cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/util RequestUtil.java

2000-12-11 Thread remm
remm 00/12/11 23:50:17 Modified: catalina/src/share/org/apache/catalina/util RequestUtil.java Log: - Minor fix: will handle quoted charset names. Revision Changes Path 1.10 +8 -4 jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/util/RequestUtil.java

Re: [SECURITY] Security Vulnerabilities in Tomcat 3.1 and 3.2

2000-12-11 Thread Nick Bauman
On Mon, 11 Dec 2000, Craig R. McClanahan wrote: > > Tomcat 3.2 final has the following security vulnerabilities that have > subsequently been fixed in the CVS repository: > * A URL like "http://localhost:8080/examples//WEB-INF/web.xml" can > expose sensitive information (note the double slash

Compiling JSP's with debugging info in Tomcat 3.3

2000-12-11 Thread Larry Isaacs
> BTW, another piece of feedback - would it be possible to implement part > of this as an interceptor ? I was assuming for Tomcat 3.3 the JSP option properties would be implemented in JspInterceptor since it is tied to Jasper anyway. Do you have more general plans for JspInterceptor that would

cvs commit: jakarta-tomcat/src/webpages index.html

2000-12-11 Thread craigmcc
craigmcc 00/12/11 20:51:39 Modified: . Tag: tomcat_32 RELEASE-NOTES src/share/org/apache/tomcat/core Tag: tomcat_32 Constants.java src/webpages Tag: tomcat_32 index.html Log: Change version numbers (and update the release no

RE: [SECURITY] Security Vulnerabilities in Tomcat 3.1 and 3.2

2000-12-11 Thread Larry Isaacs
> Proposal #1: Release a Tomcat 3.1.1 that fixes *only* the security > problems +1 > Proposal #2: Release a Tomcat 3.2.1 that fixes the following security > problems > plus the patches committed to date. + 1 Larry

Re: [SECURITY] Security Vulnerabilities in Tomcat 3.1 and 3.2

2000-12-11 Thread Jon Stevens
on 12/11/2000 5:59 PM, "Craig R. McClanahan" <[EMAIL PROTECTED]> wrote: > I'm certainly game to remove 3.1 once we know that 3.1.1 doesn't introduce any > nasty > problems, but just removing 3.1 doesn't help all the thousands of people who > have > apps running on 3.1 and who cannot, for various

Re: [SECURITY] Security Vulnerabilities in Tomcat 3.1 and 3.2

2000-12-11 Thread Jon Stevens
on 12/11/2000 5:19 PM, "Craig R. McClanahan" <[EMAIL PROTECTED]> wrote: > Over the last three days, a review of published and soon-to-be-published > reports > of security vulnerabilities in Tomcat has uncovered a series of problems in > the > 3.1 final release, and a couple of less serious (but s

Re: [SECURITY] Security Vulnerabilities in Tomcat 3.1 and 3.2

2000-12-11 Thread Craig R. McClanahan
Hans Bergsten wrote: > "Craig R. McClanahan" wrote: > > [...] > > Proposal #1: Release a Tomcat 3.1.1 that fixes *only* the security problems > > +0. Is removing TC 3.1 from the download pages an alternative? There shouldn't > be any reason for anyone to use TC 3.1 now when 3.2 is released. Upgr

cvs commit: jakarta-tomcat/src/webpages index.html

2000-12-11 Thread craigmcc
craigmcc 00/12/11 17:56:02 Modified: src/share/org/apache/tomcat/core Tag: TOMCAT_31_BRANCH Constants.java src/share/org/apache/tomcat/session Tag: TOMCAT_31_BRANCH ServerSessionManager.java src/webpages Tag: TO

Re: [SECURITY] Security Vulnerabilities in Tomcat 3.1 and 3.2

2000-12-11 Thread Hans Bergsten
"Craig R. McClanahan" wrote: > [...] > Proposal #1: Release a Tomcat 3.1.1 that fixes *only* the security problems +0. Is removing TC 3.1 from the download pages an alternative? There shouldn't be any reason for anyone to use TC 3.1 now when 3.2 is released. Upgrading to 3.2.1 could be the recom

