dhis2-users team mailing list archive

Re: heads up on tomcat versions and dhis

 

Hi Lars and all

I can see this is going to cause quite a bit of chaos with large country
installations where they are not able to be too agile with upgrading.

Do you have more precise info on the exact tomcat version numbers?  We just
saw in Zim (DHIS 2.22) that the package manager automatically upgraded to
7.0.52 and they started seeing these problems.  So maybe it is that version?

They will have to try and come up with a process of downgrading tomcat and
holding that version via the package manager as a short-term measure while
they plan any dhis2 upgrade process.

So getting the exact tomcat versions where the URL checking was introduced
will be helpful if you have them.

On 7 January 2017 at 12:56, Lars Helge Øverland <lars@xxxxxxxxx> wrote:

> Hi all,
>
> the latest builds of tomcat (the servlet container mostly used with DHIS
> 2) have tightened up validation of characters in URLs, so that only
> characters defined as safe per RFC 1738
> <https://www.ietf.org/rfc/rfc1738.txt> are allowed. Our apps had some
> cases of un-escaped use of the pipe character which was causing tomcat to
> occasionally return 400 bad request.
>
> We have patched this now in 2.24, 2.25 and master.
>
> Bottom line: If you plan to upgrade to the very latest Tomcat 7, 8 or 8.5
> builds on your server, make sure to upgrade to the latest 2.24 or 2.25 of
> DHIS 2.
>
>
> regards,
>
> Lars
>
> --
> Lars Helge Øverland
> Lead developer, DHIS 2
> University of Oslo
> Skype: larshelgeoverland
> lars@xxxxxxxxx
> http://www.dhis2.org <https://www.dhis2.org/>
>
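
For readers checking their own apps or integrations for the un-escaped characters described in this thread, the following is an added example, not code from DHIS 2, Tomcat or either poster. It flags and percent-encodes characters outside the RFC 1738 set the message cites; the function names, the sample URL and the treatment of "#" and "%" are assumptions of this example, not Tomcat's actual parser rules.

```javascript
// Added example; not DHIS 2 or Tomcat code. The sample URL below is constructed.
// Assumption: allowed set = RFC 1738 section 2.2 (alphanumerics, $-_.+!*'(),
// and the reserved ; / ? : @ = &), plus "#" as the fragment delimiter and
// "%" only when it starts a valid %XX escape.
const ALLOWED = /^[A-Za-z0-9$\-_.+!*'(),;\/?:@=&#]$/;
const PCT_ESCAPE = /^%[0-9A-Fa-f]{2}/;
const utf8 = new TextEncoder();

// Walk the URL one code point at a time, keeping existing %XX escapes intact
// so that already-encoded input is never double-encoded.
function scan(url, onSafe, onUnsafe) {
  let i = 0;
  while (i < url.length) {
    const rest = url.slice(i);
    if (PCT_ESCAPE.test(rest)) { onSafe(rest.slice(0, 3)); i += 3; continue; }
    const ch = String.fromCodePoint(url.codePointAt(i));
    if (ALLOWED.test(ch)) onSafe(ch); else onUnsafe(ch, i);
    i += ch.length;
  }
}

// Report each character that would need escaping, with its position.
function findUnsafe(url) {
  const hits = [];
  scan(url, () => {}, (ch, index) => hits.push({ index, char: ch }));
  return hits;
}

// Percent-encode only the offending characters, as UTF-8 bytes.
function escapeUnsafe(url) {
  let out = "";
  scan(url, (s) => { out += s; }, (ch) => {
    for (const b of utf8.encode(ch)) {
      out += "%" + b.toString(16).toUpperCase().padStart(2, "0");
    }
  });
  return out;
}

// Constructed sample: a pipe in a query value, one valid escape, one raw space.
const sample = "/api/analytics?filter=a|b&name=50%25 done";
console.log(findUnsafe(sample));
console.log(escapeUnsafe(sample));
```

Running `findUnsafe` over the URLs an app builds, or over request lines in an access log that returned 400, shows which characters to escape before they reach the server.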
