Re: [tomcat] branch master updated: Use SVG logo for a more modern and consistent look

2020-10-15 Thread Christopher Schultz
Igal, On 10/10/20 16:08, isa...@apache.org wrote: > This is an automated email from the ASF dual-hosted git repository. > > isapir pushed a commit to branch master > in repository https://gitbox.apache.org/repos/asf/tomcat.git > > > The following commit(s) were added to refs/heads/master by

Re: TCK status

2020-10-08 Thread Christopher Schultz
Mark, On 10/3/20 14:39, Mark Thomas wrote: > Hi all, > > I mentioned TCK status during a couple of ApacheCon presentations. > Having checked the current status I thought it would be worth sending a > brief note to the list. More detail is on the wiki: >

Re: Removing the APR connector

2020-09-29 Thread Christopher Schultz
Rémy, On 9/29/20 07:57, Rémy Maucherat wrote: > On Tue, Sep 29, 2020 at 1:32 PM Mark Thomas wrote: > >> All, >> >> Removing the APR connector (HTTP and AJP) is currently on the TODO list >> for Tomcat 10.0.x (i.e. the current development branch). >> >> I am wondering whether we are still happy

Re: CATALINA_BASE vs CATALINA_HOME: What must be where?

2020-09-28 Thread Christopher Schultz
Konstantin, On 9/27/20 14:33, Konstantin Kolinko wrote: > Sat, 26 Sep 2020 at 18:12, Christopher Schultz > : >> >> All, >> >> I'm writing about the above topic for ApacheCon @ Home and I wanted to >> get some confirmation about a few statements.

CATALINA_BASE vs CATALINA_HOME: What must be where?

2020-09-26 Thread Christopher Schultz
All, I'm writing about the above topic for ApacheCon @ Home and I wanted to get some confirmation about a few statements. The code is ... large and complex and it will be easier to just ask for help from those who Know. " Many files in CATALINA_BASE are optional * Override those in CATALINA_HOME

Application-accessible Executors

2020-09-18 Thread Christopher Schultz
All, I've recently been thinking about application uses of servlet-async and Websocket for long-running operations, or really for any interactions where you want to allow the request-processing thread to go back into the pool, but the application is still doing useful things and therefore needs

Request for documentation improvement: changelog UI

2020-09-09 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 All, Could someone better at CSS look into this for me? I sometimes find myself searching the changelog for some string e.g. "keystore". I generally do that by loading-up the changelog in my browser and using the browser's "Find" feature to search

Re: [VOTE][RESULT][OT] Release Apache Tomcat Native 1.2.25

2020-09-03 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mark, On 9/3/20 10:34, Mark Thomas wrote: > The following votes were cast: > > Binding: +1: markt, mgrigorov, fschumacher > > +0: schultz > > The vote therefore passes. > > I think it is worth noting that there were crashes / unit test > failures

Re: [VOTE] Release Apache Tomcat Native 1.2.25

2020-09-02 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mark, On 8/21/20 14:22, Mark Thomas wrote: > Version 1.2.25 includes the following changes compared to 1.2.24 > > - Improvements to LibreSSL support > > - Improvements to HP_UX support > > Various other fixes and improvements. See the changelog for

Re: security.txt

2020-09-02 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mark, On 9/1/20 14:38, Mark Thomas wrote: > On 01/09/2020 18:01, Christopher Schultz wrote: >> All, >> >> I'd like to propose that we publish a security.txt[1] file on our >> web site under /.well-known/sec

security.txt

2020-09-01 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 All, I'd like to propose that we publish a security.txt[1] file on our web site under /.well-known/security.txt and /security.txt This file contains information we all already know, but it's in obviously "proprietary" locations on our web site and

Re: [tomcat] branch master updated: Change forcedRemainingCapacity from Integer to int

2020-08-27 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Martin, On 8/27/20 07:55, mgrigo...@apache.org wrote: > This is an automated email from the ASF dual-hosted git > repository. > > mgrigorov pushed a commit to branch master in repository > https://gitbox.apache.org/repos/asf/tomcat.git > > > The

Re: [tomcat] 02/02: Update Commons DBCP to latest

2020-08-26 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mark, On 8/26/20 13:36, Mark Thomas wrote: > On 26/08/2020 17:56, Christopher Schultz wrote: >> Mark, >> >> On 8/26/20 11:19, ma...@apache.org wrote: >>> This is an automated email from the ASF dual-hosted git >

