Posted to dev@tomcat.apache.org by bu...@apache.org on 2015/01/18 15:02:48 UTC

[Bug 57458] New: Mixed up responses sent to wrong users

https://issues.apache.org/bugzilla/show_bug.cgi?id=57458

            Bug ID: 57458
           Summary: Mixed up responses sent to wrong users
           Product: Tomcat 7
           Version: 7.0.39
          Hardware: PC
            Status: NEW
          Severity: critical
          Priority: P2
         Component: Connectors
          Assignee: dev@tomcat.apache.org
          Reporter: mahmoud.alyasein@gmail.com

Some users reported that they had become another user. After a long
investigation using JMeter scripts we were able to duplicate it: we found that
when stressing Tomcat for a while with huge responses (like file downloads or
big pages) some users got the wrong response, belonging to other users, and in
some cases users received images instead of HTML pages. At the same time we got
a null pointer exception coming from the connector (we are using
"org.apache.coyote.http11.Http11NioProtocol"), so we changed it to
"org.apache.coyote.http11.Http11Protocol" and then could not duplicate it again
using the Http11Protocol protocol.

We're using Tomcat 7.0.39 with JDK 1.6_10. Is there any known fix for this
issue, and in which version?

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org



Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
                 OS|                            |All

--- Comment #1 from Mark Thomas <ma...@apache.org> ---
7.0.39 is getting on for 2 years old and has a number of known security
vulnerabilities, including one that can result in response mix-ups.

Please upgrade to the latest stable 7.0.x release (7.0.58 as I type this) and
retest.

The more information you provide, the more likely we are to be able to help
you. A copy of the stack trace for the NPE you mention would be a start. Other
things of interest: does your application use any of the following?
- Comet (I'm guessing not because you could switch to BIO)
- WebSocket
- Servlet 3.0 async
- sendFile




--- Comment #2 from Mahmoud Al-Yasein <ma...@gmail.com> ---
We are not using any of the mentioned items. Unfortunately I don't have the
stack trace, just a null pointer exception without a stack trace. I'll try to
use the latest version and see.




--- Comment #3 from Konstantin Kolinko <kn...@gmail.com> ---
(In reply to Mark Thomas from comment #1)
> 7.0.39 is getting on for 2 years old and has a number of known security
> vulnerabilities including one that can result in response mix ups.
> 
> Please upgrade to the latest stable 7.0.x release (7.0.58 as I type this)
> and retest.

+1

Correction:
7.0.57 is the last released version. (7.0.58 has not been tagged yet).

I also recommend adding the following line to conf/catalina.properties:
org.apache.catalina.connector.RECYCLE_FACADES=true

Documentation:
http://tomcat.apache.org/tomcat-7.0-doc/config/systemprops.html#Security

That setting helps to prevent and detect programming errors in web
applications such as illegal access to request/response objects outside of
their life cycle.

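The "retained reference" bug class that the RECYCLE_FACADES setting in comment #3 makes detectable, and that comment #4 suspects, as an added illustration that is not part of the bug report or of Tomcat's own code: a hypothetical servlet that keeps the container's response object beyond its request, beside a corrected version that keeps nothing container-owned alive. Class names and the `/safe` path are made up.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

// BROKEN (hypothetical): a container-owned response is kept past the end of
// its request. Tomcat recycles request/response objects, so a later write
// through this field lands in whichever request currently owns the object.
class LeakyNotifyServlet extends HttpServlet {
    static HttpServletResponse lastResponse;   // escapes the request life cycle

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        lastResponse = resp;
        resp.getWriter().println("registered");
    }

    // Called later, e.g. from a background thread, after doGet has returned.
    // With org.apache.catalina.connector.RECYCLE_FACADES=true this fails with
    // an IllegalStateException instead of silently writing into another
    // user's response, which is what makes the bug detectable in testing.
    static void notifyLastClient(String msg) throws IOException {
        lastResponse.getWriter().println(msg);
    }
}

// CORRECT: nothing container-owned outlives the request. Copy the plain
// values you need; if a deferred write is really required, use Servlet 3.0
// async so the container keeps this response bound to this client.
@WebServlet(urlPatterns = "/safe", asyncSupported = true)
class SafeNotifyServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        final String user = req.getRemoteUser();   // a String, not the request
        final AsyncContext ctx = req.startAsync();
        ctx.start(new Runnable() {                 // JDK 6 style, as on the reporter's setup
            public void run() {
                try {
                    ctx.getResponse().getWriter().println("hello " + user);
                } catch (IOException e) {
                    log("deferred write failed", e);
                } finally {
                    ctx.complete();                // hand the response back to Tomcat
                }
            }
        });
    }
}
```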



Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |RESOLVED
         Resolution|---                         |INVALID

--- Comment #4 from Mark Thomas <ma...@apache.org> ---
No response in 2+ weeks. Closing on the assumption that the application is
retaining a reference that it shouldn't.

Feel free to re-open this if you can provide a simple test case that
demonstrates this issue on the latest 7.0.x release.
