February 2018 - jboss-jira - Jboss List Archives

[JBoss JIRA] (WFLY-9620) ServletContext.getResourceAsStream, for deployments which have (Java EE) servlet overlays, serves files which are outside of the deployment

by Yeray Borges (JIRA)

[ https://issues.jboss.org/browse/WFLY-9620?page=com.atlassian.jira.plugin.... ] Yeray Borges updated WFLY-9620: ------------------------------- Git Pull Request: https://github.com/wildfly/wildfly/pull/10748, https://github.com/wildfly/wildfly/pull/10784, https://github.com/wildfly/wildfly/pull/10815 (was: https://github.com/wildfly/wildfly/pull/10748, https://github.com/wildfly/wildfly/pull/10784) > ServletContext.getResourceAsStream, for deployments which have (Java EE) servlet overlays, serves files which are outside of the deployment > ------------------------------------------------------------------------------------------------------------------------------------------- > > Key: WFLY-9620 > URL: https://issues.jboss.org/browse/WFLY-9620 > Project: WildFly > Issue Type: Bug > Components: Web (Undertow) > Affects Versions: 9.0.2.Final, 10.1.0.Final, 11.0.0.Final > Reporter: Laurent ROUSSEL > Assignee: Yeray Borges > Priority: Critical > Fix For: 12.0.0.Alpha1 > > > A user has reported in the forums that there appears to be an issue (since 9.0.x till present 11.0.0 WildFly releases) where files like `/etc/passwd` are served by the web container to the clients, when the client requests a crafted URL against a Java EE deployment which has (Java EE) servlet overlays. Please see the referenced forum thread[1] for more details. > Although, the steps noted in that thread involves Spring framework and gets triggered in a very specific way, the root cause appears to be the call to `ServletContext.getResourceAsInputStream` (which is what the spring framework ends up calling with a path like "/../../../../../../../..//etc/passwd", ends up actually serving the resource even if the path is outside the scope of the deployment to which the servlet context belongs. > I could reproduce this against the latest WildFly in a simple test case that's here [2] > [1] https://developer.jboss.org/thread/276826 > [2] https://github.com/jaikiran/wildfly/commit/ed05258aa824ab91a52ef6554e9707... > P.S: The credit for reporting this issue should go to Laurent Roussel who reported this in the forum thread, but I don't have access to change the "Reporter" field of the JIRA -- This message was sent by Atlassian JIRA (v7.5.0#75005)

8 years, 3 months

1
0
0 / 0

[JBoss JIRA] (WFLY-9758) Update jboss-openjdk-orb library

by Kabir Khan (JIRA)

[ https://issues.jboss.org/browse/WFLY-9758?page=com.atlassian.jira.plugin.... ] Kabir Khan commented on WFLY-9758: ---------------------------------- [~mminar] [~psakar] I merged the pull request. Licenses seemed ok for the previous version from http://10.8.242.116/license-check-record?rootPomGav=org.jboss.openjdk-orb... and I can't find upstream to check this is still the case. Also you're not around, and I really need to get control over the PR queue > Update jboss-openjdk-orb library > -------------------------------- > > Key: WFLY-9758 > URL: https://issues.jboss.org/browse/WFLY-9758 > Project: WildFly > Issue Type: Bug > Components: IIOP > Affects Versions: 11.0.0.Final > Reporter: Tomasz Adamski > Assignee: Tomasz Adamski > Fix For: 12.0.0.Alpha1 > > > Update jboss-openjdk-orb library to 8.1.0.Final > Reason: rebase - apply our patches on top of current OpenJDK ORB. -- This message was sent by Atlassian JIRA (v7.5.0#75005)

8 years, 3 months

1
0
0 / 0

[JBoss JIRA] (WFLY-9765) CdiFailoverTestCase should be based on regular failover test case

by Radoslav Husar (JIRA)