Re: Fwd: Security concern about Tomcat's default value for HSTS MaxAge

2020-08-26 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Dave, On 8/25/20 14:05, Dave Wichers wrote: > Per: > https://tomcat.apache.org/tomcat-9.0-doc/config/filter.html#HTTP_Header_Security_Filter > > and https://tomcat.apache.org/tomcat-8.5-doc/config/filter.html#HTTP_Header_Security_Filter > > they

Re: [tomcat] 02/02: Update Commons DBCP to latest

2020-08-26 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mark, On 8/26/20 11:19, ma...@apache.org wrote: > This is an automated email from the ASF dual-hosted git > repository. > > markt pushed a commit to branch master in repository > https://gitbox.apache.org/repos/asf/tomcat.git > > commit

Re: Use of "constants" in Manager to generate HTML/CSS content

2020-08-23 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Konstantin, On 8/16/20 15:59, Konstantin Kolinko wrote: > Sun, 16 Aug 2020 at 21:32, Igal Sapir : >> >> I don't see any scripts either. Why not add a CSP and set script >> to 'none'? I can add that if no one objects. >> > > sessionsList.jsp has

ApacheCon @ Home Tomcat Track Schedule

2020-08-14 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 All, I'm happy to announce that the Apache Tomcat track schedule has been posted for ApacheCon @ Home, our virtual conference to replace "ApacheCon North America 2020". If you use social media to discuss this event, please use #ACAH2020 and tag

Re: Use of "constants" in Manager to generate HTML/CSS content

2020-08-12 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Konstantin, On 8/12/20 10:02, Konstantin Kolinko wrote: > Tue, 28 Jul 2020 at 16:55, Christopher Schultz > : >> >> All, >> >> I was looking at this PR[1] and wondering why we have huge swaths >> of CSS and

Re: Use of "constants" in Manager to generate HTML/CSS content

2020-08-12 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Igal, On 8/11/20 23:23, Igal Sapir wrote: > Chris, > > On Mon, Aug 10, 2020 at 12:20 PM Martin Grigorov > mailto:mgrigo...@apache.org>> wrote: > > > On Tue, Jul 28, 2020, 16:48 Christopher Schultz > <mailto:ch.

Re: [PROPOSAL] Remove the functional specs from docs webapp

2020-08-12 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mark, On 8/11/20 15:04, Mark Thomas wrote: > On 11/08/2020 17:30, Michael Osipov wrote: >> On 2020-08-10 at 17:46, Mark Thomas wrote: >>> Hi all, >>> >>> I'd like to propose removing all the functional spec pages from >>> the documentation web

Publishing EOL dates on whichversion?

2020-08-06 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 All, I'm wondering if we shouldn't add EOL dates to the "which version" page. The table on that page is very busy, but I think it would help to know: 1. When a currently-supported version will be EOL'd (e.g. 7.0.x) 2. When a superseded version

Re: Discouraging Rogue Users In Tomcat

2020-08-04 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Alan, On 8/3/20 21:25, Alan Basche wrote: > I have recently developed code for Tomcat 8.5 that defends against > black-hats probing Tomcat and the website apps for > vulnerabilities. This coding effort started a year ago, and the > latest code has

Re: First impressions from OpenSSL 3.0.0 and TC 10.0.0-M7 plus tcnative 1.2.24

2020-08-03 Thread Christopher Schultz
alueRK12methodHandleP17JavaCallArgumentsP6Thread > > (libjvm.so) > #10 0x7f2a393b8de0 > _ZL6invokeP13InstanceKlassRK12methodHandle6Handleb14objArrayHandle9BasicTypeS5_bP6Thread > > (libjvm.so) > #11 0x7f2a393b9bc3 > _ZN10Reflection13invoke_methodEP7oopDesc6Handle14ob

Re: First impressions from OpenSSL 3.0.0 and httpd 2.4.45

2020-08-01 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Rainer, On 8/1/20 11:44, Rainer Jung wrote: > Sorry, wrong dev list. I thought it was interesting anyway :) How about libtcnative built against OpenSSL 3.0.0? - -chris > On 01.08.2020 at 12:07, Rainer Jung wrote: >> Hi there, >> >> during

