Re: SECURITY BUG: No place to disable HTTP TRACE vulnerability

2004-01-10 Thread Bill Barker
- Original Message - From: "Bill Barker" <[EMAIL PROTECTED]> To: "Tomcat Developers List" <[EMAIL PROTECTED]> Sent: Saturday, January 10, 2004 6:28 PM Subject: Re: SECURITY BUG: No place to disable HTTP TRACE vulnerability > > - Original Message - > From: "Remy Maucherat" <[EMA

Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

2004-01-10 Thread Bill Barker
- Original Message - From: <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Saturday, January 10, 2004 9:23 AM Subject: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java > remm2004/01/10 09:23:39 > > Modified:catalina/src/shar

Re: SECURITY BUG: No place to disable HTTP TRACE vulnerability

2004-01-10 Thread Bill Barker
- Original Message - From: "Remy Maucherat" <[EMAIL PROTECTED]> To: "Tomcat Developers List" <[EMAIL PROTECTED]> Sent: Saturday, January 10, 2004 5:24 AM Subject: Re: SECURITY BUG: No place to disable HTTP TRACE vulnerability > Remy Maucherat wrote: > > Bill Barker wrote: > > > >> I jus

Re: Jk2 object model

2004-01-10 Thread Costin Manolache
Mladen Turk wrote: From: Henri Gomez As many I feel that jk (and maybe also jk2) are now pretty stable, and I don't see the need for a new just web/tomcat connector. Finally someone :-). That's why I did try to use the revolutionary approach. Yet another connector wouldn't make a much dif

cvs commit: jakarta-tomcat-catalina/catalina/src/conf web.xml

2004-01-10 Thread remm
remm 2004/01/10 12:40:26 Modified: catalina/src/conf web.xml Log: - Remove security constraint. Revision Changes Path 1.30 +0 -12 jakarta-tomcat-catalina/catalina/src/conf/web.xml Index: web.xml

cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/coyote/tomcat5 CoyoteAdapter.java CoyoteConnector.java mbeans-descriptors.xml

2004-01-10 Thread remm
remm 2004/01/10 12:39:50 Modified: catalina/src/share/org/apache/coyote/tomcat5 CoyoteAdapter.java CoyoteConnector.java mbeans-descriptors.xml Log: - Add an "allowTrace" flag on the connector. Trace is disabled by default. Revisi

About Book How Tomcat Works

2004-01-10 Thread Chris Wahl
I found the following message in the tomcat mail-archive, but we haven't been able to access the book's link for several months. Does anyone know what happened to the great book? Or are there any articles or books similar to this one? I need some material to help me start reading Tomcat's code. Any information

DO NOT REPLY [Bug 25596] - Application briefly unavailable when using manager to reload

2004-01-10 Thread bugzilla
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT . ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE. http://nagoya.apache.org/bugzilla/show_bu

cvs commit: jakarta-tomcat-catalina/catalina/src/conf web.xml

2004-01-10 Thread remm
remm 2004/01/10 09:24:31 Modified: catalina/src/conf web.xml Log: - Disable trace by default. Revision Changes Path 1.29 +12 -0 jakarta-tomcat-catalina/catalina/src/conf/web.xml Index: web.xml ==

cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

2004-01-10 Thread remm
remm 2004/01/10 09:23:39 Modified: catalina/src/share/org/apache/catalina/realm RealmBase.java Log: - findMethod wasn't called on the right collection. - The algorithm ignored extension mapped constraints as long as a wildcard or exact mapped constraint was found. This doesn't

Re: SECURITY BUG: No place to disable HTTP TRACE vulnerability

2004-01-10 Thread Remy Maucherat
Remy Maucherat wrote: Remy Maucherat wrote: Bill Barker wrote: I just tried this with the CVS HEAD of Tomcat 5 (after putting in a security-constraint in the ROOT web.xml) and Tomcat happily returned a 403 response. I don't care about this lame XSS bug. However, what you describe doesn't wor

DO NOT REPLY [Bug 25596] - Application briefly unavailable when using manager to reload

2004-01-10 Thread bugzilla
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT . ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE. http://nagoya.apache.org/bugzilla/show_bu

DO NOT REPLY [Bug 26039] - spanish translations

2004-01-10 Thread bugzilla
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT . ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE. http://nagoya.apache.org/bugzilla/show_bu

DO NOT REPLY [Bug 26039] New: - spanish translations

2004-01-10 Thread bugzilla
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT . ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE. http://nagoya.apache.org/bugzilla/show_bu

Re: SECURITY BUG: No place to disable HTTP TRACE vulnerability

2004-01-10 Thread Remy Maucherat
Remy Maucherat wrote: Bill Barker wrote: I just tried this with the CVS HEAD of Tomcat 5 (after putting in a security-constraint in the ROOT web.xml) and Tomcat happily returned a 403 response. I don't care about this lame XSS bug. However, what you describe doesn't work for me. There are two is

DO NOT REPLY [Bug 22290] - HttpServlet should use Wrapper class for doHead

2004-01-10 Thread bugzilla
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT . ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE. http://nagoya.apache.org/bugzilla/show_bu

DO NOT REPLY [Bug 10555] - doHEAD breaks spec SRV 8.2

2004-01-10 Thread bugzilla
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT . ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE. http://nagoya.apache.org/bugzilla/show_bu

DO NOT REPLY [Bug 22290] - HttpServlet should use Wrapper class for doHead

2004-01-10 Thread bugzilla
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT . ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE. http://nagoya.apache.org/bugzilla/show_bu

DO NOT REPLY [Bug 26034] - Statefull session bean load failure

2004-01-10 Thread bugzilla
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT . ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE. http://nagoya.apache.org/bugzilla/show_bu