Posted to dev@tomcat.apache.org by Hans Bergsten <ha...@gefionsoftware.com> on 2001/01/11 22:02:50 UTC

Tomcat 3.2.2 [Was: Re: BugRat Report #690 has been filed.]

"Craig R. McClanahan" wrote:
> 
> Glenn Nielsen wrote:
> 
> > I stand corrected.
> >
> > The below problem was a bug in Tomcat.  Wrapping the RequestDispatcher
> > forward() and include() methods with a doPrivileged() if a SecurityManager
> > is being used fixed the problem.  When Tomcat 3.2.2 is released you will
> > no longer need to edit the jre/lib/security/java.security file to comment
> > out the package.access=sun. line.
> >
> > This fix is in the 3.2 CVS branch, and will be in the Tomcat 3.2.2 release.
> >
> 
> Glenn (and others),
> 
> Have we accumulated enough bug fixes where it's worth creating a 3.2.2 release,
> or are there more issues that should be dealt with first?

I've seen the problem most recently reported in BugReport #744 described a
few times now, but I haven't had a chance to verify it and look for a
solution. Since this is a security bug, it seems like something that should
be included in 3.2.2.

I'll try to take a closer look at it this weekend, but can't promise anything.

Hans
-- 
Hans Bergsten		hans@gefionsoftware.com
Gefion Software		http://www.gefionsoftware.com
Author of JavaServer Pages (O'Reilly), http://TheJSPBook.com
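
The wrapping Glenn describes in the quoted text above, sketched as an added example that is not Tomcat's code and not from any poster in this thread: the dispatch runs inside doPrivileged() only when a SecurityManager is installed. `InternalDispatch` and `dispatch()` are hypothetical names standing in for the container's forward()/include() internals.

```java
import java.io.IOException;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

// Hypothetical stand-in for the container-internal dispatch step; not a Tomcat class.
interface InternalDispatch {
    void run() throws IOException;
}

public class PrivilegedDispatchExample {

    // When a SecurityManager is installed, run the dispatch inside doPrivileged()
    // so the permission check stops at this frame and is not failed by the
    // less-privileged web application code further up the call stack.
    static void dispatch(final InternalDispatch target) throws IOException {
        if (System.getSecurityManager() == null) {
            target.run(); // no sandbox in effect: call directly
            return;
        }
        try {
            AccessController.doPrivileged(new PrivilegedExceptionAction<Void>() {
                public Void run() throws IOException {
                    target.run();
                    return null;
                }
            });
        } catch (PrivilegedActionException e) {
            // doPrivileged() wraps checked exceptions; restore the original type
            // so callers of forward()/include() see the exception they expect.
            Exception cause = e.getException();
            if (cause instanceof IOException) {
                throw (IOException) cause;
            }
            throw new IllegalStateException(cause);
        }
    }

    public static void main(String[] args) throws IOException {
        dispatch(new InternalDispatch() {
            public void run() {
                System.out.println("forward/include body ran");
            }
        });
    }
}
```

Code inside the privileged block is checked only against the protection domains of the doPrivileged() caller and whatever it calls, so the block should stay as narrow as the operation that needs it.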

Re: Tomcat 3.2.2 [Was: Re: BugRat Report #690 has been filed.]

Posted by Hans Bergsten <ha...@gefionsoftware.com>.
Marc Saegesser wrote:
> 
> Regarding BugReport #744.  I've been trying to duplicate it on my Win2000
> system and haven't had any luck.  I always get back the executed page.  Has
> anyone else been able to duplicate the problem behavior?

I actually tested it today (on a Red Hat 7 system, but I doubt that matters)
and was able to reproduce it easily; just make a GET request without the
protocol. I haven't had a chance to try to figure out why yet though.

> [...]

Hans
-- 
Hans Bergsten		hans@gefionsoftware.com
Gefion Software		http://www.gefionsoftware.com
Author of JavaServer Pages (O'Reilly), http://TheJSPBook.com

RE: Tomcat 3.2.2 [Was: Re: BugRat Report #690 has been filed.]

Posted by Marc Saegesser <ma...@apropos.com>.
Regarding BugReport #744.  I've been trying to duplicate it on my Win2000
system and haven't had any luck.  I always get back the executed page.  Has
anyone else been able to duplicate the problem behavior?

As for 3.2.2, I think we should give 3.2.1 a little more soak time.  The
flow of bug reports seems to have increased which means that people are
using the release.  I don't think there are any really critical bugs fixed
so far so another week or so should hurt and with the extra usage we might
find something that should be addressed.

With any luck, 3.2.2 puts this release to bed and there won't be a need for
a 3.2.3.

> -----Original Message-----
> From: hans@servlets.net [mailto:hans@servlets.net]On Behalf Of Hans
> Bergsten
> Sent: Thursday, January 11, 2001 3:03 PM
> To: tomcat-dev@jakarta.apache.org
> Subject: Tomcat 3.2.2 [Was: Re: BugRat Report #690 has been filed.]
>
>
> "Craig R. McClanahan" wrote:
> >
> > Glenn Nielsen wrote:
> >
> > > I stand corrected.
> > >
> > > The below problem was a bug in Tomcat.  Wrapping the RequestDispatcher
> > > forward() and include() methods with a doPrivileged() if a SecurityManager
> > > is being used fixed the problem.  When Tomcat 3.2.2 is released you will
> > > no longer need to edit the jre/lib/security/java.security file to comment
> > > out the package.access=sun. line.
> > >
> > > This fix is in the 3.2 CVS branch, and will be in the Tomcat 3.2.2 release.
> > >
> >
> > Glenn (and others),
> >
> > Have we accumulated enough bug fixes where it's worth creating a 3.2.2 release,
> > or are there more issues that should be dealt with first?
>
> I've seen the problem most recently reported in BugReport #744 described a
> few times now, but I haven't had a chance to verify it and look for a
> solution. Since this is a security bug, it seems like something that should
> be included in 3.2.2.
>
> I'll try to take a closer look at it this weekend, but can't promise anything.
>
> Hans
> --
> Hans Bergsten		hans@gefionsoftware.com
> Gefion Software		http://www.gefionsoftware.com
> Author of JavaServer Pages (O'Reilly), http://TheJSPBook.com