Use of "constants" in Manager to generate HTML/CSS content

2020-07-28 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 All, I was looking at this PR[1] and wondering why we have huge swaths of CSS and HTML in a Java source file, instead of using e.g. JSP or some other content-generation framework. I know, I hate JSP, too, but having large blocks of HTML and CSS in

Re: [tomcat] branch master updated: Avoid reflection for default instantiation

2020-07-23 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Filip, On 7/22/20 12:41, Filip Hanik wrote: > Hi Christopher, >>> environments. -Class clazz = >>> Class.forName(className); -return >>> (AuthConfigFactory)

Re: [tomcat] branch master updated: Avoid reflection for default instantiation

2020-07-22 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Filip, On 7/21/20 11:22, fha...@apache.org wrote: > This is an automated email from the ASF dual-hosted git > repository. > > fhanik pushed a commit to branch master in repository > https://gitbox.apache.org/repos/asf/tomcat.git > > > The following

Re: [ANN] ApacheCon NA 2020 is virtual/online, completely free to attend, and call-for-presentations is CLOSED

2020-07-17 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 All, While the CFP is officially closed for ApacheCon, there is still some space in the Tomcat track if anyone is still considering a presentation. Please email me privately if you'd like to submit a topic. Just put "apachecon" in the subject.

Re: Support for LetsEncrypt certs, and update process, in Tomcat without restart.

2020-07-14 Thread Christopher Schultz
app to > alter the allowed TLS levels? This should work. - -chris > -----Original Message- From: Christopher Schultz > Sent: 13 July 2020 11:44 PM To: > dev@tomcat.apache.org Subject: Re: Support for LetsEncrypt certs, > and update process, in Tomcat without restart. > >

Re: Native Image - Reflectionless Concept

2020-07-13 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Filip, On 7/13/20 17:59, Filip Hanik wrote: > for discussion, all feedback and questions welcome: > > > I've created a concept of having Apache Tomcat, embedded, run > without reflection in a native image. This concept creates a jar, >

Re: Support for LetsEncrypt certs, and update process, in Tomcat without restart.

2020-07-13 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Merlin, On 7/13/20 06:09, Merlin Beedell wrote: > Hi all, > > Thank you for your valuable assistance and suggestions so far. > > > > I did eventually try this (again, using ‘groovy’ as a > simple-to-use scriptable wrapper to Java), which looks like

Re: [ANN] ApacheCon NA 2020 is virtual/online, completely free to attend, and call-for-presentations is OPEN!

2020-07-09 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 All, On 7/8/20 18:37, Christopher Schultz wrote: > All, > > [Cross-posting to dev@, please reply to users@] > > ApacheCon NA 2020 is now "ApacheCon @Home" due to the COVID-19 > pandemic, and will be held online 2

[ANN] ApacheCon NA 2020 is virtual/online, completely free to attend, and call-for-presentations is OPEN!

2020-07-08 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 All, [Cross-posting to dev@, please reply to users@] ApacheCon NA 2020 is now "ApacheCon @Home" due to the COVID-19 pandemic, and will be held online 29 September - 1 October 2020. This is a great opportunity for anyone who has never attended an

Re: Improving SameSite support

2020-07-08 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Rémy, On 7/8/20 11:47, Rémy Maucherat wrote: > On Wed, Jul 8, 2020 at 5:10 PM Christopher Schultz > <mailto:ch...@christopherschultz.net>> wrote: > > Rémy, > > On 7/8/20 10:35, Rémy Maucherat wrote: >> On Wed, J

Re: Improving SameSite support

2020-07-08 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Rémy, On 7/8/20 10:35, Rémy Maucherat wrote: > On Wed, Jul 8, 2020 at 4:26 PM Christopher Schultz > <mailto:ch...@christopherschultz.net>> wrote: > >>> Clearly, no, with multiple elements, the digester rules added

Re: Improving SameSite support

2020-07-08 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Rémy, On 7/8/20 10:20, Rémy Maucherat wrote: > On Wed, Jul 8, 2020 at 4:14 PM Christopher Schultz > <mailto:ch...@christopherschultz.net>> wrote: > > Rémy, > > On 7/8/20 04:16, Rémy Maucherat wrote: >> On Tue, J

