Why does the Rfc6265CookieProcessor handle the version 1 cookie?
Hi all,

The documentation of the Cookie Processor says that the Rfc6265CookieProcessor is based on RFC 6265. The RFC 6265 specification does not allow the Version attribute in the Cookie header. However, the Rfc6265CookieProcessor handles the version 1 cookie ($Version=1). I think the Rfc6265CookieProcessor should comply with the RFC 6265 specification, which does not allow the Version attribute. Why does the Rfc6265CookieProcessor handle the version 1 cookie?

Best regards,
Kyohei Nakamura

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [SECURITY][CORRECTION] CVE-2016-3092 Apache Tomcat Denial of Service
Hi,

I have a question about the maxHttpHeaderSize. In this announcement, the recommended value is 3072 bytes. However, in the announcement from the Apache Commons project, the recommended value is 2048 bytes.
http://mail-archives.apache.org/mod_mbox/www-announce/201606.mbox/%3c45a20804-abff-4fed-a297-69ac95ab9...@apache.org%3E

If an application uses Apache Commons FileUpload (not the Tomcat File Upload feature), which one should I use, "3072" or "2048"?

2016-06-22 19:02 GMT+09:00 Mark Thomas:
> Note: This announcement corrects several errors and omissions in the
> Tomcat aspects of the announcement for CVE-2016-3092 from the Apache
> Commons project that was recently forwarded to various Apache Tomcat
> mailing lists.
>
> For the sake of clarity, the Tomcat specific corrections are as follows:
> 1. This is a Denial of Service vulnerability, not an Information
>    Disclosure vulnerability.
> 2. Apache Tomcat 8.5.x is also affected. The vulnerability exists in
>    8.5.0 to 8.5.2 and affected users of 8.5.x should upgrade to 8.5.3.
> 3. Apache Tomcat 6.x and earlier are not affected.
> 4. Applications that do not use the File Upload feature introduced in
>    Servlet 3.0 are not vulnerable via Tomcat.
>
> A corrected announcement, for Tomcat only, follows.
>
>
> CVE-2016-3092: Apache Tomcat Denial of Service
>
> Severity: Moderate
>
> Vendor:
> The Apache Software Foundation
>
> Versions Affected:
> Apache Tomcat 9.0.0.M1 to 9.0.0.M6
> Apache Tomcat 8.5.0 to 8.5.2
> Apache Tomcat 8.0.0.RC1 to 8.0.35
> Apache Tomcat 7.0.0 to 7.0.69
> Earlier versions are not affected.
>
> Description:
> CVE-2016-3092 is a denial of service vulnerability that has been
> corrected in the Apache Commons FileUpload component. It occurred when
> the length of the multipart boundary was just below the size of the
> buffer (4096 bytes) used to read the uploaded file. This caused the file
> upload process to take several orders of magnitude longer than if the
> boundary length was the typical tens of bytes.
>
> Apache Tomcat uses a package renamed copy of Apache Commons FileUpload
> to implement the file upload requirements of the Servlet specification
> and was therefore also vulnerable to the denial of service vulnerability.
>
> Applications that do not use the File Upload feature introduced in
> Servlet 3.0 are not affected by the Tomcat aspect of this vulnerability.
> If those applications use Apache Commons FileUpload, they may still be
> affected.
>
> Mitigation:
> Users of affected versions should apply one of the following mitigations
> - Upgrade to Apache Tomcat 9.0.0.M8 or later
>   (9.0.0.M7 has the fix but was not released)
> - Upgrade to Apache Tomcat 8.5.3 or later
> - Upgrade to Apache Tomcat 8.0.36 or later
> - Upgrade to Apache Tomcat 7.0.70 or later
>
> Workaround:
> The issue may be mitigated by limiting the length of the boundary.
> Applications could do this with a custom Filter to reject requests that
> use large boundaries.
> Tomcat provides the maxHttpHeaderSize attribute on the Connector that
> can be used to limit the total HTTP header size. Users should be aware
> that reducing this to 3072 (which should be low enough to protect
> against this DoS) may cause other issues as applications can require
> larger headers than this for correct operation, particularly if the
> application uses relatively large cookie values.
>
> Credit:
> This issue was identified by the TERASOLUNA Framework Development Team
> at the Software Engineering, Research and Development Headquarters and
> reported to the ASF via JPCERT.
>
> References:
> http://tomcat.apache.org/security-9.html
> http://tomcat.apache.org/security-8.html
> http://tomcat.apache.org/security-7.html
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: Tomcat 8 Application dispatcherServlet Stats
What does "response time" mean?
The "Processing time" includes the time from the end of the servlet instance's service method until the end of StandardWrapperValve#invoke().