Re: CVS Help

2000-12-11 Thread Jeff Turner
On Mon, 11 Dec 2000, Sean wrote: > I am trying to get CVS working on my machine so I can download the > latest Tomcat codebase but ... the documentation on the website does > not say what or how to get a login and password to the CVS server. > How do I get these so I can get access to the

Re: [SECURITY] Security Vulnerabilities in Tomcat 3.1 and 3.2

2000-12-11 Thread Remy Maucherat
> Proposal #1: Release a Tomcat 3.1.1 that fixes *only* the security problems +1. > Proposal #2: Release a Tomcat 3.2.1 that fixes the following security problems > plus the patches committed to date. +1. Remy

Re: PoolTcpEndpoint.java

2000-12-11 Thread Glenn Nielsen
I only applied a small patch to PoolTcpEndpoint.java. I am directing this to the tomcat-dev list, there are a lot of different people who work on the tomcat source, so this type of question is best directed to the list. Glenn Boon Hian Tek wrote: > > Hi Glenn, > > I saw that you were the last o

[SECURITY] Security Vulnerabilities in Tomcat 3.1 and 3.2

2000-12-11 Thread Craig R. McClanahan
Over the last three days, a review of published and soon-to-be-published reports of security vulnerabilities in Tomcat has uncovered a series of problems in the 3.1 final release, and a couple of less serious (but still significant) problems in 3.2. Please vote (quickly) on the following two issu

please ignore my previous post

2000-12-11 Thread Cherie Yoon
I apologize. This question was supposed to be sent to tomcat-user. > -Original Message- > From: Cherie Yoon > Sent: Monday, December 11, 2000 6:32 PM > To: '[EMAIL PROTECTED]' > Subject: path > > Hi, > > I got apache-tomcat working on linux. now i would like to load js

cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/util SessionIdGenerator.java SessionUtil.java

2000-12-11 Thread craigmcc
craigmcc 00/12/11 17:01:06 Modified: . Tag: TOMCAT_31_BRANCH build.xml src/admin/WEB-INF Tag: TOMCAT_31_BRANCH web.xml src/etc Tag: TOMCAT_31_BRANCH web.xml src/examples/WEB-INF Tag: TOMCAT_31_BRANCH web.xml src/examples/

Can't stop tomcat on solaris

2000-12-11 Thread Blair Tingey
Hello, I have installed Tomcat 3.1 on Solaris and I have not modified any of the XML files so this is a pretty generic install. After starting tomcat using ./tomcat.sh start I issue the command: ./tomcat.sh stop to stop Tomcat and the process does not stop. It looks as if classes

cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/startup Main.java

2000-12-11 Thread costin
costin 00/12/11 16:42:50 Modified: src/facade22/org/apache/tomcat/facade Servlet22Interceptor.java ServletWrapper.java WebXmlReader.java src/facade22/org/apache/tomcat/modules/facade22 JspInterceptor.

BugRat Report #567 has been filed.

2000-12-11 Thread BugRat Mail System
Bug report #567 has just been filed. You can view the report at the following URL: REPORT #567 Details. Project: Tomcat Category: Bug Report SubCategory: New Bug Report Class: swbug State: received Priority: medium Severity: non-crit