Re: Improving SameSite support

2020-07-08 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Rémy, On 7/8/20 04:16, Rémy Maucherat wrote: > On Tue, Jul 7, 2020 at 4:26 PM Christopher Schultz > <mailto:ch...@christopherschultz.net>> wrote: > > Rémy, > > On 7/7/20 03:10, Rémy Maucherat wrote: >> On Mon, J

Re: Improving SameSite support

2020-07-07 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Rémy, On 7/7/20 03:10, Rémy Maucherat wrote: > On Mon, Jul 6, 2020 at 9:27 PM Christopher Schultz > <mailto:ch...@christopherschultz.net>> wrote: > > All, > > Jakarta EE 5.0 does not appear to include support for S

Re: Catalina internals available from HttpServletRequest?

2020-07-07 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mark, On 7/6/20 16:45, Mark Thomas wrote: > On 06/07/2020 21:23, Christopher Schultz wrote: >> All, >> >> I'm looking at modifying the existing LoadBalancerDrainingValve >> to also function as a Filter if necessary (my a

Catalina internals available from HttpServletRequest?

2020-07-06 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 All, I'm looking at modifying the existing LoadBalancerDrainingValve to also function as a Filter if necessary (my application uses a Filter to establish authentication information, so I'd like the "valve" to act *after* the filter if possible) and

Improving SameSite support

2020-07-06 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 All, Jakarta EE 5.0 does not appear to include support for SameSite cookies. Tomcat's CookieProcessor allows an administrator to set the SameSite cookie policy, but it's a blanket policy. So for example, if you want a JSESSIONID cookie to be

Re: [tomcat] branch master updated: Use StringBuilder instead of StringBuffer

2020-07-06 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Martin, On 7/6/20 03:09, mgrigo...@apache.org wrote: > diff --git > a/java/org/apache/catalina/connector/CoyotePrincipal.java > b/java/org/apache/catalina/connector/CoyotePrincipal.java index > 1ae5608..93d7c02 100644 --- >

Better handling of AJP errors if corruption is discovered?

2020-07-02 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 All, I recently had the displeasure of tracking-down a mismatched AJP "max packet size" on a service. The symptom was that when a large POST request came in ( > 8192 bytes ), Tomcat would log two errors in quick succession: 1.

Re: Changing the name of the default branch in our git repos

2020-06-26 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mark, On 6/26/20 10:48, Mark Thomas wrote: > Picking up this thread again I see a range of views. "main" seems > to be the most popular although several folks suggested "10.0.x" > and "use whatever GitHub use". There was also interest in "trunk". >

New home for EncryptInterceptor.BaseEncryptionManager and friends

2020-06-19 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 All, I'd like to refactor a bit and move BaseEncryptionManager and associated code out of the EncryptInterceptor class. Where would be a good place to put it? Some potential candidates: org/apache/catalina/util org/apache/catalina/security

Re: Implementing TNO (Trust No One) for Session Stores

2020-06-19 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mark, On 6/9/20 08:13, Mark Thomas wrote: > On 08/06/2020 22:29, Christopher Schultz wrote: >> I think that's enough for now. So the questions are: >> >> 1. Does anyone really want Tomcat to be worried about this stuff?

Re: Changing the name of the default branch in our git repos

2020-06-19 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mark, On 6/16/20 04:02, Mark Thomas wrote: > All, > > You may have seen the recent discussions both inside and outside > the ASF about the use of "master" as the name of the default git > branch. If you haven't, the short version is that the name

Re: Java library bug in JCEKS keystore loader

2020-06-16 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Michael, On 6/13/20 14:54, Michael Osipov wrote: > On 2020-06-12 at 23:54, Christopher Schultz wrote: >> -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 >> >> All, >> >> I've been writing a Java-based certificati

Building mod_jk for Windows

2020-06-13 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 All, I see Mladen has gone crazy updating mod_jk for IIS. The build process looks fairly straightforward in a way that isn't so straightforward for e.g. libtcnative. I suspect most of it is the work that has gone into his "Custom Microsoft

Java library bug in JCEKS keystore loader

2020-06-12 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 All, I've been writing a Java-based certification-expiration checking utility that can handle all kinds of file formats like PEM and the various keystore formats supported by the JVM. Since it's not possible to tell what type of keystore is being

Re: Support for LetsEncrypt certs, and update process, in Tomcat without restart.

