Posted to dev@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2014/03/17 13:19:28 UTC

Time for 8.0.4

Hi,

It has been a while since 8.0.3 and the change log is looking rather
long. I've a few things left I want to look at but I expect to be in a
position to tag 8.0.4 late today / early tomorrow.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Re: Time for 8.0.4

Posted by Mark Thomas <ma...@apache.org>.
On 17/03/2014 15:08, Mark Thomas wrote:
> On 17/03/2014 14:42, Konstantin Kolinko wrote:
>> 2014-03-17 16:19 GMT+04:00 Mark Thomas <ma...@apache.org>:
>>> Hi,
>>>
>>> It has been a while since 8.0.3 and the change log is looking rather
>>> long. I've a few things left I want to look at but I expect to be in a
>>> position to tag 8.0.4 late today / early tomorrow.
>>>
>>
>> There is
>> https://issues.apache.org/bugzilla/show_bug.cgi?id=56265
>> "Unexpected escaping in the values of dynamic tag attributes
>> containing EL expressions"
>>
>> Regarding my v1 patch attached there, I think there is more to it.
>> That is: in the method changed by that patch, I think the 'false'
>> branch of "if (el.containsEL()) {" needs to have the same xmlEscaping
>> processing as the 'true' branch does for
>> "if (n instanceof Node.UninterpretedTag && n.getRoot().isXmlSyntax()) " nodes.
>>
>> As of now attributes of uninterpreted XML tags that are plain text
>> without EL expressions are either escaped elsewhere (I have not found
>> where, but that would split the escaping logic between two places in
>> the code), or not at all.
>>
>> Looking at Generator.java L1806
>> ( Generator$GenerateVisitor.visit(Node.UninterpretedTag n) ),
>> it does escape double quotes there, but nothing else.
>>
>>
>> I'll work on test cases.
> 
> I'll add this to my things to look at before I tag 8.0.4.

This has been fixed with Konstantin's patch.

I'm currently running the unit tests on Windows, Linux and OSX. I plan
to tag 8.0.4 once those tests all pass.

Mark




Re: Time for 8.0.4

Posted by Mark Thomas <ma...@apache.org>.
On 17/03/2014 14:42, Konstantin Kolinko wrote:
> 2014-03-17 16:19 GMT+04:00 Mark Thomas <ma...@apache.org>:
>> Hi,
>>
>> It has been a while since 8.0.3 and the change log is looking rather
>> long. I've a few things left I want to look at but I expect to be in a
>> position to tag 8.0.4 late today / early tomorrow.
>>
> 
> There is
> https://issues.apache.org/bugzilla/show_bug.cgi?id=56265
> "Unexpected escaping in the values of dynamic tag attributes
> containing EL expressions"
> 
> Regarding my v1 patch attached there, I think there is more to it.
> That is: in the method changed by that patch, I think the 'false'
> branch of "if (el.containsEL()) {" needs to have the same xmlEscaping
> processing as the 'true' branch does for
> "if (n instanceof Node.UninterpretedTag && n.getRoot().isXmlSyntax()) " nodes.
> 
> As of now attributes of uninterpreted XML tags that are plain text
> without EL expressions are either escaped elsewhere (I have not found
> where, but that would split the escaping logic between two places in
> the code), or not at all.
> 
> Looking at Generator.java L1806
> ( Generator$GenerateVisitor.visit(Node.UninterpretedTag n) ),
> it does escape double quotes there, but nothing else.
> 
> 
> I'll work on test cases.

I'll add this to my things to look at before I tag 8.0.4.

Mark




Re: Time for 8.0.4

Posted by Konstantin Kolinko <kn...@gmail.com>.
2014-03-17 16:19 GMT+04:00 Mark Thomas <ma...@apache.org>:
> Hi,
>
> It has been a while since 8.0.3 and the change log is looking rather
> long. I've a few things left I want to look at but I expect to be in a
> position to tag 8.0.4 late today / early tomorrow.
>

There is
https://issues.apache.org/bugzilla/show_bug.cgi?id=56265
"Unexpected escaping in the values of dynamic tag attributes
containing EL expressions"

Regarding my v1 patch attached there, I think there is more to it.
That is: in the method changed by that patch, I think the 'false'
branch of "if (el.containsEL()) {" needs to have the same xmlEscaping
processing as the 'true' branch does for
"if (n instanceof Node.UninterpretedTag && n.getRoot().isXmlSyntax()) " nodes.

As of now attributes of uninterpreted XML tags that are plain text
without EL expressions are either escaped elsewhere (I have not found
where, but that would split the escaping logic between two places in
the code), or not at all.

Looking at Generator.java L1806
( Generator$GenerateVisitor.visit(Node.UninterpretedTag n) ),
it does escape double quotes there, but nothing else.


I'll work on test cases.

Best regards,
Konstantin Kolinko



RE: Time for 8.0.4

Posted by Robert Sanders <rs...@TrustedCS.com>.
TCN was updated? I still see 1.1.29 (15 October 2013) on the tomcat.apache.org links (both docs and download). Or am I missing something (likely)...

-Rob
________________________________________
From: Christopher Schultz [chris@christopherschultz.net]
Sent: Tuesday, March 18, 2014 3:46 PM
To: Tomcat Developers List
Subject: Re: Time for 8.0.4

Mark,

On 3/17/14, 8:19 AM, Mark Thomas wrote:
> It has been a while since 8.0.3 and the change log is looking rather
> long. I've a few things left I want to look at but I expect to be in a
> position to tag 8.0.4 late today / early tomorrow.

Any objections to adding the fix for
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027, now that there
has been a tcnative release?

I needed a tcnative release to include some support code to allow the
APR listener to allow FIPS mode when OpenSSL had already been
initialized in FIPS mode before the APR listener tries to enter it.
(Wow, that sentence is awful. Read the bug for a long-winded explanation).

Thanks,
-chris




Re: Time for 8.0.4

Posted by Mark Thomas <ma...@apache.org>.
On 18/03/2014 19:46, Christopher Schultz wrote:
> Mark,
> 
> On 3/17/14, 8:19 AM, Mark Thomas wrote:
>> It has been a while since 8.0.3 and the change log is looking
>> rather long. I've a few things left I want to look at but I
>> expect to be in a position to tag 8.0.4 late today / early
>> tomorrow.
> 
> Any objections to adding the fix for 
> https://issues.apache.org/bugzilla/show_bug.cgi?id=56027, now that
> there has been a tcnative release?

There hasn't. There was a mod_jk release.

Mark



RE: Time for 8.0.4

Posted by Robert Sanders <rs...@TrustedCS.com>.
Konstantin,
  Don't want to be putting words in Chris's mouth, but when I filed 56027 I did some poking around in the underlying OpenSSL code (at least on my RHEL6 box). Calling the OpenSSL FIPS_mode_set() method twice causes an error. I'd proposed exposing an additional routine to check the current status and quietly skip calling FIPS_mode_set() if we were already in FIPS mode.

-Rob

________________________________________
From: Konstantin Kolinko [knst.kolinko@gmail.com]
Sent: Tuesday, March 18, 2014 4:11 PM
To: Tomcat Developers List
Subject: Re: Time for 8.0.4

2014-03-18 23:46 GMT+04:00 Christopher Schultz <ch...@christopherschultz.net>:
> Mark,
>
> On 3/17/14, 8:19 AM, Mark Thomas wrote:
>> It has been a while since 8.0.3 and the change log is looking rather
>> long. I've a few things left I want to look at but I expect to be in a
>> position to tag 8.0.4 late today / early tomorrow.
>
> Any objections to adding the fix for
> https://issues.apache.org/bugzilla/show_bug.cgi?id=56027, now that there
> has been a tcnative release?
>
> I needed a tcnative release to include some support code to allow the
> APR listener to allow FIPS mode when OpenSSL had already been
> initialized in FIPS mode before the APR listener tries to enter it.
> (Wow, that sentence is awful. Read the bug for a long-winded explanation).
>

According to tc-native changelog, the new function you are calling
there will be in 1.1.30.

The recent release was of mod_jk, not of tc-native.  (BTW, no
announcement article on tomcat.a.o). Thus '-1'.

Regarding the patch:
1) Why in the "on" case you are calling "SSL.fipsModeGet()"?  If you
hadn't done that, I think it would work with older library versions.
2) In documentation part: update required version of tc-native in
description of this feature.
3) Update "recommended"/"required" versions in APRLifecycleListener?
4) Code style: position of opening '{'.

Best regards,
Konstantin Kolinko



Re: Time for 8.0.4

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Konstantin,

On 3/18/14, 4:11 PM, Konstantin Kolinko wrote:
> 2014-03-18 23:46 GMT+04:00 Christopher Schultz <ch...@christopherschultz.net>:
>> Mark,
>>
>> On 3/17/14, 8:19 AM, Mark Thomas wrote:
>>> It has been a while since 8.0.3 and the change log is looking rather
>>> long. I've a few things left I want to look at but I expect to be in a
>>> position to tag 8.0.4 late today / early tomorrow.
>>
>> Any objections to adding the fix for
>> https://issues.apache.org/bugzilla/show_bug.cgi?id=56027, now that there
>> has been a tcnative release?
>>
>> I needed a tcnative release to include some support code to allow the
>> APR listener to allow FIPS mode when OpenSSL had already been
>> initialized in FIPS mode before the APR listener tries to enter it.
>> (Wow, that sentence is awful. Read the bug for a long-winded explanation).
>>
> 
> According to tc-native changelog, the new function you are calling
> there will be in 1.1.30.
> 
> The recent release was of mod_jk, not of tc-native.

As soon as I realized my mistake re: mod_jk vs. tcnative, I tried to post
a recant. For some reason, it was either not sent or not received.
Weird. Anyway, apologies for the confusion. I *am* aware that no
tcnative version has shipped, and therefore this patch is not yet
appropriate.

> (BTW, no announcement article on tomcat.a.o). Thus '-1'.

-1 for what specifically?

> Regarding the patch:
> 1) Why in the "on" case you are calling "SSL.fipsModeGet()"?  If you
> hadn't done that, I think it would work with older library versions.

The idea is to avoid attempting to enter FIPS mode if the library is
already in FIPS mode. I didn't know this was possible, but evidently the
whole OS can be put into FIPS mode such that any time OpenSSL is loaded
into a running program, it's already in FIPS mode.

Attempting to enter FIPS mode when already in FIPS mode causes an error
which, if you can't call FIPS_mode() (get), is indistinguishable from
failing to enable FIPS mode.

Thus, I've added a few options regarding what to do given the current
state of FIPS mode versus what the user intends. Please see comment #3
from the bug to see what the general intent is.

> 2) In documentation part: update required version of tc-native in
> description of this feature.

I will add that, but not until I know what version will be required. It
will most likely be 1.1.30 but it may be i.e. 1.1.31 if 1.1.30 never ships.

> 3) Update "recommended"/"required" versions in APRLifecycleListener?

Ditto.

> 4) Code style: position of opening '{'.

Ok.

Thanks,
-chris
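
The check-before-set logic discussed in the message above, as an added Java example that is not part of the thread and is not Tomcat or tc-native code. `FipsLibrary`, `enableBlind` and `enableChecked` are hypothetical names; the stub only models the behaviour stated in the thread (a second attempt to enter FIPS mode fails, and the failure looks the same as a real one).

```java
// Added illustration; not Tomcat or tc-native code. FipsLibrary is a hypothetical
// stand-in for the native layer, modelling only what the thread describes.
public class FipsModeDemo {

    /** Hypothetical stub (assumption): models FIPS_mode() and FIPS_mode_set(). */
    static class FipsLibrary {
        private boolean enabled;
        private final boolean moduleUsable;

        FipsLibrary(boolean alreadyEnabled, boolean moduleUsable) {
            this.enabled = alreadyEnabled;
            this.moduleUsable = moduleUsable;
        }

        /** Models FIPS_mode(): reports the current state without changing it. */
        boolean fipsModeGet() {
            return enabled;
        }

        /** Models FIPS_mode_set(1): returns 1 on success, 0 on any failure. */
        int fipsModeSet() {
            if (enabled || !moduleUsable) {
                return 0; // "already on" and "cannot enable" give the same result
            }
            enabled = true;
            return 1;
        }
    }

    /** No getter available: both failure causes collapse into one answer. */
    static String enableBlind(FipsLibrary lib) {
        return lib.fipsModeSet() == 1 ? "entered" : "error";
    }

    /** Getter available: skip the set call when the library is already in FIPS mode. */
    static String enableChecked(FipsLibrary lib) {
        if (lib.fipsModeGet()) {
            return "already-on";
        }
        return lib.fipsModeSet() == 1 ? "entered" : "error";
    }

    public static void main(String[] args) {
        // Constructed states: OS-wide FIPS mode, a module that cannot enter FIPS mode,
        // and a normal start where FIPS mode is off but available.
        System.out.println("blind,   OS-wide FIPS: " + enableBlind(new FipsLibrary(true, true)));
        System.out.println("blind,   unusable:     " + enableBlind(new FipsLibrary(false, false)));
        System.out.println("checked, OS-wide FIPS: " + enableChecked(new FipsLibrary(true, true)));
        System.out.println("checked, unusable:     " + enableChecked(new FipsLibrary(false, false)));
        System.out.println("checked, normal start: " + enableChecked(new FipsLibrary(false, true)));
    }
}
```

Only the checked variant can tell a listener that FIPS mode is genuinely unavailable, which is the case an operator needs surfaced rather than masked.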


Re: Time for 8.0.4

Posted by Konstantin Kolinko <kn...@gmail.com>.
2014-03-18 23:46 GMT+04:00 Christopher Schultz <ch...@christopherschultz.net>:
> Mark,
>
> On 3/17/14, 8:19 AM, Mark Thomas wrote:
>> It has been a while since 8.0.3 and the change log is looking rather
>> long. I've a few things left I want to look at but I expect to be in a
>> position to tag 8.0.4 late today / early tomorrow.
>
> Any objections to adding the fix for
> https://issues.apache.org/bugzilla/show_bug.cgi?id=56027, now that there
> has been a tcnative release?
>
> I needed a tcnative release to include some support code to allow the
> APR listener to allow FIPS mode when OpenSSL had already been
> initialized in FIPS mode before the APR listener tries to enter it.
> (Wow, that sentence is awful. Read the bug for a long-winded explanation).
>

According to tc-native changelog, the new function you are calling
there will be in 1.1.30.

The recent release was of mod_jk, not of tc-native.  (BTW, no
announcement article on tomcat.a.o). Thus '-1'.

Regarding the patch:
1) Why in the "on" case you are calling "SSL.fipsModeGet()"?  If you
hadn't done that, I think it would work with older library versions.
2) In documentation part: update required version of tc-native in
description of this feature.
3) Update "recommended"/"required" versions in APRLifecycleListener?
4) Code style: position of opening '{'.

Best regards,
Konstantin Kolinko



Re: Time for 8.0.4

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark,

On 3/17/14, 8:19 AM, Mark Thomas wrote:
> It has been a while since 8.0.3 and the change log is looking rather
> long. I've a few things left I want to look at but I expect to be in a
> position to tag 8.0.4 late today / early tomorrow.

Any objections to adding the fix for
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027, now that there
has been a tcnative release?

I needed a tcnative release to include some support code to allow the
APR listener to allow FIPS mode when OpenSSL had already been
initialized in FIPS mode before the APR listener tries to enter it.
(Wow, that sentence is awful. Read the bug for a long-winded explanation).

Thanks,
-chris