2016-01-14 17:27 GMT+09:00 Theo Sweeny <theo.swe...@avios.com>:
> Hello Kyohei,
>
> -Original Message-
> From: Kyohei Nakamura [mailto:nakamura.kyohei@gmail.com]
> Sent: 14 January 2016 06:45
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: Tomcat 8 Application dispatcherServlet Stats
>
> Hello
>
> The "Processing time" metric represents the execution time of
> StandardWrapperValve#invoke().
> This is the execution time of the servlet and filters.
> This value of "Processing time" is the total of each request's
> execution time.
>
> What is the dispatcherServlet?
> If dispatcherServlet accepts all requests as a front controller (like
> Spring's DispatcherServlet), then this value is the total execution time of
> all requests that the context receives.
>
>
> 2016-01-13 20:19 GMT+09:00 Theo Sweeny <theo.swe...@avios.com>:
>
> > Hello - at the moment stats can be found for Tomcat 8 web services
> > using the manager UI /manager/status/all
> >
> > Is the "Processing time" metric found under dispatcherServlet [ / ]
> > subsection the total time taken to serve all requests, including the
> > response time for each request?
> >
> > Regards,
> >
> > Theo
> > Avios Group (AGL) Ltd is a limited company registered in England
> > (registered number 2260073 and VAT number 512566754) whose registered
> > address is Astral Towers, Betts Way, London Road, Crawley, West Sussex
> > RH10 9XY. Avios Group (AGL) Limited is part of the IAG group of
> > companies. This email and any files transmitted with it are
> > confidential and intended solely for the use of the individual or entity
> > to whom they are addressed.
> > If you have received this email in error please notify the system
> > manager.
>
> Does the total execution time for each request include the response time?
>
> Thank you,
> Theo
Re: Tomcat 8 Application dispatcherServlet Stats
Hello

The "Processing time" metric represents the execution time of StandardWrapperValve#invoke(). This is the execution time of the servlet and filters. This value of "Processing time" is the total of each request's execution time.

What is the dispatcherServlet? If dispatcherServlet accepts all requests as a front controller (like Spring's DispatcherServlet), then this value is the total execution time of all requests that the context receives.

2016-01-13 20:19 GMT+09:00 Theo Sweeny:
> Hello - at the moment stats can be found for Tomcat 8 web services using
> the manager UI /manager/status/all
>
> Is the "Processing time" metric found under dispatcherServlet [ / ]
> subsection the total time taken to serve all requests, including the
> response time for each request?
>
> Regards,
>
> Theo
Re: Upload big file for data
Hi Edwin

First, you don't provide information about your apps. If you want to get a better answer, you should provide your Tomcat version, configuration and app information.

If you use multipart/form-data in order to upload a file, you can use the following settings.

* web.xml
  x

Or you can use the following annotation.

  @MultipartConfig(maxFileSize=x)

In addition, when the allowCasualMultipartParsing attribute of the Context element is set to true (the default is false), Tomcat will be able to parse multipart/form-data request bodies. In that case, the max file size is taken from the maxPostSize attribute of the Connector element.

If you use POST data, you can see the maxPostSize attribute description in the Connector docs.

2016-01-12 0:25 GMT+09:00 Edwin Quijada:
> Hi!
> I am a newbie using Tomcat and I have a problem uploading a big file. I
> wanna upload a big CSV file, 140 MB, but when this begins nothing happens.
> Is there any setting to change to allow uploading this file?
> This file has records that will be processed into my app.
>
>
> Thanks in advance
Re: How to set up log rotate for Catalina.out
2015-12-02 5:30 GMT+09:00 jins abraham <jinsrabra...@yahoo.com.invalid>:
>
> Hi
> Is there an option to do log rotate for Catalina.out within the
> configuration.
>
> Thanks
> Jins Abraham

There is no such option within the Tomcat configuration. In order to rotate the catalina.out, you can use techniques such as those shown on the following page.
http://wiki.apache.org/tomcat/FAQ/Logging#Q10

Kyohei Nakamura
Re: Tomcat 8, Log4j, setting environment variables in setenv.sh
How about using the extras package if you want to use Log4j for Tomcat logging?
http://tomcat.apache.org/tomcat-8.0-doc/logging.html#Using_Log4j

2015-02-26 5:23 GMT+09:00 Owens, Stephen (ITD) <stephen.ow...@state.ma.us>:
> Hello,
>
> For Tomcat 8 using log4j and Apache Commons Logging, what would be the
> correct values to specify in setenv.sh for:
>
> LOGGING_MANAGER
> LOGGING_CONFIG
>
> For a tomcat-7.0.26 installation, the values in setenv.sh were:
>
> export LOGGING_CONFIG=-Dlog4j.configuration=log4j.properties
> export LOGGING_MANAGER=-Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.Log4JLogger
>
> Are those the correct values for Tomcat 8 as well?
>
> Thanks,
> Stephen R. Owens
> Email: stephen.ow...@state.ma.us