From: Dirk Ooms
Date: Fri, 4 May 2018 09:17:55 +0200
Subject: Re: tomcat9 j_security_check request.getRequestURI() incorrect after POST
To: Tomcat Users List

Thanks for fixing this. Happy to help.

On 3 May 2018 at 21:31, Mark Thomas wrote:

> On 03/05/18 20:17, Mark Thomas wrote:
> > On 02/05/18 16:08, Dirk Ooms wrote:
> >> Mark,
> >>
> >> you can reproduce it using the FormAuthentication example in the
> >> examples (http://localhost:8080/examples/jsp/security/protected/)
> >>
> >> edit index.jsp
> >> 1. add the line "RequestURI: <%= request.getRequestURI() %>" in
> >>    begin of body
> >> 2. change the method of the form from GET to POST
> >>
> >> scenario:
> >> 1. go to http://localhost:8080/examples/jsp/security/protected/
> >> 2. log in
> >> 3. open second tab/window to same url
> >> 4. log out in second tab/window
> >> 5. go to initial window and submit form
> >> 6. log in again
> >> 7. observe the malformed requestURI
> >
> > Thanks for the reproduction steps. They were a huge help.
> >
> > This was introduced in 8.5.x with some refactoring that reduced copying
> > between I/O buffers during request processing. Essentially, the saved
> > request body was over-writing the cached bytes for the URI.
>
> Correction. It affects 8.0.x and earlier as well.
>
> I'll back port the fix for 8.0.x and 7.0.x.
>
> Mark
>
> >
> > I'll be committing a fix shortly which will be available in 9.0.9 and
> > 8.5.32 onwards.
> >
> > Mark
> >
> >>
> >> see also attached screenshots (if they make it to the mailing list).
> >>
> >> dirk
> >>
> >> On 1 May 2018 at 16:20, Dirk Ooms wrote:
> >>
> >>     apologies for the incomplete info. it is tomcat 9.0.6
> >>
> >>     i will try to set up a test case and get back to you.
> >>
> >>     dirk
> >>
> >>     On 1 May 2018 at 16:07, Mark Thomas wrote:
> >>
> >>         On 01/05/18 14:36, Dirk Ooms wrote:
> >>         > Hello,
> >>         >
> >>         > i did an upgrade from tomcat5.5 to tomcat9 and i'm using
> >>         > j_security_check.
> >>         >
> >>         > in tomcat5.5 when a user was not logged in and he/she
> >>         > requested a url, the login page was returned and after
> >>         > logging in the user was given the requested resource. when i
> >>         > requested request.getRequestURI() in my code the returned uri
> >>         > was correct for both GET and POST.
> >>         >
> >>         > in tomcat9 this is not the case anymore for POST (for GET
> >>         > still ok). when i call request.getRequestURI() after the user
> >>         > is logged in, it returns "chString" in my case, which is a
> >>         > part of the name of the first form field ("searchString") of
> >>         > the original POST.
> >>         >
> >>         > any idea? am i missing something?
> >>
> >>         The exact Tomcat 9 version.
> >>
> >>         A test case that demonstrates the issue.
> >>
> >>         Mark
> >>
> >>         ---------------------------------------------------------------------
> >>         To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>         For additional commands, e-mail: users-help@tomcat.apache.org
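
The failure mode described in the thread (the saved request body over-writing the cached bytes for the URI) can be modelled with a lazily decoded view into a reused I/O buffer. This is an added illustration, not Tomcat source and not part of the original messages; the class names, the request path `/app/find`, the form value and the buffer layout are all assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

// Simplified model of a URI cached as (offset, length) into a shared buffer.
// Hypothetical names throughout; this is not how Tomcat's classes are laid out.
public class UriAliasingDemo {

    // A view into a byte array that is only turned into a String on demand.
    static final class ByteView {
        private final byte[] buf;
        private final int off, len;

        ByteView(byte[] buf, int off, int len) { this.buf = buf; this.off = off; this.len = len; }

        // Decodes whatever bytes are in the backing array at call time.
        String decode() { return new String(buf, off, len, StandardCharsets.ISO_8859_1); }

        // Defensive variant: copy the bytes so later buffer reuse cannot change the value.
        ByteView detach() { return new ByteView(Arrays.copyOfRange(buf, off, off + len), 0, len); }
    }

    static byte[] ascii(String s) { return s.getBytes(StandardCharsets.ISO_8859_1); }

    // Returns { URI before replay, aliased URI after replay, detached URI after replay }.
    static String[] run() {
        byte[] ioBuffer = new byte[64];
        byte[] requestLine = ascii("POST /app/find HTTP/1.1"); // constructed sample request
        System.arraycopy(requestLine, 0, ioBuffer, 0, requestLine.length);

        // The URI starts after "POST " (offset 5) and is cached as a view, not a copy.
        ByteView aliased = new ByteView(ioBuffer, 5, "/app/find".length());
        ByteView detached = aliased.detach();
        String before = aliased.decode();

        // After the second login the saved POST body is replayed into the same buffer.
        byte[] savedBody = ascii("searchString=tomcat"); // constructed form data
        System.arraycopy(savedBody, 0, ioBuffer, 0, savedBody.length);

        return new String[] { before, aliased.decode(), detached.decode() };
    }

    public static void main(String[] args) {
        String[] r = run();
        System.out.println("before replay : " + r[0]);
        System.out.println("aliased view  : " + r[1]);
        System.out.println("detached copy : " + r[2]);
    }
}
```

The aliased view returns a fragment of the form field name after the replay, the same symptom as the "chString" value reported above, while the detached copy still holds the original path.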