svn commit: r45431 - in /release/tomcat/tomcat-10/v10.0.0/bin: apache-tomcat-10.0.0.tar.gz.asc apache-tomcat-10.0.0.zip.asc

2021-01-14 Thread markt
Author: markt
Date: Thu Jan 14 22:32:55 2021
New Revision: 45431

Log:
Add missing signature files

Added:
release/tomcat/tomcat-10/v10.0.0/bin/apache-tomcat-10.0.0.tar.gz.asc
release/tomcat/tomcat-10/v10.0.0/bin/apache-tomcat-10.0.0.zip.asc

Added: release/tomcat/tomcat-10/v10.0.0/bin/apache-tomcat-10.0.0.tar.gz.asc
==
--- release/tomcat/tomcat-10/v10.0.0/bin/apache-tomcat-10.0.0.tar.gz.asc (added)
+++ release/tomcat/tomcat-10/v10.0.0/bin/apache-tomcat-10.0.0.tar.gz.asc Thu 
Jan 14 22:32:55 2021
@@ -0,0 +1,16 @@
+-BEGIN PGP SIGNATURE-
+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+=jLzI
+-END PGP SIGNATURE-
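Review bot: this signature lands in dist five weeks after the 10.0.0 vote closed (see the [VOTE][RESULT] thread on this page), so anyone who downloaded apache-tomcat-10.0.0.tar.gz in between had no detached signature to verify; the publish step should refuse to complete while any artifact lacks its .asc, rather than relying on a users-list report. Before committing, the file should be checked with gpg --verify against the project KEYS file; the signature body is elided in this archive and only the armor lines and the =jLzI checksum line survive, so that cannot be confirmed from here.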

Added: release/tomcat/tomcat-10/v10.0.0/bin/apache-tomcat-10.0.0.zip.asc
==
--- release/tomcat/tomcat-10/v10.0.0/bin/apache-tomcat-10.0.0.zip.asc (added)
+++ release/tomcat/tomcat-10/v10.0.0/bin/apache-tomcat-10.0.0.zip.asc Thu Jan 
14 22:32:55 2021
@@ -0,0 +1,16 @@
+-BEGIN PGP SIGNATURE-
+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+=7y5A
+-END PGP SIGNATURE-
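Review bot: the .zip signature was absent for the same period as the .tar.gz one while the remaining signatures in the directory were present (per the users-list report quoted in the thread), which points at the upload step rather than the signing step; since the same thing has happened before ("Hmm. This again." in the reply), the commit message should record where the files were lost so the release procedure can be corrected, not just "Add missing signature files".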



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: [VOTE][RESULT] Release Apache Tomcat 10.0.0

2021-01-14 Thread Mark Thomas
On 14/01/2021 22:00, Christopher Schultz wrote:
> Mark,
> 
> On 12/8/20 12:17, Mark Thomas wrote:
>> The following votes were cast:
>>
>> Binding:
>> +1 (beta): remm, isapir, mturk, mgrigorov, ebourg, markt
>>
>> No other votes were cast.
>>
>> The vote therefore passes.
>>
>> Thanks to everyone who contributed to this release.
> 
> Someone reported on the users' list it appears that PGP signatures are
> missing for the .zip and .tar.gz artifacts. Other signatures are
> available on the web server @
> https://downloads.apache.org/tomcat/tomcat-10/v10.0.0/bin/

Hmm. This again. I wish I knew what was going on.

I have the original release directory. I'll get the sigs added.

Mark




Re: [VOTE][RESULT] Release Apache Tomcat 10.0.0

2021-01-14 Thread Christopher Schultz

Mark,

On 12/8/20 12:17, Mark Thomas wrote:

The following votes were cast:

Binding:
+1 (beta): remm, isapir, mturk, mgrigorov, ebourg, markt

No other votes were cast.

The vote therefore passes.

Thanks to everyone who contributed to this release.


Someone reported on the users' list it appears that PGP signatures are 
missing for the .zip and .tar.gz artifacts. Other signatures are 
available on the web server @ 
https://downloads.apache.org/tomcat/tomcat-10/v10.0.0/bin/


-chris
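The check that would have caught the situation described in this thread, as an added example in Python and not anything from the Tomcat release tooling: it walks a directory listing and reports every binary artifact that has no detached signature (.asc) or checksum (.sha512) beside it, and it verifies a downloaded file against its .sha512 line. The "<hex> *filename" checksum format, the .exe installer name and the sidecar layout are assumptions about the downloads directory; the listing and file contents are constructed, not the real 10.0.0 directory. The signature itself still has to be checked with gpg --verify against the project KEYS file; this script only tells you whether there is anything to check.

```python
"""Release-directory completeness and checksum check for Apache Tomcat
style binary distributions. Added example, not part of the Tomcat release
tooling; the sample listing and file contents are constructed."""
import hashlib
import re

# Artifact types assumed to live in a Tomcat bin/ download directory.
ARTIFACT_SUFFIXES = (".tar.gz", ".zip", ".exe")
# Every artifact is expected to ship with these sidecar files (assumption
# about the downloads layout: detached PGP signature plus SHA-512 checksum).
COMPANION_SUFFIXES = (".asc", ".sha512")

# Constructed listing mirroring the thread: .asc missing for .tar.gz and .zip.
SAMPLE_LISTING = [
    "apache-tomcat-10.0.0.tar.gz",
    "apache-tomcat-10.0.0.tar.gz.sha512",
    "apache-tomcat-10.0.0.zip",
    "apache-tomcat-10.0.0.zip.sha512",
    "apache-tomcat-10.0.0.exe",
    "apache-tomcat-10.0.0.exe.asc",
    "apache-tomcat-10.0.0.exe.sha512",
]


def missing_companions(listing):
    """Map each artifact to the sidecar files it lacks; empty when complete."""
    names = set(listing)
    report = {}
    for name in sorted(names):
        if not name.endswith(ARTIFACT_SUFFIXES):
            continue  # sidecar files and anything else are not artifacts
        missing = [name + ext for ext in COMPANION_SUFFIXES if name + ext not in names]
        if missing:
            report[name] = missing
    return report


# One checksum line: 128 hex digits, whitespace, optional '*' (binary-mode
# marker as written by sha512sum -b), then the file name.
SHA512_LINE = re.compile(r"^([0-9a-fA-F]{128})\s+\*?(\S+)\s*$")


def sha512_line(data, name):
    """Produce a checksum line in the assumed '<hex> *name' form."""
    return f"{hashlib.sha512(data).hexdigest()} *{name}\n"


def verify_sha512(data, checksum_text, expected_name):
    """True only if checksum_text names expected_name and matches data.

    The file-name check matters: a .sha512 copied from a different
    artifact would otherwise 'verify' the wrong download."""
    match = SHA512_LINE.match(checksum_text.strip())
    if match is None:
        raise ValueError("malformed .sha512 content")
    digest_hex, name = match.groups()
    if name != expected_name:
        return False
    return hashlib.sha512(data).hexdigest() == digest_hex.lower()


if __name__ == "__main__":
    for artifact, missing in missing_companions(SAMPLE_LISTING).items():
        print(f"{artifact}: missing {', '.join(missing)}")
```

Run against a real directory by replacing SAMPLE_LISTING with os.listdir() of the local mirror of the release; an empty report is the condition a release manager should require before announcing.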




Fwd: Working Group Last Call: HTTP Core Documents

2021-01-14 Thread Julian Reschke

(FYI)


-------- Forwarded Message --------
Subject:        Working Group Last Call: HTTP Core Documents
Resent-Date:    Thu, 14 Jan 2021 17:49:41 +
Resent-From:    ietf-http...@w3.org
Date:           Thu, 14 Jan 2021 09:49:22 -0800
From:           Tommy Pauly
To:             HTTP Working Group



Hello HTTP WG,

The time has come to start our Working Group Last Call for our current
“core” documents! The issues list for these documents has been whittled
down and we’re ready to have the working group review them in depth in
preparation to progress them towards publication.

These are substantial drafts, so your time in reviewing is very much
appreciated. We'll plan to have a three-and-a-half-week last call, so
that we will get feedback prior to our planned interim dates. The last
call will end on *Monday, February 8, 2021*.

The three drafts to review are:

HTTP Semantics, draft-ietf-httpbis-semantics
https://www.ietf.org/archive/id/draft-ietf-httpbis-semantics-14.html


HTTP/1.1, draft-ietf-httpbis-messaging
https://www.ietf.org/archive/id/draft-ietf-httpbis-messaging-14.html


HTTP Caching, draft-ietf-httpbis-cache
https://www.ietf.org/archive/id/draft-ietf-httpbis-cache-14.html


Please send email to the working group list with comments and feedback,
and state if you think these documents are ready to progress. You can
also file issues here: https://github.com/httpwg/http-core/issues.

Many thanks to Julian, Mark, and Roy for their hard work on editing
these documents!

Best,
Tommy




[GitHub] [tomcat] kamnani edited a comment on pull request #351: Remove White Spaces from the JSP files

2021-01-14 Thread GitBox


kamnani edited a comment on pull request #351:
URL: https://github.com/apache/tomcat/pull/351#issuecomment-760420468


@markt-asf @ChristopherSchultz @rmaucher Since this is lying low for quite
a while, can we have updates on this?



This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org






[GitHub] [tomcat] kamnani commented on pull request #351: Remove White Spaces from the JSP files

2021-01-14 Thread GitBox


kamnani commented on pull request #351:
URL: https://github.com/apache/tomcat/pull/351#issuecomment-760420468


   @markt-asf @ChristopherSchultz @rmaucher Do we have updates on this issue? 









Re: JDK 16 Early Access build 26 is now available

2021-01-14 Thread Mark Thomas
Rory,

For what purpose? There is an open bug report with a test case that
allows the issue to be reproduced. I don't understand what else is required.

Mark


On 14/01/2021 17:20, Rory O'Donnell wrote:
> Hi Mark,
> 
> I think you might want to start a thread about the issue on the
> jdk8u-dev mailing list.
> 
> https://mail.openjdk.java.net/mailman/listinfo/jdk8u-dev
> 
> 
> Rgds,Rory
> 
> On 13/01/2021 20:41, Mark Thomas wrote:
>> On 12/01/2021 13:53, Rory O'Donnell wrote:
>>> Hi Mark,
>>>
>>> Dev guys are still looking at this, not an easy fix!
>>>
>>> One question, is this for OpenJDK 8 ?
>> Hi Rory,
>>
>> Yes this is being observed with OpenJDK 8.
>>
>> Mark
>>
>>
>>> Rgds,Rory
>>>
>>> On 03/12/2020 08:57, Rory O'Donnell wrote:
 Hi Mark,

 The bug was updated, unable to reproduce, can you provide details?

 Rgds,Rory

 On 30/11/2020 17:00, Rory O'Donnell wrote:
> Hi Marc,
>
> Let me see what we can do.
>
> Rgds,Rory
>
> On 30/11/2020 14:47, Mark Thomas wrote:
>> Hi Rory,
>>
>> I have been (slowly) working my way through the currently open issues
>> and I found time today to investigate this one:
>> https://bz.apache.org/bugzilla/show_bug.cgi?id=63802
>>
>>
>>
>> That led me to this OpenJDK bug:
>> https://bugs.openjdk.java.net/browse/JDK-8238279
>>
>> I have spent some time looking at this and I can confirm that the
>> OpenJDK bug is present in the latest OpenJDK 8.
>>
>> The issue looks to have been forgotten about. Is there anything
>> you can
>> do to get the right people to have a look at it? There is a simple to
>> use reproduction case provided and if the bug triggers it has very
>> serious consequences for Tomcat.
>>
>> It would be really good to get a fix for this in Java 8.
>>
>> Thanks,
>>
>> Mark
>>
>>
>> On 30/11/2020 14:02, Rory O'Donnell wrote:
>>> Thanks for the feedback Martin!
>>>
>>> On 30/11/2020 09:37, Martin Grigorov wrote:
 Hi Rory,

 Apache Tomcat's build and tests pass with JDK 16 b26 on Ubuntu
 20.04.1
 (x86_64 & aarch64)!

 Regards,
 Martin

 On Fri, Nov 27, 2020 at 1:15 PM Rory O'Donnell
 <rory.odonn...@oracle.com> wrote:

   Hi Mark,

   OpenJDK 16 Early Access build 26 is now available at
   http://jdk.java.net/16

     * These early-access, open-source builds are provided under the
       GNU General Public License, version 2, with the Classpath
       Exception.

     * Schedule: JDK 16 Rampdown Phase One Starts on 2020/12/10 [1]

     * Features [1]: Most recent Integrations:
         o Integrated JEP 389: Foreign Linker API (Incubator) with this
           release.
             + JEP 389 introduces an API that offers statically-typed,
               pure-Java access to native code.
             + This API, together with the JEP 383, will considerably
               simplify the otherwise error-prone process of binding
               to a native library.

     * Release Notes [2]

     * Changes in recent builds that may be of interest:
         o Build 26
             + JDK-8202343: Disable TLS 1.0 and 1.1
             + JDK-8251317: Support for CLDR version 38
             + JDK-8212879: Make JVMTI TagMap table concurrent
             + JDK-8236926: Concurrently uncommit memory in G1
             + JDK-8243559: Removed Root Certificates with 1024-bit Keys
             + JDK-8253459: Argument index of zero or unrepresentable by
               int throws IllegalFormatException
             + JDK-8256643: Terminally deprecate ThreadGroup stop, destroy,
               isDe

Re: JDK 16 Early Access build 26 is now available

2021-01-14 Thread Rory O'Donnell

Hi Mark,

I think you might want to start a thread about the issue on the 
jdk8u-dev mailing list.


https://mail.openjdk.java.net/mailman/listinfo/jdk8u-dev


Rgds,Rory

On 13/01/2021 20:41, Mark Thomas wrote:

On 12/01/2021 13:53, Rory O'Donnell wrote:

Hi Mark,

Dev guys are still looking at this, not an easy fix!

One question, is this for OpenJDK 8 ?

Hi Rory,

Yes this is being observed with OpenJDK 8.

Mark



Rgds,Rory

On 03/12/2020 08:57, Rory O'Donnell wrote:

Hi Mark,

The bug was updated, unable to reproduce, can you provide details?

Rgds,Rory

On 30/11/2020 17:00, Rory O'Donnell wrote:

Hi Marc,

Let me see what we can do.

Rgds,Rory

On 30/11/2020 14:47, Mark Thomas wrote:

Hi Rory,

I have been (slowly) working my way through the currently open issues
and I found time today to investigate this one:
https://bz.apache.org/bugzilla/show_bug.cgi?id=63802


That led me to this OpenJDK bug:
https://bugs.openjdk.java.net/browse/JDK-8238279

I have spent some time looking at this and I can confirm that the
OpenJDK bug is present in the latest OpenJDK 8.

The issue looks to have been forgotten about. Is there anything you can
do to get the right people to have a look at it? There is a simple to
use reproduction case provided and if the bug triggers it has very
serious consequences for Tomcat.

It would be really good to get a fix for this in Java 8.

Thanks,

Mark


On 30/11/2020 14:02, Rory O'Donnell wrote:

Thanks for the feedback Martin!

On 30/11/2020 09:37, Martin Grigorov wrote:

Hi Rory,

Apache Tomcat's build and tests pass with JDK 16 b26 on Ubuntu
20.04.1
(x86_64 & aarch64)!

Regards,
Martin

On Fri, Nov 27, 2020 at 1:15 PM Rory O'Donnell
<rory.odonn...@oracle.com> wrote:

  Hi Mark,

  OpenJDK 16 Early Access build 26 is now available at
  http://jdk.java.net/16

    * These early-access, open-source builds are provided under the
      GNU General Public License, version 2, with the Classpath
      Exception.

    * Schedule: JDK 16 Rampdown Phase One Starts on 2020/12/10 [1]

    * Features [1]: Most recent Integrations:
        o Integrated JEP 389: Foreign Linker API (Incubator) with this
          release.
            + JEP 389 introduces an API that offers statically-typed,
              pure-Java access to native code.
            + This API, together with the JEP 383, will considerably
              simplify the otherwise error-prone process of binding
              to a native library.

    * Release Notes [2]

    * Changes in recent builds that may be of interest:
        o Build 26
            + JDK-8202343: Disable TLS 1.0 and 1.1
            + JDK-8251317: Support for CLDR version 38
            + JDK-8212879: Make JVMTI TagMap table concurrent
            + JDK-8236926: Concurrently uncommit memory in G1
            + JDK-8243559: Removed Root Certificates with 1024-bit Keys
            + JDK-8253459: Argument index of zero or unrepresentable by
              int throws IllegalFormatException
            + JDK-8256643: Terminally deprecate ThreadGroup stop, destroy,
              isDestroyed, setDaemon and isDaemon
        o Build 25
            + JDK-8247781: Day period support added to java.time formats
            + JDK-8202471: (ann) Cannot read type annotations on generic
              receiver type's type variables [Reported by ByteBuddy]
            + JDK-8255947: [macos] Signed macOS jpackage app doesn't
              filter spurious '-psn' argument [Reported by JOSM]
            + JDK-8256063: Module::getPackages returns the set of package
              names in this module

    * JDK 16 - topics of interest
        o Inside Java Episode 7 "The Vector API" with John Rose and Paul
          Sandoz
            + https://inside.java/2020/11/17/podcast-007/






[Bug 64830] HTTP2 : GOAWAY sent with Protocol Error and Frame Size Error

2021-01-14 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=64830

--- Comment #21 from Mark Thomas  ---
Found it. It wasn't in the HPACK decoder at all.

I've applied a patch and I can no longer get the test case to fail. Could you
retest with a new 9.0.x build?

-- 
You are receiving this mail because:
You are the assignee for the bug.



[tomcat] branch 8.5.x updated: Simplify the code and fix an edge case for BZ 64830

2021-01-14 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/8.5.x by this push:
 new bb0e7c1  Simplify the code and fix an edge case for BZ 64830
bb0e7c1 is described below

commit bb0e7c1e0d737a0de7d794572517bce0e91d30fa
Author: Mark Thomas 
AuthorDate: Thu Jan 14 16:59:43 2021 +

Simplify the code and fix an edge case for BZ 64830

https://bz.apache.org/bugzilla/show_bug.cgi?id=64830
---
 java/org/apache/coyote/AbstractProtocol.java | 6 +++---
 webapps/docs/changelog.xml   | 4 
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/java/org/apache/coyote/AbstractProtocol.java 
b/java/org/apache/coyote/AbstractProtocol.java
index a26f1ba..c83b22a 100644
--- a/java/org/apache/coyote/AbstractProtocol.java
+++ b/java/org/apache/coyote/AbstractProtocol.java
@@ -833,8 +833,10 @@ public abstract class AbstractProtocol implements 
ProtocolHandler,
 if (state == SocketState.UPGRADING) {
 // Get the HTTP upgrade handler
 UpgradeToken upgradeToken = 
processor.getUpgradeToken();
-// Retrieve leftover input
+// Restore leftover input to the wrapper so the upgrade
+// processor can process it.
 ByteBuffer leftOverInput = 
processor.getLeftoverInput();
+wrapper.unRead(leftOverInput);
 if (upgradeToken == null) {
 // Assume direct HTTP/2 connection
 UpgradeProtocol upgradeProtocol = 
getProtocol().getUpgradeProtocol("h2c");
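Review bot: the unRead on L613 now precedes release(processor) on L620 in the h2c branch, whereas before this change it ran only after the replacement processor existed; confirm that release() does not reset or recycle the wrapper's read buffer, or the bytes restored here are lost again. The new comment at L609-L610 says what is done but not why the position matters; add that getProcessor() may consume from the wrapper, which is the reason the restore has to come first.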
@@ -843,7 +845,6 @@ public abstract class AbstractProtocol implements 
ProtocolHandler,
 release(processor);
 // Create the upgrade processor
 processor = 
upgradeProtocol.getProcessor(wrapper, getProtocol().getAdapter());
-wrapper.unRead(leftOverInput);
 // Associate with the processor with the 
connection
 connections.put(socket, processor);
 } else {
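Review bot: the call removed at L624 ran after upgradeProtocol.getProcessor(wrapper, ...) on L623, so anything the new HTTP/2 processor read from the wrapper while being created saw the socket without the leftover bytes; that ordering is the edge case behind the "request corruption with h2c connections" changelog entry and matches the GOAWAY with Protocol Error / Frame Size Error symptom in BZ 64830, but neither the commit message nor the code says so. One sentence in the commit message naming the ordering as the fix would save the next reader re-deriving it.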
@@ -865,7 +866,6 @@ public abstract class AbstractProtocol implements 
ProtocolHandler,
 
getLog().debug(sm.getString("abstractConnectionHandler.upgradeCreate",
 processor, wrapper));
 }
-wrapper.unRead(leftOverInput);
 // Associate with the processor with the connection
 connections.put(socket, processor);
 // Initialise the upgrade handler (which may 
trigger
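Review bot: this hunk changes the same ordering for the upgradeToken != null path (a servlet-initiated HTTP upgrade), yet the changelog entry added in this commit mentions only h2c connections; either extend the entry or add a comment here stating that this path was not affected because its processor does not read from the wrapper during creation. The diff does not show which is the case.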
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index e9e7988..61defd3 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -163,6 +163,10 @@
   
 
   
+Additional fix for 64830 to address an edge case that could
+trigger request corruption with h2c connections. (markt)
+  
+  
 64974: Improve handling of pipelined HTTP requests in
 combination with the Servlet non-blocking IO API. It was possible that
 some requests could get dropped. (markt)
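Review bot: "Additional fix for 64830 to address an edge case" does not say what the edge case is; state that leftover input is now handed back to the socket wrapper before the upgrade processor is created, so that someone seeing the GOAWAY with Protocol Error / Frame Size Error from the bug title can tell whether their build contains the relevant fix.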





[tomcat] branch 9.0.x updated: Simplify the code and fix an edge case for BZ 64830

2021-01-14 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/9.0.x by this push:
 new d47c20a  Simplify the code and fix an edge case for BZ 64830
d47c20a is described below

commit d47c20a776e8919eaca8da9390a32bc8bf8210b1
Author: Mark Thomas 
AuthorDate: Thu Jan 14 16:59:43 2021 +

Simplify the code and fix an edge case for BZ 64830

https://bz.apache.org/bugzilla/show_bug.cgi?id=64830
---
 java/org/apache/coyote/AbstractProtocol.java | 6 +++---
 webapps/docs/changelog.xml   | 4 
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/java/org/apache/coyote/AbstractProtocol.java 
b/java/org/apache/coyote/AbstractProtocol.java
index 39a4f8a..227f9c1 100644
--- a/java/org/apache/coyote/AbstractProtocol.java
+++ b/java/org/apache/coyote/AbstractProtocol.java
@@ -889,8 +889,10 @@ public abstract class AbstractProtocol implements 
ProtocolHandler,
 if (state == SocketState.UPGRADING) {
 // Get the HTTP upgrade handler
 UpgradeToken upgradeToken = 
processor.getUpgradeToken();
-// Retrieve leftover input
+// Restore leftover input to the wrapper so the upgrade
+// processor can process it.
 ByteBuffer leftOverInput = 
processor.getLeftoverInput();
+wrapper.unRead(leftOverInput);
 if (upgradeToken == null) {
 // Assume direct HTTP/2 connection
 UpgradeProtocol upgradeProtocol = 
getProtocol().getUpgradeProtocol("h2c");
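Review bot: unRead on L704 now runs before release(processor) on L711, so release() must leave the wrapper's pushed-back input intact for the change to be correct; nothing in the hunk shows that it does. Note also that this branch records the processor with wrapper.setCurrentProcessor(processor) (L718) where the 8.5.x commit on this page uses connections.put(socket, processor); the unRead placement is identical in both, which is what matters for the bug, but the backport is not a verbatim cherry-pick and should be tested on both connection-tracking models.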
@@ -899,7 +901,6 @@ public abstract class AbstractProtocol implements 
ProtocolHandler,
 release(processor);
 // Create the upgrade processor
 processor = 
upgradeProtocol.getProcessor(wrapper, getProtocol().getAdapter());
-wrapper.unRead(leftOverInput);
 // Associate with the processor with the 
connection
 wrapper.setCurrentProcessor(processor);
 } else {
@@ -921,7 +922,6 @@ public abstract class AbstractProtocol implements 
ProtocolHandler,
 
getLog().debug(sm.getString("abstractConnectionHandler.upgradeCreate",
 processor, wrapper));
 }
-wrapper.unRead(leftOverInput);
 // Associate with the processor with the connection
 wrapper.setCurrentProcessor(processor);
 // Initialise the upgrade handler (which may 
trigger
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 6b0c60c..0a8762e 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -156,6 +156,10 @@
   
 
   
+Additional fix for 64830 to address an edge case that could
+trigger request corruption with h2c connections. (markt)
+  
+  
 64974: Improve handling of pipelined HTTP requests in
 combination with the Servlet non-blocking IO API. It was possible that
 some requests could get dropped. (markt)





[tomcat] branch master updated: Simplify the code and fix an edge case for BZ 64830

2021-01-14 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/master by this push:
 new dd757c0  Simplify the code and fix an edge case for BZ 64830
dd757c0 is described below

commit dd757c0a893e2e35f8bc1385d6967221ae8b9b9b
Author: Mark Thomas 
AuthorDate: Thu Jan 14 16:59:43 2021 +

Simplify the code and fix an edge case for BZ 64830

https://bz.apache.org/bugzilla/show_bug.cgi?id=64830
---
 java/org/apache/coyote/AbstractProtocol.java | 6 +++---
 webapps/docs/changelog.xml   | 4 
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/java/org/apache/coyote/AbstractProtocol.java 
b/java/org/apache/coyote/AbstractProtocol.java
index bbe393c..09b60dd 100644
--- a/java/org/apache/coyote/AbstractProtocol.java
+++ b/java/org/apache/coyote/AbstractProtocol.java
@@ -866,8 +866,10 @@ public abstract class AbstractProtocol implements 
ProtocolHandler,
 if (state == SocketState.UPGRADING) {
 // Get the HTTP upgrade handler
 UpgradeToken upgradeToken = 
processor.getUpgradeToken();
-// Retrieve leftover input
+// Restore leftover input to the wrapper so the upgrade
+// processor can process it.
 ByteBuffer leftOverInput = 
processor.getLeftoverInput();
+wrapper.unRead(leftOverInput);
 if (upgradeToken == null) {
 // Assume direct HTTP/2 connection
 UpgradeProtocol upgradeProtocol = 
getProtocol().getUpgradeProtocol("h2c");
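Review bot: the unRead moved to L795 now precedes release(processor) on L802 and, more importantly, precedes upgradeProtocol.getProcessor(...) on L805, which previously ran before the leftover bytes were restored; that reordering is the actual fix for the h2c corruption, and the commit message "Simplify the code and fix an edge case" undersells it. Please confirm release() does not clear the wrapper's read buffer, and say in the commit message which ordering was wrong.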
@@ -876,7 +878,6 @@ public abstract class AbstractProtocol implements 
ProtocolHandler,
 release(processor);
 // Create the upgrade processor
 processor = 
upgradeProtocol.getProcessor(wrapper, getProtocol().getAdapter());
-wrapper.unRead(leftOverInput);
 // Associate with the processor with the 
connection
 wrapper.setCurrentProcessor(processor);
 } else {
@@ -898,7 +899,6 @@ public abstract class AbstractProtocol implements 
ProtocolHandler,
 
getLog().debug(sm.getString("abstractConnectionHandler.upgradeCreate",
 processor, wrapper));
 }
-wrapper.unRead(leftOverInput);
 // Associate with the processor with the connection
 wrapper.setCurrentProcessor(processor);
 // Initialise the upgrade handler (which may 
trigger
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 6a08be2..6d871c4 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -156,6 +156,10 @@
   
 
   
+Additional fix for 64830 to address an edge case that could
+trigger request corruption with h2c connections. (markt)
+  
+  
 64974: Improve handling of pipelined HTTP requests in
 combination with the Servlet non-blocking IO API. It was possible that
 some requests could get dropped. (markt)





[SECURITY] CVE-2021-24122 Apache Tomcat Information Disclosure

2021-01-14 Thread Mark Thomas
CVE-2021-24122 Apache Tomcat Information Disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.0.0-M1 to 10.0.0-M9
Apache Tomcat 9.0.0.M1 to 9.0.39
Apache Tomcat 8.5.0 to 8.5.59
Apache Tomcat 7.0.0 to 7.0.106

Description:
When serving resources from a network location using the NTFS file
system it was possible to bypass security constraints and/or view the
source code for JSPs in some configurations. The root cause was the
unexpected behaviour of the JRE API File.getCanonicalPath() which in
turn was caused by the inconsistent behaviour of the Windows API
(FindFirstFileW) in some circumstances.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 10.0.0-M10 or later
- Upgrade to Apache Tomcat 9.0.40 or later
- Upgrade to Apache Tomcat 8.5.60 or later
- Upgrade to Apache Tomcat 7.0.107 or later

Credit:
This issue was identified by Ilja Brander.

History:
2021-01-14 Original advisory

References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html
[4] https://tomcat.apache.org/security-7.html
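The first thing a practitioner does with an advisory like this is work out whether a given install is in the affected range, and Tomcat's milestone tags ("10.0.0-M9", "9.0.0.M1") trip up naive version comparison. The following is an added example in Python, not ASF tooling: it encodes the ranges exactly as listed above, orders milestones before the GA release of the same number, and pulls the version out of the output of `java -cp lib/catalina.jar org.apache.catalina.util.ServerInfo` (the sample output below is constructed). Being in range is necessary but not sufficient: per the advisory, the disclosure also needs resources served from a network location on an NTFS file system and a configuration that exhibits the File.getCanonicalPath() behaviour.

```python
"""Affected-version test for CVE-2021-24122 (added example, not ASF tooling).

The ranges are those listed in the advisory. Tomcat writes milestone tags
two ways ("10.0.0-M9" and "9.0.0.M1"); a milestone sorts before the GA
release with the same x.y.z, so 10.0.0-M10 < 10.0.0."""
import re

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")

# (first affected, last affected, first fixed) per branch, from the advisory.
RANGES = [
    ("10.0.0-M1", "10.0.0-M9", "10.0.0-M10"),
    ("9.0.0.M1", "9.0.39", "9.0.40"),
    ("8.5.0", "8.5.59", "8.5.60"),
    ("7.0.0", "7.0.106", "7.0.107"),
]

# Constructed ServerInfo output, not captured from a real install.
SAMPLE_SERVER_INFO = (
    "Server version: Apache Tomcat/9.0.39\n"
    "Server built:   Oct 6 2020 00:00:00 UTC\n"
    "Server number:  9.0.39.0\n"
)
SERVER_INFO_RE = re.compile(r"Apache Tomcat/(\S+)")


def parse_version(text):
    """Turn 'x.y.z', 'x.y.z-Mn' or 'x.y.z.Mn' into a sortable tuple.

    The fourth element is 0 for milestones and 1 for GA so that every
    milestone of x.y.z orders before x.y.z itself; the fifth is the
    milestone number (0 for GA)."""
    m = VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def version_from_server_info(output):
    """Extract the version from the 'Server version:' line printed by
    java -cp lib/catalina.jar org.apache.catalina.util.ServerInfo."""
    m = SERVER_INFO_RE.search(output)
    if m is None:
        raise ValueError("no 'Apache Tomcat/<version>' in output")
    return m.group(1)


def cve_2021_24122(version):
    """Return (affected, first_fixed) for a Tomcat version string.

    Versions outside every listed branch (for example the unsupported
    6.0.x line) return (False, None): the advisory says nothing about
    them, which is not the same as saying they are safe."""
    v = parse_version(version)
    for first, last, fixed in RANGES:
        if parse_version(first) <= v <= parse_version(last):
            return True, fixed
    return False, None


if __name__ == "__main__":
    found = version_from_server_info(SAMPLE_SERVER_INFO)
    affected, fixed = cve_2021_24122(found)
    print(f"{found}: affected={affected} upgrade_to={fixed}")
```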




svn commit: r1885488 - in /tomcat/site/trunk: docs/security-10.html docs/security-7.html docs/security-8.html docs/security-9.html xdocs/security-10.xml xdocs/security-7.xml xdocs/security-8.xml xdocs

2021-01-14 Thread markt
Author: markt
Date: Thu Jan 14 14:19:10 2021
New Revision: 1885488

URL: http://svn.apache.org/viewvc?rev=1885488&view=rev
Log:
Update site for CVE-2021-24122

Modified:
tomcat/site/trunk/docs/security-10.html
tomcat/site/trunk/docs/security-7.html
tomcat/site/trunk/docs/security-8.html
tomcat/site/trunk/docs/security-9.html
tomcat/site/trunk/xdocs/security-10.xml
tomcat/site/trunk/xdocs/security-7.xml
tomcat/site/trunk/xdocs/security-8.xml
tomcat/site/trunk/xdocs/security-9.xml

Modified: tomcat/site/trunk/docs/security-10.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-10.html?rev=1885488&r1=1885487&r2=1885488&view=diff
==
--- tomcat/site/trunk/docs/security-10.html (original)
+++ tomcat/site/trunk/docs/security-10.html Thu Jan 14 14:19:10 2021
@@ -41,6 +41,25 @@
 
   17 
November 2020 Fixed in Apache Tomcat 10.0.0-M10
 
+Important: Information disclosure
+   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24122"; 
rel="nofollow">CVE-2021-24122
+
+When serving resources from a network location using the NTFS file 
system
+   it was possible to bypass security constraints and/or view the source
+   code for JSPs in some configurations. The root cause was the unexpected
+   behaviour of the JRE API File.getCanonicalPath() which in
+   turn was caused by the inconsistent behaviour of the Windows API
+   (FindFirstFileW) in some circumstances.
+
+
+This was fixed with commit
+   https://github.com/apache/tomcat/commit/7f004ac4531c45f9a2a2d1470561fe135cf27bc2";>7f004ac4.
+
+This issue was reported the Apache Tomcat Security team by Ilja Brander
+   on 26 October 2020. The issue was made public on 14 January 2021.
+
+Affects: 10.0.0-M1 to 10.0.0-M9
+
 Moderate: HTTP/2 request header mix-up
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17527"; 
rel="nofollow">CVE-2020-17527
 

Modified: tomcat/site/trunk/docs/security-7.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1885488&r1=1885487&r2=1885488&view=diff
==
--- tomcat/site/trunk/docs/security-7.html (original)
+++ tomcat/site/trunk/docs/security-7.html Thu Jan 14 14:19:10 2021
@@ -2,7 +2,7 @@
 Apache Tomcat® - Apache Tomcat 7 
vulnerabilitieshttp://tomcat.apache.org/";>Apache 
Tomcat®https://www.apache.org/foundation/contributing.html"; target="_blank" 
class="pull-left">https://www.apache.org/images/SupportApache-small.png"; class="support-asf" 
alt="Support Apache">http://www.apache.org/"; target="_blank" class="pull-left">https://www.google.com/search"; method="get">GOhttps://www.apache.org/events/current-event.html";>https://www.apache.org/events/current-event-234x60.png"; alt="Next ASF 
event">
   Save the date!
 Apache TomcatHomeTaglibsMaven 
PluginDownloadWhich version?https://tomcat.apache.org/download-10.cgi";>Tomcat 10 
(beta)https://tomcat.apache.org/download-90.cgi";>Tomcat 
9https://tomcat.apache.org/download-80.cgi";>Tomcat 
8https://tomcat.apache.org/download-70.cgi";>Tomcat 
7https://tomcat.apache.org/download-connectors.cgi";>Tomcat 
Connectorshttps://tomcat.apache.org/download-native.cgi";>Tomcat 
Nativehttps://tomcat.apache.org/download-taglibs.cgi";>Taglibshttps://archive.apache.org/dist/tomcat/";>ArchivesDocumentation
 Tomcat 10.0 (beta)Tomcat 
9.0Tomcat 8.5Tomcat 7.0Tomcat ConnectorsTomcat Nativehttps://cwiki.apache.org/confluence/display/TOMCAT";>WikiMigration GuidePresentationshttps://cwiki.apache.org/confluence/x/Bi8lBg";>SpecificationsProblems?Security ReportsFind helphttps://cwiki.apache.org/confluence/display/TOMCAT/FAQ";>FAQMailing ListsBug 
DatabaseIRCGet 
InvolvedOverviewSource 
codeBuildbothttps://cwiki.apache.org/confluence/x/vIPzBQ";>TranslationsToolsMediahttps://twitter.com/theapachetomcat";>Twitterhttps://www.youtube.com/c/ApacheTomcatOfficial";>YouTubehttps://blogs.apache.org/tomcat/";>BlogMiscWho We Arehttps://www.redbubble.com/people/comdev/works/30885254-apache-tomcat";>SwagHeritagehttp://www.apache.org";>Apache HomeResourcesContactLegalhttps://www.apache.org/foundation/contributing.html";>Support 
Apache<
 li>https://www.apache.org/foundation/sponsorship.html";>Sponsorshiphttp://www.apache.org/foundation/thanks.html";>Thankshttp://www.apache.org/licenses/";>LicenseContentTable of Contents
-Apache Tomcat 7.x 
vulnerabilitiesFixed in 
Apache Tomcat 7.0.105Fixed in Apache Tomcat 
7.0.104Fixed in Apache 
Tomcat 7.0.100Fixed in 
Apache Tomcat 7.0.99Fixed 
in Apache Tomcat 7.0.94Fixed in Apache Tomcat 
7.0.91Fixed in Apache 
Tomcat 7.0.90Fixed in 
Apache Tomcat 7.0.89Fixed 
in Apache Tomcat 7.0.88Fixed in Apache Tomcat 
7.0.85Fixed in Apache 
Tomca
 t 7.0.84Fixed in Apache 
Tomcat 7.0.82Fixed in 
Apache Tomcat 7.0.81Fixed 
in Apache Tomcat 7.0.79Fixed in Apache Tomcat 
7.0.78Fixed