Re: HttpServletRequest.getRemoteAddr() sometimes returns NULL on Tomcat 9.0.30 and HTTP/2 secure requests

2020-02-04 Thread Manuel Dominguez Sarmiento
We are getting the NPEs in a top-of-the-chain servlet filter which decorates HttpServletRequest.getRemoteAddr() before actual servlet processing. Only on HTTP/2 and in a very small number of cases. Perhaps we should test 9.0.31 and see what happens. When is this new version due for release? *

Re: RewriteValve does not work on HTTPS

2020-02-04 Thread Hua Zhang
What I mean by the word 'works' is: the RewriteRule has been executed. That is not the case with HTTPS. The rule has not been executed while the RewriteCond is fulfilled. Olaf Kock wrote on Tue, Feb 4, 2020 at 9:06 PM: > > On 04.02.20 20:31, Hua Zhang wrote: > > Best tomcat team, > > > > Hereby I have a question

Re: RewriteValve does not work on HTTPS

2020-02-04 Thread Olaf Kock
On 04.02.20 20:31, Hua Zhang wrote: > Best tomcat team, > > Hereby I have a question about an issue I found by using RewriteValve > on tomcat 9.30 > > The rewrite.config is very simple: > > /RewriteCond %{HTTP_HOST} =youkoop.com > RewriteRule ^.*$ https://www.youkoop.com [R=30

Re: HttpServletRequest.getRemoteAddr() sometimes returns NULL on Tomcat 9.0.30 and HTTP/2 secure requests

2020-02-04 Thread Mark Thomas
On 04/02/2020 15:37, Manuel Dominguez Sarmiento wrote: > Thanks Mark. I just wanted to clarify that the issue is not only present > when the request arrives at AccessLogValve, but while the request is > being serviced as well. > We noticed this bug because we were getting random NullPointerExceptio

RewriteValve does not work on HTTPS

2020-02-04 Thread Hua Zhang
Best tomcat team, Hereby I have a question about an issue I found by using RewriteValve on tomcat 9.30 The rewrite.config is very simple: *RewriteCond %{HTTP_HOST} =youkoop.com RewriteRule ^.*$ https://www.youkoop.com [R=301,L]* All I want is just

Re: 7.0.59 to 7.0.99 upgrade, CVE-2015-5174 fix prevents us from accessing resources outside context

2020-02-04 Thread Alex Pritchard
Thanks for all the responses Mark! Once I realized specifically what was happening, I started working backward to see if I could preempt the necessity for the directory traversal in the first place. I figured out that Struts 2 is building the provided url by combining the 'location' attribute (url

Re: cookie configurations for Tomcat 7

2020-02-04 Thread Lazar Kirchev
Thanks a lot Chris! I wish I could just get away from Tomcat 7 and upgrade to 8.5, but I can't. Yes, the response wrapping will do. Lazar On Mon, Feb 3, 2020 at 4:30 PM Christopher Schultz < ch...@christopherschultz.net> wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > Lazar, > > O

Re: HttpServletRequest.getRemoteAddr() sometimes returns NULL on Tomcat 9.0.30 and HTTP/2 secure requests

2020-02-04 Thread Manuel Dominguez Sarmiento
Thanks Mark. I just wanted to clarify that the issue is not only present when the request arrives at AccessLogValve, but while the request is being serviced as well. We noticed this bug because we were getting random NullPointerExceptions when trying to do anything with the result from HttpServ

Re: 7.0.59 to 7.0.99 upgrade, CVE-2015-5174 fix prevents us from accessing resources outside context

2020-02-04 Thread Mark Thomas
On 03/02/2020 21:34, Alex Pritchard wrote: > I think I've narrowed the change down to this commit: > https://github.com/apache/tomcat/commit/fdd86cf2e0b851aced2f460c765fea5293a30940#diff-8b91a9296e19012bf6be4bdf975fab0d > > > *org.apache.catalina.core.ApplicationContext.java * > *getRequestDispat

Re: HttpServletRequest.getRemoteAddr() sometimes returns NULL on Tomcat 9.0.30 and HTTP/2 secure requests

2020-02-04 Thread Mark Thomas
On 03/02/2020 19:24, Mark Thomas wrote: > I haven't fixed this but I can reproduce it easily with the h2spec test > suite. As I have a reproducible test case I'm hopeful I'll be able to > find a fix fairly quickly. I've just committed a fix. It is in: - master for 10.0.0.0-M1 onwards - 9.0.x fo