2020-06-11 Thread Christopher Schultz
) impl > does not. Your LetsEncryptManager seems to call reloadSslHostConfigs. What does Meecrowave do differently? - -chris > On Thu, 11 Jun 2020 at 19:20, Christopher Schultz > <mailto:ch...@christopherschultz.net>> wrote: > > Merlin, > > On 6/10/20 12:32, Merlin Bee

Re: Support for LetsEncrypt certs, and update process, in Tomcat without restart.

2020-06-11 Thread Christopher Schultz
has a plug-in for let's encrypt (or similar). Romain @ TomEE has written a WAR file that implements this inside-out approach as a generic ACME servlet (context listener?), but I can't seem to find his code anywhere... - -chris > -Original Message- > > From: Christopher Schultz

Likely incorrect wiki redirect

2020-06-11 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 All, I'm not sure who can fix this, but when I go to wiki.apache.org/tomcat, I'm redirected to https://cwiki-test.apache.org/confluence/display/tomcat which returns a "Service Unavailable" error. Without the /tomcat, I get redirected to the new

Implementing TNO (Trust No One) for Session Stores

2020-06-08 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 All, Tomcat stores sessions without any encryption and/or authentication, and anyone with write-access to the session-store can poison a session and mount an attack. This kind of attack is (arguably appropriately) declared to be outside of the

Re: Support for LetsEncrypt certs, and update process, in Tomcat without restart.

2020-06-08 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Merlin, On 6/8/20 10:17, Merlin Beedell wrote: > I am getting a lot of flack from some senior devs who insist that > Tomcat must be put behind a Proxy – HA Proxy or Nginx, which will > handle the SSL offloading etc. > > While this seems sensible

Re: [tomcat] branch master updated: Fix BZ 64483 Log a warning when an AJP request is rejected

2020-06-02 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mark, On 6/2/20 11:44, Mark Thomas wrote: > On 02/06/2020 16:37, Christopher Schultz wrote: >> Mark, >> >> On 6/2/20 06:24, ma...@apache.org wrote: >>> This is an automated email from the ASF dual-hosted git >

Re: [tomcat] branch master updated: Fix BZ 64483 Log a warning when an AJP request is rejected

2020-06-02 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mark, On 6/2/20 06:24, ma...@apache.org wrote: > This is an automated email from the ASF dual-hosted git > repository. > > markt pushed a commit to branch master in repository > https://gitbox.apache.org/repos/asf/tomcat.git > > > The following

Re: [tomcat] 01/04: WIP for more TLS env resolution

2020-05-31 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Rémy, On 5/29/20 11:25, r...@apache.org wrote: > This is an automated email from the ASF dual-hosted git > repository. > > remm pushed a commit to branch 8.5.x in repository > https://gitbox.apache.org/repos/asf/tomcat.git > > commit

Re: [tomcat] branch 7.0.x updated: Use parametric replacement to ensure the proper version of wsdl4j is written to Eclipse's .classpath file.

2020-05-15 Thread Christopher Schultz
> is described below > > commit afda9f0d2d2d0bc7b5a870f6df97603354655109 Author: Christopher > Schultz AuthorDate: Fri May 15 > 10:05:59 2020 -0400 > > Use parametric replacement to ensure the proper version of wsdl4j > is written to Eclipse's .classpath file. --- build.xml > | 3 ++- res/ide-support/eclipse

Re: Session serialization uses wrapper objects instead of primitives

2020-05-15 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Konstantin, On 5/15/20 07:36, Konstantin Kolinko wrote: > Thu, 14 May 2020 at 18:48, Christopher Schultz > : >> >> All, >> >> I'm interested in the history of the >> StandardSession.writeObjectData method. I've

Re: Session serialization uses wrapper objects instead of primitives

2020-05-14 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mark, On 5/14/20 14:21, Mark Thomas wrote: > On 14/05/2020 18:41, Christopher Schultz wrote: >> Mark, >> >> On 5/14/20 12:53, Mark Thomas wrote: >>> On 14/05/2020 17:46, Mark Thomas wrote: >>>> On 1

Re: Session serialization uses wrapper objects instead of primitives

2020-05-14 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mark, On 5/14/20 14:21, Mark Thomas wrote: > On 14/05/2020 18:41, Christopher Schultz wrote: >> Mark, >> >> On 5/14/20 12:53, Mark Thomas wrote: >>> On 14/05/2020 17:46, Mark Thomas wrote: >>>> On 1