CVS Help

2000-12-11 Thread Sean
I am trying to get CVS working on my machine so I can download the latest Tomcat codebase but ... the documentation on the website does not say what or how to get a login and password to the CVS server. How do I get these so I can get access to the server? Any help you can provide on g

cvs commit: jakarta-tomcat/src/native/iis jk_isapi_plugin.c

2000-12-11 Thread nacho
nacho 00/12/11 13:18:26 Modified: src/native/iis Tag: tomcat_32 jk_isapi_plugin.c Log: Bug #61 http://znutar.cortexity.com/BugRatAdmin/ShowBug/61 Redirect fails with IE after posting a form to a servlet Reported & Solved by Joe Prevo ( [EMAIL PROTECTED] ) Revision Cha

cvs commit: jakarta-tomcat/src/native/mod_jk/iis jk_isapi_plugin.c

2000-12-11 Thread nacho
nacho 00/12/11 13:17:49 Modified: src/native/mod_jk/iis jk_isapi_plugin.c Log: Bug #61 http://znutar.cortexity.com/BugRatAdmin/ShowBug/61 Redirect fails with IE after posting a form to a servlet Reported & Solved by Joe Prevo ( [EMAIL PROTECTED] ) Revision ChangesPat

Re: [VOTE] Compiling JSP's with debugging info

2000-12-11 Thread cmanolache
> > The only feedback on the more specific proposal was from Costin > relating to Tomcat 3.3. I'm not sure if I should interpret this > as an overall -1 for committing any of these changes to Tomcat It's a +1 - the feedback tries to help you with a different perspective and a different idea. I d

[PATCH] Initialize SessionIdGenerator PRNG

2000-12-11 Thread Marc Saegesser
Attached are patches to StandardManager.java and SessionIdGenerator.java. These changes cause the PRNG used to generate session ids to be initialized when a context is initialized instead of when the first session id is generated. The PRNG used by default in 3.2 (java.security.SecureRandom) takes

Load Balancing Info

2000-12-11 Thread Shahed Ali
Hi All, The examples in the tomcat docs that talk about load balancing etc seem to be incorrect. Are there any good docs out there that can explain to me how to set up a load balanced environment? I think what I want to do is set up multiple worker threads, but all of them need to serv

Re: HTTP Extension Framework Spec

2000-12-11 Thread N.Rajesh Babu
I have written a jsp that contains some java script; the browser (netscape 4.73 and ie 4.0) is not executing script functions when I submit the form. What is the problem? I deadly need it. Someone please reply. I am using tomcat webserver.

[VOTE] Compiling JSP's with debugging info

2000-12-11 Thread Larry Isaacs
Hi, The only feedback on the more specific proposal was from Costin relating to Tomcat 3.3. I'm not sure if I should interpret this as an overall -1 for committing any of these changes to Tomcat 3.2M1. I have no problem making these changes local to SAS Institute's copy of Tomcat 3.2. To better

RE: cvs commit:jakarta-tomcat/src/examples/WEB-INF/classes/examples ShowSource.java

2000-12-11 Thread David Rees
> (Don't ask me what I think of stupid operating systems that > accept "//" in a > pathname and simply ignore them like Linux does ... grrr). SGI IRIX 6.5.8 and FreeBSD 4.1-STABLE also behave the same way, I would expect all Unix machines to do the same. -Dave

Re: [PROPOSAL] JSSI for Tomcat

2000-12-11 Thread Hans Bergsten
Kief Morris wrote: > > Hans Bergsten typed the following on 19:17 10/12/2000 -0800 > >But maybe I'm missing something. Are you saying the whole SSI processing > >should be done as an interceptor instead of as a servlet? > > Is this something that could be done as a Servlet 2.3 Filter, and so b

cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/request SimpleMapper1.java StaticInterceptor.java

2000-12-11 Thread craigmcc
craigmcc 00/12/11 09:52:31 Modified: src/share/org/apache/tomcat/request Tag: tomcat_32 SimpleMapper1.java StaticInterceptor.java Log: Fix a security vulnerability that would display the contents of sensitive files when a URL like this was used: ht

Re: BugRat Report #557 has been filed.

