dev Digest 11 Jul 2010 01:20:32 -0000 Issue 5275
Topics (messages 107712 through 107740):
DO NOT REPLY [Bug 48891] Missing EOL-style settings in tomcat/jk/trunk
107712 by: bugzilla.apache.org
svn commit: r962855 - /tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml
107713 by: kkolinko.apache.org
svn commit: r962856 - /tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
107714 by: kkolinko.apache.org
svn commit: r962857 - /tomcat/trunk/webapps/docs/changelog.xml
107715 by: kkolinko.apache.org
Re: svn commit: r962531 [2/2] - in /tomcat/jk/trunk: native/apache-1.3/ native/apache-2.0/ native/iis/ native/iis/pcre/ native/jni/ native/netscape/ native/nt_service/ xdocs/miscellaneous/
107716 by: Mladen Turk
svn commit: r962864 - /tomcat/trunk/webapps/docs/logging.xml
107717 by: markt.apache.org
svn commit: r962865 - in /tomcat/trunk: java/org/apache/catalina/filters/CsrfPreventionFilter.java webapps/docs/changelog.xml
107718 by: markt.apache.org
svn commit: r962871 - /tomcat/trunk/test/org/apache/coyote/http11/TestAbstractHttp11Processor.java
107719 by: markt.apache.org
svn commit: r962872 - /tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java
107720 by: markt.apache.org
svn commit: r962881 - in /tomcat/trunk: java/org/apache/catalina/filters/CsrfPreventionFilter.java java/org/apache/catalina/filters/LocalStrings.properties webapps/docs/changelog.xml webapps/docs/config/filter.xml
107721 by: markt.apache.org
107725 by: Konstantin Kolinko
107726 by: Mark Thomas
svn commit: r962883 - /tomcat/tc6.0.x/trunk/STATUS.txt
107722 by: markt.apache.org
DO NOT REPLY [Bug 49570] The CompressionFilter example should support HTTP proxies to cache gzipped content better by sending Vary: Accept-Encoding header
107723 by: bugzilla.apache.org
svn commit: r962889 - in /tomcat/trunk/webapps: docs/changelog.xml examples/WEB-INF/classes/compressionFilters/CompressionResponseStream.java
107724 by: markt.apache.org
svn commit: r962900 - /tomcat/trunk/webapps/docs/config/filter.xml
107727 by: markt.apache.org
svn commit: r962901 - /tomcat/tc6.0.x/trunk/STATUS.txt
107728 by: markt.apache.org
DO NOT REPLY [Bug 48861] Files without AL headers
107729 by: bugzilla.apache.org
Re: [ANN] Apache Tomcat 5.5.30 released
107730 by: Konstantin Kolinko
svn commit: r962917 - in /tomcat/trunk: java/org/apache/catalina/filters/ test/org/apache/catalina/filters/ webapps/docs/ webapps/docs/config/
107731 by: markt.apache.org
DO NOT REPLY [Bug 49478] Add encoding parameter to AddDefaultCharSetFilter
107732 by: bugzilla.apache.org
svn commit: r962919 - /tomcat/trunk/java/org/apache/tomcat/util/res/StringManager.java
107733 by: markt.apache.org
DO NOT REPLY [Bug 49567] when starting a new thread from a startAsync Runnable, an infinite amount of doPosts is generated
107734 by: bugzilla.apache.org
DO NOT REPLY [Bug 49442] Make StringManager fields final
107735 by: bugzilla.apache.org
svn commit: r962921 - /tomcat/trunk/test/org/apache/catalina/tribes/demos/EchoRpcTest.java
107736 by: markt.apache.org
svn commit: r962922 - in /tomcat/trunk/java/javax/mail: Authenticator.java PasswordAuthentication.java Session.java internet/InternetAddress.java internet/MimeMessage.java internet/MimePart.java internet/MimePartDataSource.java
107737 by: markt.apache.org
svn commit: r962923 - in /tomcat/trunk/java/javax/annotation: PostConstruct.java PreDestroy.java security/DenyAll.java security/PermitAll.java
107738 by: markt.apache.org
DO NOT REPLY [Bug 49268] Use checkstyle to enforce common code style
107739 by: bugzilla.apache.org
Re: [VOTE] Add Checkstyle ruleset and make code cleanups!
107740 by: Konstantin Kolinko
Administrivia:
---------------------------------------------------------------------
To post to the list, e-mail: dev@(protected)
To unsubscribe, e-mail: dev-digest-unsubscribe@(protected)
For additional commands, e-mail: dev-digest-help@(protected)
----------------------------------------------------------------------

Attachment:
dev_107712.ezm (zipped)
https://issues.apache.org/bugzilla/show_bug.cgi?id=48891
Rainer Jung <rainer.jung@(protected):
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |REOPENED
Resolution|FIXED |
--- Comment #4 from Rainer Jung <rainer.jung@(protected) ---
Change reverted in r962825 due to Mladen's -1.
Will be discussed on dev list.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

Attachment:
dev_107713.ezm (zipped)
Author: kkolinko
Date: Sat Jul 10 15:05:58 2010
New Revision: 962855
URL: http://svn.apache.org/viewvc?rev=962855&view=rev
Log:
Add release date
Modified:
tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml
Modified: tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml?rev=962855&r1=962854&r2=962855&view=diff
==============================================================================
--- tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml (original)
+++ tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml Sat Jul 10 15:05:58 2010
@@(protected) @@
<!-- Section names:
General, Catalina, Coyote, Jasper, Cluster, Webapps
-->
-<section name="Tomcat 5.5.30 (jim)">
+<section name="Tomcat 5.5.30 (jim)" rtext="released 2010-07-09">
<subsection name="General">
<changelog>
<update>Update to Commons Daemon 1.0.2. Use service launcher (procrun)

Attachment:
dev_107714.ezm (zipped)
Author: kkolinko
Date: Sat Jul 10 15:08:09 2010
New Revision: 962856
URL: http://svn.apache.org/viewvc?rev=962856&view=rev
Log:
Add release date
Modified:
tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=962856&r1=962855&r2=962856&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Sat Jul 10 15:08:09 2010
@@(protected) @@
<!-- Section names:
General, Catalina, Coyote, Jasper, Cluster, Webapps, Other
-->
-<section name="Tomcat 6.0.28 (jfclere)">
+<section name="Tomcat 6.0.28 (jfclere)" rtext="released 2010-07-09">
<subsection name="Catalina">
<changelog>
<fix>Arrange filter logic. (jfclere)
@@(protected) @@
</changelog>
</subsection>
</section>
-<section name="Tomcat 6.0.27 (Not released)">
+<section name="Tomcat 6.0.27 (jfclere)" rtext="not released">
<subsection name="General">
<changelog>
<update>

Attachment:
dev_107715.ezm (zipped)
Author: kkolinko
Date: Sat Jul 10 15:12:24 2010
New Revision: 962857
URL: http://svn.apache.org/viewvc?rev=962857&view=rev
Log:
Add release date
Modified:
tomcat/trunk/webapps/docs/changelog.xml
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=962857&r1=962856&r2=962857&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Sat Jul 10 15:12:24 2010
@@(protected) @@
</changelog>
</subsection>
</section>
-<section name="Tomcat 7.0.0 (markt)">
+<section name="Tomcat 7.0.0 (markt)" rtext="beta, 2010-06-29">
<subsection name="Catalina">
<changelog>
<update>

Attachment:
dev_107716.ezm (zipped)
On 07/10/2010 01:56 PM, Rainer Jung wrote:
> On 09.07.2010 17:14, Mladen Turk wrote:
>
> Nevertheless I needed to do conversions a couple of times myself and was
> always annoyed. Yes partially because I had the tarball at hand not the
> zip, partially because my Cygwin subversion used non-Windows line ends. I
> didn't change for a long time because well it seemed to be my fault.
>
> But frankly: what's wrong about having those in CRLF? Is there a
> reasonable way of using them with Unix line end format?
>
Just to close the discussion and hopefully we don't open it again
in a few years :) ...
1. diff and patch don't work well with CRLF on unix.
2. copy/paste automatically converts between CRLF and LF on unix
in the majority of editors.
3. Mailing patches will also wrongly translate line endings
4. some patch utils work with CRLF only by using the brute force option.
Even then, they can convert the CRLF to LF from hunks, in which
case the patched file is a mixture of CRLF-LF
5. We have a solution that unix2dos *.dsp and *.dsw as part of
release process.
Finally .dsp and .dsw files should go away.
Thus (not only for mod_jk) all text files in svn repo should always
have native line endings. period.
Regards
--
^TM

Attachment:
dev_107717.ezm (zipped)
Author: markt
Date: Sat Jul 10 16:05:52 2010
New Revision: 962864
URL: http://svn.apache.org/viewvc?rev=962864&view=rev
Log:
Align docs with reality
Modified:
tomcat/trunk/webapps/docs/logging.xml
Modified: tomcat/trunk/webapps/docs/logging.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/logging.xml?rev=962864&r1=962863&r2=962864&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/logging.xml (original)
+++ tomcat/trunk/webapps/docs/logging.xml Sat Jul 10 16:05:52 2010
@@(protected).[
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/admin].handlers = \
4admin.org.apache.juli.FileHandler
-# For example, set the com.xyz.foo logger to only log SEVERE
-# messages:
-#
org.apache.catalina.startup.ContextConfig.level = FINE
-#
org.apache.catalina.startup.HostConfig.level = FINE
-#
org.apache.catalina.session.ManagerBase.level = FINE
+# For example, set the org.apache.catalina.util.LifecycleBase logger to log
+# each component that extends LifecycleBase changing state:
+#org.apache.catalina.util.LifecycleBase.level = FINE
</source>
</p>

Attachment:
dev_107718.ezm (zipped)
Author: markt
Date: Sat Jul 10 16:10:33 2010
New Revision: 962865
URL: http://svn.apache.org/viewvc?rev=962865&view=rev
Log:
Improve CSRF protection filter by using SecureRandom rather than Random
Modified:
tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java
tomcat/trunk/webapps/docs/changelog.xml
Modified: tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java?rev=962865&r1=962864&r2=962865&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java (original)
+++ tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java Sat Jul 10 16:10:33 2010
@@(protected) @@
package org.apache.catalina.filters;
import
java.io.IOException;
+import
java.security.SecureRandom;
import
java.util.HashSet;
import
java.util.LinkedHashMap;
import
java.util.Map;
@@(protected)
private static final Log log =
LogFactory.getLog(CsrfPreventionFilter.class);
- private final Random randomSource = new Random();
+ private final Random randomSource = new SecureRandom();
private final Set<String> entryPoints = new HashSet<String>();
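Review bot: the `+ private final Random randomSource = new SecureRandom();` line keeps the declared type as `java.util.Random`, so nothing in the type stops a later edit from assigning a non-cryptographic generator to the nonce source again. Declaring the field as `SecureRandom` would turn that into a compile error; if the wider type is deliberate, a one-line comment saying that nonces must come from a cryptographically strong source would record the intent.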
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=962865&r1=962864&r2=962865&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Sat Jul 10 16:10:33 2010
@@(protected) @@
Include session ID in error message logged when trying to set an
attribute on an invalid session. (markt)
</add>
+ <fix>
+ Improve the CSRF protection filter by using SecureRandom rather than
+ Random to generate nonces. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Jasper">

Attachment:
dev_107719.ezm (zipped)
Author: markt
Date: Sat Jul 10 16:14:42 2010
New Revision: 962871
URL: http://svn.apache.org/viewvc?rev=962871&view=rev
Log:
Add CVE-2010-2227 test case
Added:
tomcat/trunk/test/org/apache/coyote/http11/TestAbstractHttp11Processor.java (with props)
Added: tomcat/trunk/test/org/apache/coyote/http11/TestAbstractHttp11Processor.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/coyote/http11/TestAbstractHttp11Processor.java?rev=962871&view=auto
==============================================================================
--- tomcat/trunk/test/org/apache/coyote/http11/TestAbstractHttp11Processor.java (added)
+++ tomcat/trunk/test/org/apache/coyote/http11/TestAbstractHttp11Processor.java Sat Jul 10 16:14:42 2010
@@(protected) @@
+package org.apache.coyote.http11;
+
+import
java.io.File;
+
+import org.apache.catalina.startup.SimpleHttpClient;
+import
org.apache.catalina.startup.Tomcat;
+import org.apache.catalina.startup.TomcatBaseTest;
+
+public class TestAbstractHttp11Processor extends TomcatBaseTest {
+
+ public void testWithTEVoid() throws Exception {
+ Tomcat tomcat = getTomcatInstance();
+
+ // Use the normal Tomcat ROOT context
+ File root = new File("test/webapp-3.0");
+ tomcat.addWebapp("", root.getAbsolutePath());
+
+ tomcat.start();
+
+ String request =
+ "POST /echo-params.jsp HTTP/1.1" + SimpleHttpClient.CRLF +
+ "Host: any" + SimpleHttpClient.CRLF +
+ "Transfer-encoding: void" + SimpleHttpClient.CRLF +
+ "Content-Length: 9" + SimpleHttpClient.CRLF +
+ "Content-Type: application/x-www-form-urlencoded" +
+ SimpleHttpClient.CRLF +
+ SimpleHttpClient.CRLF +
+ "test=data";
+
+ Client client = new Client();
+ client.setPort(getPort());
+ client.setRequest(new String[] {request});
+
+ client.connect();
+ client.processRequest();
+ assertTrue(client.isResponse501());
+ }
+
+ public void testWithTEBuffered() throws Exception {
+ Tomcat tomcat = getTomcatInstance();
+
+ // Use the normal Tomcat ROOT context
+ File root = new File("test/webapp-3.0");
+ tomcat.addWebapp("", root.getAbsolutePath());
+
+ tomcat.start();
+
+ String request =
+ "POST /echo-params.jsp HTTP/1.1" + SimpleHttpClient.CRLF +
+ "Host: any" + SimpleHttpClient.CRLF +
+ "Transfer-encoding: buffered" + SimpleHttpClient.CRLF +
+ "Content-Length: 9" + SimpleHttpClient.CRLF +
+ "Content-Type: application/x-www-form-urlencoded" +
+ SimpleHttpClient.CRLF +
+ SimpleHttpClient.CRLF +
+ "test=data";
+
+ Client client = new Client();
+ client.setPort(getPort());
+ client.setRequest(new String[] {request});
+
+ client.connect();
+ client.processRequest();
+ assertTrue(client.isResponse501());
+ }
+
+
+ public void testWithTEIdentity() throws Exception {
+ Tomcat tomcat = getTomcatInstance();
+
+ // Use the normal Tomcat ROOT context
+ File root = new File("test/webapp-3.0");
+ tomcat.addWebapp("", root.getAbsolutePath());
+
+ tomcat.start();
+
+ String request =
+ "POST /echo-params.jsp HTTP/1.1" + SimpleHttpClient.CRLF +
+ "Host: any" + SimpleHttpClient.CRLF +
+ "Transfer-encoding: identity" + SimpleHttpClient.CRLF +
+ "Content-Length: 9" + SimpleHttpClient.CRLF +
+ "Content-Type: application/x-www-form-urlencoded" +
+ SimpleHttpClient.CRLF +
+ "Connection: close" + SimpleHttpClient.CRLF +
+ SimpleHttpClient.CRLF +
+ "test=data";
+
+ Client client = new Client();
+ client.setPort(getPort());
+ client.setRequest(new String[] {request});
+
+ client.connect();
+ client.processRequest();
+ assertTrue(client.isResponse200());
+ assertTrue(client.getResponseBody().contains("test - data"));
+ }
+
+
+ public void testWithTESavedRequest() throws Exception {
+ Tomcat tomcat = getTomcatInstance();
+
+ // Use the normal Tomcat ROOT context
+ File root = new File("test/webapp-3.0");
+ tomcat.addWebapp("", root.getAbsolutePath());
+
+ tomcat.start();
+
+ String request =
+ "POST /echo-params.jsp HTTP/1.1" + SimpleHttpClient.CRLF +
+ "Host: any" + SimpleHttpClient.CRLF +
+ "Transfer-encoding: savedrequest" + SimpleHttpClient.CRLF +
+ "Content-Length: 9" + SimpleHttpClient.CRLF +
+ "Content-Type: application/x-www-form-urlencoded" +
+ SimpleHttpClient.CRLF +
+ SimpleHttpClient.CRLF +
+ "test=data";
+
+ Client client = new Client();
+ client.setPort(getPort());
+ client.setRequest(new String[] {request});
+
+ client.connect();
+ client.processRequest();
+ assertTrue(client.isResponse501());
+ }
+
+
+ public void testWithTEUnsupported() throws Exception {
+ Tomcat tomcat = getTomcatInstance();
+
+ // Use the normal Tomcat ROOT context
+ File root = new File("test/webapp-3.0");
+ tomcat.addWebapp("", root.getAbsolutePath());
+
+ tomcat.start();
+
+ String request =
+ "POST /echo-params.jsp HTTP/1.1" + SimpleHttpClient.CRLF +
+ "Host: any" + SimpleHttpClient.CRLF +
+ "Transfer-encoding: unsupported" + SimpleHttpClient.CRLF +
+ "Content-Length: 9" + SimpleHttpClient.CRLF +
+ "Content-Type: application/x-www-form-urlencoded" +
+ SimpleHttpClient.CRLF +
+ SimpleHttpClient.CRLF +
+ "test=data";
+
+ Client client = new Client();
+ client.setPort(getPort());
+ client.setRequest(new String[] {request});
+
+ client.connect();
+ client.processRequest();
+ assertTrue(client.isResponse501());
+ }
+
+
+ private static final class Client extends SimpleHttpClient {
+ @Override
+ public boolean isResponseBodyOK() {
+ return getResponseBody().contains("test - data");
+ }
+ }
+}
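Review bot: the five test methods share the same setup and request and differ only in the `Transfer-encoding` value and the expected status, so a private helper that takes the encoding name and returns the `Client` would reduce each case to a line or two and make the difference between cases visible. Two further points: `Client.isResponseBodyOK()` is overridden but none of the tests calls it (`testWithTEIdentity` repeats the `contains("test - data")` check inline), and no comment says why `identity` expects 200 while `void`, `buffered`, `savedrequest` and `unsupported` expect 501, which a reader arriving from the CVE-2010-2227 reference in the log message will want to know.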
Propchange: tomcat/trunk/test/org/apache/coyote/http11/TestAbstractHttp11Processor.java
------------------------------------------------------------------------------
svn:eol-style = native

Attachment:
dev_107720.ezm (zipped)
Author: markt
Date: Sat Jul 10 16:19:26 2010
New Revision: 962872
URL: http://svn.apache.org/viewvc?rev=962872&view=rev
Log:
Align implementation with docs. nonceCacheSize should be configurable
Modified:
tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java
Modified: tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java?rev=962872&r1=962871&r2=962872&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java (original)
+++ tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java Sat Jul 10 16:19:26 2010
@@(protected)
private final Set<String> entryPoints = new HashSet<String>();
- private final int nonceCacheSize = 5;
+ private int nonceCacheSize = 5;
@Override
protected Log getLogger() {
@@(protected)
}
}
+ /**
+ * Sets the number of previously issued nonces that will be cached on a LRU
+ * basis to support parallel requests, limited use of the refresh and back
+ * in the browser and similar behaviors that may result in the submission
+ * of a previous nonce rather than the current one. If not set, the default
+ * value of 5 will be used.
+ *
+ * @param nonceCacheSize The number of nonces to cache
+ */
+ public void setNonceCacheSize(int nonceCacheSize) {
+ this.nonceCacheSize = nonceCacheSize;
+ }
+
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
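Review bot: `setNonceCacheSize` assigns the value with no range check, so `0` or a negative number from the filter configuration is accepted silently even though the Javadoc describes the parameter as a number of nonces to cache. Reject values below 1 in the setter, or fall back to the default of 5 with a log message, and state in the Javadoc which of the two happens.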

Attachment:
dev_107721.ezm (zipped)
Author: markt
Date: Sat Jul 10 16:41:59 2010
New Revision: 962881
URL: http://svn.apache.org/viewvc?rev=962881&view=rev
Log:
Make the random source used for nonces user configurable
Modified:
tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java
tomcat/trunk/java/org/apache/catalina/filters/LocalStrings.properties
tomcat/trunk/webapps/docs/changelog.xml
tomcat/trunk/webapps/docs/config/filter.xml
Modified: tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java?rev=962881&r1=962880&r2=962881&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java (original)
+++ tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java Sat Jul 10 16:41:59 2010
@@(protected);
import
java.util.Set;
import
javax.servlet.FilterChain;
+import
javax.servlet.FilterConfig;
import
javax.servlet.ServletException;
import
javax.servlet.ServletRequest;
import
javax.servlet.ServletResponse;
@@(protected)
private static final Log log =
LogFactory.getLog(CsrfPreventionFilter.class);
- private final Random randomSource = new SecureRandom();
+ private String randomClass = SecureRandom.class.getName();
+
+ private Random randomSource;
private final Set<String> entryPoints = new HashSet<String>();
@@(protected)
this.nonceCacheSize = nonceCacheSize;
}
+ /**
+ * Specify the class to use to generate the nonces. Must be in instance of
+ * {@(protected)}.
+ *
+ * @param randomClass The name of the class to use
+ */
+ public void setRandomClass(String randomClass) {
+ this.randomClass = randomClass;
+ }
+
+ @Override
+ public void init(FilterConfig filterConfig) throws ServletException {
+ // Set the parameters
+ super.init(filterConfig);
+
+ try {
+ Class<?> clazz = Class.forName(randomClass);
+ randomSource = (Random) clazz.newInstance();
+ } catch (ClassNotFoundException e) {
+ ServletException se = new ServletException(sm.getString(
+ "csrfPrevention.invalidRandomClass", randomClass), e);
+ throw se;
+ } catch (InstantiationException e) {
+ ServletException se = new ServletException(sm.getString(
+ "csrfPrevention.invalidRandomClass", randomClass), e);
+ throw se;
+ } catch (IllegalAccessException e) {
+ ServletException se = new ServletException(sm.getString(
+ "csrfPrevention.invalidRandomClass", randomClass), e);
+ throw se;
+ }
+ }
+
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
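Review bot: in `init`, the cast `(Random) clazz.newInstance()` throws `ClassCastException` when `randomClass` names a class that loads and instantiates but is not a `java.util.Random`, and none of the three catch blocks covers it, so that misconfiguration escapes as an unchecked exception instead of the `csrfPrevention.invalidRandomClass` message. Check `Random.class.isAssignableFrom(clazz)` before instantiating, or catch `ClassCastException` as well; the three identical catch bodies could then share one helper. Because the setter also accepts plain `java.util.Random`, which undoes the move to `SecureRandom` made in r962865, a log warning when the configured class is not a `SecureRandom` would make that choice visible to the operator. The Javadoc on `setRandomClass` reads "Must be in instance of" and should read "an instance of".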
Modified: tomcat/trunk/java/org/apache/catalina/filters/LocalStrings.properties
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/filters/LocalStrings.properties?rev=962881&r1=962880&r2=962881&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/filters/LocalStrings.properties (original)
+++ tomcat/trunk/java/org/apache/catalina/filters/LocalStrings.properties Sat Jul 10 16:41:59 2010
@@(protected) @@
# See the License for the specific language governing permissions and
# limitations under the License.
+csrfPrevention.invalidRandomClass=Unable to create Random source using class [{0}]
filterbase.noSuchProperty=The property "{0}" is not defined for filters of type "{1}"
-
+
http.403=Access to the specified resource ({0}) has been forbidden.
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=962881&r1=962880&r2=962881&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Sat Jul 10 16:41:59 2010
@@(protected) @@
</add>
<fix>
Improve the CSRF protection filter by using SecureRandom rather than
- Random to generate nonces. (markt)
+ Random to generate nonces. Also make the implementation class used user
+ configurable. (markt)
</fix>
</changelog>
</subsection>
Modified: tomcat/trunk/webapps/docs/config/filter.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/filter.xml?rev=962881&r1=962880&r2=962881&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/filter.xml (original)
+++ tomcat/trunk/webapps/docs/config/filter.xml Sat Jul 10 16:41:59 2010
@@(protected) @@
value of 5 will be used.</p>
</attribute>
+ <attribute name="randomClass" required="false">
+ <p>The name of the class to use to generate nonces. The class must be an
+ instance of <code>java.util.Rnadom</code>. If not set, the default value
+ of <code>
java.security.SecureRandom</code> will be used.</p>
+ </attribute>
+
</attributes>
</subsection>
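Review bot: `java.util.Rnadom` in the new `randomClass` attribute text is a typo for `java.util.Random`. The paragraph also leaves out two things an administrator needs: the class is created with `newInstance()` in the filter, so it must have an accessible no-argument constructor, and any class that is not a `SecureRandom` gives up the cryptographic strength the default provides for nonces. One sentence for each would cover it.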

Attachment:
dev_107725.ezm (zipped)
2010/7/10 <markt@(protected)>:
> Author: markt
> Date: Sat Jul 10 16:41:59 2010
> New Revision: 962881
>
> --- tomcat/trunk/webapps/docs/config/filter.xml (original)
> +++ tomcat/trunk/webapps/docs/config/filter.xml Sat Jul 10 16:41:59 2010
> @@(protected) @@
> value of 5 will be used.</p>
> </attribute>
>
> + <attribute name="randomClass" required="false">
> + <p>The name of the class to use to generate nonces. The class must be an
> + instance of <code>java.util.Rnadom</code>. If not set, the default value
> + of <code>
java.security.SecureRandom</code> will be used.</p>
> + </attribute>
> +
> </attributes>
A typo in the docs patch above. s/Rnadom/Random/
Best regards,
Konstantin Kolinko

Attachment:
dev_107726.ezm (zipped)
On 10/07/2010 19:31, Konstantin Kolinko wrote:
> 2010/7/10 <markt@(protected)>:
>> Author: markt
>> Date: Sat Jul 10 16:41:59 2010
>> New Revision: 962881
>>
>
>> --- tomcat/trunk/webapps/docs/config/filter.xml (original)
>> +++ tomcat/trunk/webapps/docs/config/filter.xml Sat Jul 10 16:41:59 2010
>> @@(protected) @@
>> value of 5 will be used.</p>
>> </attribute>
>>
>> + <attribute name="randomClass" required="false">
>> + <p>The name of the class to use to generate nonces. The class must be an
>> + instance of <code>java.util.Rnadom</code>. If not set, the default value
>> + of <code>
java.security.SecureRandom</code> will be used.</p>
>> + </attribute>
>> +
>> </attributes>
>
> A typo in the docs patch above. s/Rnadom/Random/
Thanks.
Mark

Attachment:
dev_107722.ezm (zipped)
Author: markt
Date: Sat Jul 10 16:43:16 2010
New Revision: 962883
URL: http://svn.apache.org/viewvc?rev=962883&view=rev
Log:
Update proposal.
Remove pero's vote due to size of changes
Modified:
tomcat/tc6.0.x/trunk/STATUS.txt
Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=962883&r1=962882&r2=962883&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Sat Jul 10 16:43:16 2010
@@(protected):
but using the new roles (manager-gui, admin-gui etc.) will not bypass the CSRF
protection.
http://people.apache.org/~markt/patches/2010-06-26-crsf-prevention-filter-tc6.patch
- +1: markt, pero
+ http://svn.apache.org/viewvc?rev=962865&view=rev
+ http://svn.apache.org/viewvc?rev=962872&view=rev
+ http://svn.apache.org/viewvc?rev=962881&view=rev
+ +1: markt
-1:
* Add support for *.jar pattern in VirtualWebappLoader

Attachment:
dev_107723.ezm (zipped)
https://issues.apache.org/bugzilla/show_bug.cgi?id=49570
Mark Thomas <markt@(protected):
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED
--- Comment #1 from Mark Thomas <markt@(protected) ---
The current approach to gzip compression is fundamentally flawed. See bug46538
and bug39727 for an explanation of why. Transfer-Encoding is the correct way to
go but browser support is still patchy.
That said, the majority of the current botched solutions - Tomcat included - do
set the Vary header. The proposed patch isn't quite right - see bug 48660 for
details.
I have applied a corrected patch to 7.0.x and it will be included in 7.0.1
onwards.

Attachment:
dev_107724.ezm (zipped)
Author: markt
Date: Sat Jul 10 17:20:41 2010
New Revision: 962889
URL: http://svn.apache.org/viewvc?rev=962889&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=49570
When using the example compression filter, set the Vary header on compressed responses
Modified:
tomcat/trunk/webapps/docs/changelog.xml
tomcat/trunk/webapps/examples/WEB-INF/classes/compressionFilters/CompressionResponseStream.java
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=962889&r1=962888&r2=962889&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Sat Jul 10 17:20:41 2010
@@(protected) @@
naming resources that broke the complete server status page in the
manager application. Note these MBeans now have a new name. (markt)
</fix>
+ <fix>
+ <bug>49570</bug>: When using the example compression filter, set the
+ Vary header on compressed responses. (markt)
+ </fix>
</changelog>
</subsection>
</section>
Modified: tomcat/trunk/webapps/examples/WEB-INF/classes/compressionFilters/CompressionResponseStream.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/examples/WEB-INF/classes/compressionFilters/CompressionResponseStream.java?rev=962889&r1=962888&r2=962889&view=diff
==============================================================================
--- tomcat/trunk/webapps/examples/WEB-INF/classes/compressionFilters/CompressionResponseStream.java (original)
+++ tomcat/trunk/webapps/examples/WEB-INF/classes/compressionFilters/CompressionResponseStream.java Sat Jul 10 17:20:41 2010
@@(protected)
gzipstream = output;
} else {
response.addHeader("Content-Encoding", "gzip");
+ String vary = response.getHeader("Vary");
+ if (vary == null) {
+ // Add a new Vary header
+ response.setHeader("Vary", "Accept-Encoding");
+ } else if (vary.equals("*")) {
+ // No action required
+ } else {
+ // Merge into current header
+ response.setHeader("Vary", vary + ",Accept-Encoding");
+ }
gzipstream = new GZIPOutputStream(output);
}
}
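Review bot: the merge branch appends `,Accept-Encoding` without checking whether the existing `Vary` value already lists it, so a response that arrives here with `Vary: Accept-Encoding` leaves with `Accept-Encoding,Accept-Encoding`. Split the existing value on commas and compare the trimmed tokens case-insensitively before appending. The `vary.equals("*")` test is an exact string match, so a value with surrounding whitespace, or `*` as one item in a list, falls through to the merge branch; the same tokenising handles both. The empty `else if` body would read more clearly as a negated condition on the merge branch.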

Attachment:
dev_107727.ezm (zipped)
Author: markt
Date: Sat Jul 10 18:33:14 2010
New Revision: 962900
URL: http://svn.apache.org/viewvc?rev=962900&view=rev
Log:
Typo
Modified:
tomcat/trunk/webapps/docs/config/filter.xml
Modified: tomcat/trunk/webapps/docs/config/filter.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/filter.xml?rev=962900&r1=962899&r2=962900&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/filter.xml (original)
+++ tomcat/trunk/webapps/docs/config/filter.xml Sat Jul 10 18:33:14 2010
@@(protected) @@
<attribute name="randomClass" required="false">
<p>The name of the class to use to generate nonces. The class must be an
- instance of <code>java.util.Rnadom</code>. If not set, the default value
+ instance of <code>
java.util.Random</code>. If not set, the default value
of <code>
java.security.SecureRandom</code> will be used.</p>
</attribute>

Attachment:
dev_107728.ezm (zipped)
Author: markt
Date: Sat Jul 10 18:37:23 2010
New Revision: 962901
URL: http://svn.apache.org/viewvc?rev=962901&view=rev
Log:
Add fix for typo
Modified:
tomcat/tc6.0.x/trunk/STATUS.txt
Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=962901&r1=962900&r2=962901&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Sat Jul 10 18:37:23 2010
@@(protected):
http://svn.apache.org/viewvc?rev=962865&view=rev
http://svn.apache.org/viewvc?rev=962872&view=rev
http://svn.apache.org/viewvc?rev=962881&view=rev
+ http://svn.apache.org/viewvc?rev=962900&view=rev
+1: markt
-1:

Attachment:
dev_107729.ezm (zipped)
https://issues.apache.org/bugzilla/show_bug.cgi?id=48861
--- Comment #2 from dbz <tomcat_mailbox@(protected) ---
Created an attachment (id=25747)
--> (https://issues.apache.org/bugzilla/attachment.cgi?id=25747)
A patch which adds the AL header to several classes of the tomcat-lite module
This patch adds AL headers to several classes of the tomcat-lite module.
This patch has been built from the trunk.
The following classes of the tomcat-trunk _rat.dat file haven't been found :
modules/tomcat-lite/examples/spring/tomcat-spring.xml
modules/tomcat-lite/java/org/apache/tomcat/lite/io/SslConnector.java
modules/tomcat-lite/java/org/apache/tomcat/lite/servlet/JspLoader.java
modules/tomcat-lite/java/org/apache/tomcat/lite/servlet/ServletApi.java
modules/tomcat-lite/java/org/apache/tomcat/lite/servlet/ServletApi25.java
modules/tomcat-lite/java/org/apache/tomcat/lite/servlet/ServletApi30.java
modules/tomcat-lite/java/org/apache/tomcat/servlets/config/ConfigLoader.java
modules/tomcat-lite/java/org/apache/tomcat/servlets/config/ServletContextConfig.java
modules/tomcat-lite/java/org/apache/tomcat/servlets/config/deploy/AnnotationsProcessor.java
modules/tomcat-lite/java/org/apache/tomcat/servlets/config/deploy/DomUtil.java
modules/tomcat-lite/java/org/apache/tomcat/servlets/config/deploy/WarDeploy.java
modules/tomcat-lite/java/org/apache/tomcat/servlets/config/deploy/WebXml.java
modules/tomcat-lite/java/org/apache/tomcat/servlets/file/Filesystem.java
modules/tomcat-lite/java/org/apache/tomcat/servlets/file/LocalFilesystem.java
modules/tomcat-lite/java/org/apache/tomcat/servlets/jspc/JasperRuntime.java
modules/tomcat-lite/java/org/apache/tomcat/servlets/sec/UserAuthentication.java
modules/tomcat-lite/java/org/apache/tomcat/servlets/session/UserSessionManager.java
The classes found in the file tomcat-trunk _rat.dat file plus the following
classes have been patched :
org.apache.tomcat.lite.io.SslProvider
org.apache.tomcat.lite.http.HttpServer
org.apache.tomcat.lite.http.HttpClient
org.apache.tomcat.lite.io.jsse.JsseSslProvider
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

2010/7/10 Jim Jagielski <jim@(protected)>:
> The Apache Tomcat Team announces the immediate availability of Apache
> Tomcat 5.5.30 stable.
>
It seems that this announcement was not sent to the following list:
announce@(protected)
Archive:
http://mail-archives.apache.org/mod_mbox/www-announce/201007.mbox/browser
BTW, the only place that I know that lists the mail-lists where the
announcements go is in mod_jk,
http://svn.apache.org/repos/asf/tomcat/jk/trunk/HOWTO-RELEASE.txt
Best regards,
Konstantin Kolinko

Author: markt
Date: Sat Jul 10 21:13:23 2010
New Revision: 962917
URL: http://svn.apache.org/viewvc?rev=962917&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=49478
Add support for user specified character sets to the AddDefaultCharsetFilter. Based on a patch by Felix Schumacher.
Added:
tomcat/trunk/test/org/apache/catalina/filters/TestAddCharSetFilter.java (with props)
Modified:
tomcat/trunk/java/org/apache/catalina/filters/AddDefaultCharsetFilter.java
tomcat/trunk/java/org/apache/catalina/filters/LocalStrings.properties
tomcat/trunk/webapps/docs/changelog.xml
tomcat/trunk/webapps/docs/config/filter.xml
Modified: tomcat/trunk/java/org/apache/catalina/filters/AddDefaultCharsetFilter.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/filters/AddDefaultCharsetFilter.java?rev=962917&r1=962916&r2=962917&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/filters/AddDefaultCharsetFilter.java (original)
+++ tomcat/trunk/java/org/apache/catalina/filters/AddDefaultCharsetFilter.java Sat Jul 10 21:13:23 2010
@@(protected) @@
package org.apache.catalina.filters;
-
import
java.io.IOException;
+import
java.nio.charset.Charset;
-import
javax.servlet.Filter;
import
javax.servlet.FilterChain;
import
javax.servlet.FilterConfig;
import
javax.servlet.ServletException;
@@(protected);
import
javax.servlet.http.HttpServletResponse;
import
javax.servlet.http.HttpServletResponseWrapper;
+import
org.apache.juli.logging.Log;
+import
org.apache.juli.logging.LogFactory;
+
/**
* Filter that explicitly sets the default character set for media subtypes of
- * the "text" type to ISO-8859-1. RFC2616 explicitly states that browsers must
- * use ISO-8859-1 in these circumstances. However, browsers may attempt to
+ * the "text" type to ISO-8859-1, or another user defined character set. RFC2616
+ * explicitly states that browsers must use ISO-8859-1 if no character set is
+ * defined for media with subtype "text". However, browsers may attempt to
* auto-detect the character set. This may be exploited by an attacker to
* perform an XSS attack. Internet Explorer has this behaviour by default. Other
- * browsers have an option to enable it.
+ * browsers have an option to enable it.<br/>
*
* This filter prevents the attack by explicitly setting a character set. Unless
* the provided character set is explicitly overridden by the user - in which
* case they deserve everything they get - the browser will adhere to an
* explicitly set character set, thus preventing the XSS attack.
*/
-public class AddDefaultCharsetFilter implements Filter {
+public class AddDefaultCharsetFilter extends FilterBase {
+
+ private static final Log log =
+ LogFactory.getLog(AddDefaultCharsetFilter.class);
+
+ private static final String DEFAULT_ENCODING = "ISO-8859-1";
+
+ private String encoding;
+
+ public void setEncoding(String encoding) {
+ this.encoding = encoding;
+ }
+
+ @Override
+ protected Log getLogger() {
+ return log;
+ }
- public void destroy() {
- // NOOP
+ @Override
+ public void init(FilterConfig filterConfig) throws ServletException {
+ super.init(filterConfig);
+ if (encoding == null || encoding.length() == 0 ||
+ encoding.equalsIgnoreCase("default")) {
+ encoding = DEFAULT_ENCODING;
+ } else if (encoding.equalsIgnoreCase("system")) {
+ encoding = Charset.defaultCharset().name();
+ } else if (!Charset.isSupported(encoding)) {
+ throw new IllegalArgumentException(sm.getString(
+ "addDefaultCharset.unsupportedCharset", encoding));
+ }
}
public void doFilter(ServletRequest request, ServletResponse response,
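Review bot: In init(), Charset.isSupported(encoding) itself throws IllegalCharsetNameException when the configured name is syntactically illegal, so such a value never reaches the addDefaultCharset.unsupportedCharset message in the last else-if branch and the administrator sees a raw JDK exception instead. Catch that exception around the isSupported call and report it through the same sm.getString(...) message. The class Javadoc could also say that a user defined character set is accepted on JVM support alone, since the filter's stated purpose is to stop browsers guessing the encoding.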
@@(protected)
// Wrap the response
if (response instanceof HttpServletResponse) {
ResponseWrapper wrapped =
- new ResponseWrapper((HttpServletResponse)response);
+ new ResponseWrapper((HttpServletResponse)response, encoding);
chain.doFilter(request, wrapped);
} else {
chain.doFilter(request, response);
}
}
- public void init(FilterConfig filterConfig) throws ServletException {
- // NOOP
- }
-
/**
- * Wrapper that adds the default character set for text media types if no
- * character set is specified.
+ * Wrapper that adds a character set for text media types if no character
+ * set is specified.
*/
- public class ResponseWrapper extends HttpServletResponseWrapper {
+ public static class ResponseWrapper extends HttpServletResponseWrapper {
+
+ private String encoding;
+
+ public ResponseWrapper(HttpServletResponse response, String encoding) {
+ super(response);
+ this.encoding = encoding;
+ }
@Override
public void setContentType(String ct) {
- if (ct != null && ct.startsWith("text/") &&
- ct.indexOf("charset=") < 0) {
- // Use getCharacterEncoding() in case the charset has already
- // been set by a separate call.
- super.setContentType(ct + ";charset=" + getCharacterEncoding());
+ if (ct != null && ct.startsWith("text/")) {
+ if (ct.indexOf("charset=") < 0) {
+ super.setContentType(ct + ";charset=" + encoding);
+ } else {
+ super.setContentType(ct);
+ encoding = getCharacterEncoding();
+ }
} else {
super.setContentType(ct);
}
}
- public ResponseWrapper(HttpServletResponse response) {
- super(response);
+ @Override
+ public void setCharacterEncoding(String charset) {
+ super.setCharacterEncoding(charset);
+ encoding = charset;
}
-
}
}
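Review bot: ResponseWrapper.setCharacterEncoding() copies its argument into encoding with no null check, so a servlet that calls setCharacterEncoding(null) and then setContentType("text/plain") gets ";charset=null" appended by the first branch of setContentType(). Keep the previous value when charset is null. The ct.startsWith("text/") and ct.indexOf("charset=") tests are also case-sensitive, so a value such as "text/html;Charset=UTF-8" takes the append branch and ends up carrying two charset parameters; compare against a lower-cased copy of ct.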
Modified: tomcat/trunk/java/org/apache/catalina/filters/LocalStrings.properties
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/filters/LocalStrings.properties?rev=962917&r1=962916&r2=962917&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/filters/LocalStrings.properties (original)
+++ tomcat/trunk/java/org/apache/catalina/filters/LocalStrings.properties Sat Jul 10 21:13:23 2010
@@(protected) @@
# See the License for the specific language governing permissions and
# limitations under the License.
+addDefaultCharset.unsupportedCharset=Specified character set [{0}] is not supported
csrfPrevention.invalidRandomClass=Unable to create Random source using class [{0}]
filterbase.noSuchProperty=The property "{0}" is not defined for filters of type "{1}"
Added: tomcat/trunk/test/org/apache/catalina/filters/TestAddCharSetFilter.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/catalina/filters/TestAddCharSetFilter.java?rev=962917&view=auto
==============================================================================
--- tomcat/trunk/test/org/apache/catalina/filters/TestAddCharSetFilter.java (added)
+++ tomcat/trunk/test/org/apache/catalina/filters/TestAddCharSetFilter.java Sat Jul 10 21:13:23 2010
@@(protected) @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.catalina.filters;
+
+import
java.io.IOException;
+import
java.nio.charset.Charset;
+import
java.util.HashMap;
+import
java.util.List;
+import
java.util.Map;
+
+import
javax.servlet.ServletException;
+import
javax.servlet.http.HttpServlet;
+import
javax.servlet.http.HttpServletRequest;
+import
javax.servlet.http.HttpServletResponse;
+
+import
org.apache.catalina.Context;
+import
org.apache.catalina.deploy.FilterDef;
+import
org.apache.catalina.deploy.FilterMap;
+import
org.apache.catalina.startup.Tomcat;
+import org.apache.catalina.startup.TomcatBaseTest;
+import
org.apache.tomcat.util.buf.ByteChunk;
+
+public class TestAddCharSetFilter extends TomcatBaseTest {
+
+ public void testNoneSpecifiedMode1() throws Exception {
+ doTest(null, "ISO-8859-1");
+ }
+
+ public void testNoneSpecifiedMode2() throws Exception {
+ doTest(null, "ISO-8859-2", 2);
+ }
+
+ public void testNoneSpecifiedMode3() throws Exception {
+ doTest(null, "ISO-8859-3", 3);
+ }
+
+ public void testDefault() throws Exception {
+ doTest("default", "ISO-8859-1");
+ }
+
+ public void testDefaultMixedCase() throws Exception {
+ doTest("dEfAuLt", "ISO-8859-1");
+ }
+
+ public void testSystem() throws Exception {
+ doTest("system", Charset.defaultCharset().name());
+ }
+
+ public void testSystemMixedCase() throws Exception {
+ doTest("SyStEm", Charset.defaultCharset().name());
+ }
+
+ public void testUTF8() throws Exception {
+ doTest("utf-8", "utf-8");
+ }
+
+
+ private void doTest(String encoding, String expected) throws Exception {
+ doTest(encoding, expected, 1);
+ }
+
+ private void doTest(String encoding, String expected, int mode)
+ throws Exception {
+ // Setup Tomcat instance
+ Tomcat tomcat = getTomcatInstance();
+
+ // Must have a real docBase - just use temp
+ Context ctx =
+ tomcat.addContext("/", System.getProperty("java.io.tmpdir"));
+
+ // Add the Servlet
+ CharsetServlet servlet = new CharsetServlet(mode);
+ Tomcat.addServlet(ctx, "servlet", servlet);
+ ctx.addServletMapping("/", "servlet");
+
+ // Add the Filter
+ FilterDef filterDef = new FilterDef();
+ filterDef.setFilterClass(AddDefaultCharsetFilter.class.getName());
+ filterDef.setFilterName("filter");
+ if (encoding != null) {
+ filterDef.addInitParameter("encoding", encoding);
+ }
+ ctx.addFilterDef(filterDef);
+ FilterMap filterMap = new FilterMap();
+ filterMap.setFilterName("filter");
+ filterMap.addServletName("servlet");
+ ctx.addFilterMap(filterMap);
+
+ tomcat.start();
+
+ Map<String, List<String>> headers = new HashMap<String, List<String>>();
+ getUrl("http://localhost:" + getPort() + "/", new ByteChunk(), headers);
+
+ List<String> ctHeaders = headers.get("Content-Type");
+ assertEquals(1, ctHeaders.size());
+ String ct = ctHeaders.get(0);
+ assertEquals("text/plain;charset=" + expected, ct);
+ }
+
+ private static class CharsetServlet extends HttpServlet {
+ private static final long serialVersionUID = 1L;
+ private static final String OUTPUT = "OK";
+
+ private final int mode;
+
+ public CharsetServlet(int mode) {
+ this.mode = mode;
+ }
+
+ @Override
+ protected void doGet(HttpServletRequest req, HttpServletResponse resp)
+ throws ServletException, IOException {
+
+ switch (mode) {
+ case 1:
+ resp.setContentType("text/plain");
+ break;
+ case 2:
+ resp.setContentType("text/plain;charset=ISO-8859-2");
+ break;
+ case 3:
+ resp.setContentType("text/plain");
+ resp.setCharacterEncoding("ISO-8859-3");
+ break;
+ default:
+ resp.setContentType("text/plain;charset=ISO-8859-4");
+ break;
+ }
+ resp.getWriter().print(OUTPUT);
+ }
+ }
+}
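Review bot: No test method combines a configured filter encoding with a servlet that sets its own charset: modes 2 and 3 are only run with encoding null, and the default branch of the switch in CharsetServlet (ISO-8859-4) is never reached because every caller passes mode 1, 2 or 3. Add cases such as doTest("utf-8", "ISO-8859-2", 2) to pin down that the servlet's explicit choice wins over the filter's, and one with an unsupported name to cover the IllegalArgumentException path in init().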
Propchange: tomcat/trunk/test/org/apache/catalina/filters/TestAddCharSetFilter.java
------------------------------------------------------------------------------
svn:eol-style = native
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=962917&r1=962916&r2=962917&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Sat Jul 10 21:13:23 2010
@@(protected) @@
Use a LockOutRealm in the default configuration to prevent attempts to
guess user passwords by brute-force. (markt)
</add>
+ <add>
+ <bug>49478</bug>: Add support for user specified character sets to the
+ <code>AddDefaultCharsetFilter</code>. Based on a patch by Felix
+ Schumacher. (markt)
+ </add>
<fix>
<bug>49503</bug>: Make sure connectors bind to their associated ports
sufficiently early to allow jsvc and the
Modified: tomcat/trunk/webapps/docs/config/filter.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/filter.xml?rev=962917&r1=962916&r2=962917&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/filter.xml (original)
+++ tomcat/trunk/webapps/docs/config/filter.xml Sat Jul 10 21:13:23 2010
@@(protected) @@
<subsection name="Initialisation parameters">
- <p>The Add Default Character Set Filter does not support any initialization
- parameters.</p>
+ <p>The Add Default Character Set Filter supports the following initialization
+ parameters:</p>
+
+ <attributes>
+
+ <attribute name="encoding" required="false">
+ <p>Name of the character set which should be set, if no other character set
+ was set explicitly by a Servlet. This parameter has two special values
+ <code>default</code> and <code>system</code>. A value of <code>system</code>
+ uses the JVM wide default character set, which is usually set by locale.
+ A value of <code>default</code> will use <strong>ISO-8859-1</strong>.</p>
+ </attribute>
+
+ </attributes>
</subsection>
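Review bot: The new encoding attribute text does not say what happens for a value that is neither special nor supported, nor that an empty value behaves like default. The init() change in this same commit throws IllegalArgumentException for an unsupported name and maps null or empty to ISO-8859-1; state both here. A sentence noting that system makes the emitted charset depend on the host's JVM configuration would also help, since the same web application may then label its responses differently from one machine to the next.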

https://issues.apache.org/bugzilla/show_bug.cgi?id=49478
Mark Thomas <markt@(protected):
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED
--- Comment #2 from Mark Thomas <markt@(protected) ---
Thanks for the patch. I applied a slightly modified version (handles a few edge
cases, added a test case, i18n support, extended FilterBase) to 7.0.x and it
will be included in 7.0.1 onwards.
Thanks again.

Author: markt
Date: Sat Jul 10 21:22:12 2010
New Revision: 962919
URL: http://svn.apache.org/viewvc?rev=962919&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=49442
Trivial code clean-up. No functional change.
Based on a patch provided by Sebb.
Modified:
tomcat/trunk/java/org/apache/tomcat/util/res/StringManager.java
Modified: tomcat/trunk/java/org/apache/tomcat/util/res/StringManager.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/res/StringManager.java?rev=962919&r1=962918&r2=962919&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/res/StringManager.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/res/StringManager.java Sat Jul 10 21:22:12 2010
@@(protected) {
/**
* The ResourceBundle for this StringManager.
*/
- private ResourceBundle bundle;
- private Locale locale;
+ private final ResourceBundle bundle;
+ private final Locale locale;
/**
* Creates a new StringManager for a given package. This is a
@@(protected) {
*/
private StringManager(String packageName) {
String bundleName = packageName + ".LocalStrings";
+ ResourceBundle bnd = null;
try {
- bundle = ResourceBundle.getBundle(bundleName, Locale.getDefault());
+ bnd = ResourceBundle.getBundle(bundleName, Locale.getDefault());
} catch( MissingResourceException ex ) {
// Try from the current loader (that's the case for trusted apps)
// Should only be required if using a TC5 style classloader structure
@@(protected) {
ClassLoader cl = Thread.currentThread().getContextClassLoader();
if( cl != null ) {
try {
- bundle = ResourceBundle.getBundle(
+ bnd = ResourceBundle.getBundle(
bundleName, Locale.getDefault(), cl);
} catch(MissingResourceException ex2) {
// Ignore
}
}
}
+ bundle = bnd;
// Get the actual locale, which may be different from the requested one
if (bundle != null) {
locale = bundle.getLocale();
+ } else {
+ locale = null;
}
}
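Review bot: With bundle now final, the path where both getBundle() calls fail leaves bundle and locale permanently null, and the inner catch still says only "// Ignore". Either log the missing bundleName at that point or extend the field comment to say that null is a valid state, so that anyone touching the methods that read bundle knows a null check is required.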
@@(protected) {
// STATIC SUPPORT METHODS
// --------------------------------------------------------------
- private static Hashtable<String, StringManager> managers =
+ private static final Hashtable<String, StringManager> managers =
new Hashtable<String, StringManager>();
/**

https://issues.apache.org/bugzilla/show_bug.cgi?id=49567
--- Comment #1 from Mark Thomas <markt@(protected) ---
Looks like you attached the wrong test case to this report.

https://issues.apache.org/bugzilla/show_bug.cgi?id=49442
Mark Thomas <markt@(protected):
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED
--- Comment #1 from Mark Thomas <markt@(protected) ---
Fixed in 7.0.x. Will be in 7.0.1 onwards.

Author: markt
Date: Sat Jul 10 21:33:16 2010
New Revision: 962921
URL: http://svn.apache.org/viewvc?rev=962921&view=rev
Log:
Trivial cleanup no functional change
Modified:
tomcat/trunk/test/org/apache/catalina/tribes/demos/EchoRpcTest.java
Modified: tomcat/trunk/test/org/apache/catalina/tribes/demos/EchoRpcTest.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/catalina/tribes/demos/EchoRpcTest.java?rev=962921&r1=962920&r2=962921&view=diff
==============================================================================
--- tomcat/trunk/test/org/apache/catalina/tribes/demos/EchoRpcTest.java (original)
+++ tomcat/trunk/test/org/apache/catalina/tribes/demos/EchoRpcTest.java Sat Jul 10 21:33:16 2010
@@(protected)
int options = RpcChannel.ALL_REPLY;
long timeout = 15000;
String message = "EchoRpcMessage";
- if ( args.length == 0 ) {
- args = new String[] {"-help"};
+ if (args.length == 0) {
+ usage();
+ System.exit(1);
}
for (int i = 0; i < args.length; i++) {
if ("-threads".equals(args[i])) {
@@(protected)
else if ( "majority".equals(args[i]) ) options = RpcChannel.MAJORITY_REPLY;
} else if ("-debug".equals(args[i])) {
// Not used
- } else if ("-help".equals(args[i]))
- {
+ } else if ("-help".equals(args[i])) {
usage();
System.exit(1);
}
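Review bot: The explicit -help branch still ends with System.exit(1), the same status the previous hunk now uses for the no-arguments case; a requested help message is normally a successful run. Consider System.exit(0) for -help and keeping 1 for missing arguments so that a calling script can tell the two apart.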

Author: markt
Date: Sat Jul 10 21:39:58 2010
New Revision: 962922
URL: http://svn.apache.org/viewvc?rev=962922&view=rev
Log:
javax.mail is a dummy implementation - mark it as such to stop Eclipse complaining about empty methods and unused parameters
Modified:
tomcat/trunk/java/javax/mail/Authenticator.java
tomcat/trunk/java/javax/mail/PasswordAuthentication.java
tomcat/trunk/java/javax/mail/Session.java
tomcat/trunk/java/javax/mail/internet/InternetAddress.java
tomcat/trunk/java/javax/mail/internet/MimeMessage.java
tomcat/trunk/java/javax/mail/internet/MimePart.java
tomcat/trunk/java/javax/mail/internet/MimePartDataSource.java
Modified: tomcat/trunk/java/javax/mail/Authenticator.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/javax/mail/Authenticator.java?rev=962922&r1=962921&r2=962922&view=diff
==============================================================================
--- tomcat/trunk/java/javax/mail/Authenticator.java (original)
+++ tomcat/trunk/java/javax/mail/Authenticator.java Sat Jul 10 21:39:58 2010
@@(protected) @@
package javax.mail;
public class Authenticator {
-
+ // Dummy implementation
}
Modified: tomcat/trunk/java/javax/mail/PasswordAuthentication.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/javax/mail/PasswordAuthentication.java?rev=962922&r1=962921&r2=962922&view=diff
==============================================================================
--- tomcat/trunk/java/javax/mail/PasswordAuthentication.java (original)
+++ tomcat/trunk/java/javax/mail/PasswordAuthentication.java Sat Jul 10 21:39:58 2010
@@(protected) @@
*/
package javax.mail;
+@(protected)
public class PasswordAuthentication {
public PasswordAuthentication(String user, String password) {
+ // Dummy implementation
}
}
Modified: tomcat/trunk/java/javax/mail/Session.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/javax/mail/Session.java?rev=962922&r1=962921&r2=962922&view=diff
==============================================================================
--- tomcat/trunk/java/javax/mail/Session.java (original)
+++ tomcat/trunk/java/javax/mail/Session.java Sat Jul 10 21:39:58 2010
@@(protected);
import
java.util.Properties;
+@(protected)
public class Session {
public static Session getInstance(Properties props, Authenticator auth) {
return null;
Modified: tomcat/trunk/java/javax/mail/internet/InternetAddress.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/javax/mail/internet/InternetAddress.java?rev=962922&r1=962921&r2=962922&view=diff
==============================================================================
--- tomcat/trunk/java/javax/mail/internet/InternetAddress.java (original)
+++ tomcat/trunk/java/javax/mail/internet/InternetAddress.java Sat Jul 10 21:39:58 2010
@@(protected) @@
*/
package javax.mail.internet;
+@(protected)
public class InternetAddress {
public InternetAddress(String from) {
+ // Dummy implementation
}
}
Modified: tomcat/trunk/java/javax/mail/internet/MimeMessage.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/javax/mail/internet/MimeMessage.java?rev=962922&r1=962921&r2=962922&view=diff
==============================================================================
--- tomcat/trunk/java/javax/mail/internet/MimeMessage.java (original)
+++ tomcat/trunk/java/javax/mail/internet/MimeMessage.java Sat Jul 10 21:39:58 2010
@@(protected);
import
javax.mail.Session;
+@(protected)
public class MimeMessage implements MimePart {
public MimeMessage(Session session) {
+ // Dummy implementation
}
public void setFrom(InternetAddress from) {
+ // Dummy implementation
}
public void setSubject(String subject) {
+ // Dummy implementation
}
}
Modified: tomcat/trunk/java/javax/mail/internet/MimePart.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/javax/mail/internet/MimePart.java?rev=962922&r1=962921&r2=962922&view=diff
==============================================================================
--- tomcat/trunk/java/javax/mail/internet/MimePart.java (original)
+++ tomcat/trunk/java/javax/mail/internet/MimePart.java Sat Jul 10 21:39:58 2010
@@(protected) @@
package javax.mail.internet;
public interface MimePart {
+ // Dummy implementation
}
Modified: tomcat/trunk/java/javax/mail/internet/MimePartDataSource.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/javax/mail/internet/MimePartDataSource.java?rev=962922&r1=962921&r2=962922&view=diff
==============================================================================
--- tomcat/trunk/java/javax/mail/internet/MimePartDataSource.java (original)
+++ tomcat/trunk/java/javax/mail/internet/MimePartDataSource.java Sat Jul 10 21:39:58 2010
@@(protected) @@
*/
package javax.mail.internet;
+@(protected)
public class MimePartDataSource {
public MimePartDataSource(MimePart part) {
+ // Dummy implementation
}
}

Author: markt
Date: Sat Jul 10 21:43:02 2010
New Revision: 962923
URL: http://svn.apache.org/viewvc?rev=962923&view=rev
Log:
Eclipse warnings for annotations
Modified:
tomcat/trunk/java/javax/annotation/PostConstruct.java
tomcat/trunk/java/javax/annotation/PreDestroy.java
tomcat/trunk/java/javax/annotation/security/DenyAll.java
tomcat/trunk/java/javax/annotation/security/PermitAll.java
Modified: tomcat/trunk/java/javax/annotation/PostConstruct.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/javax/annotation/PostConstruct.java?rev=962923&r1=962922&r2=962923&view=diff
==============================================================================
--- tomcat/trunk/java/javax/annotation/PostConstruct.java (original)
+++ tomcat/trunk/java/javax/annotation/PostConstruct.java Sat Jul 10 21:43:02 2010
@@(protected);
@Retention(RetentionPolicy.RUNTIME)
public @interface PostConstruct {
+ // No attributes
}
Modified: tomcat/trunk/java/javax/annotation/PreDestroy.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/javax/annotation/PreDestroy.java?rev=962923&r1=962922&r2=962923&view=diff
==============================================================================
--- tomcat/trunk/java/javax/annotation/PreDestroy.java (original)
+++ tomcat/trunk/java/javax/annotation/PreDestroy.java Sat Jul 10 21:43:02 2010
@@(protected);
@Retention(RetentionPolicy.RUNTIME)
public @interface PreDestroy {
+ // No attributes
}
Modified: tomcat/trunk/java/javax/annotation/security/DenyAll.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/javax/annotation/security/DenyAll.java?rev=962923&r1=962922&r2=962923&view=diff
==============================================================================
--- tomcat/trunk/java/javax/annotation/security/DenyAll.java (original)
+++ tomcat/trunk/java/javax/annotation/security/DenyAll.java Sat Jul 10 21:43:02 2010
@@(protected);
@Retention(RetentionPolicy.RUNTIME)
public @interface DenyAll {
+ // No attributes
}
Modified: tomcat/trunk/java/javax/annotation/security/PermitAll.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/javax/annotation/security/PermitAll.java?rev=962923&r1=962922&r2=962923&view=diff
==============================================================================
--- tomcat/trunk/java/javax/annotation/security/PermitAll.java (original)
+++ tomcat/trunk/java/javax/annotation/security/PermitAll.java Sat Jul 10 21:43:02 2010
@@(protected);
@Retention(RetentionPolicy.RUNTIME)
public @interface PermitAll {
+ // No attributes
}

https://issues.apache.org/bugzilla/show_bug.cgi?id=49268
--- Comment #2 from Konstantin Kolinko <knst.kolinko@(protected) ---
Thank you for the effort.
I won't comment on the project policies - that is to be discussed and decided
on dev@.
Several comments on the patch itself:
1) Checkstyle version should not be hard-coded in build.xml.
> style="${checkstyle.home}/checkstyle-5.1/contrib/checkstyle-noframes.xsl"/>
2) What is the origin of the res/checkstyle.xml file? There is no copyright or
license notice there.
3) Contrary to the written "- activates only check for tabs", there are more
checks that are enabled in the proposed checkstyle file.

Adjusted the thread subject.
Was: Vote: Add Checkstyle roleset and make code cleanups!
2010/7/8 Peter Roßbach <pr@(protected)>:
> Hi,
>
> after the discussion about code style
> (http://tomcat.markmail.org/thread/2c7lkzmpcuxqpgjj), I think that we must
> vote for this fix:
>
> https://issues.apache.org/bugzilla/show_bug.cgi?id=49268
> It includes a starting point for a very limited checkstyle ruleset.
>
> +1: progressively introduce checkstyle with checks for which a consensus
> exists (first TabSpacePolicy, @Version format)
> 0 : More discussion needed
> -1: no checkstyle integration. Tomcat shouldn't have code style rules
1. What is TabSpacePolicy? It is not listed at:
http://checkstyle.sourceforge.net/availablechecks.html
There is FileTabCharacter though.
http://checkstyle.sourceforge.net/config_whitespace.html#FileTabCharacter
2. There is NO consensus on @Version format.
Last time when it was discussed, about a year ago,
there was slight agreement to get rid of those tags at all.
http://marc.info/?t=124692531300003&r=1&w=2
Though, when I actually was performing the change recently I went for
a more safe route of just replacing $Date$ with $Id$.
One caveat with $Id$ that I noted in the last several months:
when filename is long, "@(protected)
characters and is wrapped when reformatting the file in IDE, thus
breaking this keyword. In several such cases I replaced $Id$ with
$Revision$.
3. From message in "Re: r960104" thread:
http://markmail.org/message/rkznrp2cnfkd4eob:
> FileTabCharacter -> currently 146 failures
In what packages are those files?
Fixing them can be discussed and done first,
before enabling any checkstyle nags in the project.
4. Is it possible to exclude some packages from checkstyle checks?
E.g., org.apache.tomcat.util.bcel ?
5. Is there experience whether checkstyle checks run fast, or there
are noticeable delays?
The "Re: r960104" thread was about preventing commits that have wrong
whitespace. It probably means that checkstyle is run automatically
by IDE, or by the buildbot. Do others have positive experience with
such configurations?
Based on the above
[x] 0 : More discussion needed
I am +1 if someone else wants to add a separate "checkstyle" target to
build.xml.
I do not mind checks that already succeed for the existing
code. Though if they always succeed they are not really useful.
Regarding the checks that fail -- before enabling the check I would
like to discuss whether we can fix the code in TC7, and whether we can
backport the fix. At least the affected files have to be listed.
Best regards,
Konstantin Kolinko