Why does the Rfc6265CookieProcessor handle the version 1 cookie?

2016-07-12 Thread Kyohei Nakamura
Hi all,

The documentation of the Cookie Processor says that the
Rfc6265CookieProcessor is based on the RFC6265.
The RFC6265 specification does not allow the Version attribute in the
Cookie header.
However the Rfc6265CookieProcessor handles the version 1 cookie ($Version=1).
I think the Rfc6265CookieProcessor should comply with the RFC6265
specification, which does not allow the Version attribute.

Why does the Rfc6265CookieProcessor handle the version 1 cookie?


Best regards,
Kyohei Nakamura

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: [SECURITY][CORRECTION] CVE-2016-3092 Apache Tomcat Denial of Service

2016-06-30 Thread Kyohei Nakamura
Hi,

I have a question about the maxHttpHeaderSize.

In this announcement, the recommended value is 3072 bytes.
However, in the announcement from the Apache Commons project, the
recommended value is 2048 bytes.
http://mail-archives.apache.org/mod_mbox/www-announce/201606.mbox/%3c45a20804-abff-4fed-a297-69ac95ab9...@apache.org%3E

If an application uses Apache Commons FileUpload (not the Tomcat File
Upload feature), which one should I use, "3072" or "2048"?


2016-06-22 19:02 GMT+09:00 Mark Thomas :
> Note: This announcement corrects several errors and omissions in the
> Tomcat aspects of the announcement for CVE-2016-3092 from the Apache
> Commons project that was recently forwarded to various Apache Tomcat
> mailing lists.
>
> For the sake of clarity, the Tomcat specific corrections are as follows:
> 1. This is a Denial of Service vulnerability, not an Information
> Disclosure vulnerability.
> 2. Apache Tomcat 8.5.x is also affected. The vulnerability exists in
> 8.5.0 to 8.5.2 and affected users of 8.5.x should upgrade to 8.5.3.
> 3. Apache Tomcat 6.x and earlier are not affected.
> 4. Applications that do not use the File Upload feature introduced in
> Servlet 3.0 are not vulnerable via Tomcat.
>
> A corrected announcement, for Tomcat only, follows.
>
>
> CVE-2016-3092: Apache Tomcat Denial of Service
>
> Severity: Moderate
>
> Vendor:
> The Apache Software Foundation
>
> Versions Affected:
> Apache Tomcat 9.0.0.M1 to 9.0.0M6
> Apache Tomcat 8.5.0 to 8.5.2
> Apache Tomcat 8.0.0.RC1 to 8.0.35
> Apache Tomcat 7.0.0 to 7.0.69
> Earlier versions are not affected.
>
> Description:
> CVE-2016-3092 is a denial of service vulnerability that has been
> corrected in the Apache Commons FileUpload component. It occurred when
> the length of the multipart boundary was just below the size of the
> buffer (4096 bytes) used to read the uploaded file. This caused the file
> upload process to take several orders of magnitude longer than if the
> boundary length was the typical tens of bytes.
>
> Apache Tomcat uses a package renamed copy of Apache Commons FileUpload
> to implement the file upload requirements of the Servlet specification
> and was therefore also vulnerable to the denial of service vulnerability.
>
> Applications that do not use the File Upload feature introduced in
> Servlet 3.0 are not affected by the Tomcat aspect of this vulnerability.
> If those applications use Apache Commons FileUpload, they may still be
> affected.
>
> Mitigation:
> Users of affected versions should apply one of the following mitigations
> - Upgrade to Apache Tomcat 9.0.0.M8 or later
>   (9.0.0.M7 has the fix but was not released)
> - Upgrade to Apache Tomcat 8.5.3 or later
> - Upgrade to Apache Tomcat 8.0.36 or later
> - Upgrade to Apache Tomcat 7.0.70 or later
>
> Workaround:
> The issue may be mitigated by limiting the length of the boundary.
> Applications could do this with a custom Filter to reject requests that
> use large boundaries.
> Tomcat provides the maxHttpHeaderSize attribute on the Connector that
> can be used to limit the total HTTP header size. Users should be aware
> that reducing this to 3072 (which should be low enough to protect
> against this DoS) may cause other issues as applications can require
> larger headers than this for correct operation, particularly if the
> application uses relatively large cookie values.
>
> Credit:
> This issue was identified by the TERASOLUNA Framework Development Team
> at the Software Engineering, Research and Development Headquarters and
> reported to the ASF via JPCERT.
>
> References:
> http://tomcat.apache.org/security-9.html
> http://tomcat.apache.org/security-8.html
> http://tomcat.apache.org/security-7.html
>
>




Re: Tomcat 8 Application dispatcherServlet Stats

2016-01-14 Thread Kyohei Nakamura
What does "response time" mean?

The "Processing time" includes the time from the end of the servlet
instance's service method until the end of StandardWrapperValve#invoke().