2000-12-11 Thread Mike Anderson
This sounds like a DNS issue. One of the things that the Netscape plugin does is try to resolve the remote host name (jk_nsapi_plugin.c line 405). This forces a DNS lookup which is notorious for having problems on NetWare. There are a couple of ways around it. 1. Make sure that the fi

Re: cvs commit:jakarta-tomcat/src/examples/WEB-INF/classes/examples ShowSource.java

2000-12-11 Thread Craig R. McClanahan
Luc Vanlerberghe wrote: > Wouldn't it be a better idea NOT to expand the contents of the WEB-INF > and META-INF directories along with the rest of the webapp and expand > them into some other directory instead? > It would certainly be possible to do this, but I'm not sure it would help any on th

cvs commit: jakarta-tomcat/src/doc tomcat-ssl-howto.html

2000-12-11 Thread hgomez
hgomez 00/12/11 09:13:30 Modified: src/doc Tag: tomcat_32 tomcat-ssl-howto.html Log: Updated documentation on SSL (SSLVars) Revision Changes Path No revision No revision 1.1.2.2 +14 -3 jakarta-tomcat/src/doc/tomca

RE: relative redirect problem using port mapping vip

2000-12-11 Thread Benoit Lalumiere (LMC)
Thanks, looks good now Benoit Lalumiere Software Architect Jambala Innovation Cell Ericsson Canada (LMC) > -Original Message- > From: Nacho [SMTP:[EMAIL PROTECTED]] > Sent: Monday, December 11, 2000 12:02 PM > To: '[EMAIL PROTECTED]' > Subject: RE: relative redirect problem using

cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets DefaultServlet.java

2000-12-11 Thread remm
remm 00/12/11 09:07:27 Modified: catalina/src/share/org/apache/catalina/servlets DefaultServlet.java Log: - Fix a security problem where /WEB-INF could be accessed using a path like //WEB-INF. Now, the path is normalized before checking for /WEB-INF.

RE: relative redirect problem using port mapping vip

2000-12-11 Thread Nacho
At requestImpl.initRequest() Regards, Ignacio J. Ortega > -Original Message- > From: Benoit Lalumiere (LMC) [mailto:[EMAIL PROTECTED]] > Sent: Monday, December 11, 2000 17:52 > To: '[EMAIL PROTECTED]' > Subject: RE: relative redirect problem using port mapping vip > > > ye

Custom error pages!!

2000-12-11 Thread Pankaj Bhagat
Hi ppl: I had posted a very simple query..but had not received any comments. So am i the only unlucky person who's stuck on this simple problem. Any suggestions are welcome plz. I want Custom error pages, in my application, the two solutions i have is to use the "ErrorDocument" dire

RE: relative redirect problem using port mapping vip

2000-12-11 Thread Benoit Lalumiere (LMC)
yes it does solve the problem thanks, I guess I missed that change when I did my diffs. but where is the serverport initialized to -1, in the RequestImpl class, it is still initialized to 0... Benoit Lalumiere Software Architect Jambala Innovation Cell Ericsson Canada (LMC) > -Original Mess

RE: relative redirect problem using port mapping vip

2000-12-11 Thread Nacho
> > I am still using 3.1 but I looked at the code of 3.2 and it > is doing the > same thing... from the redirect in the DefaultServlet class to the > toAbsolute method in the HttpServletResponseFacade class and the > HttpRequestAdapter.getServerPort() method Have a look in the HttpRequestAdapte

RE: relative redirect problem using port mapping vip

2000-12-11 Thread Benoit Lalumiere (LMC)
I am still using 3.1 but I looked at the code of 3.2 and it is doing the same thing... from the redirect in the DefaultServlet class to the toAbsolute method in the HttpServletResponseFacade class and the HttpRequestAdapter.getServerPort() method Can you tell me in which class you put a fix such

RE: relative redirect problem using port mapping vip

2000-12-11 Thread Nacho
Hello Benoit: > properly. It > takes the host name from the request header but takes the > port from the web > server (from HttpRequestAdapter.getServerPort). therefore creating a > redirect url command with the right IP address but the wrong > port (in our > case 8080 i.o. 80). That seems to

