From: Marvin Lillehaug
To: "'Tomcat Users List'"
Date: Wed, 7 Aug 2013 17:25:04 +0200
Subject: RE: Responses of two different requests concatinated

Thank you both for your replies :)
I only have a screenshot of how it looked to the user, so I don't know whether the headers were included.
I have given up trying to investigate further, so I guess the only thing to do is to activate RECYCLE_FACADES and hope for the best.

-----Original Message-----
From: Konstantin Kolinko [mailto:knst.kolinko@gmail.com]
Sent: Wednesday, August 07, 2013 12:35 PM
To: Tomcat Users List
Cc: users@httpd.apache.org
Subject: Re: Responses of two different requests concatinated

2013/8/7 Marvin Lillehaug :
> Hi!
> We recently got an error report from a user of one of the systems we have developed, showing that the response from a different request had been appended to the original response.
> The original response was the front page of a site, generated with jsp, and the appended response was an Excel file generated a few seconds earlier.
> Our current hypothesis is that some buffer in either httpd (2.2.22) or Tomcat (7.0.35) has been recycled.
> Httpd is connected to Tomcat using http proxypass.
>
> I have started trying to reproduce the problem, but thought I should try the mailing lists of both httpd and tomcat before continuing.
> What I have done thus far is: concatenating html and excel to verify that it is possible to open and looks the way the user experienced; building a custom version of Tomcat that uses the same Processor for each request and configured to use only one thread.
>
> This seems a bit similar to the issue described in
> http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.12 (CVE-2011-1475)
> Some results when googling suggest that this could happen when jsp tags are not coded properly, but I have not found any such code in our applications.
>
> Does anyone have any ideas or suggestions?
>

The usual culprit is a bug in a web application that uses request/response objects outside of their life cycle.

The first step that I'd recommend is to set
org.apache.catalina.connector.RECYCLE_FACADES=true
for better security and to ease detection of such misuse. See
http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html#System_Properties
http://tomcat.apache.org/tomcat-7.0-doc/config/systemprops.html

There also exists a known issue in the Java ImageIO API,
https://wiki.apache.org/tomcat/FAQ/KnownIssues#ImageIOIssues

There also exists CVE-2013-2071 (fixed in 7.0.40).

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
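
An added illustration of the misuse pattern named in the reply above (not code from this thread or from the application discussed in it): a hypothetical servlet whose worker thread writes to the response after the request has finished, next to a version that confines all use of the response to doGet(). The class name, method names and report contents are assumptions made for the example.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet, constructed for illustration (Servlet 3.0 / Tomcat 7 API).
public class ReportServlet extends HttpServlet {
    private final ExecutorService pool = Executors.newSingleThreadExecutor();

    // BROKEN: the worker keeps the response after this method has returned.
    // Tomcat may by then have recycled the underlying object for another
    // request, so the late write can land in a different client's response.
    protected void doGetBroken(HttpServletRequest req, final HttpServletResponse resp) {
        resp.setContentType("application/vnd.ms-excel");
        pool.submit(new Runnable() {
            public void run() {
                try {
                    resp.getOutputStream().write(buildReport()); // outside the life cycle
                } catch (IOException e) {
                    log("late write failed", e);
                }
            }
        });
    }

    // FIXED: every use of the response happens before doGet() returns.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        byte[] report = buildReport(); // do the slow work first
        resp.setContentType("application/vnd.ms-excel");
        resp.setContentLength(report.length);
        OutputStream out = resp.getOutputStream();
        out.write(report);
        out.flush();
    }

    // Placeholder for the real spreadsheet generation (constructed sample data).
    private byte[] buildReport() {
        return "id;amount\n1;100\n".getBytes(java.nio.charset.StandardCharsets.UTF_8);
    }

    @Override
    public void destroy() {
        pool.shutdown();
    }
}
```

The system property from the reply can be set as a line in conf/catalina.properties or passed as -Dorg.apache.catalina.connector.RECYCLE_FACADES=true through CATALINA_OPTS. Per the Tomcat security how-to linked above, it makes Tomcat create a new facade object for each request, which reduces the chance that a reference held past the request, as in doGetBroken(), exposes data from one request to another.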