Re: Session serialization uses wrapper objects instead of primitives

2020-05-14 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mark, On 5/14/20 12:53, Mark Thomas wrote: > On 14/05/2020 17:46, Mark Thomas wrote: >> On 14/05/2020 16:48, Christopher Schultz wrote: >>> All, >>> >>> I'm interested in the history of the >>> Stan

Encrypting session data

2020-05-14 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 All, Tomcat has provided session-persistence mechanisms as far back as I can remember, and on-disk/in-database/in-memcached/in-redis storage is a somewhat popular practice. Occasionally, we (the community) are asked how to protect the data in

Session serialization uses wrapper objects instead of primitives

2020-05-14 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 All, I'm interested in the history of the StandardSession.writeObjectData method. I've been looking at it lately because I'm interested in possibly (optionally) encrypting the sessions in the backend session store. But this isn't about encryption

Re: [VOTE] Release Apache Tomcat 8.5.55

2020-05-06 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mark, Thanks for RM'ing. On 5/5/20 18:37, Mark Thomas wrote: > The proposed Apache Tomcat 8.5.55 release is now available for > voting. > > The major changes compared to the 8.5.54 release are: > > - Improve the handling of requests that use an

Re: [Bug 64402] New: mr.vta

2020-05-01 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mark, On 5/1/20 04:49, Mark Thomas wrote: >> Reporter: mblehkos...@gmail.com > > Yet another "security researcher" that failed to notice that if you > try and upload an attachment with MIME type text/html our Bugzilla > instances will always render

Re: Dropping reason phrase in WebDavServlet

2020-04-29 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Michael, On 4/29/20 15:37, Michael Osipov wrote: > On 2020-04-29 at 18:51, Christopher Schultz wrote: >> -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 >> >> Michael, >> >> On 4/28/20 18:06, Michael Osipov

Re: Dropping reason phrase in WebDavServlet

2020-04-29 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Michael, On 4/28/20 18:06, Michael Osipov wrote: > On 2020-04-20 at 10:25, Mark Thomas wrote: >> On 18/04/2020 21:19, Michael Osipov wrote: >>> Folks, >>> >>> the WebDAV servlet still sends a reason phrase on multistatus >>> (207). I'd like to drop

Re: CTR: requesting review of org.apache.catalina.startup.TestMultipartConfig

2020-04-29 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mark, On 4/28/20 14:03, Mark Thomas wrote: > On 28/04/2020 15:22, Christopher Schultz wrote: >> All, >> >> I'd like a review of the test-case I wrote for the multipart >> config stuff. >> >> It *works*,

Re: git-fu is (still) weak

2020-04-28 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Coty, On 4/28/20 10:45, Coty Sutherland wrote: > > > On Tue, Apr 28, 2020 at 10:21 AM Christopher Schultz > <mailto:ch...@christopherschultz.net>> wrote: > > Rémy, > > On 4/27/20 18:41, Rémy Maucherat wrote:

Eclipse error despite attempted suppression

2020-04-28 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 All, I'm running Eclipse 2020-03 (4.15.0) on MacOS and I'm getting a build failure in org.apache.catalina.mbeans.JmxRemoteLifecycleListener.JmxRegistry because of the use of sun.rmi.registry.RegistryImpl. There is an attempt to suppress this for

CTR: requesting review of org.apache.catalina.startup.TestMultipartConfig

2020-04-28 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 All, I'd like a review of the test-case I wrote for the multipart config stuff. It *works*, but perhaps there are better ways to do the things that I did. Someone who is more familiar with all the various ways of testing Tomcat would probably

Re: git-fu is (still) weak

2020-04-28 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Rémy, On 4/27/20 18:41, Rémy Maucherat wrote: > On Tue, Apr 28, 2020 at 12:21 AM Christopher Schultz > <mailto:ch...@christopherschultz.net>> wrote: > > All, > > I tried again to commit to

Re: git-fu is (still) weak

2020-04-27 Thread Christopher Schultz
with github, and github can see the commit in tc10. Other than manually handing the diffs myself, I have no idea what to do, next. :( - -chris On 2/24/20 11:33, Christopher Schultz wrote: > All, > > I'm trying to cherry-pick a commit. The commit went through > github, merged a PR from a