[ https://issues.jboss.org/browse/WFLY-9765?page=com.atlassian.jira.plugin.... ] Radoslav Husar updated WFLY-9765: --------------------------------- Description: This test case was just copy/paste of the original test. This is wrong since it doesn't benefit from the extensions and validations of the main web test class. > CdiFailoverTestCase should be based on regular failover test case > ----------------------------------------------------------------- > > Key: WFLY-9765 > URL: https://issues.jboss.org/browse/WFLY-9765 > Project: WildFly > Issue Type: Task > Components: Clustering, Test Suite > Affects Versions: 11.0.0.Final > Reporter: Radoslav Husar > Assignee: Radoslav Husar > Priority: Minor > > This test case was just copy/paste of the original test. This is wrong since it doesn't benefit from the extensions and validations of the main web test class. -- This message was sent by Atlassian JIRA (v7.5.0#75005)

8 years, 3 months

1
0
0 / 0

[JBoss JIRA] (WFLY-9765) CdiFailoverTestCase should be based on generic web failover test case

by Radoslav Husar (JIRA)

[ https://issues.jboss.org/browse/WFLY-9765?page=com.atlassian.jira.plugin.... ] Radoslav Husar updated WFLY-9765: --------------------------------- Summary: CdiFailoverTestCase should be based on generic web failover test case (was: CdiFailoverTestCase should be based on regular failover test case) > CdiFailoverTestCase should be based on generic web failover test case > --------------------------------------------------------------------- > > Key: WFLY-9765 > URL: https://issues.jboss.org/browse/WFLY-9765 > Project: WildFly > Issue Type: Task > Components: Clustering, Test Suite > Affects Versions: 11.0.0.Final > Reporter: Radoslav Husar > Assignee: Radoslav Husar > Priority: Minor > > This test case was just copy/paste of the original test. This is wrong since it doesn't benefit from the extensions and validations of the main web test class. -- This message was sent by Atlassian JIRA (v7.5.0#75005)

8 years, 3 months

1
0
0 / 0

[JBoss JIRA] (WFLY-9765) CdiFailoverTestCase should be based on regular failover test case

by Radoslav Husar (JIRA)

Radoslav Husar created WFLY-9765: ------------------------------------ Summary: CdiFailoverTestCase should be based on regular failover test case Key: WFLY-9765 URL: https://issues.jboss.org/browse/WFLY-9765 Project: WildFly Issue Type: Task Components: Clustering, Test Suite Affects Versions: 11.0.0.Final Reporter: Radoslav Husar Assignee: Radoslav Husar Priority: Minor -- This message was sent by Atlassian JIRA (v7.5.0#75005)

8 years, 3 months

1
0
0 / 0

[JBoss JIRA] (WFLY-9764) State transfer chunk-size description is wrong.

by Paul Ferraro (JIRA)

Paul Ferraro created WFLY-9764: ---------------------------------- Summary: State transfer chunk-size description is wrong. Key: WFLY-9764 URL: https://issues.jboss.org/browse/WFLY-9764 Project: WildFly Issue Type: Bug Components: Clustering Affects Versions: 11.0.0.Final Reporter: Paul Ferraro Assignee: Paul Ferraro Chunk size refers to a number of cache entries - not bytes. -- This message was sent by Atlassian JIRA (v7.5.0#75005)

8 years, 3 months

1
0
0 / 0

[JBoss JIRA] (WFCORE-3577) Add support for coloured output to CLI

by Ingo Weiss (JIRA)

[ https://issues.jboss.org/browse/WFCORE-3577?page=com.atlassian.jira.plugi... ] Ingo Weiss updated WFCORE-3577: ------------------------------- Issue Type: Feature Request (was: Enhancement) > Add support for coloured output to CLI > -------------------------------------- > > Key: WFCORE-3577 > URL: https://issues.jboss.org/browse/WFCORE-3577 > Project: WildFly Core > Issue Type: Feature Request > Components: CLI > Affects Versions: 4.0.0.Beta1 > Reporter: Ingo Weiss > Assignee: Jean-Francois Denise > > Add support to colour for CLI outputs -- This message was sent by Atlassian JIRA (v7.5.0#75005)

8 years, 3 months

1
0
0 / 0

[JBoss JIRA] (JGRP-2249) CENTRAL_LOCK2: reconciliation protocol on coord change

by Bela Ban (JIRA)

