tomcat-dev mailing list archives

From "Hernan Ochoa" <ochoa_her...@hotmail.com>
Subject Recycling of request objects
Date Tue, 14 May 2002 23:55:27 GMT
Hi!

I've been taking a look at Tomcat's source code, and following some
advice I found in some security doc at the tomcat web site about
recycling of Request objects, I tried the 'attack' described and I could
effectively 'steal' requests from other servlets/users.

I made these tests using Tomcat 3.2.4 and using the JK connector.
I downloaded Tomcat 4.0.2 and I think it also recycles
request objects; I found this in the Tomcat connectors source code:

file /jk/java/org/apache/jk/server/tomcat40/Worker40.java:

public int invoke( Msg msg, MsgContext ep )
        throws IOException
    {
        d("Incoming request " );

        BaseRequest req=ep.getRequest();
        Channel ch=ep.getChannel();
        JkRequest40 treq=(JkRequest40)req.getNote( reqNote );
        JkResponse40  tres;
        if( treq==null ) {
            treq=new JkRequest40();
            req.setNote( reqNote, treq );
            tres=new JkResponse40(wEnv);
            treq.setResponse( tres );
            tres.setRequest( treq );
        }
        tres=(JkResponse40)treq.getResponse();
        treq.setEndpoint( ch, ep );
        treq.setBaseRequest( req );
        tres.setEndpoint( ch, ep );

        try {
            container.invoke( treq, tres );
        } catch(Throwable ex ) {
            ex.printStackTrace();
        }
        d("Finishing response");
        tres.finishResponse();
        treq.finishRequest();

        treq.recycle();
        tres.recycle();
        return OK;
    }

so, if I'm not mistaken, this is recycling request and response
objects. From the code here I guess there is no way to configure tomcat
not to recycle request objects without modifying the source code.

so my questions would be:

-Is there a way in Tomcat 3.2.4 to configure it not to recycle request 
objects? (I couldn't find one)
-Is there a way in Tomcat 4.0 to do the same thing?
-I guess Tomcat 4.0 still has the problem version 3.2.4 had where a
'malicious servlet' can still steal information from other servlets/requests, am I
correct?

I'll keep investigating these issues by myself but I thought it would be very
nice to get feedback from the people actually writing the code
who know the most about the product's inner workings.

Thanks a lot for your time!
bye!
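
Added example, not part of the original message and not Tomcat code: a minimal model of the recycle-and-reuse pattern quoted above, showing why a reference kept past `recycle()` reads the next request's data, next to one mitigation (a per-request wrapper that is invalidated on recycle). The names `RecycleDemo`, `PooledRequest` and `Facade` and the token values are hypothetical and constructed for illustration.

```java
import java.util.HashMap;
import java.util.Map;

// Hypothetical model, not Tomcat code: one request object reused for every request.
public class RecycleDemo {
    // Stands in for the recycled container request (hypothetical class).
    static class PooledRequest {
        private final Map<String, String> params = new HashMap<>();
        private Facade facade;
        void fill(String user, String token) { params.put("user", user); params.put("token", token); }
        String getParameter(String n) { return params.get(n); }
        // Hardened path: hand application code a per-request wrapper instead of `this`.
        Facade getFacade() { if (facade == null) facade = new Facade(this); return facade; }
        void recycle() {
            params.clear();
            if (facade != null) { facade.invalidate(); facade = null; } // cut stale references
        }
    }

    // Per-request wrapper (hypothetical): unusable once the request has been recycled.
    static class Facade {
        private PooledRequest target;
        Facade(PooledRequest t) { target = t; }
        void invalidate() { target = null; }
        String getParameter(String n) {
            if (target == null) throw new IllegalStateException("request already recycled");
            return target.getParameter(n);
        }
    }

    public static void main(String[] args) {
        PooledRequest pooled = new PooledRequest();
        // Request 1: application code keeps both references past the end of the request.
        pooled.fill("alice", "constructed-token-A");
        PooledRequest keptRaw = pooled;
        Facade keptFacade = pooled.getFacade();
        pooled.recycle();
        // Request 2, from another user, reuses the same object.
        pooled.fill("bob", "constructed-token-B");
        // The raw reference now reads the other user's data.
        System.out.println("raw reference sees: " + keptRaw.getParameter("token"));
        // The invalidated facade fails closed instead.
        try {
            keptFacade.getParameter("token");
        } catch (IllegalStateException e) {
            System.out.println("facade refuses: " + e.getMessage());
        }
    }
}
```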