JBossWeb SVN: r1527 - branches/2.1.x/java/org/apache/catalina/core.
by jbossweb-commits@lists.jboss.org
Author: jfrederic.clere(a)jboss.com
Date: 2010-08-16 02:58:18 -0400 (Mon, 16 Aug 2010)
New Revision: 1527
Modified:
branches/2.1.x/java/org/apache/catalina/core/AprLifecycleListener.java
Log:
use debug.
Modified: branches/2.1.x/java/org/apache/catalina/core/AprLifecycleListener.java
===================================================================
--- branches/2.1.x/java/org/apache/catalina/core/AprLifecycleListener.java 2010-08-11 17:15:11 UTC (rev 1526)
+++ branches/2.1.x/java/org/apache/catalina/core/AprLifecycleListener.java 2010-08-16 06:58:18 UTC (rev 1527)
@@ -96,7 +96,7 @@
}
try {
// terminateAPR();
- log.error("terminateAPR skipped for JBPAPP-4753");
+ log.debug("terminateAPR skipped for JBPAPP-4753");
} catch (Throwable t) {
if (!log.isDebugEnabled()) {
log.info(sm.getString("aprListener.aprDestroy"));
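Review bot: With `terminateAPR()` commented out, the `try` block in this hunk now contains only a `log.debug(...)` call, so the `catch (Throwable t)` branch that reports `aprListener.aprDestroy` can no longer be reached and the whole try/catch is dead code. Demoting the message to debug also means a normal production log carries no trace that the native shutdown is being skipped, so the intent should live in the code instead: `// JBPAPP-4753: terminateAPR() is deliberately skipped on shutdown; remove this workaround once the issue is resolved`. The same applies to the r1525 hunk further down the page that introduced the workaround. The enclosing method continues outside the hunk.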
JBossWeb SVN: r1526 - branches/2.1.x/java/org/apache/tomcat/util/net.
by jbossweb-commits@lists.jboss.org
Author: jfrederic.clere(a)jboss.com
Date: 2010-08-11 13:15:11 -0400 (Wed, 11 Aug 2010)
New Revision: 1526
Modified:
branches/2.1.x/java/org/apache/tomcat/util/net/JIoEndpoint.java
Log:
Try to reduce the JBPAPP-4779.
Modified: branches/2.1.x/java/org/apache/tomcat/util/net/JIoEndpoint.java
===================================================================
--- branches/2.1.x/java/org/apache/tomcat/util/net/JIoEndpoint.java 2010-08-11 17:00:08 UTC (rev 1525)
+++ branches/2.1.x/java/org/apache/tomcat/util/net/JIoEndpoint.java 2010-08-11 17:15:11 UTC (rev 1526)
@@ -163,6 +163,10 @@
public void setThreadPriority(int threadPriority) { this.threadPriority = threadPriority; }
public int getThreadPriority() { return threadPriority; }
+ /*
+ * wait for free worker when MaxThreads is reached.
+ */
+ protected boolean WAITFORWORKER = Boolean.valueOf(System.getProperty("org.apache.tomcat.util.net.WAITFORWORKER", "false")).booleanValue();
/**
* Server socket port.
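Review bot: `WAITFORWORKER` on the last added line is a mutable `protected` instance field named like a constant, re-read from the system property for every endpoint instance; `private static final boolean WAIT_FOR_WORKER = Boolean.getBoolean("org.apache.tomcat.util.net.WAITFORWORKER");` reads the same property with the same default and cannot be changed behind the endpoint's back. The block comment above it should also state what happens when the flag is off, since that is the new behaviour introduced by the later hunks: `/* Wait for a free worker when maxThreads is reached; when false, getWorkerThread() returns null and processSocket() returns false. */`. The surrounding class continues outside the hunk.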
@@ -700,7 +704,7 @@
protected Worker getWorkerThread() {
// Allocate a new worker thread
Worker workerThread = createWorkerThread();
- while (workerThread == null) {
+ while (workerThread == null && WAITFORWORKER) {
try {
synchronized (workers) {
workers.wait();
@@ -734,7 +738,11 @@
protected boolean processSocket(Socket socket) {
try {
if (executor == null) {
- getWorkerThread().assign(socket);
+ Worker worker = getWorkerThread();
+ if (worker != null)
+ worker.assign(socket);
+ else
+ return false;
} else {
executor.execute(new SocketProcessor(socket));
}
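Review bot: The new `return false` path taken when `getWorkerThread()` returns null leaves the accepted `socket` open inside `processSocket`; whether it is ever closed depends on the caller, which is outside the hunk, and if the acceptor does not close it on `false` the descriptor leaks exactly when the pool is exhausted. Either close the socket here before returning or make the contract explicit, e.g. `// null worker: pool exhausted and WAITFORWORKER is off; caller must close the socket`. The unbraced `if`/`else` also differs from the braced style of the surrounding code, and the Javadoc of `getWorkerThread()` in the previous hunk should now say that it may return null. The method body continues outside the hunk.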
JBossWeb SVN: r1525 - branches/2.1.x/java/org/apache/catalina/core.
by jbossweb-commits@lists.jboss.org
Author: jfrederic.clere(a)jboss.com
Date: 2010-08-11 13:00:08 -0400 (Wed, 11 Aug 2010)
New Revision: 1525
Modified:
branches/2.1.x/java/org/apache/catalina/core/AprLifecycleListener.java
Log:
Work-around for JBPAPP-4753
Modified: branches/2.1.x/java/org/apache/catalina/core/AprLifecycleListener.java
===================================================================
--- branches/2.1.x/java/org/apache/catalina/core/AprLifecycleListener.java 2010-08-10 21:11:09 UTC (rev 1524)
+++ branches/2.1.x/java/org/apache/catalina/core/AprLifecycleListener.java 2010-08-11 17:00:08 UTC (rev 1525)
@@ -95,7 +95,8 @@
return;
}
try {
- terminateAPR();
+ // terminateAPR();
+ log.error("terminateAPR skipped for JBPAPP-4753");
} catch (Throwable t) {
if (!log.isDebugEnabled()) {
log.info(sm.getString("aprListener.aprDestroy"));
JBossWeb SVN: r1524 - in branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-4864/src/share/classes/org/apache: catalina/connector and 6 other directories.
by jbossweb-commits@lists.jboss.org
Author: mmillson
Date: 2010-08-10 17:11:09 -0400 (Tue, 10 Aug 2010)
New Revision: 1524
Added:
branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-4864/src/share/classes/org/apache/catalina/deploy/SessionCookie.java
branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-4864/src/share/classes/org/apache/tomcat/util/http/TomcatCookie.java
Modified:
branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-4864/src/share/classes/org/apache/catalina/Context.java
branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-4864/src/share/classes/org/apache/catalina/connector/Request.java
branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-4864/src/share/classes/org/apache/catalina/connector/Response.java
branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-4864/src/share/classes/org/apache/catalina/core/StandardContext.java
branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-4864/src/share/classes/org/apache/catalina/startup/ContextRuleSet.java
branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-4864/src/share/classes/org/apache/coyote/http11/Http11AprProcessor.java
branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-4864/src/share/classes/org/apache/coyote/http11/Http11NioProcessor.java
branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-4864/src/share/classes/org/apache/coyote/http11/Http11Processor.java
branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-4864/src/share/classes/org/apache/coyote/http11/filters/BufferedInputFilter.java
branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-4864/src/share/classes/org/apache/tomcat/util/http/ServerCookie.java
Log:
Fix CVE-2010-2227 and add HttpOnly Cookie support for [JBPAPP-4864].
Modified: branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-4864/src/share/classes/org/apache/catalina/Context.java
===================================================================
--- branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-4864/src/share/classes/org/apache/catalina/Context.java 2010-08-10 19:29:32 UTC (rev 1523)
+++ branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-4864/src/share/classes/org/apache/catalina/Context.java 2010-08-10 21:11:09 UTC (rev 1524)
@@ -30,6 +30,7 @@
import org.apache.catalina.deploy.LoginConfig;
import org.apache.catalina.deploy.NamingResources;
import org.apache.catalina.deploy.SecurityConstraint;
+import org.apache.catalina.deploy.SessionCookie;
import org.apache.catalina.util.CharsetMapper;
@@ -173,8 +174,21 @@
*/
public boolean getCookies();
+ /**
+ * Set the session cookie configuration.
+ *
+ * @param sessionCookie The new value
+ */
+ public void setSessionCookie(SessionCookie sessionCookie);
+
/**
+ * Return the session cookie configuration.
+ */
+ public SessionCookie getSessionCookie();
+
+
+ /**
* Set the "use cookies for session ids" flag.
*
* @param cookies The new flag
Modified: branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-4864/src/share/classes/org/apache/catalina/connector/Request.java
===================================================================
--- branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-4864/src/share/classes/org/apache/catalina/connector/Request.java 2010-08-10 19:29:32 UTC (rev 1523)
+++ branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-4864/src/share/classes/org/apache/catalina/connector/Request.java 2010-08-10 21:11:09 UTC (rev 1524)
@@ -52,6 +52,7 @@
import org.apache.tomcat.util.http.FastHttpDateFormat;
import org.apache.tomcat.util.http.Parameters;
import org.apache.tomcat.util.http.ServerCookie;
+import org.apache.tomcat.util.http.TomcatCookie;
import org.apache.tomcat.util.http.mapper.MappingData;
import org.apache.coyote.ActionCode;
@@ -2296,7 +2297,7 @@
// Creating a new session cookie based on that session
if ((session != null) && (getContext() != null)
&& getContext().getCookies()) {
- Cookie cookie = new Cookie(Globals.SESSION_COOKIE_NAME,
+ TomcatCookie cookie = new TomcatCookie(Globals.SESSION_COOKIE_NAME,
session.getIdInternal());
configureSessionCookie(cookie);
response.addCookieInternal(cookie);
@@ -2316,7 +2317,7 @@
*
* @param cookie The JSESSIONID cookie to be configured
*/
- protected void configureSessionCookie(Cookie cookie) {
+ protected void configureSessionCookie(TomcatCookie cookie) {
cookie.setMaxAge(-1);
String contextPath = null;
if (!connector.getEmptySessionPath() && (getContext() != null)) {
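Review bot: Changing the `protected` signature from `Cookie` to `TomcatCookie` turns any subclass override of `configureSessionCookie(Cookie)` into an unrelated overload that is silently no longer called; on a patch branch that is a behavioural change worth at least a Javadoc note. Keeping the old parameter type and applying the HttpOnly logic via `cookie instanceof TomcatCookie` would avoid it, as would retaining a deprecated `configureSessionCookie(Cookie)` that delegates to the new method. The `@param` text still reads "The JSESSIONID cookie to be configured" and could mention that a `TomcatCookie` is required so that `setHttpOnly` is available. The method body continues outside the hunk.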
@@ -2327,6 +2328,9 @@
} else {
cookie.setPath("/");
}
+ if (context.getSessionCookie().isHttpOnly()) {
+ cookie.setHttpOnly(true);
+ }
if (isSecure()) {
cookie.setSecure(true);
}
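Review bot: `context.getSessionCookie().isHttpOnly()` dereferences the `context` field unconditionally while the lines just above guard on `getContext() != null`; the only caller shown (an earlier hunk) checks the context first, but nothing in this `protected` method enforces it, and `StandardContext.setSessionCookie` in this commit accepts null, so either dereference can throw. Only `isHttpOnly()` is consulted here although `SessionCookie` also carries `secure`, `domain`, `path` and `comment`, so a `<SessionCookie secure="true">` setting has no effect and the Secure attribute is still derived solely from `isSecure()` — which is what an operator would need to override behind a TLS-terminating proxy. A guarded form covers both: `SessionCookie sc = (context != null) ? context.getSessionCookie() : null;` / `if (sc != null && sc.isHttpOnly()) { cookie.setHttpOnly(true); }` / `if (isSecure() || (sc != null && sc.isSecure())) { cookie.setSecure(true); }`.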
Modified: branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-4864/src/share/classes/org/apache/catalina/connector/Response.java
===================================================================
--- branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-4864/src/share/classes/org/apache/catalina/connector/Response.java 2010-08-10 19:29:32 UTC (rev 1523)
+++ branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-4864/src/share/classes/org/apache/catalina/connector/Response.java 2010-08-10 21:11:09 UTC (rev 1524)
@@ -51,6 +51,7 @@
import org.apache.tomcat.util.http.FastHttpDateFormat;
import org.apache.tomcat.util.http.MimeHeaders;
import org.apache.tomcat.util.http.ServerCookie;
+import org.apache.tomcat.util.http.TomcatCookie;
import org.apache.tomcat.util.net.URL;
/**
@@ -962,7 +963,7 @@
(sb, cookie.getVersion(), cookie.getName(),
cookie.getValue(), cookie.getPath(),
cookie.getDomain(), cookie.getComment(),
- cookie.getMaxAge(), cookie.getSecure());
+ cookie.getMaxAge(), cookie.getSecure(), false);
return null;
}
});
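Review bot: Passing a literal `false` for the new `httpOnly` argument in this hunk and in the next one means a cookie reaching these call sites is never emitted with HttpOnly, even when it is a `TomcatCookie` with the flag set; the enclosing method name is outside the hunk, but this looks like the general `addCookie` path used by applications. `cookie.getHttpOnly()` is only honoured by the new `addCookieInternal(TomcatCookie)` overload further down, so the flag is effectively limited to the container-generated session cookie. Replacing the literal with `(cookie instanceof TomcatCookie) && ((TomcatCookie) cookie).getHttpOnly()` at both sites would make the paths agree.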
@@ -970,7 +971,7 @@
ServerCookie.appendCookieValue
(sb, cookie.getVersion(), cookie.getName(), cookie.getValue(),
cookie.getPath(), cookie.getDomain(), cookie.getComment(),
- cookie.getMaxAge(), cookie.getSecure());
+ cookie.getMaxAge(), cookie.getSecure(), false);
}
// if we reached here, no exception, cookie is valid
// the header name is Set-Cookie for both "old" and v.1 ( RFC2109 )
@@ -983,6 +984,47 @@
/**
+ * Add the specified Cookie to those that will be included with
+ * this Response.
+ *
+ * @param cookie Cookie to be added
+ */
+ public void addCookieInternal(final TomcatCookie cookie) {
+
+ if (isCommitted())
+ return;
+
+ final StringBuffer sb = new StringBuffer();
+ // web application code can receive a IllegalArgumentException
+ // from the appendCookieValue invocation
+ if (SecurityUtil.isPackageProtectionEnabled()) {
+ AccessController.doPrivileged(new PrivilegedAction() {
+ public Object run(){
+ ServerCookie.appendCookieValue
+ (sb, cookie.getVersion(), cookie.getName(),
+ cookie.getValue(), cookie.getPath(),
+ cookie.getDomain(), cookie.getComment(),
+ cookie.getMaxAge(), cookie.getSecure(), cookie.getHttpOnly());
+ return null;
+ }
+ });
+ } else {
+ ServerCookie.appendCookieValue
+ (sb, cookie.getVersion(), cookie.getName(), cookie.getValue(),
+ cookie.getPath(), cookie.getDomain(), cookie.getComment(),
+ cookie.getMaxAge(), cookie.getSecure(), cookie.getHttpOnly());
+ }
+ // if we reached here, no exception, cookie is valid
+ // the header name is Set-Cookie for both "old" and v.1 ( RFC2109 )
+ // RFC2965 is not supported by browsers and the Servlet spec
+ // asks for 2109.
+ addHeader("Set-Cookie", sb.toString());
+
+ cookies.add(cookie);
+ }
+
+
+ /**
* Add the specified date header to the specified value.
*
* @param name Name of the header to set
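Review bot: The new `addCookieInternal(TomcatCookie)` duplicates the existing `addCookieInternal(Cookie)` body line for line, differing only in the last `appendCookieValue` argument, and copies the raw `PrivilegedAction` along with it. Computing `boolean httpOnly = (cookie instanceof TomcatCookie) && ((TomcatCookie) cookie).getHttpOnly();` once inside the existing method and passing it through would give a single header-building path, with the `TomcatCookie` overload reduced to a delegation or dropped. The Javadoc is a copy of the original's and should say why this overload exists, e.g. `Adds a container-created cookie, honouring its HttpOnly flag.`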
Modified: branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-4864/src/share/classes/org/apache/catalina/core/StandardContext.java
===================================================================
--- branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-4864/src/share/classes/org/apache/catalina/core/StandardContext.java 2010-08-10 19:29:32 UTC (rev 1523)
+++ branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-4864/src/share/classes/org/apache/catalina/core/StandardContext.java 2010-08-10 21:11:09 UTC (rev 1524)
@@ -83,6 +83,7 @@
import org.apache.catalina.deploy.NamingResources;
import org.apache.catalina.deploy.SecurityCollection;
import org.apache.catalina.deploy.SecurityConstraint;
+import org.apache.catalina.deploy.SessionCookie;
import org.apache.catalina.loader.WebappLoader;
import org.apache.catalina.session.StandardManager;
import org.apache.catalina.startup.ContextConfig;
@@ -515,6 +516,11 @@
*/
private long sequenceNumber = 0;
+ /**
+ * The session cookie.
+ */
+ private SessionCookie sessionCookie = new SessionCookie();
+
/**
* The status code error pages for this web application, keyed by
* HTTP status code (as an Integer).
@@ -1375,6 +1381,25 @@
/**
+ * Set the session cookie configuration.
+ *
+ * @param sessionCookie The new value
+ */
+ public void setSessionCookie(SessionCookie sessionCookie) {
+ SessionCookie oldSessionCookie = this.sessionCookie;
+ this.sessionCookie = sessionCookie;
+ support.firePropertyChange("sessionCookie", oldSessionCookie, sessionCookie);
+ }
+
+
+ /**
+ * Return the session cookie configuration.
+ */
+ public SessionCookie getSessionCookie() {
+ return this.sessionCookie;
+ }
+
+ /**
* Return the login configuration descriptor for this web application.
*/
public LoginConfig getLoginConfig() {
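Review bot: `setSessionCookie` accepts and stores `null`, after which `getSessionCookie()` returns null and `Request.configureSessionCookie` in this commit dereferences it for every new session; the field is initialised to `new SessionCookie()` in the previous hunk precisely so callers can assume non-null. Either reject null, `if (sessionCookie == null) throw new IllegalArgumentException("sessionCookie");`, or fall back to a default instance. The getter Javadoc lacks `@return`; `@return the session cookie configuration, never null` would state the contract, and the same gap exists in the `Context` interface hunk above.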
Added: branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-4864/src/share/classes/org/apache/catalina/deploy/SessionCookie.java
===================================================================
--- branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-4864/src/share/classes/org/apache/catalina/deploy/SessionCookie.java (rev 0)
+++ branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-4864/src/share/classes/org/apache/catalina/deploy/SessionCookie.java 2010-08-10 21:11:09 UTC (rev 1524)
@@ -0,0 +1,72 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.catalina.deploy;
+
+import java.io.Serializable;
+
+public class SessionCookie implements Serializable {
+
+ protected String domain = null;
+ protected String path = null;
+ protected String comment = null;
+ protected boolean httpOnly = false;
+ protected boolean secure = false;
+
+ public SessionCookie() {
+ }
+
+ public String getDomain() {
+ return domain;
+ }
+
+ public String getPath() {
+ return path;
+ }
+
+ public String getComment() {
+ return comment;
+ }
+
+ public boolean isHttpOnly() {
+ return httpOnly;
+ }
+
+ public boolean isSecure() {
+ return secure;
+ }
+
+ public void setDomain(String domain) {
+ this.domain = domain;
+ }
+
+ public void setPath(String path) {
+ this.path = path;
+ }
+
+ public void setComment(String comment) {
+ this.comment = comment;
+ }
+
+ public void setHttpOnly(boolean httpOnly) {
+ this.httpOnly = httpOnly;
+ }
+
+ public void setSecure(boolean secure) {
+ this.secure = secure;
+ }
+}
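Review bot: Of the five properties on `SessionCookie`, only `httpOnly` is read anywhere in this commit (`Request.configureSessionCookie`); `domain`, `path`, `comment` and `secure` are populated from the `<SessionCookie>` element by the `ContextRuleSet` hunk and then ignored, so an operator who sets `secure="true"` gets a cookie without the Secure attribute and no warning. Either wire them through or state the limitation in a class Javadoc, which is missing altogether; `Session cookie settings configured through the Context's <SessionCookie> element.` would be a start. The class is `Serializable` without a `serialVersionUID`, so the computed UID changes with any edit to the class.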
Modified: branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-4864/src/share/classes/org/apache/catalina/startup/ContextRuleSet.java
===================================================================
--- branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-4864/src/share/classes/org/apache/catalina/startup/ContextRuleSet.java 2010-08-10 19:29:32 UTC (rev 1523)
+++ branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-4864/src/share/classes/org/apache/catalina/startup/ContextRuleSet.java 2010-08-10 21:11:09 UTC (rev 1524)
@@ -192,6 +192,12 @@
digester.addRule(prefix + "Context/ResourceLink",
new SetNextNamingRule("addResourceLink",
"org.apache.catalina.deploy.ContextResourceLink"));
+
+ digester.addObjectCreate(prefix + "Context/SessionCookie",
+ "org.apache.catalina.deploy.SessionCookie");
+ digester.addSetProperties(prefix + "Context/SessionCookie");
+ digester.addSetNext(prefix + "Context/SessionCookie",
+ "setSessionCookie", "org.apache.catalina.deploy.SessionCookie");
digester.addObjectCreate(prefix + "Context/Valve",
null, // MUST be specified in the element
Modified: branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-4864/src/share/classes/org/apache/coyote/http11/Http11AprProcessor.java
===================================================================
--- branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-4864/src/share/classes/org/apache/coyote/http11/Http11AprProcessor.java 2010-08-10 19:29:32 UTC (rev 1523)
+++ branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-4864/src/share/classes/org/apache/coyote/http11/Http11AprProcessor.java 2010-08-10 21:11:09 UTC (rev 1524)
@@ -1155,9 +1155,9 @@
if (ssl && (socket != 0)) {
// Consume and buffer the request body, so that it does not
// interfere with the client's handshake messages
- InputFilter[] inputFilters = inputBuffer.getFilters();
- ((BufferedInputFilter) inputFilters[Constants.BUFFERED_FILTER]).setLimit(maxSavePostSize);
- inputBuffer.addActiveFilter(inputFilters[Constants.BUFFERED_FILTER]);
+ BufferedInputFilter buffredInputFilter = new BufferedInputFilter();
+ buffredInputFilter.setLimit(maxSavePostSize);
+ inputBuffer.addActiveFilter(buffredInputFilter);
try {
// Renegociate certificates
SSLSocket.renegotiate(socket);
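Review bot: The local `buffredInputFilter` is misspelled in this hunk and in the corresponding hunks of `Http11NioProcessor` and `Http11Processor` (and again in the r1518 versions below); `bufferedInputFilter` is the intended name. More importantly, the reason for allocating a fresh `BufferedInputFilter` per renegotiation instead of reusing the shared instance from `getFilters()` — the CVE-2010-2227 fix named in the log — is not recorded in the code, so a later cleanup could reinstate the shared filter; `// Per-request filter instance (CVE-2010-2227): do not reuse a shared BufferedInputFilter from getFilters()` would pin it. The second hunk of each file drops the shared registration, so if a `Constants.BUFFERED_FILTER` index still exists it no longer refers to a registered filter and should be retired with it. The enclosing method continues outside the hunk.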
@@ -1699,9 +1699,6 @@
inputBuffer.addFilter(new VoidInputFilter());
outputBuffer.addFilter(new VoidOutputFilter());
- // Create and add buffered input filter
- inputBuffer.addFilter(new BufferedInputFilter());
-
// Create and add the chunked filters.
//inputBuffer.addFilter(new GzipInputFilter());
outputBuffer.addFilter(new GzipOutputFilter());
Modified: branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-4864/src/share/classes/org/apache/coyote/http11/Http11NioProcessor.java
===================================================================
--- branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-4864/src/share/classes/org/apache/coyote/http11/Http11NioProcessor.java 2010-08-10 19:29:32 UTC (rev 1523)
+++ branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-4864/src/share/classes/org/apache/coyote/http11/Http11NioProcessor.java 2010-08-10 21:11:09 UTC (rev 1524)
@@ -1195,11 +1195,9 @@
* Consume and buffer the request body, so that it does not
* interfere with the client's handshake messages
*/
- InputFilter[] inputFilters = inputBuffer.getFilters();
- ((BufferedInputFilter) inputFilters[Constants.BUFFERED_FILTER])
- .setLimit(maxSavePostSize);
- inputBuffer.addActiveFilter
- (inputFilters[Constants.BUFFERED_FILTER]);
+ BufferedInputFilter buffredInputFilter = new BufferedInputFilter();
+ buffredInputFilter.setLimit(maxSavePostSize);
+ inputBuffer.addActiveFilter(buffredInputFilter);
try {
Object sslO = sslSupport.getPeerCertificateChain(true);
if( sslO != null) {
@@ -1734,9 +1732,6 @@
inputBuffer.addFilter(new VoidInputFilter());
outputBuffer.addFilter(new VoidOutputFilter());
- // Create and add buffered input filter
- inputBuffer.addFilter(new BufferedInputFilter());
-
// Create and add the chunked filters.
//inputBuffer.addFilter(new GzipInputFilter());
outputBuffer.addFilter(new GzipOutputFilter());
Modified: branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-4864/src/share/classes/org/apache/coyote/http11/Http11Processor.java
===================================================================
--- branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-4864/src/share/classes/org/apache/coyote/http11/Http11Processor.java 2010-08-10 19:29:32 UTC (rev 1523)
+++ branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-4864/src/share/classes/org/apache/coyote/http11/Http11Processor.java 2010-08-10 21:11:09 UTC (rev 1524)
@@ -1089,11 +1089,9 @@
* Consume and buffer the request body, so that it does not
* interfere with the client's handshake messages
*/
- InputFilter[] inputFilters = inputBuffer.getFilters();
- ((BufferedInputFilter) inputFilters[Constants.BUFFERED_FILTER])
- .setLimit(maxSavePostSize);
- inputBuffer.addActiveFilter
- (inputFilters[Constants.BUFFERED_FILTER]);
+ BufferedInputFilter buffredInputFilter = new BufferedInputFilter();
+ buffredInputFilter.setLimit(maxSavePostSize);
+ inputBuffer.addActiveFilter(buffredInputFilter);
try {
Object sslO = sslSupport.getPeerCertificateChain(true);
if( sslO != null) {
@@ -1620,9 +1618,6 @@
inputBuffer.addFilter(new VoidInputFilter());
outputBuffer.addFilter(new VoidOutputFilter());
- // Create and add buffered input filter
- inputBuffer.addFilter(new BufferedInputFilter());
-
// Create and add the chunked filters.
//inputBuffer.addFilter(new GzipInputFilter());
outputBuffer.addFilter(new GzipOutputFilter());
Modified: branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-4864/src/share/classes/org/apache/coyote/http11/filters/BufferedInputFilter.java
===================================================================
--- branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-4864/src/share/classes/org/apache/coyote/http11/filters/BufferedInputFilter.java 2010-08-10 19:29:32 UTC (rev 1523)
+++ branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-4864/src/share/classes/org/apache/coyote/http11/filters/BufferedInputFilter.java 2010-08-10 21:11:09 UTC (rev 1524)
@@ -102,10 +102,13 @@
}
public void recycle() {
- if (buffered.getBuffer().length > 65536) {
- buffered = null;
- } else {
- buffered.recycle();
+ if (buffered != null) {
+ if (buffered.getBuffer() != null
+ && buffered.getBuffer().length > 65536) {
+ buffered = null;
+ } else {
+ buffered.recycle();
+ }
}
tempRead.recycle();
hasRead = false;
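Review bot: `buffered.getBuffer()` is evaluated twice in the added condition; `byte[] buf = buffered.getBuffer();` followed by `if (buf != null && buf.length > 65536) {` reads more clearly, and the `65536` threshold deserves a named constant with a comment on why buffers above it are discarded rather than recycled. The null guard on `buffered` implies it is re-created lazily on the next request, which happens outside the hunk and should be confirmed. The identical hunk appears in r1518 further down the page.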
Modified: branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-4864/src/share/classes/org/apache/tomcat/util/http/ServerCookie.java
===================================================================
--- branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-4864/src/share/classes/org/apache/tomcat/util/http/ServerCookie.java 2010-08-10 19:29:32 UTC (rev 1523)
+++ branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-4864/src/share/classes/org/apache/tomcat/util/http/ServerCookie.java 2010-08-10 21:11:09 UTC (rev 1524)
@@ -260,7 +260,8 @@
String domain,
String comment,
int maxAge,
- boolean isSecure )
+ boolean isSecure,
+ boolean httpOnly)
{
StringBuffer buf = new StringBuffer();
// Servlet implementation checks name
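Review bot: Adding a tenth parameter to the public static `appendCookieValue` breaks every caller compiled against the nine-argument form; this commit updates the call sites in `Response.java`, but `ServerCookie` is a shared utility in `org.apache.tomcat.util.http` and other components may call it, so on a patch branch a nine-argument overload that forwards to the new method with `false` for `httpOnly` is cheap insurance. The new `httpOnly` parameter should also be documented alongside the others, e.g. `@param httpOnly append the HttpOnly attribute so scripts cannot read the cookie`. The method body continues outside the hunk.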
@@ -324,6 +325,11 @@
buf.append ("; Secure");
}
+ // HttpOnly
+ if (httpOnly) {
+ buf.append ("; HttpOnly");
+ }
+
headerBuf.append(buf);
}
Added: branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-4864/src/share/classes/org/apache/tomcat/util/http/TomcatCookie.java
===================================================================
--- branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-4864/src/share/classes/org/apache/tomcat/util/http/TomcatCookie.java (rev 0)
+++ branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-4864/src/share/classes/org/apache/tomcat/util/http/TomcatCookie.java 2010-08-10 21:11:09 UTC (rev 1524)
@@ -0,0 +1,38 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.tomcat.util.http;
+
+import javax.servlet.http.Cookie;
+
+public class TomcatCookie extends Cookie {
+
+ boolean httpOnly = false;
+
+ public TomcatCookie(String name, String value) {
+ super(name, value);
+ }
+
+ public boolean getHttpOnly() {
+ return httpOnly;
+ }
+
+ public void setHttpOnly(boolean httpOnly) {
+ this.httpOnly = httpOnly;
+ }
+
+}
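Review bot: `httpOnly` is package-private rather than `private`, so any class in `org.apache.tomcat.util.http` can write it directly; `private boolean httpOnly = false;` matches the setter that exists for that purpose. The accessor is `getHttpOnly()` here but `isHttpOnly()` on `SessionCookie` in the same commit; `isHttpOnly` is the JavaBeans form for a boolean and the one property-based tooling expects. A class Javadoc is missing, e.g. `Cookie subclass carrying an HttpOnly flag, which the servlet API in use does not expose on javax.servlet.http.Cookie.`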
JBossWeb SVN: r1523 - branches.
by jbossweb-commits@lists.jboss.org
Author: mmillson
Date: 2010-08-10 15:29:32 -0400 (Tue, 10 Aug 2010)
New Revision: 1523
Added:
branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-4864/
Log:
Create JBPAPP-4864 patch branch from JBOSSWEB_2_0_0_GA_CP13 tag
Copied: branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-4864 (from rev 1522, tags/JBOSSWEB_2_0_0_GA_CP13)
JBossWeb SVN: r1522 - branches.
by jbossweb-commits@lists.jboss.org
Author: mmillson
Date: 2010-08-10 15:28:42 -0400 (Tue, 10 Aug 2010)
New Revision: 1522
Removed:
branches/JBOSSWEB_2_0_0_GA_CP14_JBPAPP-4864/
Log:
Patch branch created from wrong version due to incorrect build-thirdparty.xml.
JBossWeb SVN: r1521 - branches.
by jbossweb-commits@lists.jboss.org
Author: mmillson
Date: 2010-08-10 14:26:43 -0400 (Tue, 10 Aug 2010)
New Revision: 1521
Added:
branches/JBOSSWEB_2_0_0_GA_CP14_JBPAPP-4864/
Log:
Create JBPAPP-4864 patch branch from JBOSSWEB_2_0_0_GA_CP14 tag
Copied: branches/JBOSSWEB_2_0_0_GA_CP14_JBPAPP-4864 (from rev 1520, tags/JBOSSWEB_2_0_0_GA_CP14)
JBossWeb SVN: r1520 - branches/JBOSSWEB_2_0_0_GA_CP12_JBPAPP-4788/src/share/classes/org/apache/catalina/connector.
by jbossweb-commits@lists.jboss.org
Author: mmillson
Date: 2010-08-05 15:11:28 -0400 (Thu, 05 Aug 2010)
New Revision: 1520
Modified:
branches/JBOSSWEB_2_0_0_GA_CP12_JBPAPP-4788/src/share/classes/org/apache/catalina/connector/Request.java
Log:
Add null checks for [JBPAPP-4788].
Modified: branches/JBOSSWEB_2_0_0_GA_CP12_JBPAPP-4788/src/share/classes/org/apache/catalina/connector/Request.java
===================================================================
--- branches/JBOSSWEB_2_0_0_GA_CP12_JBPAPP-4788/src/share/classes/org/apache/catalina/connector/Request.java 2010-08-05 19:00:25 UTC (rev 1519)
+++ branches/JBOSSWEB_2_0_0_GA_CP12_JBPAPP-4788/src/share/classes/org/apache/catalina/connector/Request.java 2010-08-05 19:11:28 UTC (rev 1520)
@@ -1339,6 +1339,9 @@
return;
}
+ if (context == null)
+ return;
+
// Notify interested application event listeners
Object listeners[] = context.getApplicationEventListeners();
if ((listeners == null) || (listeners.length == 0))
@@ -1409,6 +1412,9 @@
coyoteRequest.setAttribute(name, value);
}
+ if (context == null)
+ return;
+
// Notify interested application event listeners
Object listeners[] = context.getApplicationEventListeners();
if ((listeners == null) || (listeners.length == 0))
@@ -2254,9 +2260,7 @@
return (session);
// Return the requested session if it exists and is valid
- Manager manager = null;
- if (context != null)
- manager = context.getManager();
+ Manager manager = context.getManager();
if (manager == null)
return (null); // Sessions are not supported
if (requestedSessionId != null) {
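Review bot: Despite the log message "Add null checks", this hunk and the two after it remove the `context != null` guards in the session lookup: the added `Manager manager = context.getManager();` and the `context.getCookies()` calls in the next two hunks now dereference `context` unconditionally. Unless a guard earlier in the enclosing method, outside the hunk, rejects a null context, a request that is not mapped to a context now throws `NullPointerException` where it previously returned null. Keeping the old form, `Manager manager = (context != null) ? context.getManager() : null;`, costs nothing, and the switch from `getContext()` to the `context` field in the last of the three hunks should be confirmed to be equivalent. The identical hunks in the r1519 commit below have the same issue.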
@@ -2276,7 +2280,7 @@
// Create a new session if requested and the response is not committed
if (!create)
return (null);
- if ((context != null) && (response != null) &&
+ if ((response != null) &&
context.getCookies() &&
response.getResponse().isCommitted()) {
throw new IllegalStateException
@@ -2294,8 +2298,7 @@
}
// Creating a new session cookie based on that session
- if ((session != null) && (getContext() != null)
- && getContext().getCookies()) {
+ if ( (session != null) && context.getCookies() ) {
Cookie cookie = new Cookie(Globals.SESSION_COOKIE_NAME,
session.getIdInternal());
configureSessionCookie(cookie);
@@ -2401,6 +2404,9 @@
protected void parseParameters() {
parametersParsed = true;
+
+ if (context == null)
+ return;
Parameters parameters = coyoteRequest.getParameters();
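Review bot: The early `return` when `context == null` runs after `parametersParsed = true`, so a later call on the same request will not retry parsing even if a context has been mapped by then, and with the query string left unparsed `getParameter` silently returns null. If that is intended, the code should say so: `// No context mapped: leave parameters unparsed; getParameter() returns null for this request`. The same hunk appears in r1519 below, and the method continues outside the hunk.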
JBossWeb SVN: r1519 - branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/catalina/connector.
by jbossweb-commits@lists.jboss.org
Author: mmillson
Date: 2010-08-05 15:00:25 -0400 (Thu, 05 Aug 2010)
New Revision: 1519
Modified:
branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/catalina/connector/Request.java
Log:
Add null checks for [JBPAPP-4789].
Modified: branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/catalina/connector/Request.java
===================================================================
--- branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/catalina/connector/Request.java 2010-08-05 02:37:25 UTC (rev 1518)
+++ branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/catalina/connector/Request.java 2010-08-05 19:00:25 UTC (rev 1519)
@@ -1340,6 +1340,9 @@
return;
}
+ if (context == null)
+ return;
+
// Notify interested application event listeners
Object listeners[] = context.getApplicationEventListeners();
if ((listeners == null) || (listeners.length == 0))
@@ -1410,6 +1413,9 @@
coyoteRequest.setAttribute(name, value);
}
+ if (context == null)
+ return;
+
// Notify interested application event listeners
Object listeners[] = context.getApplicationEventListeners();
if ((listeners == null) || (listeners.length == 0))
@@ -2255,9 +2261,7 @@
return (session);
// Return the requested session if it exists and is valid
- Manager manager = null;
- if (context != null)
- manager = context.getManager();
+ Manager manager = context.getManager();
if (manager == null)
return (null); // Sessions are not supported
if (requestedSessionId != null) {
@@ -2277,7 +2281,7 @@
// Create a new session if requested and the response is not committed
if (!create)
return (null);
- if ((context != null) && (response != null) &&
+ if ((response != null) &&
context.getCookies() &&
response.getResponse().isCommitted()) {
throw new IllegalStateException
@@ -2295,8 +2299,7 @@
}
// Creating a new session cookie based on that session
- if ((session != null) && (getContext() != null)
- && getContext().getCookies()) {
+ if ( (session != null) && context.getCookies() ) {
Cookie cookie = new Cookie(Globals.SESSION_COOKIE_NAME,
session.getIdInternal());
configureSessionCookie(cookie);
@@ -2402,6 +2405,9 @@
protected void parseParameters() {
parametersParsed = true;
+
+ if (context == null)
+ return;
Parameters parameters = coyoteRequest.getParameters();
JBossWeb SVN: r1518 - in branches/JBOSSWEB_2_0_0_GA_CP12_JBPAPP-4798/src/share/classes/org/apache/coyote/http11: filters and 1 other directory.
by jbossweb-commits@lists.jboss.org
Author: mmillson
Date: 2010-08-04 22:37:25 -0400 (Wed, 04 Aug 2010)
New Revision: 1518
Modified:
branches/JBOSSWEB_2_0_0_GA_CP12_JBPAPP-4798/src/share/classes/org/apache/coyote/http11/Http11AprProcessor.java
branches/JBOSSWEB_2_0_0_GA_CP12_JBPAPP-4798/src/share/classes/org/apache/coyote/http11/Http11NioProcessor.java
branches/JBOSSWEB_2_0_0_GA_CP12_JBPAPP-4798/src/share/classes/org/apache/coyote/http11/Http11Processor.java
branches/JBOSSWEB_2_0_0_GA_CP12_JBPAPP-4798/src/share/classes/org/apache/coyote/http11/filters/BufferedInputFilter.java
Log:
Fix CVE-2010-2227 / CVE-2010-1157 for [JBPAPP-4798].
Modified: branches/JBOSSWEB_2_0_0_GA_CP12_JBPAPP-4798/src/share/classes/org/apache/coyote/http11/Http11AprProcessor.java
===================================================================
--- branches/JBOSSWEB_2_0_0_GA_CP12_JBPAPP-4798/src/share/classes/org/apache/coyote/http11/Http11AprProcessor.java 2010-08-04 21:14:14 UTC (rev 1517)
+++ branches/JBOSSWEB_2_0_0_GA_CP12_JBPAPP-4798/src/share/classes/org/apache/coyote/http11/Http11AprProcessor.java 2010-08-05 02:37:25 UTC (rev 1518)
@@ -1155,9 +1155,9 @@
if (ssl && (socket != 0)) {
// Consume and buffer the request body, so that it does not
// interfere with the client's handshake messages
- InputFilter[] inputFilters = inputBuffer.getFilters();
- ((BufferedInputFilter) inputFilters[Constants.BUFFERED_FILTER]).setLimit(maxSavePostSize);
- inputBuffer.addActiveFilter(inputFilters[Constants.BUFFERED_FILTER]);
+ BufferedInputFilter buffredInputFilter = new BufferedInputFilter();
+ buffredInputFilter.setLimit(maxSavePostSize);
+ inputBuffer.addActiveFilter(buffredInputFilter);
try {
// Renegociate certificates
SSLSocket.renegotiate(socket);
@@ -1699,9 +1699,6 @@
inputBuffer.addFilter(new VoidInputFilter());
outputBuffer.addFilter(new VoidOutputFilter());
- // Create and add buffered input filter
- inputBuffer.addFilter(new BufferedInputFilter());
-
// Create and add the chunked filters.
//inputBuffer.addFilter(new GzipInputFilter());
outputBuffer.addFilter(new GzipOutputFilter());
Modified: branches/JBOSSWEB_2_0_0_GA_CP12_JBPAPP-4798/src/share/classes/org/apache/coyote/http11/Http11NioProcessor.java
===================================================================
--- branches/JBOSSWEB_2_0_0_GA_CP12_JBPAPP-4798/src/share/classes/org/apache/coyote/http11/Http11NioProcessor.java 2010-08-04 21:14:14 UTC (rev 1517)
+++ branches/JBOSSWEB_2_0_0_GA_CP12_JBPAPP-4798/src/share/classes/org/apache/coyote/http11/Http11NioProcessor.java 2010-08-05 02:37:25 UTC (rev 1518)
@@ -1195,11 +1195,9 @@
* Consume and buffer the request body, so that it does not
* interfere with the client's handshake messages
*/
- InputFilter[] inputFilters = inputBuffer.getFilters();
- ((BufferedInputFilter) inputFilters[Constants.BUFFERED_FILTER])
- .setLimit(maxSavePostSize);
- inputBuffer.addActiveFilter
- (inputFilters[Constants.BUFFERED_FILTER]);
+ BufferedInputFilter buffredInputFilter = new BufferedInputFilter();
+ buffredInputFilter.setLimit(maxSavePostSize);
+ inputBuffer.addActiveFilter(buffredInputFilter);
try {
Object sslO = sslSupport.getPeerCertificateChain(true);
if( sslO != null) {
@@ -1734,9 +1732,6 @@
inputBuffer.addFilter(new VoidInputFilter());
outputBuffer.addFilter(new VoidOutputFilter());
- // Create and add buffered input filter
- inputBuffer.addFilter(new BufferedInputFilter());
-
// Create and add the chunked filters.
//inputBuffer.addFilter(new GzipInputFilter());
outputBuffer.addFilter(new GzipOutputFilter());
Modified: branches/JBOSSWEB_2_0_0_GA_CP12_JBPAPP-4798/src/share/classes/org/apache/coyote/http11/Http11Processor.java
===================================================================
--- branches/JBOSSWEB_2_0_0_GA_CP12_JBPAPP-4798/src/share/classes/org/apache/coyote/http11/Http11Processor.java 2010-08-04 21:14:14 UTC (rev 1517)
+++ branches/JBOSSWEB_2_0_0_GA_CP12_JBPAPP-4798/src/share/classes/org/apache/coyote/http11/Http11Processor.java 2010-08-05 02:37:25 UTC (rev 1518)
@@ -1089,11 +1089,9 @@
* Consume and buffer the request body, so that it does not
* interfere with the client's handshake messages
*/
- InputFilter[] inputFilters = inputBuffer.getFilters();
- ((BufferedInputFilter) inputFilters[Constants.BUFFERED_FILTER])
- .setLimit(maxSavePostSize);
- inputBuffer.addActiveFilter
- (inputFilters[Constants.BUFFERED_FILTER]);
+ BufferedInputFilter buffredInputFilter = new BufferedInputFilter();
+ buffredInputFilter.setLimit(maxSavePostSize);
+ inputBuffer.addActiveFilter(buffredInputFilter);
try {
Object sslO = sslSupport.getPeerCertificateChain(true);
if( sslO != null) {
@@ -1620,9 +1618,6 @@
inputBuffer.addFilter(new VoidInputFilter());
outputBuffer.addFilter(new VoidOutputFilter());
- // Create and add buffered input filter
- inputBuffer.addFilter(new BufferedInputFilter());
-
// Create and add the chunked filters.
//inputBuffer.addFilter(new GzipInputFilter());
outputBuffer.addFilter(new GzipOutputFilter());
Modified: branches/JBOSSWEB_2_0_0_GA_CP12_JBPAPP-4798/src/share/classes/org/apache/coyote/http11/filters/BufferedInputFilter.java
===================================================================
--- branches/JBOSSWEB_2_0_0_GA_CP12_JBPAPP-4798/src/share/classes/org/apache/coyote/http11/filters/BufferedInputFilter.java 2010-08-04 21:14:14 UTC (rev 1517)
+++ branches/JBOSSWEB_2_0_0_GA_CP12_JBPAPP-4798/src/share/classes/org/apache/coyote/http11/filters/BufferedInputFilter.java 2010-08-05 02:37:25 UTC (rev 1518)
@@ -102,10 +102,13 @@
}
public void recycle() {
- if (buffered.getBuffer().length > 65536) {
- buffered = null;
- } else {
- buffered.recycle();
+ if (buffered != null) {
+ if (buffered.getBuffer() != null
+ && buffered.getBuffer().length > 65536) {
+ buffered = null;
+ } else {
+ buffered.recycle();
+ }
}
tempRead.recycle();
hasRead = false;