Re: Position on failing tests with vendor-modified OpenSSL packages

2020-04-24 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mark and Michael, On 4/24/20 07:24, Michael Osipov wrote: > On 2020-04-24 at 08:57, Mark Thomas wrote: >> On 24/04/2020 00:45, Michael Osipov wrote: >>> Folks, >>> >>> I run test from Tomcat master and libtcnative master on >>> FreeBSD, RHEL 7 and

Re: [tomcat-native] branch master updated: Introduce tcn_get_thread_id(void) to reduce code duplication

2020-04-24 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Michael, On 4/23/20 18:42, micha...@apache.org wrote: > This is an automated email from the ASF dual-hosted git > repository. > > michaelo pushed a commit to branch master in repository > https://gitbox.apache.org/repos/asf/tomcat-native.git > > >

Re: [VOTE] Release Apache Tomcat 8.5.54

2020-04-06 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mark, On 4/3/20 10:30, Mark Thomas wrote: > The proposed Apache Tomcat 8.5.54 release is now available for > voting. > > The major changes compared to the 8.5.53 release are: > > - Add support for default values when using ${...} property >

Re: Remaining Tomcat 10 items

2020-03-30 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mark, On 3/27/20 13:12, Mark Thomas wrote: > Spec - STRICT_SERVLET_COMPLIANCE Is a useful short-cut - Move the > remaining ones to the Context or related object where possible (I > haven't checked how easy that would be) Would it be possible to

Re: [tomcat] branch master updated: Remove two system properties used for configuration

2020-03-25 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Rémy, Should there be a note about this in the migration guide? - -chris On 3/25/20 12:58, r...@apache.org wrote: > This is an automated email from the ASF dual-hosted git > repository. > > remm pushed a commit to branch master in repository >

Re: Adding Content-Security-Policy support to HttpHeaderSecurityFilter

2020-03-25 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mark, On 3/24/20 17:51, Mark Thomas wrote: > On 24/03/2020 21:28, Christopher Schultz wrote: >> All, >> >> While replying to James's recent message about this filter's >> anti click-jacking features[1], I was surprised

Adding Content-Security-Policy support to HttpHeaderSecurityFilter

2020-03-24 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 All, While replying to James's recent message about this filter's anti click-jacking features[1], I was surprised to see that this filter does not have any support for the Content-Security-Policy header. Adding such support would be fairly simple:

Re: Request line parsing

2020-03-23 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mark, On 3/23/20 11:35, Mark Thomas wrote: > On 23/03/2020 14:59, Christopher Schultz wrote: > > > >> My only concern here is that request line + header-processing >> really has to match whatever reverse proxy serv

Re: Request line parsing

2020-03-23 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mark, On 3/23/20 09:01, Mark Thomas wrote: > Hi, > > I am currently looking at the request line parsing. I'll try and > set out each issue in turn. > > End of line parsing === > > Prior to the recent changes, Tomcat allowed CRLF or

Re: Remaining Tomcat 10 items

2020-03-23 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Rémy, On 3/23/20 05:37, Rémy Maucherat wrote: > I'm looking at the TODO list, in addition to some extra items. In > order ... > > - Remove APR connector. Is there still general approval for that, > and is that still the plan for Tomcat 10.0 ? See

Re: [tomcat] branch master updated: Add a check that the URIEncoding is a superset of US-ASCII.

2020-03-13 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mark, On 3/13/20 07:48, Mark Thomas wrote: > On 13/03/2020 11:37, ma...@apache.org wrote: >> This is an automated email from the ASF dual-hosted git >> repository. >> >> markt pushed a commit to branch master in repository >>

Re: [Bug 64210] parsing request headers fail

2020-03-10 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mark, On 3/10/20 08:52, Mark Thomas wrote: > On 10/03/2020 10:14, bugzi...@apache.org wrote: >> https://bz.apache.org/bugzilla/show_bug.cgi?id=64210 >> >> --- Comment #3 from Mark Thomas --- Thanks. >> I'm able to reproduce this. I'm working on

Re: [tomcat-native] Installation structure

2020-03-09 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Michael, On 3/9/20 10:20, Michael Osipov wrote: > Folks, > > I have been recently reviewing some downstream changes in > tomcat-native. Can someone explain to me why we install header files > along with the .pc file? > >> . ├── bin ├── include │ ├──

Re: Trouble building and running Tomcat 10 unit tests

2020-03-04 Thread Christopher Schultz
; I use Ant 1.9.14 and OpenJDK 8 b242 and again everything is green. > BuildBot is also stable: > https://ci.apache.org/builders/tomcat-trunk Looks like a completely clean build got things working again: both the normal and the test build. - -chris > On Tue, Mar 3, 2020 at 10:31 PM Christ

Re: [tomcat] branch master updated: BZ 64190 Add 'proper' ms support to OneLineFormatter.

