From: Christopher Schultz
Date: Wed, 07 Aug 2013 18:10:55 -0400
To: Tomcat Users List
Subject: Re: Responses of two different requests concatinated

Marvin,

On 8/7/13 6:23 AM, Marvin Lillehaug wrote:
> We recently got an error report from a user of one of the systems
> we have developed, showing that the response from a different
> request had been appended to the original response. The original
> response was the front page of a site, generated with jsp, and the
> appended response was an Excel file generated a few seconds
> earlier.

> Our current hypothesis is that some buffer in either httpd (2.2.22)
> or Tomcat (7.0.35) has been recycled.

Note that the Tomcat documentation uses the word "recycled" with
respect to connections and façades to mean "not re-used". You appear to
be using the term "recycled" to mean "re-used". I just wanted to be
clear because there is a related system property that uses the term
"recycle" (see below).

> Httpd is connected to Tomcat using http proxypass.

First, you should probably upgrade Tomcat to the latest 7.0 version,
which is 7.0.42. Is that a possibility?

Second, you should post your whole configuration from Tomcat (minus any
sensitive information of course).

If you want a possible quick-fix, you should look at the
RECYCLE_FACADES system property documented here:
http://tomcat.apache.org/tomcat-7.0-doc/config/systemprops.html#Security

If you set that system property to "on", then potential
response-leakages should be significantly reduced at a slight cost in
terms of heap and GC activity (but fairly negligible, as request
façades shouldn't really be surviving any minor collections... they
will just cause minor collections to occur more often).

> I have started trying to reproduce the problem, but thought I
> should try the mailing lists of both httpd and tomcat before
> continuing.

While that's okay, we generally prefer not to cross-post. Here, I have
replied only to the Tomcat users' mailing list as my reply is
Tomcat-specific.

> What I have done thus far is: concatenating html and excel to
> verify that it is possible to open and looks the way the user
> experienced; building a custom version of Tomcat that uses the same
> Processor for each request and configured to use only one thread.
>
> This seems a bit similar to the issue described in
> http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.12
> (CVE-2011-1475)

This is not likely to be your problem, but we'll see when you post your
configuration.

> Some results when googling suggest that this could happen when
> jsp tags are not coded properly, but I have not found any such code
> in our applications.

Any references? I'm not familiar with any suggestions that JSP tags are
leaky in any way. Are you using any JSPs in these transactions that
appear to have been mixed-up? I'd be surprised to find a JSP that
produces an XLS document.

-chris
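
Added illustration, not part of the message above and not Tomcat source: a simplified Java model of what the RECYCLE_FACADES setting mentioned in the reply changes, under the assumption that application code keeps a reference to a response wrapper after its request has finished. All class and method names are hypothetical.

```java
// Simplified model of pooled responses and their facades. Not Tomcat code;
// every class and method name here is hypothetical.
public class FacadeRecycleDemo {
    /** Stand-in for the container's internal response object, re-used across requests. */
    static class InternalResponse {
        final StringBuilder body = new StringBuilder();
        void recycle() { body.setLength(0); }   // emptied, then handed to the next request
    }

    /** Stand-in for the wrapper object that application code actually receives. */
    static class Facade {
        private InternalResponse target;
        Facade(InternalResponse target) { this.target = target; }
        void write(String s) {
            if (target == null) throw new IllegalStateException("facade used after its request ended");
            target.body.append(s);
        }
        void clear() { target = null; }
    }

    /** One processor with one pooled response, like the single-thread test setup in the thread. */
    static class Processor {
        final boolean recycleFacades;
        final InternalResponse pooled = new InternalResponse();
        Facade facade = new Facade(pooled);
        Processor(boolean recycleFacades) { this.recycleFacades = recycleFacades; }

        Facade begin() { return facade; }
        String finish() {
            String sent = pooled.body.toString();
            pooled.recycle();
            // With the setting on, the old wrapper is disconnected and a fresh one is created.
            if (recycleFacades) { facade.clear(); facade = new Facade(pooled); }
            return sent;
        }
    }

    /** Returns what the second client receives when the application writes late to a kept reference. */
    static String secondResponse(boolean recycleFacades) {
        Processor p = new Processor(recycleFacades);
        Facade kept = p.begin();                 // request 1: application bug keeps this reference
        kept.write("<xls report>");
        p.finish();
        Facade current = p.begin();              // request 2: the front page
        current.write("<html>front page</html>");
        try { kept.write("<late xls bytes>"); }  // late write through the stale reference
        catch (IllegalStateException e) { System.out.println("blocked: " + e.getMessage()); }
        return p.finish();
    }

    public static void main(String[] args) {
        System.out.println("facades re-used:  " + secondResponse(false));
        System.out.println("facades recycled: " + secondResponse(true));
    }
}
```

In Tomcat the setting is the JVM system property `org.apache.catalina.connector.RECYCLE_FACADES`, described at the systemprops URL cited in the message. An `IllegalStateException` appearing in the logs after enabling it points at application code holding request or response objects beyond the request.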