Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core StandardServer.java
Am Sonntag, 05.01.03 um 02:15 Uhr schrieb Roberto Casanova: You should not revert completely to revision 1.32. There were two changes done to StandardServer.java in your commit of revision 1.33. We discussed only the first change (in method convertStr around line 824) and I think we agree it should be reverted. But the second change done in that same commit actually fixes the original problem (bug 15762) and should be preserved. I agree. I simply forgot to point that out in my last post. In discussing this bug, and looking at bug 15798 (which is Windows-specific, I guess, but nevertheless concerns a similiar issue), I think that the way the XML files are written 'by hand' through PrintWriters is prone to produce bugs of this kind, because it is easy to forget that some strings must be encoded. Isn't there some standard API for _writing_ XML, which takes care of these encoding issues transparently? I thought about maybe having a look at the Cocoon project's Serializers, which I think do something like this via SAX events. Of course, one could also construct a DOM tree and write that out, but I don't know whether this is a good idea in terms of performance. Also, I don't know if encoding issues are taken care of in each approach. Ciao, Christoph -- --- Christoph Seibert [EMAIL PROTECTED] --- -- Farlon Dragon -==(UDIC)==-http://home.pages.de/~seibert/ -- - Who can possibly rule if no one- - who wants to can be allowed to? - D. Adams, HHGTTG - -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core StandardServer.java
Am Freitag, 03.01.03 um 23:48 Uhr schrieb Roberto Casanova: I see another problem with this code. Suppose for some reason we have an attribute or resource parameter value like the following (without the quotes): gt; corresponds to The correct XML for this string is: amp;gt; corresponds to gt; However this code would write to server.xml: gt; corresponds to gt; The next time the server.xml file is read in, we end up with: corresponds to which is different than the original string. In my opinion this portion of the code should be left as it was in revision 1.32: Actually, after reading the code in context (that is, I've had a look at StandardServer.java), I agree with this. The change to convertStr() results in inconsistent handling of input strings. The question I've been asking myself is: Why should convertStr() treat the input string as if it was a mixture of unescaped and already escaped ,,,' and characters? Since I still don't have the full context, I don't know where the input string comes from, so I can't really answer that. If the input string comes from a form, it should be treated as in revision 1.32, because of what Roberto points out. If it comes from an XML file, no conversion should be necessary, because the XML parser checks for well-formedness of the input file - unless the parser resolves the entity and character references before passing the string, in which case the conversion becomes necessary again. (Wow, I hope this doesn't sound like complete drivel... ;-)) Ciao, Christoph -- --- Christoph Seibert [EMAIL PROTECTED] --- -- Farlon Dragon -==(UDIC)==-http://home.pages.de/~seibert/ -- - Who can possibly rule if no one- - who wants to can be allowed to? - D. Adams, HHGTTG - -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core StandardServer.java
Am Freitag, 03.01.03 um 20:55 Uhr schrieb Amy Roh: Christoph Seibert wrote: Fix for bugzilla 15762. I'm sorry I don't have a better fix right now, but I assume one would have to iterate through the characters following the '' until either a ';' is found or a character occurs that is not a legal part of an entity reference name (or in the case of a character reference, not one of [0-9] for decimal or [0-9a-fA-F] for hexadecimal). I believe iterating through the characters following the '' to look for ';' is found will fix the problem. A character such as '#x00020' without following ';' will result in parsing error where as '#x00020;' will be written as a space(' '). I'm sorry (really - I'm new here and already I start correcting other people's code without having contributed any myself), but I don't think this is sufficient. On encountering a string like 'I like to spell as amp;' your solution would treat ' as amp;' as a valid entity reference, and would not escape the first '' character. However, please also see my answer to Roberto's mail before making another change. Ciao, Christoph -- --- Christoph Seibert [EMAIL PROTECTED] --- -- Farlon Dragon -==(UDIC)==-http://home.pages.de/~seibert/ -- - Who can possibly rule if no one- - who wants to can be allowed to? - D. Adams, HHGTTG - -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
RE: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core StandardServer.java