Re: Problem to limit the number of connections

2000-12-11 Thread Sophie Lemonnier
Dear Arieh, Thank you for your response but I am afraid it does not work! I have entered the following lines in my server.xml file: I have chosen very small values to test it easily. Unfortunately,

Re: cvs commit:jakarta-tomcat/src/examples/WEB-INF/classes/examples ShowSource.java

2000-12-11 Thread Luc Vanlerberghe
Wouldn't it be a better idea NOT to expand the contents of the WEB-INF and META-INF directories along with the rest of the webapp and expand them into some other directory instead? Instead of making everything available and try to restrict access afterwards, it would be much safer not to make it

BugRat Report #566 has been filed.

2000-12-11 Thread BugRat Mail System
Bug report #566 has just been filed. You can view the report at the following URL: REPORT #566 Details. Project: Jasper Category: Bug Report SubCategory: New Bug Report Class: swbug State: received Priority: medium Severity: non-crit

nsapi_redirector.so for Solaris

2000-12-11 Thread Allen Akers
I've had numerous requests for the compiled nsapi_redirector.so for Solaris. This has been tested on Solaris 2.6 and 7 with Netscape (iPlanet) 3.6 and 4.0. http://www.aressoftware.net/downloads/nsapi_redirector.zip Allen Akers Programmer Analyst

cvs commit: jakarta-tomcat/src/doc tomcat-ssl-howto.html

2000-12-11 Thread hgomez
hgomez 00/12/11 07:05:22 Modified: src/doc tomcat-ssl-howto.html Log: Updated documentation on SSL (SSLVars) Revision Changes Path 1.3 +270 -259 jakarta-tomcat/src/doc/tomcat-ssl-howto.html Index: tomcat-ssl-howto.html ==

RE: relative redirect problem using port mapping vip

2000-12-11 Thread Benoit Lalumiere (LMC)
Thanks, that is what I thought also, but that relative redirect is on the welcome file code of tomcat so I was just verifying... Benoit Lalumiere Software Architect Jambala Innovation Cell Ericsson Canada (LMC) > -Original Message- > From: Joe Prevo [SMTP:[EMAIL PROTECTED]] > Sent: Friday

Re: Enterprise Tomcat

2000-12-11 Thread Pier P. Fumagalli
Falcon cheetah <[EMAIL PROTECTED]> wrote: > > I used to work in the second largest financial institute in the world, as they > call themselves, here in the US. And they were using stuff other than at that > time JServ and early version Tomcat. I believe you're talking about BofA... They're using

RE: TC 4.0M5 / TC 3.2.1

2000-12-11 Thread GOMEZ Henri
>Which can be a good thing if you're using Linux. But if you're doing >development on Windows, it's a PITA to take it to your Linux >box, and run it >through alien so you can put it on your Windows box. I think RPM must/could be used in Unix world but on Windows environment you must use somet

Re: [PROPOSAL] JSSI for Tomcat

2000-12-11 Thread Kief Morris
Hans Bergsten typed the following on 19:17 10/12/2000 -0800 >But maybe I'm missing something. Are you saying the whole SSI processing >should be done as an interceptor instead of as a servlet? Is this something that could be done as a Servlet 2.3 Filter, and so be completely container independ

BugRat Report #565 has been filed.

2000-12-11 Thread BugRat Mail System
Bug report #565 has just been filed. You can view the report at the following URL: REPORT #565 Details. Project: Tomcat Category: Bug Report SubCategory: New Bug Report Class: swbug State: received Priority: high Severity: critical C

RE: BugRat Report #487 - encodeURL() not working in SSL Scheme (Bug in HttpServletResponseFacade.toAbsolut(String url))

2000-12-11 Thread Stubenrauch,Andreas
Hi, Sorry but bugrat swallowed the workaround: You can install JSSE (Java security Extensions) and set the properties to use the https URLStreamHandler included within there. (Put the JSSE jars in your classpath and add -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol to your Ja