[Bug 56580] New: el-api.jar memory leak
https://issues.apache.org/bugzilla/show_bug.cgi?id=56580

Bug ID: 56580
Summary: el-api.jar memory leak
Product: Tomcat 7
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: major
Priority: P2
Component: Servlet JSP API
Assignee: dev@tomcat.apache.org
Reporter: cos...@prodinf.ro

Hello

I have identified a memory leak that shows in JSF Mojarra 2.1.21 and the Mojarra team said that it is your responsibility to fix it. The Mojarra issue: https://java.net/jira/browse/JAVASERVERFACES-3291 .

The problem is that ELUtils stores a static instance of BeanELResolver. Both mojarra and el-api are stored in tomcat_dir\lib dir. On redeploy the BeanELResolver will not refresh the stored classes inside. For more please use the link above.

--
You are receiving this mail because: You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 56555] Multiple connection headers for status 400 when keep-alive is specified
https://issues.apache.org/bugzilla/show_bug.cgi?id=56555

--- Comment #9 from Mark Thomas ma...@apache.org ---
(In reply to Konstantin Kolinko from comment #8)
> I am -1 to r1598007
>
> See how Connection header is defined in RFC2616 section 14.10 and processing of close token in section 8.1.2.1.
>
> The Connection header is a multi-value header that declares names of header fields that are for this connection only and are not forwarded by proxies. If you drop the Connection header you must drop any other headers that are referenced in it. There are no grounds to do that.

I understand (and agree with) your objections to r1598007. What isn't clear is what you think Tomcat should do here. Is your position that this issue should simply have been resolved as invalid as multiple connection headers are allowed and the presence of a connection: close will always close the connection?
svn commit: r1598480 - in /tomcat/trunk/java/org/apache/coyote/http11/upgrade: Nio2ServletInputStream.java Nio2ServletOutputStream.java
Author: remm Date: Fri May 30 07:48:34 2014 New Revision: 1598480 URL: http://svn.apache.org/r1598480 Log: Remove listener calls optimizations, they skip a lot of things which could be useful and ultimately it doesn't work that well. Modified: tomcat/trunk/java/org/apache/coyote/http11/upgrade/Nio2ServletInputStream.java tomcat/trunk/java/org/apache/coyote/http11/upgrade/Nio2ServletOutputStream.java Modified: tomcat/trunk/java/org/apache/coyote/http11/upgrade/Nio2ServletInputStream.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/upgrade/Nio2ServletInputStream.java?rev=1598480r1=1598479r2=1598480view=diff == --- tomcat/trunk/java/org/apache/coyote/http11/upgrade/Nio2ServletInputStream.java (original) +++ tomcat/trunk/java/org/apache/coyote/http11/upgrade/Nio2ServletInputStream.java Fri May 30 07:48:34 2014 @@ -40,7 +40,7 @@ public class Nio2ServletInputStream exte private final CompletionHandlerInteger, SocketWrapperNio2Channel completionHandler; private boolean flipped = false; private volatile boolean readPending = false; -private volatile boolean fireListener = false; +private volatile boolean interest = false; public Nio2ServletInputStream(SocketWrapperNio2Channel wrapper, AbstractEndpointNio2Channel endpoint0) { this.endpoint = endpoint0; 
@@ -49,31 +49,21 @@ public class Nio2ServletInputStream exte this.completionHandler = new CompletionHandlerInteger, SocketWrapperNio2Channel() { @Override public void completed(Integer nBytes, SocketWrapperNio2Channel attachment) { -boolean fire = false; +boolean notify = false; synchronized (completionHandler) { if (nBytes.intValue() 0) { failed(new EOFException(), attachment); -return; -} -readPending = false; -fire = fireListener; -fireListener = false; -} -if (nBytes.intValue() 0) { -if (!Nio2Endpoint.isInline() fire) { -try { -onDataAvailable(); -} catch (IOException e) { -failed(e, attachment); +} else { +readPending = false; +if (interest !Nio2Endpoint.isInline()) { +interest = false; +notify = true; } } -} else { -try { -onAllDataRead(); -} catch (IOException e) { -failed(e, attachment); -} } +if (notify) { +endpoint.processSocket(attachment, SocketStatus.OPEN_READ, false); +} } @Override public void failed(Throwable exc, SocketWrapperNio2Channel attachment) { @@ -93,7 +83,7 @@ public class Nio2ServletInputStream exte protected boolean doIsReady() throws IOException { synchronized (completionHandler) { if (readPending) { -fireListener = true; +interest = true; return false; } ByteBuffer readBuffer = channel.getBufHandler().getReadBuffer(); @@ -116,7 +106,7 @@ public class Nio2ServletInputStream exte flipped = true; } } else { -fireListener = true; +interest = true; } return isReady; } Modified: tomcat/trunk/java/org/apache/coyote/http11/upgrade/Nio2ServletOutputStream.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/upgrade/Nio2ServletOutputStream.java?rev=1598480r1=1598479r2=1598480view=diff == --- tomcat/trunk/java/org/apache/coyote/http11/upgrade/Nio2ServletOutputStream.java (original) +++ tomcat/trunk/java/org/apache/coyote/http11/upgrade/Nio2ServletOutputStream.java Fri May 30 07:48:34 2014 
@@ -58,13 +58,7 @@ public class Nio2ServletOutputStream ext } else { writePending.release(); if (!Nio2Endpoint.isInline()) { -try { -onWritePossible(); -} catch (IOException e) { -socketWrapper.setError(true); -onError(e); -endpoint.processSocket(socketWrapper, SocketStatus.ERROR, false); -} +
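Review bot: In the completed() hunk of Nio2ServletInputStream (@@ -49,31 +49,21 @@), the removed else branch that called onAllDataRead() has no counterpart in the added lines, which only dispatch SocketStatus.OPEN_READ when interest is set and Nio2Endpoint.isInline() is false. Please state in the log message or in a code comment where end-of-data is now signalled to the listener, and what happens to a pending interest flag when the completion runs inline, since in that case the flag stays set and nothing is dispatched here.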
svn commit: r1598483 - in /tomcat/trunk/webapps: docs/changelog.xml examples/WEB-INF/classes/websocket/echo/EchoAsyncAnnotation.java examples/WEB-INF/classes/websocket/echo/EchoStreamAnnotation.java e
Author: remm Date: Fri May 30 07:52:52 2014 New Revision: 1598483 URL: http://svn.apache.org/r1598483 Log: - Test autobahn myself, add two new echo endpoints and my example config. - Issues with the async endpoint, 9.7 and 9.8. Added: tomcat/trunk/webapps/examples/WEB-INF/classes/websocket/echo/EchoAsyncAnnotation.java tomcat/trunk/webapps/examples/WEB-INF/classes/websocket/echo/EchoStreamAnnotation.java tomcat/trunk/webapps/examples/WEB-INF/classes/websocket/echo/servers.json Modified: tomcat/trunk/webapps/docs/changelog.xml Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1598483r1=1598482r2=1598483view=diff == --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Fri May 30 07:52:52 2014 @@ -135,6 +135,9 @@ status code of the response, ensure that only one connection header is sent to the client. (markt) /fix + fix +Fix input concurrency issue in NIO2 upgrade. (remm) + /fix /changelog /subsection subsection name=Jasper @@ -176,6 +179,9 @@ the resulting codeIllegalStateException/code in a manner consistent with the handling of an codeIOException/code. (markt) /fix + fix +Add more varied endpoints for echo testing. (remm) + /fix /changelog /subsection subsection name=Other Added: tomcat/trunk/webapps/examples/WEB-INF/classes/websocket/echo/EchoAsyncAnnotation.java URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/examples/WEB-INF/classes/websocket/echo/EchoAsyncAnnotation.java?rev=1598483view=auto == --- tomcat/trunk/webapps/examples/WEB-INF/classes/websocket/echo/EchoAsyncAnnotation.java (added) +++ tomcat/trunk/webapps/examples/WEB-INF/classes/websocket/echo/EchoAsyncAnnotation.java Fri May 30 07:52:52 2014 
@@ -0,0 +1,74 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the License); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an AS IS BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package websocket.echo; + +import java.io.IOException; +import java.io.ByteArrayOutputStream; +import java.io.OutputStream; +import java.io.Writer; +import java.nio.ByteBuffer; + +import javax.websocket.OnMessage; +import javax.websocket.PongMessage; +import javax.websocket.Session; +import javax.websocket.server.ServerEndpoint; + +@ServerEndpoint(/websocket/echoAsyncAnnotation) +public class EchoAsyncAnnotation { + +StringBuilder sb = null; +ByteArrayOutputStream bytes = null; + +@OnMessage +public void echoTextMessage(Session session, String msg, boolean last) +throws IOException { +if (sb == null) { +sb = new StringBuilder(); +} +sb.append(msg); +if (last) { +//System.out.println(Write: + sb.length()); +session.getAsyncRemote().sendText(sb.toString()); +sb = null; +} +} + +@OnMessage +public void echoBinaryMessage(byte[] msg, Session session, boolean last) +throws IOException { +if (bytes == null) { +bytes = new ByteArrayOutputStream(); +} +bytes.write(msg); +//System.out.println(Got: + msg.length + + last + + bytes.size()); +if (last) { +//System.out.println(Write bytes: + bytes.size()); + 
session.getAsyncRemote().sendBinary(ByteBuffer.wrap(bytes.toByteArray())); +bytes = null; +} +} + +/** + * Process a received pong. This is a NO-OP. + * + * @param pmIgnored. + */ +@OnMessage +public void echoPongMessage(PongMessage pm) { +// NO-OP +} +} Added: tomcat/trunk/webapps/examples/WEB-INF/classes/websocket/echo/EchoStreamAnnotation.java URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/examples/WEB-INF/classes/websocket/echo/EchoStreamAnnotation.java?rev=1598483view=auto == --- tomcat/trunk/webapps/examples/WEB-INF/classes/websocket/echo/EchoStreamAnnotation.java (added) +++
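Review bot: The second changelog.xml hunk (@@ -176,6 +179,9 @@) records "Add more varied endpoints for echo testing." inside a fix element although the change adds new example classes; use the add element for it. The first entry, "Fix input concurrency issue in NIO2 upgrade.", would be easier to trace if it named the affected class.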
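Review bot: In EchoAsyncAnnotation, echoTextMessage() and echoBinaryMessage() append every partial message to sb and bytes until last is true, with no upper bound, so a peer that keeps sending fragments without a final one makes the endpoint buffer without limit. Because the class ships in the examples webapp, cap the accumulated size and close the session when the cap is exceeded, or document in Javadoc that the endpoint is meant for test-suite use only. The imports java.io.OutputStream and java.io.Writer are not used in this class, and java.io.ByteArrayOutputStream should sort before java.io.IOException.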
[Bug 56555] Multiple connection headers for status 400 when keep-alive is specified
https://issues.apache.org/bugzilla/show_bug.cgi?id=56555

--- Comment #10 from Remy Maucherat r...@apache.org ---
It seems enough to me, +1 for a simple revert.
buildbot failure in ASF Buildbot on tomcat-trunk
The Buildbot has detected a new failure on builder tomcat-trunk while building ASF Buildbot.
Full details are available at: http://ci.apache.org/builders/tomcat-trunk/builds/123

Buildbot URL: http://ci.apache.org/
Buildslave for this Build: bb-vm_ubuntu
Build Reason: scheduler
Build Source Stamp: [branch tomcat/trunk] 1598483
Blamelist: remm

BUILD FAILED: failed compile_1

sincerely,
-The Buildbot
[Bug 56555] Multiple connection headers for status 400 when keep-alive is specified
https://issues.apache.org/bugzilla/show_bug.cgi?id=56555

--- Comment #11 from Konstantin Kolinko knst.koli...@gmail.com ---
> multiple connection headers are allowed and the presence of a connection: close will always close the connection?

Yes. (and multiple tokens in the same Connection header are allowed).

If you strive for cleanness then
a) remove keep-alive token only,
b) remove Keep-Alive: header if there is any (a header defined by RFC2068).

I do not think that it is worth pursuing.

As for OP, I see no sense why they explicitly add a keep-alive header.
First, container takes care of that (and will use keep-alive whenever possible, taking into account the protocol version and how many keep-alive requests have already been processed).
Second, HTTP/1.1 connections are keep-alive by default. No header needed.
Third, as this is a header for the current hop/connection only, it further makes no sense to rely on it in an application.

Thus I think that the original claim is INVALID.

Regarding the original code of AbstractHttp11Processor: I think Tomcat adds keep-alive header in some cases when it should not. Per the above, it does not matter, as the close header wins. The issues are the following:

1) isConnectionClose(headers) call happens in one branch of an if/else only. It shall be called in both cases.
2) If isConnectionClose(headers) returns true, then keepAlive flag shall be set to false and no header added.
3) isConnectionClose( ) method looks for the value of the first header only. It does not enumerate all Connection headers, nor does it look for multiple tokens in the same header.
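The three points at the end of the comment above, as an added Java example; it is not Tomcat's code and not part of the original message. The class, the method names and the Decision type are hypothetical, the header values are constructed samples, and the HTTP/1.0 handling in decide() is an assumption that goes beyond what the comment states.

```java
import java.util.Arrays;
import java.util.List;

/** Added illustration; all names here are hypothetical, not Tomcat's. */
public class ConnectionCloseCheck {

    /** Behaviour described in point 3: only the first Connection header is inspected. */
    static boolean closeInFirstHeaderOnly(List<String> connectionValues) {
        return !connectionValues.isEmpty()
                && "close".equalsIgnoreCase(connectionValues.get(0).trim());
    }

    /** Walks every Connection header and every comma-separated token inside it. */
    static boolean hasConnectionToken(List<String> connectionValues, String wanted) {
        for (String value : connectionValues) {
            for (String token : value.split(",")) {
                // Connection options compare case-insensitively, and the
                // whitespace around a list element is not part of the token.
                if (wanted.equalsIgnoreCase(token.trim())) {
                    return true;
                }
            }
        }
        return false;
    }

    /** Outcome of the container's decision for one response. */
    static final class Decision {
        final boolean keepAlive;
        final String headerToAdd; // null means: add no Connection header

        Decision(boolean keepAlive, String headerToAdd) {
            this.keepAlive = keepAlive;
            this.headerToAdd = headerToAdd;
        }
    }

    /**
     * Points 1 and 2: the close check runs on every path, and when the
     * application has already sent a close token, keep-alive is switched off
     * and the container adds no header of its own.
     */
    static Decision decide(List<String> appConnectionValues,
                           boolean containerWantsKeepAlive, boolean http11) {
        if (hasConnectionToken(appConnectionValues, "close")) {
            return new Decision(false, null);
        }
        if (!containerWantsKeepAlive) {
            return new Decision(false, "close");
        }
        // Assumption: HTTP/1.1 is persistent by default, so only an HTTP/1.0
        // response needs the token, and only if the application did not set it.
        boolean needToken = !http11
                && !hasConnectionToken(appConnectionValues, "keep-alive");
        return new Decision(true, needToken ? "keep-alive" : null);
    }

    public static void main(String[] args) {
        // Constructed samples: each inner list holds the values of the
        // Connection header(s) an application placed on one response.
        List<List<String>> samples = Arrays.asList(
                Arrays.asList("close"),
                Arrays.asList("keep-alive", "close"),   // two separate headers
                Arrays.asList("keep-alive, Close"),     // two tokens, one header
                Arrays.asList("Keep-Alive"),
                Arrays.asList("closed"));               // not the close token
        for (List<String> sample : samples) {
            Decision d = decide(sample, true, true);
            System.out.printf(
                    "%-24s firstOnly=%-5b allTokens=%-5b keepAlive=%-5b add=%s%n",
                    sample, closeInFirstHeaderOnly(sample),
                    hasConnectionToken(sample, "close"), d.keepAlive, d.headerToAdd);
        }
    }
}
```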
[Bug 56578] session.invalidate does not work on cluster enabled webapps
https://issues.apache.org/bugzilla/show_bug.cgi?id=56578

--- Comment #3 from Konstantin Kolinko knst.koli...@gmail.com ---
For reference: the thread on users@, "Tomcat 7.0.54 - Session invalidate broken in some apps"
http://tomcat.markmail.org/thread/3zjrbavcxgrnw3ga
[GUMP@vmgump]: Project tomcat-trunk-validate (in module tomcat-trunk) failed
To whom it may engage...

This is an automated request, but not an unsolicited one. For more information please visit http://gump.apache.org/nagged.html, and/or contact the folk at gene...@gump.apache.org.

Project tomcat-trunk-validate has an issue affecting its community integration. This issue affects 1 projects. The current state of this project is 'Failed', with reason 'Build Failed'.
For reference only, the following projects are affected by this:
- tomcat-trunk-validate : Tomcat 8.x, a web server implementing the Java Servlet 3.1, ...

Full details are available at:
http://vmgump.apache.org/gump/public/tomcat-trunk/tomcat-trunk-validate/index.html

That said, some information snippets are provided here.

The following annotations (debug/informational/warning/error messages) were provided:
-DEBUG- Dependency on checkstyle exists, no need to add for property checkstyle.jar.
-INFO- Failed with reason build failed

The following work was performed:
http://vmgump.apache.org/gump/public/tomcat-trunk/tomcat-trunk-validate/gump_work/build_tomcat-trunk_tomcat-trunk-validate.html
Work Name: build_tomcat-trunk_tomcat-trunk-validate (Type: Build)
Work ended in a state of : Failed
Elapsed: 25 secs
Command Line: /usr/lib/jvm/java-7-oracle/bin/java -Djava.awt.headless=true -Dbuild.sysclasspath=only org.apache.tools.ant.Main -Dgump.merge=/srv/gump/public/gump/work/merge.xml -Dcheckstyle.jar=/srv/gump/public/workspace/checkstyle/target/checkstyle-5.7-SNAPSHOT.jar -Dexecute.validate=true validate
[Working Directory: /srv/gump/public/workspace/tomcat-trunk]
CLASSPATH: /usr/lib/jvm/java-7-oracle/lib/tools.jar:/srv/gump/public/workspace/ant/dist/lib/ant.jar:/srv/gump/public/workspace/ant/dist/lib/ant-launcher.jar:/srv/gump/public/workspace/ant/dist/lib/ant-jmf.jar:/srv/gump/public/workspace/ant/dist/lib/ant-junit.jar:/srv/gump/public/workspace/ant/dist/lib/ant-junit4.jar:/srv/gump/public/workspace/ant/dist/lib/ant-swing.jar:/srv/gump/public/workspace/ant/dist/lib/ant-apache-resolver.jar:/srv/gump/public/workspace/ant/dist/lib/ant-apache-xalan2.jar:/srv/gump/public/workspace/xml-commons/java/build/resolver.jar:/srv/gump/packages/antlr/antlr-3.1.3.jar:/srv/gump/public/workspace/checkstyle/target/checkstyle-5.7-SNAPSHOT.jar:/srv/gump/public/workspace/apache-commons/beanutils/dist/commons-beanutils-20140530.jar:/srv/gump/public/workspace/apache-commons/cli/target/commons-cli-1.3-SNAPSHOT.jar:/srv/gump/public/workspace/commons-collections-3.x/target/commons-collections-3.3-SNAPSHOT.jar:/srv/gump/public/workspace/apache-commons/exec/target/commons-exec-1.3-SNAPSHOT.jar:/srv/gump/public/workspace/apache-commons/logging/target/commons-logging-20140530.jar:/srv/gump/public/workspace/apache-commons/logging/target/commons-logging-api-20140530.jar:/srv/gump/public/workspace/apache-commons/validator/dist/commons-validator-20140530.jar:/srv/gump/public/workspace/google-guava/guava/target/guava-18.0-SNAPSHOT.jar
-
Buildfile: /srv/gump/public/workspace/tomcat-trunk/build.xml

build-prepare:
   [delete] Deleting directory /srv/gump/public/workspace/tomcat-trunk/output/build/temp
    [mkdir] Created dir: /srv/gump/public/workspace/tomcat-trunk/output/build/temp

compile-prepare:

download-validate:

proxyflags:

setproxy:

testexist:
     [echo] Testing for /srv/gump/public/workspace/checkstyle/target/checkstyle-5.7-SNAPSHOT.jar

downloadzip:

validate:
    [mkdir] Created dir: /srv/gump/public/workspace/tomcat-trunk/output/res/checkstyle
[checkstyle] Running Checkstyle 5.7-SNAPSHOT on 2876 files
[checkstyle] /srv/gump/public/workspace/tomcat-trunk/java/org/apache/coyote/http11/upgrade/Nio2ServletInputStream.java:66: Line matches the illegal pattern '\s+$'.
[checkstyle] /srv/gump/public/workspace/tomcat-trunk/webapps/examples/WEB-INF/classes/websocket/echo/EchoAsyncAnnotation.java:20: Wrong order for 'java.io.ByteArrayOutputStream' import.
[checkstyle] /srv/gump/public/workspace/tomcat-trunk/webapps/examples/WEB-INF/classes/websocket/echo/EchoAsyncAnnotation.java:21:8: Unused import - java.io.OutputStream.
[checkstyle] /srv/gump/public/workspace/tomcat-trunk/webapps/examples/WEB-INF/classes/websocket/echo/EchoAsyncAnnotation.java:22:8: Unused import - java.io.Writer.
[checkstyle] /srv/gump/public/workspace/tomcat-trunk/webapps/examples/WEB-INF/classes/websocket/echo/EchoStreamAnnotation.java:22:8: Unused import - java.nio.ByteBuffer.

BUILD FAILED
/srv/gump/public/workspace/tomcat-trunk/build.xml:538: Got 5 errors and 0 warnings.

Total time: 25 seconds
-
To subscribe to this information via syndicated feeds:
- RSS: http://vmgump.apache.org/gump/public/tomcat-trunk/tomcat-trunk-validate/rss.xml
- Atom: http://vmgump.apache.org/gump/public/tomcat-trunk/tomcat-trunk-validate/atom.xml

== Gump Tracking Only ===
Produced by Apache Gump(TM) version 2.3.
Gump Run
svn commit: r1598708 - in /tomcat/trunk: java/org/apache/coyote/http11/upgrade/Nio2ServletInputStream.java webapps/examples/WEB-INF/classes/websocket/echo/EchoAsyncAnnotation.java webapps/examples/WEB
Author: remm Date: Fri May 30 19:23:48 2014 New Revision: 1598708 URL: http://svn.apache.org/r1598708 Log: Typos. Modified: tomcat/trunk/java/org/apache/coyote/http11/upgrade/Nio2ServletInputStream.java tomcat/trunk/webapps/examples/WEB-INF/classes/websocket/echo/EchoAsyncAnnotation.java tomcat/trunk/webapps/examples/WEB-INF/classes/websocket/echo/EchoStreamAnnotation.java Modified: tomcat/trunk/java/org/apache/coyote/http11/upgrade/Nio2ServletInputStream.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/upgrade/Nio2ServletInputStream.java?rev=1598708r1=1598707r2=1598708view=diff == --- tomcat/trunk/java/org/apache/coyote/http11/upgrade/Nio2ServletInputStream.java (original) +++ tomcat/trunk/java/org/apache/coyote/http11/upgrade/Nio2ServletInputStream.java Fri May 30 19:23:48 2014 @@ -63,7 +63,7 @@ public class Nio2ServletInputStream exte } if (notify) { endpoint.processSocket(attachment, SocketStatus.OPEN_READ, false); -} +} } @Override public void failed(Throwable exc, SocketWrapperNio2Channel attachment) { Modified: tomcat/trunk/webapps/examples/WEB-INF/classes/websocket/echo/EchoAsyncAnnotation.java URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/examples/WEB-INF/classes/websocket/echo/EchoAsyncAnnotation.java?rev=1598708r1=1598707r2=1598708view=diff == --- tomcat/trunk/webapps/examples/WEB-INF/classes/websocket/echo/EchoAsyncAnnotation.java (original) +++ tomcat/trunk/webapps/examples/WEB-INF/classes/websocket/echo/EchoAsyncAnnotation.java Fri May 30 19:23:48 2014 
@@ -16,10 +16,8 @@ */ package websocket.echo; -import java.io.IOException; import java.io.ByteArrayOutputStream; -import java.io.OutputStream; -import java.io.Writer; +import java.io.IOException; import java.nio.ByteBuffer; import javax.websocket.OnMessage; Modified: tomcat/trunk/webapps/examples/WEB-INF/classes/websocket/echo/EchoStreamAnnotation.java URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/examples/WEB-INF/classes/websocket/echo/EchoStreamAnnotation.java?rev=1598708r1=1598707r2=1598708view=diff == --- tomcat/trunk/webapps/examples/WEB-INF/classes/websocket/echo/EchoStreamAnnotation.java (original) +++ tomcat/trunk/webapps/examples/WEB-INF/classes/websocket/echo/EchoStreamAnnotation.java Fri May 30 19:23:48 2014 @@ -19,7 +19,6 @@ package websocket.echo; import java.io.IOException; import java.io.OutputStream; import java.io.Writer; -import java.nio.ByteBuffer; import javax.websocket.OnMessage; import javax.websocket.PongMessage; - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1598758 - /tomcat/trunk/webapps/docs/changelog.xml
Author: kkolinko Date: Fri May 30 22:03:12 2014 New Revision: 1598758 URL: http://svn.apache.org/r1598758 Log: Add CVE numbers, correct a typo. Modified: tomcat/trunk/webapps/docs/changelog.xml Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1598758r1=1598757r2=1598758view=diff == --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Fri May 30 22:03:12 2014 @@ -163,7 +163,7 @@ /add fix Correct a copy/paste error and return a 500 response rather than a 400 -response when an internal server error occurs. (mark) +response when an internal server error occurs. (markt) /fix /changelog /subsection @@ -323,8 +323,12 @@ the WAR was deleted. (markt) /fix fix +Fix CVE-2014-0119: Only create XML parsing objects if required and fix associated potential -memory leak in the default Servlet. (markt) +memory leak in the default Servlet. +Extend XML factory, parser etc. memory leak protection to cover some +additional locations where, theoretically, a memory leak could occur. +(markt) /fix fix Modify generic exception handling so that @@ -341,11 +345,6 @@ patterns of the form code*.a.b/code which are not valid patterns for extension mappings. (markt) /add - add -Extend XML factory, parser etc. memory leak protection to cover some -additional locations where, theoretically, a memory leak could occur. -(markt) - /add fix bug56441/bug: Raise the visibility of exceptions thrown when a problem is encountered calling a getter or setter on a component @@ -763,6 +762,7 @@ unit tests identified. Based on a patch by Larry Isaacs. (markt) /fix fix +Fix CVE-2014-0096: Redefine the codeglobalXsltFile/code initialisation parameter of the DefaultServlet as relative to CATALINA_BASE/conf or CATALINA_HOME/conf. Prevent user supplied XSLTs used by the DefaultServlet from defining 
@@ -786,16 +786,19 @@ Nabil Benothman. (remm) /add fix +Fix CVE-2014-0075: Improve processing of chuck size from chunked headers. Avoid overflow and use a bit shift instead of a multiplication as it is marginally faster. (markt/kkolinko) /fix fix +Fix CVE-2014-0095: Correct regression introduced in 8.0.0-RC2 as part of the Servlet 3.1 non-blocking IO support that broke handling of requests with an explicit content length of zero. (markt/kkolinko) /fix fix +Fix CVE-2014-0099: Fix possible overflow when parsing long values from a byte array. (markt) /fix - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
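Review bot: The log message says a typo is corrected, but the entry that receives the CVE-2014-0075 label in the @@ -786,16 +786,19 @@ hunk still reads "chuck size from chunked headers". Change it to "chunk size" while the entry is being touched, since readers searching the changelog for the CVE will land on this sentence.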
svn commit: r1598761 - /tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
Author: kkolinko Date: Fri May 30 22:09:51 2014 New Revision: 1598761 URL: http://svn.apache.org/r1598761 Log: Add CVE numbers, correct typos. Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1598761r1=1598760r2=1598761view=diff == --- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Fri May 30 22:09:51 2014 @@ -153,8 +153,13 @@ Based on the patch provided by Nick Bunn. (violetagg/kkolinko) /add fix +Fix CVE-2014-0119: Only create XML parsing objects if required and fix associated potential -memory leak in the default Servlet. (markt) +memory leak in the default Servlet. +Extend XML factory, parser etc. memory leak protection to cover some +additional locations where, theoretically, a memory leak could occur. +Ensure that a TLD parser obtained from the cache has the correct value +of codeblockExternal/code. (markt) /fix fix Modify generic exception handling so that @@ -171,15 +176,6 @@ patterns of the form code*.a.b/code which are not valid patterns for extension mappings. (markt) /add - add -Extend XML factory, parser etc. memory leak protection to cover some -additional locations where, theoretically, a memory leak could occur. -(markt) - /add - fix -Ensure that a TLD parser obtained from the cache has the correct value -of codeblockExternal/code. (markt) - /fix fix bug56441/bug: Raise the visibility of exceptions thrown when a problem is encountered calling a getter or setter on a component @@ -460,6 +456,7 @@ new version. (markt) /fix fix +Fix CVE-2014-0096: Redefine the codeglobalXsltFile/code initialisation parameter of the DefaultServlet as relative to CATALINA_BASE/conf or CATALINA_HOME/conf. Prevent user supplied XSLTs used by the DefaultServlet from defining 
@@ -495,11 +492,13 @@ under heavy load. (markt) /fix fix +Fix CVE-2014-0075: Improve processing of chuck size from chunked headers. Avoid overflow and use a bit shift instead of a multiplication as it is marginally faster. (markt/kkolinko) /fix fix +Fix CVE-2014-0099: Fix possible overflow when parsing long values from a byte array. (markt) /fix @@ -3500,7 +3499,7 @@ fix Remove the codesocket.soTrafficClass/code from the BIO and NIO HTTP and AJP connectors because any use of the option is either ignored -or in some cases (Java 7 with NIO) throws an Exception. (mark) +or in some cases (Java 7 with NIO) throws an Exception. (markt) /fix fix Prevent possible NPE when processing Comet requests during Connector @@ -4520,7 +4519,7 @@ fix bug52577/bug: Fix a regression in the fix for bug52328/bug. Prevent output truncation when codereset()/code is called on a -response. (mark) +response. (markt) /fix fix bug52586/bug: Remove an old and now unnecessary hack that modified @@ -5638,7 +5637,7 @@ changelog fix bug51641/bug: Use correct key when removing processor instances from -the connections map during clean-up. Patch provided by zhh. (mark) +the connections map during clean-up. Patch provided by zhh. (markt) /fix fix More changes to align the code between the different HTTP connectors. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
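Review bot: In the @@ -153,8 +153,13 @@ hunk, the CVE-2014-0119 label now heads a single entry that merges three previously separate items: the default Servlet change, the extended leak protection that the text itself calls theoretical, and the blockExternal TLD parser fix. Someone using the changelog to assess exposure cannot tell which of these the CVE covers. Either state that all three are part of the fix, or keep the label on the specific item and leave the others as their own entries.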
svn commit: r1598762 - /tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
Author: kkolinko Date: Fri May 30 22:13:53 2014 New Revision: 1598762 URL: http://svn.apache.org/r1598762 Log: Add CVE numbers. Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=1598762r1=1598761r2=1598762view=diff == --- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Fri May 30 22:13:53 2014 @@ -97,6 +97,7 @@ (markt/kkolinko) /fix fix +Fix CVE-2014-0096: Redefine the codeglobalXsltFile/code initialisation parameter of the DefaultServlet as relative to CATALINA_BASE/conf or CATALINA_HOME/conf. Prevent user supplied XSLTs used by the DefaultServlet from defining @@ -113,18 +114,15 @@ listener. (markt) /fix fix +Fix CVE-2014-0119: Only create XML parsing objects if required and fix associated potential -memory leak in the default Servlet. (markt) - /fix - fix +memory leak in the default Servlet. Ensure that a TLD parser obtained from the cache has the correct value -of codeblockExternal/code. (markt/kkolinko) - /fix - add +of codeblockExternal/code. Extend XML factory, parser etc. memory leak protection to cover some additional locations where, theoretically, a memory leak could occur. -(markt) - /add +(markt/kkolinko) + /fix add Add the codeorg.apache.naming/code package to the packages requiring code to have the codedefineClassInPackage/code permission when @@ -144,11 +142,13 @@ subsection name=Coyote changelog fix +Fix CVE-2014-0075: Improve processing of chuck size from chunked headers. Avoid overflow and use a bit shift instead of a multiplication as it is marginally faster. (markt/kkolinko) /fix fix +Fix CVE-2014-0099: Fix possible overflow when parsing long values from a byte array. (markt) /fix - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
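Review bot: In the @@ -113,18 +114,15 @@ hunk, the merged CVE-2014-0119 entry ends with (markt/kkolinko), while in the removed lines only the blockExternal item carried both names and the other two were credited to (markt) alone. If per-item credit matters in the changelog, keep each attribution next to its sentence instead of a single one at the end.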
buildbot success in ASF Buildbot on tomcat-trunk
The Buildbot has detected a restored build on builder tomcat-trunk while building ASF Buildbot.
Full details are available at: http://ci.apache.org/builders/tomcat-trunk/builds/124

Buildbot URL: http://ci.apache.org/
Buildslave for this Build: bb-vm_ubuntu
Build Reason: scheduler
Build Source Stamp: [branch tomcat/trunk] 1598708
Blamelist: remm

Build succeeded!

sincerely,
-The Buildbot
svn commit: r1598763 - in /tomcat/trunk: ./ res/rat/ webapps/examples/WEB-INF/classes/websocket/echo/
Author: kkolinko Date: Fri May 30 22:40:48 2014 New Revision: 1598763 URL: http://svn.apache.org/r1598763 Log: Followup to r1598483: 1. svn:eol-style 2. Add *.json to text.files patternset in build.xml 3. Add json file to rat-excludes.txt Per RFC7159 I see no way to add license comment to a JSON file. It is a data file. Modified: tomcat/trunk/build.xml tomcat/trunk/res/rat/rat-excludes.txt tomcat/trunk/webapps/examples/WEB-INF/classes/websocket/echo/EchoAsyncAnnotation.java (props changed) tomcat/trunk/webapps/examples/WEB-INF/classes/websocket/echo/EchoStreamAnnotation.java (props changed) tomcat/trunk/webapps/examples/WEB-INF/classes/websocket/echo/servers.json (props changed) Modified: tomcat/trunk/build.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/build.xml?rev=1598763r1=1598762r2=1598763view=diff == --- tomcat/trunk/build.xml (original) +++ tomcat/trunk/build.xml Fri May 30 22:40:48 2014 @@ -253,6 +253,7 @@ include name=**/*.ini/ include name=**/*.java/ include name=**/*.jjt/ +include name=**/*.json/ include name=**/*.jsp/ include name=**/*.jspf/ include name=**/*.jspx/ Modified: tomcat/trunk/res/rat/rat-excludes.txt URL: http://svn.apache.org/viewvc/tomcat/trunk/res/rat/rat-excludes.txt?rev=1598763r1=1598762r2=1598763view=diff == --- tomcat/trunk/res/rat/rat-excludes.txt (original) +++ tomcat/trunk/res/rat/rat-excludes.txt Fri May 30 22:40:48 2014 @@ -20,12 +20,18 @@ The following files are excluded: - *.html files in documentation are generated from XML sources + - *.md5 files are generated and cannot contain license + - *.manifest JAR manifest files cannot contain license + - package-list files in API documentation (javadoc) are generated + - other trivial test files, such as textual files containing only OK' string, are also excluded. + - JSON files (RFC7159) are data and cannot contain comments + output/build/webapps/docs/*.html output/build/webapps/docs/appdev/*.html output/build/webapps/docs/architecture/*.html 
@@ -39,19 +45,27 @@ output/dist/webapps/docs/architecture/*. output/dist/webapps/docs/config/*.html output/dist/webapps/docs/funcspecs/*.html output/dist/webapps/docs/tribes/*.html + output/embed/*.md5 output/extras/*.md5 + modules/jdbc-pool/resources/MANIFEST.MF output/dist/src/modules/jdbc-pool/resources/MANIFEST.MF output/dist/src/res/META-INF/*.manifest output/jdbc-pool/resources/MANIFEST.MF output/manifests/*.manifest res/META-INF/*.manifest + output/dist/webapps/docs/api/package-list output/dist/webapps/docs/elapi/package-list output/dist/webapps/docs/jspapi/package-list output/dist/webapps/docs/servletapi/package-list + output/dist/src/test/webapp/bug53257/*.txt output/dist/src/test/webapp-fragments/WEB-INF/classes/*.txt test/webapp/bug53257/*.txt test/webapp-fragments/WEB-INF/classes/*.txt + +webapps/examples/WEB-INF/classes/websocket/echo/servers.json +output/build/webapps/examples/WEB-INF/classes/websocket/echo/servers.json +output/dist/webapps/examples/WEB-INF/classes/websocket/echo/servers.json Propchange: tomcat/trunk/webapps/examples/WEB-INF/classes/websocket/echo/EchoAsyncAnnotation.java -- svn:eol-style = native Propchange: tomcat/trunk/webapps/examples/WEB-INF/classes/websocket/echo/EchoStreamAnnotation.java -- svn:eol-style = native Propchange: tomcat/trunk/webapps/examples/WEB-INF/classes/websocket/echo/servers.json -- svn:eol-style = native - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
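Review bot: the `**/*.json` include added to build.xml (between `**/*.jjt` and `**/*.jsp`) matches every JSON file in the tree, while the log message and the rat-excludes.txt entries concern only websocket/echo/servers.json. Whatever processing build.xml applies to the text.files patternset will now also touch any JSON file added later, so say in the log message that the wider scope is intended, and confirm that no JSON file which has to stay byte-identical (a checksummed or signed data file, for instance) falls under the pattern.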
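Review bot: in the first rat-excludes.txt hunk the new bullet "JSON files (RFC7159) are data and cannot contain comments" reads as a blanket exclusion, but the paths added further down list only servers.json. Name the file in the bullet, or state that each JSON file must be listed explicitly, so that a JSON file added later is not assumed to be excluded from the license audit and the exclusion list stays as narrow as it currently is.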
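Review bot: the three servers.json entries in the second rat-excludes.txt hunk cover the source tree, output/build and output/dist, but the neighbouring groups also carry an output/dist/src/ copy (output/dist/src/test/webapp/bug53257/*.txt, output/dist/src/modules/jdbc-pool/resources/MANIFEST.MF). If the source distribution includes webapps/examples, a matching output/dist/src/... entry for servers.json is missing and the license audit will flag the file there; add it or note why it is not needed.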
Re: svn commit: r1598483 - in /tomcat/trunk/webapps: docs/changelog.xml examples/WEB-INF/classes/websocket/echo/EchoAsyncAnnotation.java examples/WEB-INF/classes/websocket/echo/EchoStreamAnnotation.ja
2014-05-30 11:52 GMT+04:00 r...@apache.org:
> Author: remm
> Date: Fri May 30 07:52:52 2014
> New Revision: 1598483
>
> URL: http://svn.apache.org/r1598483
> Log:
> - Test autobahn myself, add two new echo endpoints and my example config.
> - Issues with the async endpoint, 9.7 and 9.8.
>
> Added:
>     tomcat/trunk/webapps/examples/WEB-INF/classes/websocket/echo/EchoAsyncAnnotation.java
>     tomcat/trunk/webapps/examples/WEB-INF/classes/websocket/echo/EchoStreamAnnotation.java
>     tomcat/trunk/webapps/examples/WEB-INF/classes/websocket/echo/servers.json
> Modified:
>     tomcat/trunk/webapps/docs/changelog.xml

I fixed svn:eol-style and other issues in r1598763.

What I do not like here is that it is not clear how to use these classes. They are not referenced in public examples html pages, not used in unit tests, have no javadoc.

Maybe add Javadoc to them?

Best regards,
Konstantin Kolinko
[Bug 56578] session.invalidate does not work on cluster enabled webapps
https://issues.apache.org/bugzilla/show_bug.cgi?id=56578 --- Comment #4 from Konstantin Kolinko knst.koli...@gmail.com ---

WORKSFORME:

I placed both files into webapps/examples/

I added the following line to session.jsp to display current session id:

    <tr><td>Session ID:</td><td><%= session.getId() %></td></tr>

I am using a single Tomcat instance, with default configuration. I added the following line to server.xml:

    <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>

I do not see any error. The session creation time is updated on invalidation, and session id is changed as well.

Tested with current 7.0.x (JDK 6u45) and 8.0.x (JDK 7u55), on Win7, Firefox 29.0.1.

A fragment of catalina.date.log of Tomcat 7 (at start time):

    31.05.2014 0:02:35 org.apache.catalina.ha.tcp.SimpleTcpCluster startInternal
    INFO: Cluster is about to start
    31.05.2014 0:02:35 org.apache.catalina.tribes.transport.ReceiverBase bind
    INFO: Receiver Server Socket bound to:/xxx.yyy.z.www:4000
    31.05.2014 0:02:35 org.apache.catalina.tribes.membership.McastServiceImpl setupSocket
    INFO: Setting cluster mcast soTimeout to 500
    31.05.2014 0:02:35 org.apache.catalina.tribes.membership.McastServiceImpl waitForMembers
    INFO: Sleeping for 1000 milliseconds to establish cluster membership, start level:4
    31.05.2014 0:02:36 org.apache.catalina.tribes.membership.McastServiceImpl waitForMembers
    INFO: Done sleeping, membership established, start level:4
    31.05.2014 0:02:36 org.apache.catalina.tribes.membership.McastServiceImpl waitForMembers
    INFO: Sleeping for 1000 milliseconds to establish cluster membership, start level:8
    31.05.2014 0:02:37 org.apache.catalina.tribes.membership.McastServiceImpl waitForMembers
    INFO: Done sleeping, membership established, start level:8
    31.05.2014 0:02:37 org.apache.catalina.ha.session.JvmRouteBinderValve startInternal
    INFO: JvmRouteBinderValve started

Did you use a single Tomcat instance in your reproduction scenario, or do I need something more complex?

Did your cluster startup log look like the above?

Does your configuration have other differences from the default one (besides the added line in server.xml)?

Can you try debugging? (As mentioned in the e-mail thread).
[Bug 56578] session.invalidate does not work on cluster enabled webapps
https://issues.apache.org/bugzilla/show_bug.cgi?id=56578 --- Comment #5 from David Rees dree...@gmail.com ---

On a hunch, I tested a webapp with and without the <distributable/> element. The webapp also needs to have that element in the web.xml to reproduce the issue and the examples webapp does not have it.

FWIW environment is CentOS 6.5, Java 7u55 and Chrome 35, but I don't think any of those factors matter.
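A way to check the behaviour discussed in comments #4 and #5 without a browser, as an added example (not code from the bug report or from Tomcat): a Servlet 3.0 probe to deploy in a webapp whose web.xml contains <distributable/>, on an instance with the <Cluster> line from comment #4. The class name, URL pattern and attribute name are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical probe; class name, URL pattern and attribute name are assumptions.
@WebServlet("/invalidate-probe")
public class InvalidateProbeServlet extends HttpServlet {

    private static final long serialVersionUID = 1L;
    private static final String MARKER = "probe.marker";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // Create (or reuse) a session and tag it so leftover state is detectable.
        HttpSession before = req.getSession(true);
        String oldId = before.getId();
        long oldCreated = before.getCreationTime(); // must be read before invalidate()
        before.setAttribute(MARKER, "set-before-invalidate"); // String is Serializable

        before.invalidate();

        // The container must now hand out a brand-new session.
        HttpSession after = req.getSession(true);
        boolean idChanged = !oldId.equals(after.getId());
        boolean markerGone = after.getAttribute(MARKER) == null;
        boolean ok = idChanged && after.isNew() && markerGone;

        // A non-200 status lets a script or monitor detect the failure.
        resp.setStatus(ok ? HttpServletResponse.SC_OK
                          : HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        resp.setContentType("text/plain");
        resp.setCharacterEncoding("UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("id changed:       " + idChanged);
        out.println("new session:      " + after.isNew());
        out.println("attributes gone:  " + markerGone);
        out.println("creation time:    " + oldCreated + " -> " + after.getCreationTime());
        out.println(ok ? "PASS" : "FAIL: session survived invalidate()");
    }
}
```

Running the same probe in a webapp without <distributable/> gives the baseline that comment #4 reports as working.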
[Bug 56580] el-api.jar memory leak
https://issues.apache.org/bugzilla/show_bug.cgi?id=56580

Christopher Schultz ch...@christopherschultz.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO

--- Comment #1 from Christopher Schultz ch...@christopherschultz.net ---

There is no class ELUtils in Tomcat. Can you give more information?