[ https://issues.jboss.org/browse/JGRP-2249?page=com.atlassian.jira.plugin.... ] Bela Ban updated JGRP-2249: --------------------------- Summary: CENTRAL_LOCK2: reconciliation protocol on coord change (was: CENTRAL_LOCK2: reconciliation protocolon coord change) > CENTRAL_LOCK2: reconciliation protocol on coord change > ------------------------------------------------------ > > Key: JGRP-2249 > URL: https://issues.jboss.org/browse/JGRP-2249 > Project: JGroups > Issue Type: Feature Request > Reporter: Bela Ban > Assignee: Bela Ban > Fix For: 4.0.11 > > > Implement a reconciliation protocol when the coord changes: instead of backing up all lock information to another member, the new coord asks all members for their current lock information (acquired locks, pending acquire and release requests) and constructs the lock table accordingly. > This is described in https://issues.jboss.org/browse/JGRP-2234 (later comments). > Comment from 2234: > Clients need to have the following information: > * Locks they acquired > * Pending lock requests; locks which they want to acquire but for which they haven't yet received a LOCK_GRANTED response > * Pending lock release requests; lock that have been released, but for which no RELEASE_LOCK_OK response has been received > * Ditto for conditions, but we'll tackle them in a second stage > The reconciliation protocol queues all new requests on the coord and asks all members for their lock information. Once the coord has received this information from all members, it applies this and then drains the queue of pending requests. > It is important that the requests are ordered per member, ie. a release(L) cannot come before a lock(L). > Since {{CENTRAL_LOCK}} allows for multiple members to hold the same lock in a split brain scenario, we need to think about how to handle merging where the coord detects that multiple members hold the same lock... -- This message was sent by Atlassian JIRA (v7.5.0#75005)

8 years, 3 months

1
0
0 / 0

[JBoss JIRA] (WFCORE-3577) Add support for coloured output to CLI

by Brian Stansberry (JIRA)

[ https://issues.jboss.org/browse/WFCORE-3577?page=com.atlassian.jira.plugi... ] Brian Stansberry commented on WFCORE-3577: ------------------------------------------ If this is configurable it is a Feature Request not an Enhancement. Probably even if it's not configurable. :) > Add support for coloured output to CLI > -------------------------------------- > > Key: WFCORE-3577 > URL: https://issues.jboss.org/browse/WFCORE-3577 > Project: WildFly Core > Issue Type: Enhancement > Components: CLI > Affects Versions: 4.0.0.Beta1 > Reporter: Ingo Weiss > Assignee: Jean-Francois Denise > > Add support to colour for CLI outputs -- This message was sent by Atlassian JIRA (v7.5.0#75005)

8 years, 3 months

1
0
0 / 0

[JBoss JIRA] (WFLY-9763) Move legacy subsystems to a legacy feature pack

by Jeff Mesnil (JIRA)

[ https://issues.jboss.org/browse/WFLY-9763?page=com.atlassian.jira.plugin.... ] Jeff Mesnil updated WFLY-9763: ------------------------------ Fix Version/s: 13.0.0.CR1 > Move legacy subsystems to a legacy feature pack > ----------------------------------------------- > > Key: WFLY-9763 > URL: https://issues.jboss.org/browse/WFLY-9763 > Project: WildFly > Issue Type: Task > Affects Versions: 11.0.0.Final > Reporter: Jeff Mesnil > Assignee: Jeff Mesnil > Fix For: 13.0.0.CR1 > > > This issue is the result of the proposal to move legacy subsystems in a a legacy feature pack as explained in http://wildfly-development.1055759.n5.nabble.com/proposal-Move-legacy-ext... > Impacted subsystems: > * cmp > * configadmin > * jaxr > * messaging > * web > GA of the created feature-pack: org.wildfly:wildfly-legacy-feature-pack > The version will be final and will start at 12.0.0.Alpha1 so that there is no confusion with the GAV of the subsystems . > Proposed GitHub repository: github.com/wildfly/wildfly-legacy > All the subsystems will keep the same versions than WildFly for the time being. > The main functional change is that migration tests are no longer in the legacy subsystems but in the new subsystems that takes responsibility for the migration (e.g. undertow for web, messaging-activemq for messaging). -- This message was sent by Atlassian JIRA (v7.5.0#75005)

8 years, 3 months

1
0
0 / 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

jboss-jira February 2018