You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@tomcat.apache.org by bu...@apache.org on 2017/05/24 13:59:03 UTC

[Bug 61120] New: Tomcat 8.5.15 with HTTP/2: URL path parameters lost

https://bz.apache.org/bugzilla/show_bug.cgi?id=61120

            Bug ID: 61120
           Summary: Tomcat 8.5.15 with HTTP/2: URL path parameters lost
           Product: Tomcat 8
           Version: 8.5.15
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Connectors
          Assignee: dev@tomcat.apache.org
          Reporter: markus.doerschmidt@gmx.de
  Target Milestone: ----

When using Tomcat 8.5.15 with HTTP/2 all URL path parameters gets lost.

In some cases, session tracking is done via URL (yes, I know, doing that is bad
;)). Using the HTTP/2 protocol, the URL contains the "jsessionid" parameter,
but Tomcat creates a new session. It seems, the session ID never reaches the
session manager.

I configured a connector using NIO2 in combination with Http2Protocol:


<Connector
  port="8444"
  protocol="org.apache.coyote.http11.Http11Nio2Protocol"
 
sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
  SSLEnabled="true"
  scheme="https"
  secure="true"
  sslProtocol="TLS"
  [...]>
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
</Connector>


Using the same connector without <UpgradeProtocol> everything is okay.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[Bug 61120] Tomcat 8.5.15 with HTTP/2: URL path parameters lost

Posted by bu...@apache.org.

https://bz.apache.org/bugzilla/show_bug.cgi?id=61120

--- Comment #2 from Mark Thomas <ma...@apache.org> ---
This is CVE-2017-7675.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[Bug 61120] Tomcat 8.5.15 with HTTP/2: URL path parameters lost

Posted by bu...@apache.org.

https://bz.apache.org/bugzilla/show_bug.cgi?id=61120

Markus Dörschmidt <ma...@gmx.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |markus.doerschmidt@gmx.de

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[Bug 61120] Tomcat 8.5.15 with HTTP/2: URL path parameters lost

Posted by bu...@apache.org.

https://bz.apache.org/bugzilla/show_bug.cgi?id=61120

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #1 from Mark Thomas <ma...@apache.org> ---
Thanks for the report.

This has been fixed in:
- 9.0.x for 9.0.0.M22
- 8.5.x for 8.5.16

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[Bug 61120] Tomcat 8.5.15 with HTTP/2: URL path parameters lost

Posted by bu...@apache.org.

https://bz.apache.org/bugzilla/show_bug.cgi?id=61120

--- Comment #3 from sam zain <om...@gmail.com> ---
This is CVE-2017-7675.


http://www.winmilliongame.com
http://www.gtagame100.com
http://www.subway-game.com
http://www.zumagame100.com

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

Re: [Bug 61120] Tomcat 8.5.15 with HTTP/2: URL path parameters lost

Posted by Mark Thomas <ma...@apache.org>.

On 28/04/2020 16:18, bugzilla@apache.org wrote:
> https://bz.apache.org/bugzilla/show_bug.cgi?id=61120
> 
> --- Comment #3 from Chuan Hing <la...@gmail.com> ---

I have locked this idiot's account and deleted the comment.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[Bug 61120] Tomcat 8.5.15 with HTTP/2: URL path parameters lost

Posted by bu...@apache.org.

https://bz.apache.org/bugzilla/show_bug.cgi?id=61120

--- Comment #3 from Chuan Hing <la...@gmail.com> ---
Our labeling equipment manufacturer features horizontal and vertical
adjustments for allowing reliable and quick label replacement. The operates on
nearly every type of packaging. However, our labelers are ideal for
pharmaceutical, retail food, beverage, and confectionery industries. For more
visit: https://www.labelrex.com/product/sticker-labeling-machine/

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org