preparing request ajpprocessor.request.process=Error processing request +ajpprocessor.unknownAttribute=Rejecting request due to unknown request attribute [{0}] received from reverse proxy ajpprotocol.noSSL=SSL is not supported with AJP. The SSL host configuration for [{0}] was ignored ajpprotocol.noSecret=The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid. diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 056cf3b..fe75def 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -87,6 +87,10 @@ Expose server certificate through the SSLSupport interface. (remm) + +64483: Log a warning if an AJP request is rejected because it +contains an unexpected request attribute. (markt) + 64485: Fix possible resource leak geting last modified from ConfigurationSource.Resource. (remm) - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
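Review bot: in the AjpProcessor hunk the new warning interpolates the attribute name `n` straight from the AJP packet, so whoever can reach the AJP port chooses both the content and (up to the packet size) the length of every warn-level line, which is the log-flooding and log-injection angle raised in the list discussion. Suggest bounding or escaping control characters in `n` before it goes into `ajpprocessor.unknownAttribute`, and adding the peer address so an operator can tell a misconfigured proxy from an unexpected client; the message text "received from reverse proxy" presumes the sender is the trusted proxy, which is exactly what is in doubt when this fires.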
[tomcat] branch 9.0.x updated: Fix BZ 64483 Log a warning when an AJP request is rejected
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new 20e963e Fix BZ 64483 Log a warning when an AJP request is rejected 20e963e is described below commit 20e963e78e5a1467276fdd25c7db67570605ceaf Author: Mark Thomas AuthorDate: Tue Jun 2 11:22:35 2020 +0100 Fix BZ 64483 Log a warning when an AJP request is rejected --- java/org/apache/coyote/ajp/AjpProcessor.java | 14 -- java/org/apache/coyote/ajp/LocalStrings.properties | 1 + webapps/docs/changelog.xml | 4 3 files changed, 9 insertions(+), 10 deletions(-) diff --git a/java/org/apache/coyote/ajp/AjpProcessor.java b/java/org/apache/coyote/ajp/AjpProcessor.java index 31e2239..88f1cb7 100644 --- a/java/org/apache/coyote/ajp/AjpProcessor.java +++ b/java/org/apache/coyote/ajp/AjpProcessor.java @@ -28,7 +28,6 @@ import java.security.cert.X509Certificate; import java.util.Collections; import java.util.HashSet; import java.util.Set; -import java.util.regex.Matcher; import java.util.regex.Pattern; import javax.servlet.http.HttpServletResponse; @@ -771,17 +770,12 @@ public class AjpProcessor extends AbstractProcessor { // All 'known' attributes will be processed by the previous // blocks. Any remaining attribute is an 'arbitrary' one. Pattern pattern = protocol.getAllowedRequestAttributesPatternInternal(); -if (pattern == null) { +if (pattern != null && pattern.matcher(n).matches()) { +request.setAttribute(n, v); +} else { +log.warn(sm.getString("ajpprocessor.unknownAttribute", n)); response.setStatus(403); setErrorState(ErrorState.CLOSE_CLEAN, null); -} else { -Matcher m = pattern.matcher(n); -if (m.matches()) { -request.setAttribute(n, v); -} else { -response.setStatus(403); -setErrorState(ErrorState.CLOSE_CLEAN, null); -} } } break; 
diff --git a/java/org/apache/coyote/ajp/LocalStrings.properties b/java/org/apache/coyote/ajp/LocalStrings.properties index ab377eb..467035d 100644 --- a/java/org/apache/coyote/ajp/LocalStrings.properties +++ b/java/org/apache/coyote/ajp/LocalStrings.properties @@ -26,6 +26,7 @@ ajpprocessor.header.tooLong=Header message of length [{0}] received but the pack ajpprocessor.readtimeout=Timeout attempting to read data from the socket ajpprocessor.request.prepare=Error preparing request ajpprocessor.request.process=Error processing request +ajpprocessor.unknownAttribute=Rejecting request due to unknown request attribute [{0}] received from reverse proxy ajpprotocol.noSSL=SSL is not supported with AJP. The SSL host configuration for [{0}] was ignored ajpprotocol.noSecret=The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid. diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index dc7b498..f82b323 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -91,6 +91,10 @@ Expose server certificate through the SSLSupport interface. (remm) + +64483: Log a warning if an AJP request is rejected because it +contains an unexpected request attribute. (markt) + 64485: Fix possible resource leak geting last modified from ConfigurationSource.Resource. (remm) - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 64483] AJP connector allowedRequestAttributesPattern failures not logged
https://bz.apache.org/bugzilla/show_bug.cgi?id=64483 --- Comment #1 from Mark Thomas --- Fair point. I'll take a look.
[Bug 64486] Receiving null/empty request body when SSL enabled
https://bz.apache.org/bugzilla/show_bug.cgi?id=64486 --- Comment #3 from vink...@gmail.com --- Additional Comments: The issue could be related to the bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=64195 Thanks
[tomcat] branch 7.0.x updated: Fix BZ 64483 Log a warning when an AJP request is rejected
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 7.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/7.0.x by this push: new 32c3009 Fix BZ 64483 Log a warning when an AJP request is rejected 32c3009 is described below commit 32c30090e754f7b7e84eb16deaed93d27ce37045 Author: Mark Thomas AuthorDate: Tue Jun 2 11:22:35 2020 +0100 Fix BZ 64483 Log a warning when an AJP request is rejected --- java/org/apache/coyote/ajp/AbstractAjpProcessor.java | 15 +-- java/org/apache/coyote/ajp/LocalStrings.properties | 1 + webapps/docs/changelog.xml | 8 3 files changed, 14 insertions(+), 10 deletions(-) diff --git a/java/org/apache/coyote/ajp/AbstractAjpProcessor.java b/java/org/apache/coyote/ajp/AbstractAjpProcessor.java index 7d6cae1..7016e41 100644 --- a/java/org/apache/coyote/ajp/AbstractAjpProcessor.java +++ b/java/org/apache/coyote/ajp/AbstractAjpProcessor.java @@ -27,7 +27,6 @@ import java.util.Collections; import java.util.HashSet; import java.util.Set; import java.util.concurrent.atomic.AtomicBoolean; -import java.util.regex.Matcher; import java.util.regex.Pattern; import javax.servlet.http.HttpServletResponse; 
@@ -912,17 +911,13 @@ public abstract class AbstractAjpProcessor extends AbstractProcessor { } else { // All 'known' attributes will be processed by the previous // blocks. Any remaining attribute is an 'arbitrary' one. -if (allowedRequestAttributesPatternPattern == null) { +if (allowedRequestAttributesPatternPattern != null && + allowedRequestAttributesPatternPattern.matcher(n).matches() ) { +request.setAttribute(n, v); +} else { + getLog().warn(sm.getString("ajpprocessor.unknownAttribute", n)); response.setStatus(403); setErrorState(ErrorState.CLOSE_CLEAN, null); -} else { -Matcher m = allowedRequestAttributesPatternPattern.matcher(n); -if (m.matches()) { -request.setAttribute(n, v); -} else { -response.setStatus(403); -setErrorState(ErrorState.CLOSE_CLEAN, null); -} } } break; diff --git a/java/org/apache/coyote/ajp/LocalStrings.properties b/java/org/apache/coyote/ajp/LocalStrings.properties index 496550c..3868f45 100644 --- a/java/org/apache/coyote/ajp/LocalStrings.properties +++ b/java/org/apache/coyote/ajp/LocalStrings.properties @@ -33,6 +33,7 @@ ajpprocessor.request.prepare=Error preparing request ajpprocessor.request.process=Error processing request ajpprocessor.socket.info=Exception getting socket information ajpprocessor.ssl.notsupported=The SSL protocol is not supported by this connector +ajpprocessor.unknownAttribute=Rejecting request due to unknown request attribute [{0}] received from reverse proxy ajpprotocol.endpoint.starterror=Error starting endpoint ajpprotocol.failedwrite=Socket write failed diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 3707cdd..3c2bbee 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -68,6 +68,14 @@ + + + +64483: Log a warning if an AJP request is rejected because it +contains an unexpected request attribute. (markt) + + + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 64483] AJP connector allowedRequestAttributesPattern failures not logged
https://bz.apache.org/bugzilla/show_bug.cgi?id=64483 Mark Thomas changed: What|Removed |Added Status|NEW |RESOLVED Resolution|--- |FIXED --- Comment #2 from Mark Thomas --- Fixed in:
- master for 10.0.0-M6 onwards
- 9.0.x for 9.0.36 onwards
- 8.5.x for 8.5.56 onwards
- 7.0.x for 7.0.105 onwards
[Bug 64442] Re-use roles and groups defined on users on MemoryUserDatabase creation
https://bz.apache.org/bugzilla/show_bug.cgi?id=64442 Felix Schumacher changed: What|Removed |Added Resolution|--- |FIXED Status|NEW |RESOLVED --- Comment #19 from Felix Schumacher --- Backported to 8.5.x
[Bug 64195] Tomcat NIO SSL Connector broken under Linux in Tomcat 9.0.31
https://bz.apache.org/bugzilla/show_bug.cgi?id=64195 mgrigorov changed: What|Removed |Added CC||vink...@gmail.com --- Comment #14 from mgrigorov --- *** Bug 64486 has been marked as a duplicate of this bug. ***
[Bug 64486] Receiving null/empty request body when SSL enabled
https://bz.apache.org/bugzilla/show_bug.cgi?id=64486 mgrigorov changed: What|Removed |Added Resolution|FIXED |DUPLICATE --- Comment #4 from mgrigorov --- *** This bug has been marked as a duplicate of bug 64195 ***
[tomcat] branch 8.5.x updated: Fix BZ 64483 Log a warning when an AJP request is rejected
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/8.5.x by this push: new 06edd30 Fix BZ 64483 Log a warning when an AJP request is rejected 06edd30 is described below commit 06edd300c183fc0e49df81a8fae58d8fbed9 Author: Mark Thomas AuthorDate: Tue Jun 2 11:22:35 2020 +0100 Fix BZ 64483 Log a warning when an AJP request is rejected --- java/org/apache/coyote/ajp/AjpProcessor.java | 15 +-- java/org/apache/coyote/ajp/LocalStrings.properties | 1 + webapps/docs/changelog.xml | 4 3 files changed, 10 insertions(+), 10 deletions(-) diff --git a/java/org/apache/coyote/ajp/AjpProcessor.java b/java/org/apache/coyote/ajp/AjpProcessor.java index fa71116..e65486d 100644 --- a/java/org/apache/coyote/ajp/AjpProcessor.java +++ b/java/org/apache/coyote/ajp/AjpProcessor.java @@ -28,7 +28,6 @@ import java.security.cert.X509Certificate; import java.util.Collections; import java.util.HashSet; import java.util.Set; -import java.util.regex.Matcher; import java.util.regex.Pattern; import javax.servlet.http.HttpServletResponse; @@ -863,17 +862,13 @@ public class AjpProcessor extends AbstractProcessor { } else { // All 'known' attributes will be processed by the previous // blocks. Any remaining attribute is an 'arbitrary' one. -if (allowedRequestAttributesPattern == null) { +if (allowedRequestAttributesPattern != null && + allowedRequestAttributesPattern.matcher(n).matches()) { +request.setAttribute(n, v); +} else { +log.warn(sm.getString("ajpprocessor.unknownAttribute", n)); response.setStatus(403); setErrorState(ErrorState.CLOSE_CLEAN, null); -} else { -Matcher m = allowedRequestAttributesPattern.matcher(n); -if (m.matches()) { -request.setAttribute(n, v); -} else { -response.setStatus(403); -setErrorState(ErrorState.CLOSE_CLEAN, null); -} } } break; 
diff --git a/java/org/apache/coyote/ajp/LocalStrings.properties b/java/org/apache/coyote/ajp/LocalStrings.properties index 38067ca..bc9bae6 100644 --- a/java/org/apache/coyote/ajp/LocalStrings.properties +++ b/java/org/apache/coyote/ajp/LocalStrings.properties @@ -29,6 +29,7 @@ ajpprocessor.header.tooLong=Header message of length [{0}] received but the pack ajpprocessor.readtimeout=Timeout attempting to read data from the socket ajpprocessor.request.prepare=Error preparing request ajpprocessor.request.process=Error processing request +ajpprocessor.unknownAttribute=Rejecting request due to unknown request attribute [{0}] received from reverse proxy ajpprotocol.noBio=The AJP BIO connector has been removed in Tomcat 8.5.x onwards. The AJP BIO connector configuration has been automatically switched to use the AJP NIO connector instead. ajpprotocol.noSSL=SSL is not supported with AJP. The SSL host configuration for [{0}] was ignored diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index cb81ea7..8d31f4a 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -79,6 +79,10 @@ 64467: Improve performance of closing idle HTTP/2 streams. (markt) + +64483: Log a warning if an AJP request is rejected because it +contains an unexpected request attribute. (markt) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
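Review bot: the 8.5.x AjpProcessor hunk is the same change as master, but one consequence belongs in the changelog entry rather than the code: the `allowedRequestAttributesPattern == null` branch now shares the `else` with the non-matching case, so an installation that never configured a pattern and sits behind a proxy forwarding any custom attribute will, after upgrading, start logging a warn line on every such request (the 403 itself is unchanged; it was just silent before). The changelog wording "rejected because it contains an unexpected request attribute" could say explicitly that the warning also covers the unconfigured-pattern case.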
[Bug 64493] Regression: JMX beans for HTTPS connector changed protocol with 9.0.35
https://bz.apache.org/bugzilla/show_bug.cgi?id=64493 --- Comment #5 from asf+p...@kungfoocoder.org --- We construct it through server.xml I guess. We don't call this code directly, but rather through the normal tomcat configuration. Our server.xml has:
[tomcat] branch master updated: Update a missed version number
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/master by this push: new 5520347 Update a missed version number 5520347 is described below commit 55203470a3632c9386fe62e61ad6dae8e660cfd2 Author: Mark Thomas AuthorDate: Tue Jun 2 15:30:21 2020 +0100 Update a missed version number --- build.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build.xml b/build.xml index 4236393..8682b40 100644 --- a/build.xml +++ b/build.xml @@ -15,7 +15,7 @@ See the License for the specific language governing permissions and limitations under the License. --> - - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 64493] Regression: JMX beans for HTTPS connector changed protocol with 9.0.35
https://bz.apache.org/bugzilla/show_bug.cgi?id=64493 --- Comment #6 from asf+p...@kungfoocoder.org --- Thanks for the change! As discussed in the previous comment we do have a workaround that we could apply, now that we know what the change is and the reason why this changed. That said, I would still argue against this change for the 9.0 branch, since it _might_ require code/config changes for users.
Re: [tomcat] branch master updated: Fix BZ 64483 Log a warning when an AJP request is rejected
On 02/06/2020 16:57, Christopher Schultz wrote: > Mark, > > On 6/2/20 11:44, Mark Thomas wrote: >> On 02/06/2020 16:37, Christopher Schultz wrote: >>> Mark, >>> >>> On 6/2/20 06:24, ma...@apache.org wrote: This is an automated email from the ASF dual-hosted git repository. >>> markt pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git >>> >>> The following commit(s) were added to refs/heads/master by this push: new 186aae3 Fix BZ 64483 Log a warning when an AJP request is rejected 186aae3 is described below >>> commit 186aae31791ea120cf1b4ddd2f9fcb974bd1d5f9 Author: Mark Thomas AuthorDate: Tue Jun 2 11:22:35 2020 +0100 >>> Fix BZ 64483 Log a warning when an AJP request is rejected --- java/org/apache/coyote/ajp/AjpProcessor.java | 14 -- java/org/apache/coyote/ajp/LocalStrings.properties | 1 + webapps/docs/changelog.xml | 4 3 files changed, 9 insertions(+), 10 deletions(-) >>> diff --git a/java/org/apache/coyote/ajp/AjpProcessor.java b/java/org/apache/coyote/ajp/AjpProcessor.java index d24a818..77d6a94 100644 --- a/java/org/apache/coyote/ajp/AjpProcessor.java +++ b/java/org/apache/coyote/ajp/AjpProcessor.java @@ -30,7 +30,6 @@ import java.util.HashMap; import java.util.HashSet; import java.util.Map; import java.util.Set; -import java.util.regex.Matcher; import java.util.regex.Pattern; >>> import jakarta.servlet.http.HttpServletResponse; 
@@ -779,17 +778,12 @@ public class AjpProcessor extends AbstractProcessor { // All 'known' attributes will be processed by the previous // blocks. Any remaining attribute is an 'arbitrary' one. Pattern pattern = protocol.getAllowedRequestAttributesPatternInternal(); - if (pattern == null) { +if (pattern != null && pattern.matcher(n).matches()) { + request.setAttribute(n, v); +} else { + log.warn(sm.getString("ajpprocessor.unknownAttribute", n)); response.setStatus(403); setErrorState(ErrorState.CLOSE_CLEAN, null); >>> >>> Possible DOS by spamming the log file? >>> >>> I suppose you can DOS by filling the access log, too :/ > >> How? This is AJP. > > Exposed endpoint. *shrug* > > I understand that this was added to make debugging of > secured-endpoints easier (so the owner can whitelist whatever they > seem to have forgotten) but anyone spamming the AJP port can cause a > lot of output. Ah. I thought the secret was checked earlier than it is. > This would be similar to sending malformed HTTP requests, which we > currently log a single time and then subsequent errors are logged "at > debug level" so you can at least disable them for production. I'm still in favour of leaving this as it is for multiple reasons: - If users have exposed an AJP port to the public internet and are getting spammed / attacked they need to know. - A misconfigured "private" Connector is far more likely than a correctly secured "public" one - In terms of load it should be no worse than the access log (which is only noticeable when you load test on local host with a trivial servlet). There is no exception generated here which is the more usual source of load in these scenarios. Mark - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
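The rejection branch this thread argues about, and the packet an AJP client needs to reach it, as an added example that is not Tomcat code and not part of this thread: the script builds an AJP13 Forward Request carrying an arbitrary request attribute, parses it back, and applies a Python mirror of the patched decision (accept only when `allowedRequestAttributesPattern` is configured and fully matches the name, otherwise 403 plus the warning text from LocalStrings). Assumptions: the packet layout follows the public AJP13 protocol description and `process_packet` is a simplification that stops at the first rejected attribute; `re.fullmatch` stands in for Java's `Pattern.matcher(n).matches()`, so Java-only regex syntax is not covered; the sample URI, address and attribute names are constructed. Pointed at a real connector, this is what lets you confirm both the 403 and the new warn line, and it makes the list discussion concrete: the only bound on how much sender-chosen text lands in that line is the packet size.

```python
"""Added example (not Tomcat code): build/parse AJP13 Forward Request packets
that carry an arbitrary request attribute, and mirror the BZ 64483 decision."""
import re
import struct

# AJP13 constants from the protocol description.
AJP_MAGIC_TO_SERVER = b"\x12\x34"   # web server -> container packets
JK_AJP13_FORWARD_REQUEST = 0x02
SC_REQ_ATTRIBUTE = 0x0A             # "arbitrary" name/value attribute
SC_A_ARE_DONE = 0xFF                # end of attribute list
METHOD_GET = 0x02                   # method codes: OPTIONS=1, GET=2, HEAD=3, POST=4, ...
DEFAULT_PACKET_SIZE = 8192          # Tomcat's default AJP packetSize
# Text of ajpprocessor.unknownAttribute from the patch.
UNKNOWN_ATTRIBUTE_MSG = ("Rejecting request due to unknown request attribute [{0}] "
                         "received from reverse proxy")


def ajp_string(s):
    """AJP string: 2-byte big-endian length, bytes, NUL; None is sent as 0xFFFF."""
    if s is None:
        return b"\xff\xff"
    data = s.encode("latin-1")
    return struct.pack(">H", len(data)) + data + b"\x00"


def build_forward_request(uri, attributes):
    """Minimal GET Forward Request with no headers and the given req_attributes."""
    body = bytes([JK_AJP13_FORWARD_REQUEST, METHOD_GET])
    body += ajp_string("HTTP/1.1")        # protocol
    body += ajp_string(uri)               # req_uri
    body += ajp_string("127.0.0.1")       # remote_addr (constructed value)
    body += ajp_string(None)              # remote_host
    body += ajp_string("localhost")       # server_name
    body += struct.pack(">H", 80)         # server_port
    body += b"\x00"                       # is_ssl
    body += struct.pack(">H", 0)          # num_headers
    for name, value in attributes.items():
        body += bytes([SC_REQ_ATTRIBUTE]) + ajp_string(name) + ajp_string(value)
    body += bytes([SC_A_ARE_DONE])
    if len(body) > DEFAULT_PACKET_SIZE:
        raise ValueError(f"body of {len(body)} bytes exceeds packetSize {DEFAULT_PACKET_SIZE}")
    return AJP_MAGIC_TO_SERVER + struct.pack(">H", len(body)) + body


def _read_string(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    if n == 0xFFFF:
        return None, pos
    return buf[pos:pos + n].decode("latin-1"), pos + n + 1   # +1 skips the NUL


def parse_request_attributes(packet):
    """Walk a Forward Request and return its req_attribute name/value pairs."""
    if packet[:2] != AJP_MAGIC_TO_SERVER:
        raise ValueError("not a web-server-to-container AJP packet")
    (length,) = struct.unpack_from(">H", packet, 2)
    body = packet[4:4 + length]
    if body[0] != JK_AJP13_FORWARD_REQUEST:
        raise ValueError(f"unexpected prefix code {body[0]:#x}")
    pos = 2                               # prefix code + method
    for _ in range(5):                    # protocol, req_uri, remote_addr, remote_host, server_name
        _, pos = _read_string(body, pos)
    pos += 2 + 1                          # server_port + is_ssl
    (num_headers,) = struct.unpack_from(">H", body, pos)
    pos += 2
    for _ in range(num_headers):
        if body[pos] == 0xA0:             # coded common header name (2 bytes)
            pos += 2
        else:
            _, pos = _read_string(body, pos)
        _, pos = _read_string(body, pos)  # header value
    attrs = {}
    while body[pos] != SC_A_ARE_DONE:
        code = body[pos]
        pos += 1
        if code != SC_REQ_ATTRIBUTE:
            raise ValueError(f"attribute code {code:#x} not handled by this example")
        name, pos = _read_string(body, pos)
        value, pos = _read_string(body, pos)
        attrs[name] = value
    return attrs


def arbitrary_attribute_decision(name, allowed_pattern):
    """Mirror of the patched branch: accept only when a pattern is configured and
    matches the whole name (re.fullmatch ~ Pattern.matcher(n).matches()); else 403
    plus the warn-level line the patch adds. The name is sender-controlled."""
    if allowed_pattern is not None and re.fullmatch(allowed_pattern, name):
        return 200, None
    return 403, UNKNOWN_ATTRIBUTE_MSG.replace("{0}", name)


def process_packet(packet, allowed_pattern):
    """Simplified connector: the first rejected attribute ends processing with 403."""
    log = []
    for name in parse_request_attributes(packet):
        status, line = arbitrary_attribute_decision(name, allowed_pattern)
        if status == 403:
            log.append(line)
            return 403, log
    return 200, log


if __name__ == "__main__":
    pkt = build_forward_request("/app/", {"X_CUSTOM": "1"})   # constructed sample
    print(process_packet(pkt, None))       # no pattern configured: 403 + warning
    print(process_packet(pkt, r"X_.*"))    # allowed: 200, nothing logged
    flood = build_forward_request("/", {"a" * 8000: ""})      # still one packet
    print(len(process_packet(flood, None)[1][0]))             # one ~8 KB warn line
```

`process_packet(pkt, None)` is the unconfigured default: the request was already refused with 403 before the patch, and the only new behaviour is the warn line. The `flood` case shows why the peer matters: a single packet that fits the default `packetSize` yields a warn line of roughly eight kilobytes chosen by whoever speaks AJP to the port.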
[tomcat] branch master updated: Correct section
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/master by this push: new 44f949b Correct section 44f949b is described below commit 44f949b7cfcd1b3831bc93721e6eaf98c43b2297 Author: Mark Thomas AuthorDate: Tue Jun 2 23:57:16 2020 +0100 Correct section --- webapps/docs/changelog.xml | 10 +- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index b3c1546..67be36b 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -105,6 +105,11 @@ specification updates to use generics and add missing @Deprecated annotations. (markt) + +64488: Ensure that the ImportHandler from the Expression +Language API is able to load classes from the Java runtime when running +under a SecurityManager. Based on a patch by Volodymyr Siedleck. (markt) + @@ -119,11 +124,6 @@ endpoint path is specified and catch invalid endpoint paths earlier. (markt) - -64488: Ensure that the ImportHandler from the Expression -Language API is able to load classes from the Java runtime when running -under a SecurityManager. Based on a patch by Volodymyr Siedleck. (markt) - - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 64488] EL API: AccessControlException -- Import Handler
https://bz.apache.org/bugzilla/show_bug.cgi?id=64488 --- Comment #6 from Mark Thomas --- Thanks for the test case. It makes debugging what is going on a lot easier.

I think there is a bug here. Over time we have added various optimisations to the ImportHandler to address performance issues caused by the ambiguity introduced in EL 3.0. A good summary of those ambiguities and the associated performance issues can be found in https://tomcat.markmail.org/thread/pcxxg4ql6mxjwcmd and the links in the first email of that thread.

One of those optimisations was to do a resource lookup before trying to load the class as this was considerably quicker for the "not a class" case and only marginally slower for the "is a class" case. It is this resource lookup that is failing due to a lack of read permission.

Given that this test is there to optimise the "not a class" case, that the return value is thrown away and that the class loading happens a few lines later, I think your proposed patch is along the right lines. We've been moving towards removing anonymous classes so I am going to try a variation of your patch that uses an inner class.
[tomcat] branch 9.0.x updated: Fix BZ 64488. Correct ImportHandler failures under a security manager
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new 22b4599 Fix BZ 64488. Correct ImportHandler failures under a security manager 22b4599 is described below commit 22b45997bfd967dad744dd92f5ca666516205f3f Author: Mark Thomas AuthorDate: Tue Jun 2 23:54:49 2020 +0100 Fix BZ 64488. Correct ImportHandler failures under a security manager https://bz.apache.org/bugzilla/show_bug.cgi?id=64488 Patch provided by Volodymyr Siedleck --- java/javax/el/ImportHandler.java | 39 +-- webapps/docs/changelog.xml | 5 + 2 files changed, 42 insertions(+), 2 deletions(-) diff --git a/java/javax/el/ImportHandler.java b/java/javax/el/ImportHandler.java index cfabd9d..002ce6b 100644 --- a/java/javax/el/ImportHandler.java +++ b/java/javax/el/ImportHandler.java @@ -19,6 +19,8 @@ package javax.el; import java.lang.reflect.Field; import java.lang.reflect.Method; import java.lang.reflect.Modifier; +import java.security.AccessController; +import java.security.PrivilegedAction; import java.util.Collections; import java.util.HashMap; import java.util.HashSet; @@ -31,6 +33,8 @@ import java.util.concurrent.ConcurrentHashMap; */ public class ImportHandler { +private static final boolean IS_SECURITY_ENABLED = (System.getSecurityManager() != null); + private static final Map> standardPackages = new HashMap<>(); static { 
@@ -452,8 +456,18 @@ public class ImportHandler { * for the case where the class does exist is a lot less than the * overhead we save by not calling loadClass(). */ -if (cl.getResource(path) == null) { -return null; +if (IS_SECURITY_ENABLED) { +// Webapps don't have read permission for JAVA_HOME (and +// possibly other sources of classes). Only need to know if the +// class exists at this point. Class loading occurs with +// standard SecurityManager policy next. +if (!AccessController.doPrivileged(new PrivilegedResourceExists(cl, path)).booleanValue()) { +return null; +} +} else { +if (cl.getResource(path) == null) { +return null; +} } } catch (ClassCircularityError cce) { // May happen under a security manager. Ignore it and try loading @@ -489,4 +503,25 @@ public class ImportHandler { */ private static class NotFound { } + + +private static class PrivilegedResourceExists implements PrivilegedAction { + +private final ClassLoader cl; +private final String name; + +public PrivilegedResourceExists(ClassLoader cl, String name) { +this.cl = cl; +this.name = name; +} + +@Override +public Boolean run() { +if (cl.getResource(name) == null) { +return Boolean.FALSE; +} else { +return Boolean.TRUE; +} +} +} } diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 55e9419..202946a 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -113,6 +113,11 @@ endpoint path is specified and catch invalid endpoint paths earlier. (markt) + +64488: Ensure that the ImportHandler from the Expression +Language API is able to load classes from the Java runtime when running +under a SecurityManager. Based on a patch by Volodymyr Siedleck. (markt) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
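Review bot: the `IS_SECURITY_ENABLED` branch runs `cl.getResource(path)` under `doPrivileged`, so a webapp that lacks read permission for JAVA_HOME (the case the comment describes) can still learn whether a resource named `path` exists anywhere on that class loader's search path, and `path` is derived from a name appearing in an EL expression. Only a boolean leaves `PrivilegedResourceExists.run()`, so the exposure is an existence oracle rather than a read, and the actual load stays policed by the "standard SecurityManager policy" the comment refers to; the code comment should state that trade-off explicitly so the next optimisation in this method does not widen what the privileged block returns.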
[tomcat] branch master updated: Fix BZ 64488. Correct ImportHandler failures under a security manager
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/master by this push: new d2e079f Fix BZ 64488. Correct ImportHandler failures under a security manager d2e079f is described below commit d2e079ff75cba8c1936874e7f1a8244de08d67f2 Author: Mark Thomas AuthorDate: Tue Jun 2 23:54:49 2020 +0100 Fix BZ 64488. Correct ImportHandler failures under a security manager https://bz.apache.org/bugzilla/show_bug.cgi?id=64488 Patch provided by Volodymyr Siedleck --- java/jakarta/el/ImportHandler.java | 39 -- webapps/docs/changelog.xml | 5 + 2 files changed, 42 insertions(+), 2 deletions(-) diff --git a/java/jakarta/el/ImportHandler.java b/java/jakarta/el/ImportHandler.java index 1e7e9b9..c4d62d2 100644 --- a/java/jakarta/el/ImportHandler.java +++ b/java/jakarta/el/ImportHandler.java @@ -19,6 +19,8 @@ package jakarta.el; import java.lang.reflect.Field; import java.lang.reflect.Method; import java.lang.reflect.Modifier; +import java.security.AccessController; +import java.security.PrivilegedAction; import java.util.Collections; import java.util.HashMap; import java.util.HashSet; @@ -31,6 +33,8 @@ import java.util.concurrent.ConcurrentHashMap; */ public class ImportHandler { +private static final boolean IS_SECURITY_ENABLED = (System.getSecurityManager() != null); + private static final Map> standardPackages = new HashMap<>(); static { 
@@ -452,8 +456,18 @@ public class ImportHandler { * for the case where the class does exist is a lot less than the * overhead we save by not calling loadClass(). */ -if (cl.getResource(path) == null) { -return null; +if (IS_SECURITY_ENABLED) { +// Webapps don't have read permission for JAVA_HOME (and +// possibly other sources of classes). Only need to know if the +// class exists at this point. Class loading occurs with +// standard SecurityManager policy next. +if (!AccessController.doPrivileged(new PrivilegedResourceExists(cl, path)).booleanValue()) { +return null; +} +} else { +if (cl.getResource(path) == null) { +return null; +} } } catch (ClassCircularityError cce) { // May happen under a security manager. Ignore it and try loading @@ -489,4 +503,25 @@ public class ImportHandler { */ private static class NotFound { } + + +private static class PrivilegedResourceExists implements PrivilegedAction { + +private final ClassLoader cl; +private final String name; + +public PrivilegedResourceExists(ClassLoader cl, String name) { +this.cl = cl; +this.name = name; +} + +@Override +public Boolean run() { +if (cl.getResource(name) == null) { +return Boolean.FALSE; +} else { +return Boolean.TRUE; +} +} +} } diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index b6d47ce..b3c1546 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -119,6 +119,11 @@ endpoint path is specified and catch invalid endpoint paths earlier. (markt) + +64488: Ensure that the ImportHandler from the Expression +Language API is able to load classes from the Java runtime when running +under a SecurityManager. Based on a patch by Volodymyr Siedleck. (markt) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
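Review bot: `IS_SECURITY_ENABLED` is fixed when the class initialises (`System.getSecurityManager() != null` in the static field added in the first hunk), so a SecurityManager installed after `ImportHandler` has been loaded leaves the lookup on the unprivileged `cl.getResource(path)` branch and the original AccessControlException comes back. When Tomcat is started with the security manager the JVM installs it before Catalina runs, so this holds inside the container, but the EL API jar is also used standalone; add a comment on the field stating that ordering assumption, or read `System.getSecurityManager()` at the call site, which is cheap.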
[tomcat] branch 8.5.x updated: Fix BZ 64488. Correct ImportHandler failures under a security manager
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/8.5.x by this push: new 1350860 Fix BZ 64488. Correct ImportHandler failures under a security manager 1350860 is described below commit 1350860d9a5be290edf0439a0ba6c120f2a78bce Author: Mark Thomas AuthorDate: Tue Jun 2 23:54:49 2020 +0100 Fix BZ 64488. Correct ImportHandler failures under a security manager https://bz.apache.org/bugzilla/show_bug.cgi?id=64488 Patch provided by Volodymyr Siedleck --- java/javax/el/ImportHandler.java | 39 +-- webapps/docs/changelog.xml | 5 + 2 files changed, 42 insertions(+), 2 deletions(-) diff --git a/java/javax/el/ImportHandler.java b/java/javax/el/ImportHandler.java index 151b3ab..636599b 100644 --- a/java/javax/el/ImportHandler.java +++ b/java/javax/el/ImportHandler.java @@ -19,6 +19,8 @@ package javax.el; import java.lang.reflect.Field; import java.lang.reflect.Method; import java.lang.reflect.Modifier; +import java.security.AccessController; +import java.security.PrivilegedAction; import java.util.Collections; import java.util.HashMap; import java.util.HashSet; @@ -31,6 +33,8 @@ import java.util.concurrent.ConcurrentHashMap; */ public class ImportHandler { +private static final boolean IS_SECURITY_ENABLED = (System.getSecurityManager() != null); + private static final Map> standardPackages = new HashMap<>(); static { 
@@ -451,8 +455,18 @@ public class ImportHandler { * for the case where the class does exist is a lot less than the * overhead we save by not calling loadClass(). */ -if (cl.getResource(path) == null) { -return null; +if (IS_SECURITY_ENABLED) { +// Webapps don't have read permission for JAVA_HOME (and +// possibly other sources of classes). Only need to know if the +// class exists at this point. Class loading occurs with +// standard SecurityManager policy next. +if (!AccessController.doPrivileged(new PrivilegedResourceExists(cl, path)).booleanValue()) { +return null; +} +} else { +if (cl.getResource(path) == null) { +return null; +} } } catch (ClassCircularityError cce) { // May happen under a security manager. Ignore it and try loading @@ -488,4 +502,25 @@ public class ImportHandler { */ private static class NotFound { } + + +private static class PrivilegedResourceExists implements PrivilegedAction { + +private final ClassLoader cl; +private final String name; + +public PrivilegedResourceExists(ClassLoader cl, String name) { +this.cl = cl; +this.name = name; +} + +@Override +public Boolean run() { +if (cl.getResource(name) == null) { +return Boolean.FALSE; +} else { +return Boolean.TRUE; +} +} +} } diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 48ae17f..d8fb3c6 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -93,6 +93,11 @@ endpoint path is specified and catch invalid endpoint paths earlier. (markt) + +64488: Ensure that the ImportHandler from the Expression +Language API is able to load classes from the Java runtime when running +under a SecurityManager. Based on a patch by Volodymyr Siedleck. (markt) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
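Review bot: the privileged action is kept to the minimum the comment describes, returning only whether `cl.getResource(name)` found something and never passing the URL back to web application code, so the elevated step is an existence check and nothing more; that property is what makes the `doPrivileged` call acceptable here and is worth stating in a Javadoc comment on `PrivilegedResourceExists` so a later edit does not widen `run()` to return the URL. While there, `run()` can be `return Boolean.valueOf(cl.getResource(name) != null);` instead of the if/else.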
buildbot failure in on tomcat-9-trunk
The Buildbot has detected a new failure on builder tomcat-9-trunk while building tomcat. Full details are available at:
https://ci.apache.org/builders/tomcat-9-trunk/builds/264

Buildbot URL: https://ci.apache.org/
Buildslave for this Build: asf946_ubuntu
Build Reason: The AnyBranchScheduler scheduler named 'on-tomcat-9-commit' triggered this build
Build Source Stamp: [branch 9.0.x] 8f5b6aed86d5b110199be0d91dda80fb7b98aef9
Blamelist: Mark Thomas

BUILD FAILED: failed compile_1

Sincerely,
-The Buildbot
[Bug 64488] EL API: AccessControlException -- Import Handler
https://bz.apache.org/bugzilla/show_bug.cgi?id=64488

Mark Thomas changed:
What|Removed|Added
Status|REOPENED|RESOLVED
Resolution|---|FIXED

--- Comment #7 from Mark Thomas ---
Fixed in:
- master for 10.0.0-M6 onwards
- 9.0.x for 9.0.36 onwards
- 8.5.x for 8.5.56 onwards

Tomcat 7 doesn't support EL 3.0
[tomcat] branch 8.5.x updated: Correct section
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/8.5.x by this push: new 43abcd8 Correct section 43abcd8 is described below commit 43abcd8305009e8c01b64aef90675698ddc3f674 Author: Mark Thomas AuthorDate: Tue Jun 2 23:57:16 2020 +0100 Correct section --- webapps/docs/changelog.xml | 14 +- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index d8fb3c6..47f56df 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -86,6 +86,15 @@ + + + +64488: Ensure that the ImportHandler from the Expression +Language API is able to load classes from the Java runtime when running +under a SecurityManager. Based on a patch by Volodymyr Siedleck. (markt) + + + @@ -93,11 +102,6 @@ endpoint path is specified and catch invalid endpoint paths earlier. (markt) - -64488: Ensure that the ImportHandler from the Expression -Language API is able to load classes from the Java runtime when running -under a SecurityManager. Based on a patch by Volodymyr Siedleck. (markt) - - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 9.0.x updated: Correct section
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new 8f5b6ae Correct section 8f5b6ae is described below commit 8f5b6aed86d5b110199be0d91dda80fb7b98aef9 Author: Mark Thomas AuthorDate: Tue Jun 2 23:57:16 2020 +0100 Correct section --- webapps/docs/changelog.xml | 14 +- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 202946a..a54abc3 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -106,6 +106,15 @@ + + + +64488: Ensure that the ImportHandler from the Expression +Language API is able to load classes from the Java runtime when running +under a SecurityManager. Based on a patch by Volodymyr Siedleck. (markt) + + + @@ -113,11 +122,6 @@ endpoint path is specified and catch invalid endpoint paths earlier. (markt) - -64488: Ensure that the ImportHandler from the Expression -Language API is able to load classes from the Java runtime when running -under a SecurityManager. Based on a patch by Volodymyr Siedleck. (markt) - - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
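Review bot: the tomcat-9-trunk build 264 failure above lists this commit (8f5b6aed86d5b110199be0d91dda80fb7b98aef9) as its source stamp and stopped at compile_1, and the only change here moves the 64488 entry in webapps/docs/changelog.xml to another section; the enclosing tags are not visible in this rendering, so check that the moved block is well-formed at its new position (matching open and close elements around the entry) before looking elsewhere for the failure.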
[Bug 64488] EL API: AccessControlException -- Import Handler
https://bz.apache.org/bugzilla/show_bug.cgi?id=64488

Mark Thomas changed:
What|Removed|Added
Status|RESOLVED|REOPENED
Resolution|INVALID|---

--- Comment #5 from Mark Thomas ---
At first glance, I'd expect that to work. Re-opening while I dig into what is going on...
[Bug 64488] EL API: AccessControlException -- Import Handler
https://bz.apache.org/bugzilla/show_bug.cgi?id=64488

volosied+apa...@gmail.com changed:
What|Removed|Added
Resolution|---|INVALID
Status|NEEDINFO|RESOLVED

--- Comment #4 from volosied+apa...@gmail.com ---
Hello,

Thank you so much for the quick replies. I looked more into my issue, and I have a better idea of what's occurring. I do not believe anything is wrong with the ImportHandler after all.

In my Open Liberty build, I had a development security property enabled, unknown to me, that logs AccessControl exceptions and allows the application to continue. When I removed that property, I encountered a different error: jakarta.el.ELException: Function [:Boolean] not found. This may relate to the fact that rt.jar contains the Boolean class (which EL doesn't have access to?).

I tested the same JSP on Tomcat (with security enabled), and encountered the very same exception.

This is the troublesome EL Expression: "${Boolean(true)}"

I tested it in Tomcat 7 and 9, and the same exception is thrown. The behavior is consistent everywhere. However, can anyone explain why it is that way (or point me to any resources)?

My current understanding is that, when security is enabled, EL (or Tomcat?) doesn't have access, by default, to the java runtime jar, rt.jar? (Which may explain why the original error asked me to add the java.io.FilePermission to the rt.jar.) Although I tried modifying the permissions in Tomcat, I was unsuccessful in getting the EL code to run with security enabled.

However, I tested further, and the following code does work? I'm assuming because it's not going through EL?

<% Boolean b = new Boolean("true"); System.out.println("Boolean Result: " + b); %>
<%= b %>

I'm not very familiar with java security and this is beyond what I originally started looking into, but, once again, thank you for your help. And I'll mark this issue as resolved/invalid.

Full Exception:
javax.el.ELException: Function [:Boolean] not found
    org.apache.el.parser.AstFunction.getValue(AstFunction.java:148)
    org.apache.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:190)
    org.apache.jasper.runtime.PageContextImpl.proprietaryEvaluate(PageContextImpl.java:701)
    org.apache.jsp.el_jsp._jspService(el_jsp.java:163)
    org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:71)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
    org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:477)
    org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:385)
    org.apache.jasper.servlet.JspServlet.service(JspServlet.java:329)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
    sun.reflect.GeneratedMethodAccessor58.invoke(Unknown Source)
    sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    java.lang.reflect.Method.invoke(Method.java:498)
    org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
    org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
    java.security.AccessController.doPrivileged(AccessController.java:770)
    javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
    org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
    java.security.AccessController.doPrivileged(AccessController.java:734)
    org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
    sun.reflect.GeneratedMethodAccessor57.invoke(Unknown Source)
    sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    java.lang.reflect.Method.invoke(Method.java:498)
    org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
    org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
    java.security.AccessController.doPrivileged(AccessController.java:770)
    javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
    org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)