You should not revert completely to revision 1.32. There were two changes done to StandardServer.java in your commit of revision 1.33. We discussed only the first change (in method convertStr around line 824) and I think we agree it should be reverted. But the second change done in that same commit actually fixes the original problem (bug 15762) and should be preserved. This is in method storeNamingResources around line 1822: @@ -1822,7 +1830,7 @@ writer.print(' '); } writer.print(value); -writer.print(value); +writer.print(convertStr(value)); writer.println(/value); for (int j = 0; j indent + 2; j++) { writer.print(' '); Actually, I have been running Tomcat with this same fix for a month or so, and it works well. You can enter special characters (like ) in the data source url using the admin webapp (no need to escape them), they get stored in server.xml and read back properly. (I had attached that patch with the original bug report) Thanks Roberto From: Amy Roh Sent: Sunday, January 05, 2003 0:46 Roberto Casanova wrote: I see another problem with this code. Suppose for some reason we have an attribute or resource parameter value like the following (without the quotes): gt; corresponds to The correct XML for this string is: amp;gt; corresponds to gt; However this code would write to server.xml: gt; corresponds to gt; The next time the server.xml file is read in, we end up with: corresponds to which is different than the original string. In my opinion this portion of the code should be left as it was in revision 1.32: I see the problem with the previous commit - Sorry, I should have thought about it more before making the quick change. However, the original problem of second time admin saving url in invalid form still occurs with revision 1.32. The workaround is to make sure url is in valid form in datasource page everytime you commit any changes via admin. Is this workaround feasible? Amy Roberto Christoph Seibert wrote: Hi there, I think there is a problem with the following fix: amyroh 2003/01/02 17:59:09 Modified:catalina/src/share/org/apache/catalina/core StandardServer.java Log: Fix for bugzilla 15762. [...] diff -u -r1.32 -r1.33 --- StandardServer.java11 Sep 2002 14:19:33 -1.32 +++ StandardServer.java3 Jan 2003 01:59:08 -1.33 @@ -824,7 +824,15 @@ } else if (c == '') { filtered.append(quot;); } else if (c == '') { -filtered.append(amp;); +char s1 = input.charAt(i+3); +char s2 = input.charAt(i+4); +char s3 = input.charAt(i+5); +if (((s1 == ';') || (s2 == ';')) || (s3 == ';')) { +// do not convert if it's already in converted form +filtered.append(c); +} else { +filtered.append(amp;); +} } else { filtered.append(c); } (Note: I haven't had a look at the surrounding code yet, so I have to assume that 'i' is the position of 'c', that is the '' character.) This code assumes that character or entity references will not be shorter than 4 characters (including the delimiters '' and ';') and no longer than 6. However, the XML specification does not in any way define restrictions like that. For example, 'd;' is a valid entity reference (assuming it was defined in the DTD). Worse, character or entity references can have arbitrary length. For example, '#x00020' is a valid character reference to the ' ' (space) character. I'm sorry I don't have a better fix right now, but I assume one would have to iterate through the characters following the '' until either a ';' is found or a character occurs that is not a legal part of an entity reference name (or in the case of a character reference, not one of [0-9] for decimal or [0-9a-fA-F] for hexadecimal). (Actually, I believe this wheel must already have been invented, but with only looking at this code snippet, I don't really know.) I believe iterating through the characters following the '' to look for ';' is found will fix the problem. A character such as '#x00020' without following ';' will result in parsing error where as '#x00020;' will be written as a space(' '). Thanks, Amy Ciao, Christoph -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core StandardServer.java
Hi there, I think there is a problem with the following fix: amyroh 2003/01/02 17:59:09 Modified:catalina/src/share/org/apache/catalina/core StandardServer.java Log: Fix for bugzilla 15762. [...] diff -u -r1.32 -r1.33 --- StandardServer.java 11 Sep 2002 14:19:33 - 1.32 +++ StandardServer.java 3 Jan 2003 01:59:08 - 1.33 @@ -824,7 +824,15 @@ } else if (c == '') { filtered.append(quot;); } else if (c == '') { -filtered.append(amp;); +char s1 = input.charAt(i+3); +char s2 = input.charAt(i+4); +char s3 = input.charAt(i+5); +if (((s1 == ';') || (s2 == ';')) || (s3 == ';')) { +// do not convert if it's already in converted form +filtered.append(c); +} else { +filtered.append(amp;); +} } else { filtered.append(c); } (Note: I haven't had a look at the surrounding code yet, so I have to assume that 'i' is the position of 'c', that is the '' character.) This code assumes that character or entity references will not be shorter than 4 characters (including the delimiters '' and ';') and no longer than 6. However, the XML specification does not in any way define restrictions like that. For example, 'd;' is a valid entity reference (assuming it was defined in the DTD). Worse, character or entity references can have arbitrary length. For example, '#x00020' is a valid character reference to the ' ' (space) character. I'm sorry I don't have a better fix right now, but I assume one would have to iterate through the characters following the '' until either a ';' is found or a character occurs that is not a legal part of an entity reference name (or in the case of a character reference, not one of [0-9] for decimal or [0-9a-fA-F] for hexadecimal). (Actually, I believe this wheel must already have been invented, but with only looking at this code snippet, I don't really know.) Ciao, Christoph -- --- Christoph Seibert [EMAIL PROTECTED] --- -- Farlon Dragon -==(UDIC)==-http://home.pages.de/~seibert/ -- - Who can possibly rule if no one- - who wants to can be allowed to? - D. Adams, HHGTTG - -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
