[Bug 68119] Significant overhead in javax.el.CompositeELResolver.convertToType

2023-12-18 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=68119

Anurag Dubey  changed:

   What    |Removed |Added
   CC      |        |anura...@amazon.com

-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: Backporting patch for CVE-2023-46589 to Tomcat 8.0.14

2023-12-18 Thread Emmanuel Bourg

On 18/12/2023 at 18:00, Mark Thomas wrote:

> Am I understanding this request correctly?


Mostly, but for the context, if ever that makes it morally more 
acceptable, Freexian here is merely a vehicle to fund independent 
contributors to work on and maintain old packages; it's nothing like a 
Red Hat-sized company trying to maximize its profits and the dividends of 
its shareholders.


That said, I agree with Mark that it isn't reasonable to expect support 
for an EOLed version. For Debian ELTS I usually advise aligning the 
Tomcat version with the one in the following Debian release to ease the 
maintenance. So that would mean pulling the Tomcat 8.5 package from 
Debian Stretch to Jessie.


Emmanuel Bourg





Re: Backporting patch for CVE-2023-46589 to Tomcat 8.0.14

2023-12-18 Thread Emmanuel Bourg

On 18/12/2023 at 18:15, Michael Osipov wrote:

> SCNR: https://unixsheikh.com/articles/the-delusions-of-debian.html


That's a low blow; this post smells more like an old systemd rant mixed 
with a complete misunderstanding of how Debian works than a well-founded 
criticism.


Emmanuel Bourg





Re: [PR] Csrf filter improvements [tomcat]

2023-12-18 Thread via GitHub


michael-o commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1430461949


##
java/org/apache/catalina/filters/CsrfPreventionFilter.java:
##
@@ -53,6 +58,25 @@ public class CsrfPreventionFilter extends 
CsrfPreventionFilterBase {
 
 private String nonceRequestParameterName = 
Constants.CSRF_NONCE_REQUEST_PARAM;
 
+private boolean enforce = true;
+
+private Collection> noNoncePatterns = 
DEFAULT_NO_NONCE_URL_PATTERNS;
+
+private static final Collection> 
DEFAULT_NO_NONCE_URL_PATTERNS;
+
+static {
+ArrayList> defaultNoNonceURLPatterns = new 
ArrayList<>();
+
+defaultNoNonceURLPatterns.add(new SuffixPredicate(".css"));
+defaultNoNonceURLPatterns.add(new SuffixPredicate(".js"));
+defaultNoNonceURLPatterns.add(new SuffixPredicate(".gif"));
+defaultNoNonceURLPatterns.add(new SuffixPredicate(".png"));
+defaultNoNonceURLPatterns.add(new SuffixPredicate(".jpg"));
+defaultNoNonceURLPatterns.add(new SuffixPredicate(".svg"));
+
+DEFAULT_NO_NONCE_URL_PATTERNS = 
Collections.unmodifiableList(defaultNoNonceURLPatterns);
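Review bot: `enforce` and `noNoncePatterns` are introduced without Javadoc; both relax the CSRF check, so the class should document what a request matching a no-nonce pattern skips (the nonce check only, or the filter entirely) and what `enforce = false` does, since an operator tuning this filter needs to know the blast radius of each setting. Separately, the instance field `noNoncePatterns` is initialised from `DEFAULT_NO_NONCE_URL_PATTERNS`, a `static final` declared further down; this is correct because static initialisation completes before any instance is constructed, but placing the constant and its `static {}` block above the instance fields would make that ordering obvious to the reader.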

Review Comment:
   Is this really dead https://en.wikipedia.org/wiki/Favicon#How_to_use?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org





Re: [PR] Csrf filter improvements [tomcat]

2023-12-18 Thread via GitHub


michael-o commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1430459964


##
java/org/apache/catalina/filters/CsrfPreventionFilter.java:
##
@@ -53,6 +58,25 @@ public class CsrfPreventionFilter extends 
CsrfPreventionFilterBase {
 
 private String nonceRequestParameterName = 
Constants.CSRF_NONCE_REQUEST_PARAM;
 
+private boolean enforce = true;
+
+private Collection> noNoncePatterns = 
DEFAULT_NO_NONCE_URL_PATTERNS;
+
+private static final Collection> 
DEFAULT_NO_NONCE_URL_PATTERNS;
+
+static {
+ArrayList> defaultNoNonceURLPatterns = new 
ArrayList<>();
+
+defaultNoNonceURLPatterns.add(new SuffixPredicate(".css"));
+defaultNoNonceURLPatterns.add(new SuffixPredicate(".js"));
+defaultNoNonceURLPatterns.add(new SuffixPredicate(".gif"));
+defaultNoNonceURLPatterns.add(new SuffixPredicate(".png"));
+defaultNoNonceURLPatterns.add(new SuffixPredicate(".jpg"));

Review Comment:
   The original extension is `.jpeg`. `.jpg` only exists because IBM's Disk 
Operating System was too stupid to handle more than three chars for file 
extensions.






Re: [PR] Csrf filter improvements [tomcat]

2023-12-18 Thread via GitHub


markt-asf commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1430459910


##
java/org/apache/catalina/filters/CsrfPreventionFilter.java:
##
@@ -53,6 +58,25 @@ public class CsrfPreventionFilter extends 
CsrfPreventionFilterBase {
 
 private String nonceRequestParameterName = 
Constants.CSRF_NONCE_REQUEST_PARAM;
 
+private boolean enforce = true;
+
+private Collection> noNoncePatterns = 
DEFAULT_NO_NONCE_URL_PATTERNS;
+
+private static final Collection> 
DEFAULT_NO_NONCE_URL_PATTERNS;
+
+static {
+ArrayList> defaultNoNonceURLPatterns = new 
ArrayList<>();
+
+defaultNoNonceURLPatterns.add(new SuffixPredicate(".css"));
+defaultNoNonceURLPatterns.add(new SuffixPredicate(".js"));
+defaultNoNonceURLPatterns.add(new SuffixPredicate(".gif"));
+defaultNoNonceURLPatterns.add(new SuffixPredicate(".png"));
+defaultNoNonceURLPatterns.add(new SuffixPredicate(".jpg"));
+defaultNoNonceURLPatterns.add(new SuffixPredicate(".svg"));
+
+DEFAULT_NO_NONCE_URL_PATTERNS = 
Collections.unmodifiableList(defaultNoNonceURLPatterns);
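Review bot: the exemption is keyed on a URL suffix, so any request whose URI ends in `.css`, `.js`, `.gif`, `.png`, `.jpg` or `.svg` bypasses the nonce check regardless of what actually serves it; a servlet mapped to `/*`, or a request whose path info happens to end in one of these strings, is exempt as well. The Javadoc for `noNoncePatterns` should state that the patterns must only cover resources genuinely served as static content, `SuffixPredicate` should be applied to the normalised request path rather than the raw URI, and whether the match is case-sensitive (`.JPG` versus `.jpg`) should be decided and documented.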

Review Comment:
   Might this be better handled by looking at content type rather than file 
extension? 






Re: [PR] Csrf filter improvements [tomcat]

2023-12-18 Thread via GitHub


isapir commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1430457497


##
java/org/apache/catalina/filters/CsrfPreventionFilter.java:
##
@@ -53,6 +58,25 @@ public class CsrfPreventionFilter extends 
CsrfPreventionFilterBase {
 
 private String nonceRequestParameterName = 
Constants.CSRF_NONCE_REQUEST_PARAM;
 
+private boolean enforce = true;
+
+private Collection> noNoncePatterns = 
DEFAULT_NO_NONCE_URL_PATTERNS;
+
+private static final Collection> 
DEFAULT_NO_NONCE_URL_PATTERNS;

Review Comment:
   I had to read these two lines a couple of times.  Can you move line 65 to be 
before line 63?  It will make the code easier to read IMO, in the sense that 
first you declare a field and only afterwards you use it.






Re: [PR] Csrf filter improvements [tomcat]

2023-12-18 Thread via GitHub


ChristopherSchultz commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1430451465


##
java/org/apache/catalina/filters/CsrfPreventionFilter.java:
##
@@ -53,6 +58,25 @@ public class CsrfPreventionFilter extends 
CsrfPreventionFilterBase {
 
 private String nonceRequestParameterName = 
Constants.CSRF_NONCE_REQUEST_PARAM;
 
+private boolean enforce = true;
+
+private Collection> noNoncePatterns = 
DEFAULT_NO_NONCE_URL_PATTERNS;
+
+private static final Collection> 
DEFAULT_NO_NONCE_URL_PATTERNS;
+
+static {
+ArrayList> defaultNoNonceURLPatterns = new 
ArrayList<>();
+
+defaultNoNonceURLPatterns.add(new SuffixPredicate(".css"));
+defaultNoNonceURLPatterns.add(new SuffixPredicate(".js"));
+defaultNoNonceURLPatterns.add(new SuffixPredicate(".gif"));
+defaultNoNonceURLPatterns.add(new SuffixPredicate(".png"));
+defaultNoNonceURLPatterns.add(new SuffixPredicate(".jpg"));
+defaultNoNonceURLPatterns.add(new SuffixPredicate(".svg"));
+
+DEFAULT_NO_NONCE_URL_PATTERNS = 
Collections.unmodifiableList(defaultNoNonceURLPatterns);

Review Comment:
   Sure. I'm happy to add some obvious things. I thought `.ico` was dead, 
actually.






Re: [PR] Csrf filter improvements [tomcat]

2023-12-18 Thread via GitHub


ChristopherSchultz commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1430450663


##
java/org/apache/catalina/filters/CsrfPreventionFilter.java:
##
@@ -53,6 +58,25 @@ public class CsrfPreventionFilter extends 
CsrfPreventionFilterBase {
 
 private String nonceRequestParameterName = 
Constants.CSRF_NONCE_REQUEST_PARAM;
 
+private boolean enforce = true;
+
+private Collection> noNoncePatterns = 
DEFAULT_NO_NONCE_URL_PATTERNS;
+
+private static final Collection> 
DEFAULT_NO_NONCE_URL_PATTERNS;
+
+static {
+ArrayList> defaultNoNonceURLPatterns = new 
ArrayList<>();
+
+defaultNoNonceURLPatterns.add(new SuffixPredicate(".css"));
+defaultNoNonceURLPatterns.add(new SuffixPredicate(".js"));
+defaultNoNonceURLPatterns.add(new SuffixPredicate(".gif"));
+defaultNoNonceURLPatterns.add(new SuffixPredicate(".png"));
+defaultNoNonceURLPatterns.add(new SuffixPredicate(".jpg"));

Review Comment:
   I don't follow. How is allowing requests for .jpg and .jpeg (not mentioned 
here) a DOS problem? Feel free to message me privately if something should be 
kept quiet.
   
   Oh... did you mean Disk Operating System or Denial of Service?






Re: Backporting patch for CVE-2023-46589 to Tomcat 8.0.14

2023-12-18 Thread Michael Osipov
On 2023/12/18 17:00:43 Mark Thomas wrote:
> On 17/12/2023 16:32, Sean Whitton wrote:
> > Hello,
> > 
> > I am working to backport the fix for CVE-2023-46589 to Tomcat version
> > 8.0.14, which is what we have in Debian "jessie".  This is under the
> > Extended LTS project for older Debian releases, run by Freexian SARL.
> >  
> 
> Sean,
> 
> Am I understanding this request correctly?
> 
> Freexian has sold at least one customer - probably multiple customers - 
> long term support for Tomcat 8.0.x and has now found that it is unable 
> to provide that support.
> 
> Freexian's solution to this dilemma is to ask the Tomcat community - who 
> stopped supporting Tomcat 8.0.x over five years ago in June 2018 - to 
> provide free support to fill this gap in Freexian's capability to 
> support Tomcat.
> 
> There are several things that don't seem right about the above so I am 
> looking forward to you correcting my understanding of the circumstances 
> of this request.

SCNR: https://unixsheikh.com/articles/the-delusions-of-debian.html




Re: Backporting patch for CVE-2023-46589 to Tomcat 8.0.14

2023-12-18 Thread Mark Thomas

On 17/12/2023 16:32, Sean Whitton wrote:

> Hello,
>
> I am working to backport the fix for CVE-2023-46589 to Tomcat version
> 8.0.14, which is what we have in Debian "jessie".  This is under the
> Extended LTS project for older Debian releases, run by Freexian SARL.


Sean,

Am I understanding this request correctly?

Freexian has sold at least one customer - probably multiple customers - 
long term support for Tomcat 8.0.x and has now found that it is unable 
to provide that support.


Freexian's solution to this dilemma is to ask the Tomcat community - who 
stopped supporting Tomcat 8.0.x over five years ago in June 2018 - to 
provide free support to fill this gap in Freexian's capability to 
support Tomcat.


There are several things that don't seem right about the above so I am 
looking forward to you correcting my understanding of the circumstances 
of this request.


Mark




I am having a problem backporting this hunk of the fix:

--8<---cut here---start->8---
--- a/java/org/apache/catalina/connector/InputBuffer.java
+++ b/java/org/apache/catalina/connector/InputBuffer.java
@@ -346,11 +348,23 @@ public class InputBuffer extends Reader
  try {
  return coyoteRequest.doRead(bb);
  } catch (BadRequestException bre) {
+// Set flag used by asynchronous processing to detect errors on 
non-container threads
  coyoteRequest.setErrorException(bre);
+// In synchronous processing, this exception may be swallowed by 
the application so set error flags here.
+coyoteRequest.setAttribute(RequestDispatcher.ERROR_EXCEPTION, bre);
+coyoteRequest.getResponse().setStatus(400);
+coyoteRequest.setError();
+// Make the exception visible to the application
  throw bre;
  } catch (IOException ioe) {
+// Set flag used by asynchronous processing to detect errors on 
non-container threads
  coyoteRequest.setErrorException(ioe);
+// In synchronous processing, this exception may be swallowed by 
the application so set error flags here.
+coyoteRequest.setAttribute(RequestDispatcher.ERROR_EXCEPTION, ioe);
+coyoteRequest.getResponse().setStatus(400);
+coyoteRequest.setError();
  // Any other IOException on a read is almost always due to the 
remote client aborting the request.
+// Make the exception visible to the application
  throw new ClientAbortException(ioe);
  }
  }
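Review bot: the four error-flagging statements (`setErrorException`, `setAttribute(RequestDispatcher.ERROR_EXCEPTION, ...)`, `getResponse().setStatus(400)`, `setError()`) are duplicated verbatim in the `BadRequestException` and `IOException` branches; a private helper taking the exception would keep the two paths from drifting, which matters on a backport where, as the accompanying question notes, `setError()` may not exist on the older `coyoteRequest`. The `IOException` branch also sets status 400 for a condition the existing comment attributes to the remote client aborting the request; if that is deliberate it deserves a comment, since a client-side abort is not a malformed request and the response may already be committed by the time the status is set.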
--8<---cut here---end--->8---

The problem is that coyoteRequest does not have a setError method.
I believe that this is because Tomcat 8.0.14 is earlier than commit
662f9f4f0f.  I have not been able to determine whether this is
important.  Can I skip the setError() call, or do I need to call it some
other way?

Many thanks.






(tomcat) branch main updated: Cleanup error reporting

2023-12-18 Thread remm
This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
 new d7d18b87b9 Cleanup error reporting
d7d18b87b9 is described below

commit d7d18b87b99202aeced09552abbc5f5f4ffa332c
Author: remm 
AuthorDate: Mon Dec 18 13:45:42 2023 +0100

Cleanup error reporting

Reduce code duplication and add more OpenSSL error checking.
---
 .../net/openssl/panama/LocalStrings.properties |   5 +-
 .../util/net/openssl/panama/OpenSSLContext.java| 158 +++--
 .../util/net/openssl/panama/OpenSSLEngine.java |  35 +
 3 files changed, 91 insertions(+), 107 deletions(-)

diff --git 
a/java/org/apache/tomcat/util/net/openssl/panama/LocalStrings.properties 
b/java/org/apache/tomcat/util/net/openssl/panama/LocalStrings.properties
index 389d3f4ef2..4a36782136 100644
--- a/java/org/apache/tomcat/util/net/openssl/panama/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/openssl/panama/LocalStrings.properties
@@ -47,13 +47,14 @@ openssl.checkConf=Checking OpenSSLConf
 openssl.doubleInit=SSL context already initialized, ignoring
 openssl.errApplyConf=Could not apply OpenSSLConf to SSL context
 openssl.errCheckConf=Error during OpenSSLConf check
-openssl.errMakeConf=Could not create OpenSSLConf context
+openssl.errMakeConf=Could not create OpenSSLConf context [{0}]
 openssl.errorAddingCertificate=Error adding certificate to chain: [{0}]
 openssl.errorConfiguringLocations=Error configuring CA certificate locations: 
[{0}]
 openssl.errorLoadingCertificate=Error loading certificate: [{0}]
+openssl.errorLoadingCertificateWithError=Error loading certificate [{0}] with 
error [{1}]
 openssl.errorLoadingPassword=Error loading password file: [{0}]
 openssl.errorLoadingPrivateKey=Error loading private key: [{0}]
-openssl.errorLoadingCertificateRevocationList=Error loading certificate 
revocation: [{0}]
+openssl.errorLoadingCertificateRevocationListWithError=Error loading 
certificate revocation [{0}] with error [{1}]
 openssl.errorPrivateKeyCheck=Private key does not match the certificate public 
key: [{0}]
 openssl.errorSSLCtxInit=Error initializing SSL context
 openssl.keyManagerMissing=No key manager found
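Review bot: `openssl.errorLoadingCertificateRevocationList` is removed rather than kept alongside the new `...WithError` key, so any remaining `sm.getString("openssl.errorLoadingCertificateRevocationList", ...)` call would now get the missing-key fallback instead of a message; confirm every caller in OpenSSLContext was switched to the `WithError` variant (by contrast, `openssl.errorLoadingCertificate` is kept next to its new `WithError` sibling). The new text `Error loading certificate revocation [{0}] with error [{1}]` would also read better as `Error loading certificate revocation list [{0}] with error [{1}]`, matching the key name.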
diff --git a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java 
b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
index a5aa2ea8a0..13691d58d8 100644
--- a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
+++ b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
@@ -22,7 +22,6 @@ import java.io.IOException;
 import java.io.InputStreamReader;
 import java.lang.foreign.Arena;
 import java.lang.foreign.MemorySegment;
-import java.lang.foreign.SegmentAllocator;
 import java.lang.foreign.SymbolLookup;
 import java.lang.foreign.ValueLayout;
 import java.lang.ref.Cleaner;
@@ -185,26 +184,17 @@ public class OpenSSLContext implements 
org.apache.tomcat.util.net.SSLContext {
 // Create OpenSSLConfCmd context if used
 OpenSSLConf openSslConf = sslHostConfig.getOpenSslConf();
 if (openSslConf != null) {
-try {
-if (log.isDebugEnabled()) {
-log.debug(sm.getString("openssl.makeConf"));
-}
-confCtx = SSL_CONF_CTX_new();
-long errCode = ERR_get_error();
-if (errCode != 0) {
-try (var localArena = Arena.ofConfined()) {
-var buf = 
localArena.allocate(ValueLayout.JAVA_BYTE, 128);
-ERR_error_string(errCode, buf);
-
log.error(sm.getString("openssl.errorLoadingCertificate", buf.getString(0)));
-}
-}
-SSL_CONF_CTX_set_flags(confCtx, SSL_CONF_FLAG_FILE() |
-SSL_CONF_FLAG_SERVER() |
-SSL_CONF_FLAG_CERTIFICATE() |
-SSL_CONF_FLAG_SHOW_ERRORS());
-} catch (Exception e) {
-throw new 
SSLException(sm.getString("openssl.errMakeConf"), e);
+if (log.isDebugEnabled()) {
+log.debug(sm.getString("openssl.makeConf"));
+}
+confCtx = SSL_CONF_CTX_new();
+if (MemorySegment.NULL.equals(confCtx)) {
+throw new SSLException(sm.getString("openssl.errMakeConf", 
getLastError()));
 }
+SSL_CONF_CTX_set_flags(confCtx, SSL_CONF_FLAG_FILE() |
+SSL_CONF_FLAG_SERVER() |
+SSL_CONF_FLAG_CERTIFICATE() |
+SSL_CONF_FLAG_SHOW_ERRORS());
 }
 
 // SSL protocol
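Review bot: dropping the surrounding `try { ... } catch (Exception e)` changes behaviour beyond the added NULL check: previously any exception thrown by `SSL_CONF_CTX_new()` or `SSL_CONF_CTX_set_flags()` was wrapped in an `SSLException` carrying `openssl.errMakeConf`, whereas now only a NULL return from `SSL_CONF_CTX_new()` is reported and a failure inside `SSL_CONF_CTX_set_flags()` propagates unwrapped. If that is intended, say so in the commit message. The NULL check itself is the right fix: the old code consulted `ERR_get_error()` after a call that may well have succeeded, logged any stale error under the unrelated `openssl.errorLoadingCertificate` key, and then continued with a possibly NULL `confCtx`.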
@@ -369,11 +359,9 @@ public class OpenSSLContext 

Re: [PR] [WIP] initial implementation of webresource based on path API [tomcat]

2023-12-18 Thread via GitHub


KoteswararaoGundapaneni commented on PR #630:
URL: https://github.com/apache/tomcat/pull/630#issuecomment-1860268262

   Any valid update regarding the work status of this?