2016-01-14 17:27 GMT+09:00 Theo Sweeny <theo.swe...@avios.com>:

> Hello Kyohei,
>
> -Original Message-
> From: Kyohei Nakamura [mailto:nakamura.kyohei@gmail.com]
> Sent: 14 January 2016 06:45
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: Tomcat 8 Application dispatcherServlet Stats
>
> Hello
>
> The "Processing time" metric represents the execution time of
> StandardWrapperValve#invoke().
> This is the execution time of the servlet and filters.
> This value of "Processing time" is the total of each request's
> execution time.
>
> What is the dispatcherServlet?
> If dispatcherServlet accepts all requests as a front controller (like
> Spring's DispatcherServlet), then this value is the total execution time of
> all requests that the context receives.
>
>
> 2016-01-13 20:19 GMT+09:00 Theo Sweeny <theo.swe...@avios.com>:
>
> > Hello - at the moment stats can be found for Tomcat 8 web services
> > using the manager UI /manager/status/all
> >
> > Is the "Processing time" metric found under the dispatcherServlet [ / ]
> > subsection the total time taken to serve all requests, including the
> > response time for each request?
> >
> > Regards,
> >
> > Theo
> > Avios Group (AGL) Ltd is a limited company registered in England
> > (registered number 2260073 and VAT number 512566754) whose registered
> > address is Astral Towers, Betts Way, London Road, Crawley, West Sussex
> > RH10 9XY . Avios Group (AGL) Limited is part of the IAG group of
> > companies This email and any files transmitted with it are
> > confidential and intended solely for the use of the individual or entity
> to whom they are addressed.
> > If you have received this email in error please notify the system
> manager.
> >
>
> Does the total execution time for each request include the response time?
>
> Thank you,
>
> Theo
>
>


Re: Tomcat 8 Application dispatcherServlet Stats

2016-01-13 Thread Kyohei Nakamura
Hello

The "Processing time" metric represents the execution time of
StandardWrapperValve#invoke().
This is the execution time of the servlet and filters.
This value of "Processing time" is the total of each request's execution
time.

What is the dispatcherServlet?
If dispatcherServlet accepts all requests as a front controller (like Spring's
DispatcherServlet), then this value is the total execution time of all
requests that the context receives.


2016-01-13 20:19 GMT+09:00 Theo Sweeny :

> Hello - at the moment stats can be found for Tomcat 8 web services using
> the manager UI /manager/status/all
>
> Is the "Processing time" metric found under the dispatcherServlet [ / ]
> subsection the total time taken to serve all requests, including the
> response time for each request?
>
> Regards,
>
> Theo
>


Re: Upload big file for data

2016-01-11 Thread Kyohei Nakamura
Hi Edwin

First, you didn't provide information about your app.
If you want a better answer, you should provide your Tomcat version,
configuration and application information.

If you use multipart/form-data to upload a file, you can use the
following settings.

* web.xml (inside the <servlet> element)

  <multipart-config>
    <max-file-size>x</max-file-size>
  </multipart-config>


Or you can use the following annotation.

  @MultipartConfig(maxFileSize=x)

In addition, when the allowCasualMultipartParsing attribute of the Context
element is set to true (the default is false), Tomcat will be able to parse
multipart/form-data request bodies.
In that case, the max file size is taken from the value of the maxPostSize
attribute of the Connector element.


If you use POST data, see the description of the maxPostSize attribute
in the Connector docs.

2016-01-12 0:25 GMT+09:00 Edwin Quijada :

> Hi!
> I am a newbie using Tomcat and I have a problem uploading a big file. I
> wanna upload a big CSV file, 140 MB, but when this begins nothing
> happens. Is there any setting to change to allow uploading this file?
> This file has records that will be processed in my app.
>
>
> Thanks in advance
>


Re: How to set up log rotate for Catalina.out

2015-12-01 Thread Kyohei Nakamura
2015-12-02 5:30 GMT+09:00 jins abraham <jinsrabra...@yahoo.com.invalid>:

> Hi
> Is there an option to do log rotation for Catalina.out within the
> configuration?
>
> Thanks
> Jins Abraham


There is no such option within Tomcat configuration.
In order to rotate the catalina.out, you can use techniques such as those
shown on the following page.

 http://wiki.apache.org/tomcat/FAQ/Logging#Q10

Kyohei Nakamura


Re: Tomcat 8, Log4j, setting environment variables in setenv.sh

2015-02-25 Thread Kyohei Nakamura
How about using the extras package if you want to use Log4j for Tomcat
logging?
http://tomcat.apache.org/tomcat-8.0-doc/logging.html#Using_Log4j

2015-02-26 5:23 GMT+09:00 Owens, Stephen (ITD) stephen.ow...@state.ma.us:

> Hello,
>
> For tomcat 8 using log4j and apache commons logging, what would be the
> correct values to specify in setenv.sh for:
> LOGGING_MANAGER
> LOGGING_CONFIG
>
> For a tomcat-7.0.26 installation, the values in setenv.sh were:
> export LOGGING_CONFIG=-Dlog4j.configuration=log4j.properties
> export
> LOGGING_MANAGER=-Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.Log4JLogger
>
> Are those the correct values for Tomcat 8 as well?
>
> Thanks,
>
> Stephen R. Owens
> Email: stephen.ow...@state.ma.us