RE: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core StandardServer.java
I see another problem with this code. Suppose for some reason we have an attribute or resource parameter value like the following (without the quotes): gt; corresponds to The correct XML for this string is: amp;gt; corresponds to gt; However this code would write to server.xml: gt; corresponds to gt; The next time the server.xml file is read in, we end up with: corresponds to which is different than the original string. In my opinion this portion of the code should be left as it was in revision 1.32: Roberto -Original Message- From: Amy Roh [mailto:[EMAIL PROTECTED]] Sent: Friday, January 03, 2003 20:55 To: Tomcat Developers List Subject: Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core StandardServer.java Christoph Seibert wrote: Hi there, I think there is a problem with the following fix: amyroh 2003/01/02 17:59:09 Modified:catalina/src/share/org/apache/catalina/core StandardServer.java Log: Fix for bugzilla 15762. [...] diff -u -r1.32 -r1.33 --- StandardServer.java11 Sep 2002 14:19:33 -1.32 +++ StandardServer.java3 Jan 2003 01:59:08 -1.33 @@ -824,7 +824,15 @@ } else if (c == '') { filtered.append(quot;); } else if (c == '') { -filtered.append(amp;); +char s1 = input.charAt(i+3); +char s2 = input.charAt(i+4); +char s3 = input.charAt(i+5); +if (((s1 == ';') || (s2 == ';')) || (s3 == ';')) { +// do not convert if it's already in converted form +filtered.append(c); +} else { +filtered.append(amp;); +} } else { filtered.append(c); } (Note: I haven't had a look at the surrounding code yet, so I have to assume that 'i' is the position of 'c', that is the '' character.) This code assumes that character or entity references will not be shorter than 4 characters (including the delimiters '' and ';') and no longer than 6. However, the XML specification does not in any way define restrictions like that. For example, 'd;' is a valid entity reference (assuming it was defined in the DTD). Worse, character or entity references can have arbitrary length. For example, '#x00020' is a valid character reference to the ' ' (space) character. I'm sorry I don't have a better fix right now, but I assume one would have to iterate through the characters following the '' until either a ';' is found or a character occurs that is not a legal part of an entity reference name (or in the case of a character reference, not one of [0-9] for decimal or [0-9a-fA-F] for hexadecimal). (Actually, I believe this wheel must already have been invented, but with only looking at this code snippet, I don't really know.) I believe iterating through the characters following the '' to look for ';' is found will fix the problem. A character such as '#x00020' without following ';' will result in parsing error where as '#x00020;' will be written as a space(' '). Thanks, Amy Ciao, Christoph -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core StandardServer.java
craigmcc02/01/31 12:56:03 Modified:catalina/src/share/org/apache/catalina/connector/http HttpConnector.java catalina/src/share/org/apache/catalina/core StandardServer.java Log: Enhance the exception message produced when creating a server socket fails (typically due to an Address in use situation) to include the port number of the failed open. Enhancements to the proposed patch include: * If the socket is only for a particular IP address, report that also. * Add a similar enhancement to the message for the shutdown port opening (although you will normally encounter an error on the connector before running in to this one). PR: Bugzilla #6130 Submitted by: Jon Stevens [EMAIL PROTECTED] +1 for the change. Sorry Jon, I didn't have much time to apply it :-( Remy -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core StandardServer.java
PR: Bugzilla #6130 Submitted by: Jon Stevens [EMAIL PROTECTED] +1 for the change. Does that mean ok for 4.0.2 as well? Nope, but +1 too. I don't see what anything it could break. Remy -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core StandardServer.java
On Tue, Aug 21, 2001 at 06:51:52PM -, [EMAIL PROTECTED] wrote: craigmcc01/08/21 11:51:52 Modified:catalina/src/share/org/apache/catalina/core StandardServer.java Log: Fix for a DoS attack against the shutdown port, that could cause an out of memory exception by sending a continuous stream of characters. Now, Tomcat will only listen for enough characters to match or not-match the required password, then it shuts the port. Now I'll know exactly how long the shutdown password is. =-) -- justin