2020-03-04 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mark, On 3/3/20 09:36, ma...@apache.org wrote: > This is an automated email from the ASF dual-hosted git > repository. > > markt pushed a commit to branch master in repository > https://gitbox.apache.org/repos/asf/tomcat.git > > > The following

Trouble building and running Tomcat 10 unit tests

2020-03-03 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 All, I'm up-to-date with git master, using ant 1.9.13, JDK 13. $ ant test [...] test-compile: [javac] Compiling 1 source file to /Users/christopherschultz/git/tomcat-trunk/output/testclasses [javac] Ignoring source, target and

[jira] [Commented] (MTOMCAT-319) CVEs in the library dependencies

2020-03-01 Thread Christopher Schultz (Jira)
[ https://issues.apache.org/jira/browse/MTOMCAT-319?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17048663#comment-17048663 ] Christopher Schultz commented on MTOMCAT-319: - h2 database is only used during testing

Re: [tomcat] branch master updated: Update request start time using nanoTime

2020-03-01 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Martin, On 2/28/20 04:44, Martin Grigorov wrote: > Chris, > > On Fri, Feb 28, 2020 at 12:20 AM Christopher Schultz > <mailto:ch...@christopherschultz.net>> wrote: > > Rémy, > > On 2/27/20 10:49, r...@apache.o

Re: [tomcat] branch master updated: Update request start time using nanoTime

2020-02-27 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 All, Some interesting[1] reading: https://steveloughran.blogspot.com/2015/09/time-on-multi-core-multi-socket-servers.html - -chris [1] For some definitions of "interesting" On 2/27/20 17:26, Christopher Schultz wrote: > Rémy, >

Re: [tomcat] branch master updated: Update request start time using nanoTime

2020-02-27 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Rémy, On 2/27/20 17:20, Christopher Schultz wrote: > Rémy, > > On 2/27/20 10:49, r...@apache.org wrote: >> This is an automated email from the ASF dual-hosted git >> repository. > >> remm pushed a commit to branch

Re: [tomcat] branch master updated: Update request start time using nanoTime

2020-02-27 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Rémy, On 2/27/20 10:49, r...@apache.org wrote: > This is an automated email from the ASF dual-hosted git > repository. > > remm pushed a commit to branch master in repository > https://gitbox.apache.org/repos/asf/tomcat.git > > > The following

Re: Download stats

2020-02-27 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Martin, On 2/27/20 02:59, Martin Grigorov wrote: > Hi, > > On Wed, Feb 26, 2020 at 5:40 PM Mark Thomas > wrote: > > Hi all, > > I took a look at the download stats from downloads.apache.org > .

Re: Enabling http to https redirects for tomcat.apache.org

2020-02-25 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mark, On 2/25/20 17:29, Mark Thomas wrote: > On 25/02/2020 20:45, Christopher Schultz wrote: >> Mark, >> >> On 2/25/20 14:34, Mark Thomas wrote: >>> On 25/02/2020 15:53, Felix Schumacher wrote: >>>> H

Re: [tomcat] branch master updated: BZ 64166. HttpServletResponse.getHeaderNames() now returns unique names

2020-02-25 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mark, On 2/25/20 14:38, ma...@apache.org wrote: > This is an automated email from the ASF dual-hosted git > repository. > > markt pushed a commit to branch master in repository > https://gitbox.apache.org/repos/asf/tomcat.git > > > The following

Re: Enabling http to https redirects for tomcat.apache.org

2020-02-25 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mark, On 2/25/20 14:34, Mark Thomas wrote: > On 25/02/2020 15:53, Felix Schumacher wrote: >> Hi all, >> >> as more and more browsers are marking http as unsecure, we >> should redirect all http requests to tomcat.apache.org to https. > > I really
