[tomcat] branch master updated (6e25e58 -> afe4085)

2019-11-30 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git.


from 6e25e58  Improve Graal doc again
 new 4a8ad6d  Refactor to reduce code volume and to allow for other method tests
 new afe4085  Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=63939 same origin

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 java/org/apache/catalina/filters/CorsFilter.java   |  33 +
 java/org/apache/tomcat/util/http/RequestUtil.java  |  51 +++
 .../apache/tomcat/util/http/TestRequestUtil.java   | 162 -
 .../tomcat/util/http/TestRequestUtilNormalize.java |  77 ++
 .../util/http/TestRequestUtilSameOrigin.java   | 113 ++
 5 files changed, 243 insertions(+), 193 deletions(-)
 delete mode 100644 test/org/apache/tomcat/util/http/TestRequestUtil.java
 create mode 100644 test/org/apache/tomcat/util/http/TestRequestUtilNormalize.java
 create mode 100644 test/org/apache/tomcat/util/http/TestRequestUtilSameOrigin.java


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[tomcat] 02/02: Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=63939 same origin

2019-11-30 Thread markt

markt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit afe40851efbdddc44862a7b314a07d86ca04f06d
Author: Mark Thomas 
AuthorDate: Fri Nov 29 23:19:00 2019 +

Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=63939 same origin

Refactor isSameOrigin test into utility class (for re-use in
AuthenticatorBase) and fix two bugs:
- comparison should be case-sensitive
- origin may or may not include default port
---
 java/org/apache/catalina/filters/CorsFilter.java   |  33 +-
 java/org/apache/tomcat/util/http/RequestUtil.java  |  51 ++
 .../util/http/TestRequestUtilSameOrigin.java   | 113 +
 3 files changed, 166 insertions(+), 31 deletions(-)

diff --git a/java/org/apache/catalina/filters/CorsFilter.java 
b/java/org/apache/catalina/filters/CorsFilter.java
index ad5a1f4..4213fb4 100644
--- a/java/org/apache/catalina/filters/CorsFilter.java
+++ b/java/org/apache/catalina/filters/CorsFilter.java
@@ -39,6 +39,7 @@ import javax.servlet.http.HttpServletResponse;
 
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.util.http.RequestUtil;
 import org.apache.tomcat.util.http.ResponseUtil;
 import org.apache.tomcat.util.res.StringManager;
 
@@ -591,7 +592,7 @@ public class CorsFilter extends GenericFilter {
 requestType = CORSRequestType.INVALID_CORS;
 } else if (!isValidOrigin(originHeader)) {
 requestType = CORSRequestType.INVALID_CORS;
-} else if (isLocalOrigin(request, originHeader)) {
+} else if (RequestUtil.isSameOrigin(request, originHeader)) {
 return CORSRequestType.NOT_CORS;
 } else {
 String method = request.getMethod();
@@ -634,36 +635,6 @@ public class CorsFilter extends GenericFilter {
 }
 
 
-private boolean isLocalOrigin(HttpServletRequest request, String origin) {
-
-// Build scheme://host:port from request
-StringBuilder target = new StringBuilder();
-String scheme = request.getScheme();
-if (scheme == null) {
-return false;
-} else {
-scheme = scheme.toLowerCase(Locale.ENGLISH);
-}
-target.append(scheme);
-target.append("://");
-
-String host = request.getServerName();
-if (host == null) {
-return false;
-}
-target.append(host);
-
-int port = request.getServerPort();
-if ("http".equals(scheme) && port != 80 ||
-"https".equals(scheme) && port != 443) {
-target.append(':');
-target.append(port);
-}
-
-return origin.equalsIgnoreCase(target.toString());
-}
-
-
 /**
  * Return the lower case, trimmed value of the media type from the content
  * type.
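
Review bot: With isLocalOrigin removed in this hunk, its use of Locale.ENGLISH goes too, but the import hunk above only adds RequestUtil. Check whether java.util.Locale is still referenced elsewhere in CorsFilter and drop the import if it is not, so the file does not carry an unused import.
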
diff --git a/java/org/apache/tomcat/util/http/RequestUtil.java 
b/java/org/apache/tomcat/util/http/RequestUtil.java
index 28922c4..cfa9c57 100644
--- a/java/org/apache/tomcat/util/http/RequestUtil.java
+++ b/java/org/apache/tomcat/util/http/RequestUtil.java
@@ -16,6 +16,10 @@
  */
 package org.apache.tomcat.util.http;
 
+import java.util.Locale;
+
+import javax.servlet.http.HttpServletRequest;
+
 public class RequestUtil {
 
 private RequestUtil() {
@@ -113,4 +117,51 @@ public class RequestUtil {
 // Return the normalized path that we have completed
 return normalized;
 }
+
+
+public static boolean isSameOrigin(HttpServletRequest request, String 
origin) {
+// Build scheme://host:port from request
+StringBuilder target = new StringBuilder();
+String scheme = request.getScheme();
+if (scheme == null) {
+return false;
+} else {
+scheme = scheme.toLowerCase(Locale.ENGLISH);
+}
+target.append(scheme);
+target.append("://");
+
+String host = request.getServerName();
+if (host == null) {
+return false;
+}
+target.append(host);
+
+int port = request.getServerPort();
+// Origin may or may not include the (default) port.
+// At this point target doesn't include a port.
+if (target.length() == origin.length()) {
+// origin and target can only be equal if both are using default
+// ports. Therefore only append the port to the target if a
+// non-default port is used.
+if (("http".equals(scheme) || "ws".equals(scheme)) && port != 80 ||
+("https".equals(scheme) || "wss".equals(scheme)) && port 
!= 443) {
+target.append(':');
+target.append(port);
+}
+} else {
+// origin and target can only be equal if:
+// a) origin includes an explicit default port
+// b) origin i
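
Review bot: In isSameOrigin, origin is dereferenced at `target.length() == origin.length()` without a null check, while scheme and host both return false on null. The CorsFilter call site only reaches this method after isValidOrigin(originHeader), but the commit message plans re-use in AuthenticatorBase, so a public static helper should either return false for a null origin or document that callers must not pass one.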

[tomcat] 01/02: Refactor to reduce code volume and to allow for other method tests

2019-11-30 Thread markt

markt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 4a8ad6d0769a4f6335886b4175d317fc513b723a
Author: Mark Thomas 
AuthorDate: Fri Nov 29 22:55:15 2019 +

Refactor to reduce code volume and to allow for other method tests
---
 .../apache/tomcat/util/http/TestRequestUtil.java   | 162 -
 .../tomcat/util/http/TestRequestUtilNormalize.java |  77 ++
 2 files changed, 77 insertions(+), 162 deletions(-)

diff --git a/test/org/apache/tomcat/util/http/TestRequestUtil.java 
b/test/org/apache/tomcat/util/http/TestRequestUtil.java
deleted file mode 100644
index 02deb5e..000
--- a/test/org/apache/tomcat/util/http/TestRequestUtil.java
+++ /dev/null
@@ -1,162 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *  http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.tomcat.util.http;
-
-import org.junit.Assert;
-import org.junit.Test;
-
-public class TestRequestUtil {
-
-@Test
-public void testNormalize01() {
-doTestNormalize("//something", "/something");
-}
-
-@Test
-public void testNormalize02() {
-doTestNormalize("some//thing", "/some/thing");
-}
-
-@Test
-public void testNormalize03() {
-doTestNormalize("something//", "/something/");
-}
-
-@Test
-public void testNormalize04() {
-doTestNormalize("//", "/");
-}
-
-@Test
-public void testNormalize05() {
-doTestNormalize("//", "/");
-}
-
-@Test
-public void testNormalize06() {
-doTestNormalize("///", "/");
-}
-
-@Test
-public void testNormalize07() {
-doTestNormalize("", "/");
-}
-
-@Test
-public void testNormalize08() {
-doTestNormalize("/.", "/");
-}
-
-@Test
-public void testNormalize09() {
-doTestNormalize("/./", "/");
-}
-
-@Test
-public void testNormalize10() {
-doTestNormalize(".", "/");
-}
-
-@Test
-public void testNormalize11() {
-doTestNormalize("/..", null);
-}
-
-@Test
-public void testNormalize12() {
-doTestNormalize("/../", null);
-}
-
-@Test
-public void testNormalize13() {
-doTestNormalize("..", null);
-}
-
-@Test
-public void testNormalize14() {
-doTestNormalize("//..", null);
-}
-
-@Test
-public void testNormalize15() {
-doTestNormalize("//../", null);
-}
-
-@Test
-public void testNormalize16() {
-doTestNormalize("/./..", null);
-}
-
-@Test
-public void testNormalize17() {
-doTestNormalize("/./../", null);
-}
-
-@Test
-public void testNormalize18() {
-doTestNormalize("/a/../..", null);
-}
-
-@Test
-public void testNormalize19() {
-doTestNormalize("/a/../../", null);
-}
-
-@Test
-public void testNormalize20() {
-doTestNormalize("/a/..", "/");
-}
-
-@Test
-public void testNormalize21() {
-doTestNormalize("/a/.", "/a");
-}
-
-@Test
-public void testNormalize22() {
-doTestNormalize("/a/../", "/");
-}
-
-@Test
-public void testNormalize23() {
-doTestNormalize("/a/./", "/a/");
-}
-
-@Test
-public void testNormalize24() {
-doTestNormalize("/a/b/..", "/a");
-}
-
-@Test
-public void testNormalize25() {
-doTestNormalize("/a/b/.", "/a/b");
-}
-
-@Test
-public void testNormalize26() {
-doTestNormalize("/a/b/../", "/a/");
-}
-
-@Test
-public void testNormalize27() {
-doTestNormalize("/a/b/./", "/a/b/");
-}
-
-private void doTestNormalize(String input, String expected) {
-Assert.assertEquals(expected,RequestUtil.normalize(input));
-}
-}
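
Review bot: testNormalize04 and testNormalize05 in the removed file assert the same pair, doTestNormalize("//", "/"), so one of them never covered anything new. When carrying these cases into TestRequestUtilNormalize, drop the duplicate or restore the input that testNormalize05 was meant to exercise.
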
diff --git a/test/org/apache/tomcat/util/http/TestRequestUtilNormalize.java 
b/test/org/apache/tomcat/util/http/TestRequestUtilNormalize.java
new file mode 100644
index 000..b642868
--- /dev/null
+++ b/test/org/apache/tomcat/util/http/TestRequestUtilNormalize.java
@@ -0,0 +1,77 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  Se

[tomcat] 02/02: Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=63939 same origin

2019-11-30 Thread markt

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit cb70be5a723dbca99ff92a31320afabbdad8794c
Author: Mark Thomas 
AuthorDate: Fri Nov 29 23:19:00 2019 +

Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=63939 same origin

Refactor isSameOrigin test into utility class (for re-use in
AuthenticatorBase) and fix two bugs:
- comparison should be case-sensitive
- origin may or may not include default port
---
 java/org/apache/catalina/filters/CorsFilter.java   |  33 +-
 java/org/apache/tomcat/util/http/RequestUtil.java  |  51 ++
 .../util/http/TestRequestUtilSameOrigin.java   | 113 +
 3 files changed, 166 insertions(+), 31 deletions(-)

diff --git a/java/org/apache/catalina/filters/CorsFilter.java 
b/java/org/apache/catalina/filters/CorsFilter.java
index c32bd30..185cfaa 100644
--- a/java/org/apache/catalina/filters/CorsFilter.java
+++ b/java/org/apache/catalina/filters/CorsFilter.java
@@ -38,6 +38,7 @@ import javax.servlet.http.HttpServletResponse;
 
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.util.http.RequestUtil;
 import org.apache.tomcat.util.http.ResponseUtil;
 import org.apache.tomcat.util.res.StringManager;
 
@@ -618,7 +619,7 @@ public class CorsFilter implements Filter {
 requestType = CORSRequestType.INVALID_CORS;
 } else if (!isValidOrigin(originHeader)) {
 requestType = CORSRequestType.INVALID_CORS;
-} else if (isLocalOrigin(request, originHeader)) {
+} else if (RequestUtil.isSameOrigin(request, originHeader)) {
 return CORSRequestType.NOT_CORS;
 } else {
 String method = request.getMethod();
@@ -661,36 +662,6 @@ public class CorsFilter implements Filter {
 }
 
 
-private boolean isLocalOrigin(HttpServletRequest request, String origin) {
-
-// Build scheme://host:port from request
-StringBuilder target = new StringBuilder();
-String scheme = request.getScheme();
-if (scheme == null) {
-return false;
-} else {
-scheme = scheme.toLowerCase(Locale.ENGLISH);
-}
-target.append(scheme);
-target.append("://");
-
-String host = request.getServerName();
-if (host == null) {
-return false;
-}
-target.append(host);
-
-int port = request.getServerPort();
-if ("http".equals(scheme) && port != 80 ||
-"https".equals(scheme) && port != 443) {
-target.append(':');
-target.append(port);
-}
-
-return origin.equalsIgnoreCase(target.toString());
-}
-
-
 /**
  * Return the lower case, trimmed value of the media type from the content
  * type.
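
Review bot: The removed `return origin.equalsIgnoreCase(target.toString());` was where the old check tolerated case differences, so after this change an Origin header that differs from getServerName() only in host case is classified as cross-origin instead of NOT_CORS. The diffstat adds tests for RequestUtil only; a CorsFilter-level test for that case would pin the new behaviour on this branch.
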
diff --git a/java/org/apache/tomcat/util/http/RequestUtil.java 
b/java/org/apache/tomcat/util/http/RequestUtil.java
index 28922c4..cfa9c57 100644
--- a/java/org/apache/tomcat/util/http/RequestUtil.java
+++ b/java/org/apache/tomcat/util/http/RequestUtil.java
@@ -16,6 +16,10 @@
  */
 package org.apache.tomcat.util.http;
 
+import java.util.Locale;
+
+import javax.servlet.http.HttpServletRequest;
+
 public class RequestUtil {
 
 private RequestUtil() {
@@ -113,4 +117,51 @@ public class RequestUtil {
 // Return the normalized path that we have completed
 return normalized;
 }
+
+
+public static boolean isSameOrigin(HttpServletRequest request, String 
origin) {
+// Build scheme://host:port from request
+StringBuilder target = new StringBuilder();
+String scheme = request.getScheme();
+if (scheme == null) {
+return false;
+} else {
+scheme = scheme.toLowerCase(Locale.ENGLISH);
+}
+target.append(scheme);
+target.append("://");
+
+String host = request.getServerName();
+if (host == null) {
+return false;
+}
+target.append(host);
+
+int port = request.getServerPort();
+// Origin may or may not include the (default) port.
+// At this point target doesn't include a port.
+if (target.length() == origin.length()) {
+// origin and target can only be equal if both are using default
+// ports. Therefore only append the port to the target if a
+// non-default port is used.
+if (("http".equals(scheme) || "ws".equals(scheme)) && port != 80 ||
+("https".equals(scheme) || "wss".equals(scheme)) && port 
!= 443) {
+target.append(':');
+target.append(port);
+}
+} else {
+// origin and target can only be equal if:
+// a) origin includes an explicit default port
+// b) origin is using a
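
Review bot: The port condition mixes && and || with only the scheme alternatives parenthesised, as in `("http".equals(scheme) || "ws".equals(scheme)) && port != 80 ||`. It evaluates as intended because && binds tighter than ||, but wrapping each scheme/port pair in its own parentheses would make the grouping explicit for the next reader of a security-relevant comparison.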

[tomcat] branch 8.5.x updated (ca2be3c -> cb70be5)

2019-11-30 Thread markt

markt pushed a change to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git.


from ca2be3c  Fix case inconsistency
 new 638e606  Refactor to reduce code volume and to allow for other method tests
 new cb70be5  Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=63939 same origin

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 java/org/apache/catalina/filters/CorsFilter.java   |  33 +
 java/org/apache/tomcat/util/http/RequestUtil.java  |  51 +++
 .../apache/tomcat/util/http/TestRequestUtil.java   | 162 -
 .../tomcat/util/http/TestRequestUtilNormalize.java |  77 ++
 .../util/http/TestRequestUtilSameOrigin.java   | 113 ++
 5 files changed, 243 insertions(+), 193 deletions(-)
 delete mode 100644 test/org/apache/tomcat/util/http/TestRequestUtil.java
 create mode 100644 test/org/apache/tomcat/util/http/TestRequestUtilNormalize.java
 create mode 100644 test/org/apache/tomcat/util/http/TestRequestUtilSameOrigin.java





[tomcat] 01/02: Refactor to reduce code volume and to allow for other method tests

2019-11-30 Thread markt

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 638e606733c83ca468a73cf6d096ac85714f6ab1
Author: Mark Thomas 
AuthorDate: Fri Nov 29 22:55:15 2019 +

Refactor to reduce code volume and to allow for other method tests
---
 .../apache/tomcat/util/http/TestRequestUtil.java   | 162 -
 .../tomcat/util/http/TestRequestUtilNormalize.java |  77 ++
 2 files changed, 77 insertions(+), 162 deletions(-)

diff --git a/test/org/apache/tomcat/util/http/TestRequestUtil.java 
b/test/org/apache/tomcat/util/http/TestRequestUtil.java
deleted file mode 100644
index 02deb5e..000
--- a/test/org/apache/tomcat/util/http/TestRequestUtil.java
+++ /dev/null
@@ -1,162 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *  http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.tomcat.util.http;
-
-import org.junit.Assert;
-import org.junit.Test;
-
-public class TestRequestUtil {
-
-@Test
-public void testNormalize01() {
-doTestNormalize("//something", "/something");
-}
-
-@Test
-public void testNormalize02() {
-doTestNormalize("some//thing", "/some/thing");
-}
-
-@Test
-public void testNormalize03() {
-doTestNormalize("something//", "/something/");
-}
-
-@Test
-public void testNormalize04() {
-doTestNormalize("//", "/");
-}
-
-@Test
-public void testNormalize05() {
-doTestNormalize("//", "/");
-}
-
-@Test
-public void testNormalize06() {
-doTestNormalize("///", "/");
-}
-
-@Test
-public void testNormalize07() {
-doTestNormalize("", "/");
-}
-
-@Test
-public void testNormalize08() {
-doTestNormalize("/.", "/");
-}
-
-@Test
-public void testNormalize09() {
-doTestNormalize("/./", "/");
-}
-
-@Test
-public void testNormalize10() {
-doTestNormalize(".", "/");
-}
-
-@Test
-public void testNormalize11() {
-doTestNormalize("/..", null);
-}
-
-@Test
-public void testNormalize12() {
-doTestNormalize("/../", null);
-}
-
-@Test
-public void testNormalize13() {
-doTestNormalize("..", null);
-}
-
-@Test
-public void testNormalize14() {
-doTestNormalize("//..", null);
-}
-
-@Test
-public void testNormalize15() {
-doTestNormalize("//../", null);
-}
-
-@Test
-public void testNormalize16() {
-doTestNormalize("/./..", null);
-}
-
-@Test
-public void testNormalize17() {
-doTestNormalize("/./../", null);
-}
-
-@Test
-public void testNormalize18() {
-doTestNormalize("/a/../..", null);
-}
-
-@Test
-public void testNormalize19() {
-doTestNormalize("/a/../../", null);
-}
-
-@Test
-public void testNormalize20() {
-doTestNormalize("/a/..", "/");
-}
-
-@Test
-public void testNormalize21() {
-doTestNormalize("/a/.", "/a");
-}
-
-@Test
-public void testNormalize22() {
-doTestNormalize("/a/../", "/");
-}
-
-@Test
-public void testNormalize23() {
-doTestNormalize("/a/./", "/a/");
-}
-
-@Test
-public void testNormalize24() {
-doTestNormalize("/a/b/..", "/a");
-}
-
-@Test
-public void testNormalize25() {
-doTestNormalize("/a/b/.", "/a/b");
-}
-
-@Test
-public void testNormalize26() {
-doTestNormalize("/a/b/../", "/a/");
-}
-
-@Test
-public void testNormalize27() {
-doTestNormalize("/a/b/./", "/a/b/");
-}
-
-private void doTestNormalize(String input, String expected) {
-Assert.assertEquals(expected,RequestUtil.normalize(input));
-}
-}
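
Review bot: Cases testNormalize11 through testNormalize19 are the ones that expect null for paths that climb above the root, such as "/a/../..", and this hunk deletes them along with the rest of the file. Since the diffstat shows 162 lines replaced by 77, confirm that every one of the 27 input/expected pairs, the null ones in particular, is present in TestRequestUtilNormalize.
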
diff --git a/test/org/apache/tomcat/util/http/TestRequestUtilNormalize.java 
b/test/org/apache/tomcat/util/http/TestRequestUtilNormalize.java
new file mode 100644
index 000..b642868
--- /dev/null
+++ b/test/org/apache/tomcat/util/http/TestRequestUtilNormalize.java
@@ -0,0 +1,77 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See

[tomcat] branch master updated: Update changelog

2019-11-30 Thread markt

markt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/master by this push:
 new 5a17fb7  Update changelog
5a17fb7 is described below

commit 5a17fb70cdad1c329ea203309f69803c930670f1
Author: Mark Thomas 
AuthorDate: Sat Nov 30 11:58:43 2019 +

Update changelog
---
 webapps/docs/changelog.xml | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 3d46430..99094ae 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -57,6 +57,12 @@
 changes introduced in 9.0.28. Connections to URLs obtained for JAR
 resources could not be cast to JarURLConnection. (markt)
   
+  
+63939: Correct the same origin check in the CORS filter. An
+origin with an explicit default port is now considered to be the same 
as
+an origin without a deafult port and origins are now compared in a
+case-sensitive manner as required by the CORS specification. (markt)
+  
 
   
   
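
Review bot: The added changelog entry misspells "default" as "deafult" in "an origin without a deafult port". Fix the spelling before this text is published in the generated documentation.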





[tomcat] branch 8.5.x updated: Update changelog

2019-11-30 Thread markt

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/8.5.x by this push:
 new 60da7b3  Update changelog
60da7b3 is described below

commit 60da7b3a2e626f7a5d58893646c6d8be5e6fddd7
Author: Mark Thomas 
AuthorDate: Sat Nov 30 11:58:43 2019 +

Update changelog
---
 webapps/docs/changelog.xml | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 7e4bf2b..119b453 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -67,6 +67,12 @@
 changes introduced in 9.0.28. Connections to URLs obtained for JAR
 resources could not be cast to JarURLConnection. (markt)
   
+  
+63939: Correct the same origin check in the CORS filter. An
+origin with an explicit default port is now considered to be the same 
as
+an origin without a deafult port and origins are now compared in a
+case-sensitive manner as required by the CORS specification. (markt)
+  
 
   
   
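
Review bot: In the added entry, "the same as an origin without a deafult port" describes the wrong thing: the case being fixed is an origin that omits the port, not one that lacks a default. Suggest "an origin without an explicit port", which also removes the misspelt word carried over from the master entry.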





[tomcat] branch 8.5.x updated: Fix back-port of test

2019-11-30 Thread markt

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/8.5.x by this push:
 new eb77b96  Fix back-port of test
eb77b96 is described below

commit eb77b9682a43c8abe23f6f75afca4d56409cdaf8
Author: Mark Thomas 
AuthorDate: Sat Nov 30 12:02:15 2019 +

Fix back-port of test
---
 test/org/apache/tomcat/util/http/TestRequestUtilSameOrigin.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/org/apache/tomcat/util/http/TestRequestUtilSameOrigin.java 
b/test/org/apache/tomcat/util/http/TestRequestUtilSameOrigin.java
index 5b4c0d0..02ed3d8 100644
--- a/test/org/apache/tomcat/util/http/TestRequestUtilSameOrigin.java
+++ b/test/org/apache/tomcat/util/http/TestRequestUtilSameOrigin.java
@@ -84,7 +84,7 @@ public class TestRequestUtilSameOrigin {
 private final int port;
 
 public TesterRequest(String scheme, String host, int port) {
-super(new Request(null));
+super(new Request());
 this.scheme = scheme;
 this.host = host;
 this.port = port;
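
Review bot: The change from `super(new Request(null));` to `super(new Request());` in the TesterRequest constructor is not explained by the message "Fix back-port of test". Say in the commit message why the argument is dropped on 8.5.x, so the difference from the master version of the test is understood by whoever back-ports the next change to it.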





[tomcat] 03/03: Update changelog

2019-11-30 Thread markt

markt pushed a commit to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit caf2795d58514faa4dfa01a0f429ae693f453161
Author: Mark Thomas 
AuthorDate: Sat Nov 30 11:58:43 2019 +

Update changelog
---
 webapps/docs/changelog.xml | 20 +++-
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 9aa33be..c8e8116 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -67,11 +67,12 @@
 TestAsyncContextStateChanges test that caused it
 to hang indefinitely. (markt)
   
-  
-Add the ability to set and display session attributes in the JSP FORM
-authentication example to demonstrate session persistence across
-restarts for authenticated sessions. (markt)
-  
+  
+63939: Correct the same origin check in the CORS filter. An
+origin with an explicit default port is now considered to be the same 
as
+an origin without a deafult port and origins are now compared in a
+case-sensitive manner as required by the CORS specification. (markt)
+  
 
   
   
@@ -84,6 +85,15 @@
   
 
   
+  
+
+  
+Add the ability to set and display session attributes in the JSP FORM
+authentication example to demonstrate session persistence across
+restarts for authenticated sessions. (markt)
+  
+
+  
   
 
   
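
Review bot: This hunk re-adds the JSP FORM authentication example entry that the previous hunk removed, so the commit moves an unrelated entry as well as adding the 63939 one, and "Update changelog" does not mention it. Either note the move in the commit message or split it into its own commit.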





[tomcat] branch 7.0.x updated (aad9939 -> caf2795)

2019-11-30 Thread markt

markt pushed a change to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git.


from aad9939  Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=63932 ETag & gzip
 new 23b7362  Refactor to reduce code volume and to allow for other method tests
 new dd818eb  Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=63939 same origin
 new caf2795  Update changelog

The 3 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 java/org/apache/catalina/filters/CorsFilter.java   |  33 +
 java/org/apache/tomcat/util/http/RequestUtil.java  |  51 +++
 .../apache/tomcat/util/http/TestRequestUtil.java   | 162 -
 .../tomcat/util/http/TestRequestUtilNormalize.java |  77 ++
 .../util/http/TestRequestUtilSameOrigin.java   | 113 ++
 webapps/docs/changelog.xml |  20 ++-
 6 files changed, 258 insertions(+), 198 deletions(-)
 delete mode 100644 test/org/apache/tomcat/util/http/TestRequestUtil.java
 create mode 100644 test/org/apache/tomcat/util/http/TestRequestUtilNormalize.java
 create mode 100644 test/org/apache/tomcat/util/http/TestRequestUtilSameOrigin.java





[tomcat] 02/03: Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=63939 same origin

2019-11-30 Thread markt

markt pushed a commit to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit dd818eb9667a9a55eb81374202a690c4568ff9e8
Author: Mark Thomas 
AuthorDate: Fri Nov 29 23:19:00 2019 +

Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=63939 same origin

Refactor isSameOrigin test into utility class (for re-use in
AuthenticatorBase) and fix two bugs
---
 java/org/apache/catalina/filters/CorsFilter.java   |  33 +-
 java/org/apache/tomcat/util/http/RequestUtil.java  |  51 ++
 .../tomcat/util/http/TestRequestUtilNormalize.java |   2 +-
 .../util/http/TestRequestUtilSameOrigin.java   | 113 +
 4 files changed, 167 insertions(+), 32 deletions(-)

diff --git a/java/org/apache/catalina/filters/CorsFilter.java 
b/java/org/apache/catalina/filters/CorsFilter.java
index 308c1b4..4f107ce 100644
--- a/java/org/apache/catalina/filters/CorsFilter.java
+++ b/java/org/apache/catalina/filters/CorsFilter.java
@@ -38,6 +38,7 @@ import javax.servlet.http.HttpServletResponse;
 
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.util.http.RequestUtil;
 import org.apache.tomcat.util.http.ResponseUtil;
 import org.apache.tomcat.util.res.StringManager;
 
@@ -641,7 +642,7 @@ public class CorsFilter implements Filter {
 requestType = CORSRequestType.INVALID_CORS;
 } else if (!isValidOrigin(originHeader)) {
 requestType = CORSRequestType.INVALID_CORS;
-} else if (isLocalOrigin(request, originHeader)) {
+} else if (RequestUtil.isSameOrigin(request, originHeader)) {
 return CORSRequestType.NOT_CORS;
 } else {
 String method = request.getMethod();
@@ -684,36 +685,6 @@ public class CorsFilter implements Filter {
 }
 
 
-private boolean isLocalOrigin(HttpServletRequest request, String origin) {
-
-// Build scheme://host:port from request
-StringBuilder target = new StringBuilder();
-String scheme = request.getScheme();
-if (scheme == null) {
-return false;
-} else {
-scheme = scheme.toLowerCase(Locale.ENGLISH);
-}
-target.append(scheme);
-target.append("://");
-
-String host = request.getServerName();
-if (host == null) {
-return false;
-}
-target.append(host);
-
-int port = request.getServerPort();
-if ("http".equals(scheme) && port != 80 ||
-"https".equals(scheme) && port != 443) {
-target.append(':');
-target.append(port);
-}
-
-return origin.equalsIgnoreCase(target.toString());
-}
-
-
 /*
  * Return the lower case, trimmed value of the media type from the content
  * type.
diff --git a/java/org/apache/tomcat/util/http/RequestUtil.java 
b/java/org/apache/tomcat/util/http/RequestUtil.java
index 28922c4..cfa9c57 100644
--- a/java/org/apache/tomcat/util/http/RequestUtil.java
+++ b/java/org/apache/tomcat/util/http/RequestUtil.java
@@ -16,6 +16,10 @@
  */
 package org.apache.tomcat.util.http;
 
+import java.util.Locale;
+
+import javax.servlet.http.HttpServletRequest;
+
 public class RequestUtil {
 
 private RequestUtil() {
@@ -113,4 +117,51 @@ public class RequestUtil {
 // Return the normalized path that we have completed
 return normalized;
 }
+
+
+public static boolean isSameOrigin(HttpServletRequest request, String 
origin) {
+// Build scheme://host:port from request
+StringBuilder target = new StringBuilder();
+String scheme = request.getScheme();
+if (scheme == null) {
+return false;
+} else {
+scheme = scheme.toLowerCase(Locale.ENGLISH);
+}
+target.append(scheme);
+target.append("://");
+
+String host = request.getServerName();
+if (host == null) {
+return false;
+}
+target.append(host);
+
+int port = request.getServerPort();
+// Origin may or may not include the (default) port.
+// At this point target doesn't include a port.
+if (target.length() == origin.length()) {
+// origin and target can only be equal if both are using default
+// ports. Therefore only append the port to the target if a
+// non-default port is used.
+if (("http".equals(scheme) || "ws".equals(scheme)) && port != 80 ||
+("https".equals(scheme) || "wss".equals(scheme)) && port 
!= 443) {
+target.append(':');
+target.append(port);
+}
+} else {
+// origin and target can only be equal if:
+// a) origin includes an explicit default port
+// b) origin is using a non-default port
+/
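
Review bot: isSameOrigin is added as a public static method with no Javadoc. Given the `target.length() == origin.length()` shortcut and the default-port handling for http, ws, https and wss, document the expected form of origin (scheme://host with an optional port) and that the comparison is case-sensitive, as the master commit message states.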

[tomcat] 01/03: Refactor to reduce code volume and to allow for other method tests

2019-11-30 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 23b736283b3700881f64e85fd887d8e6fb3b55b9
Author: Mark Thomas 
AuthorDate: Fri Nov 29 22:55:15 2019 +

Refactor to reduce code volume and to allow for other method tests
---
 .../apache/tomcat/util/http/TestRequestUtil.java   | 162 -
 .../tomcat/util/http/TestRequestUtilNormalize.java |  77 ++
 2 files changed, 77 insertions(+), 162 deletions(-)

diff --git a/test/org/apache/tomcat/util/http/TestRequestUtil.java 
b/test/org/apache/tomcat/util/http/TestRequestUtil.java
deleted file mode 100644
index 02deb5e..000
--- a/test/org/apache/tomcat/util/http/TestRequestUtil.java
+++ /dev/null
@@ -1,162 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *  http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.tomcat.util.http;
-
-import org.junit.Assert;
-import org.junit.Test;
-
-public class TestRequestUtil {
-
-@Test
-public void testNormalize01() {
-doTestNormalize("//something", "/something");
-}
-
-@Test
-public void testNormalize02() {
-doTestNormalize("some//thing", "/some/thing");
-}
-
-@Test
-public void testNormalize03() {
-doTestNormalize("something//", "/something/");
-}
-
-@Test
-public void testNormalize04() {
-doTestNormalize("//", "/");
-}
-
-@Test
-public void testNormalize05() {
-doTestNormalize("//", "/");
-}
-
-@Test
-public void testNormalize06() {
-doTestNormalize("///", "/");
-}
-
-@Test
-public void testNormalize07() {
-doTestNormalize("", "/");
-}
-
-@Test
-public void testNormalize08() {
-doTestNormalize("/.", "/");
-}
-
-@Test
-public void testNormalize09() {
-doTestNormalize("/./", "/");
-}
-
-@Test
-public void testNormalize10() {
-doTestNormalize(".", "/");
-}
-
-@Test
-public void testNormalize11() {
-doTestNormalize("/..", null);
-}
-
-@Test
-public void testNormalize12() {
-doTestNormalize("/../", null);
-}
-
-@Test
-public void testNormalize13() {
-doTestNormalize("..", null);
-}
-
-@Test
-public void testNormalize14() {
-doTestNormalize("//..", null);
-}
-
-@Test
-public void testNormalize15() {
-doTestNormalize("//../", null);
-}
-
-@Test
-public void testNormalize16() {
-doTestNormalize("/./..", null);
-}
-
-@Test
-public void testNormalize17() {
-doTestNormalize("/./../", null);
-}
-
-@Test
-public void testNormalize18() {
-doTestNormalize("/a/../..", null);
-}
-
-@Test
-public void testNormalize19() {
-doTestNormalize("/a/../../", null);
-}
-
-@Test
-public void testNormalize20() {
-doTestNormalize("/a/..", "/");
-}
-
-@Test
-public void testNormalize21() {
-doTestNormalize("/a/.", "/a");
-}
-
-@Test
-public void testNormalize22() {
-doTestNormalize("/a/../", "/");
-}
-
-@Test
-public void testNormalize23() {
-doTestNormalize("/a/./", "/a/");
-}
-
-@Test
-public void testNormalize24() {
-doTestNormalize("/a/b/..", "/a");
-}
-
-@Test
-public void testNormalize25() {
-doTestNormalize("/a/b/.", "/a/b");
-}
-
-@Test
-public void testNormalize26() {
-doTestNormalize("/a/b/../", "/a/");
-}
-
-@Test
-public void testNormalize27() {
-doTestNormalize("/a/b/./", "/a/b/");
-}
-
-private void doTestNormalize(String input, String expected) {
-Assert.assertEquals(expected,RequestUtil.normalize(input));
-}
-}
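Review bot: testNormalize04 and testNormalize05 in the deleted class both call doTestNormalize("//", "/"), so one of them adds no coverage. When moving these cases to TestRequestUtilNormalize, drop the duplicate or restore whichever input testNormalize05 was meant to exercise.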
diff --git a/test/org/apache/tomcat/util/http/TestRequestUtilNormalize.java 
b/test/org/apache/tomcat/util/http/TestRequestUtilNormalize.java
new file mode 100644
index 000..b642868
--- /dev/null
+++ b/test/org/apache/tomcat/util/http/TestRequestUtilNormalize.java
@@ -0,0 +1,77 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See

[Bug 63939] CORS filter incorrectly implements same/local origin check

2019-11-30 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63939

Mark Thomas  changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #6 from Mark Thomas  ---
Fixed in:
- master for 9.0.30 onwards
- 8.5.x for 8.5.50 onwards
- 7.0.x for 7.0.99 onwards

-- 
You are receiving this mail because:
You are the assignee for the bug.



buildbot failure in on tomcat-trunk

2019-11-30 Thread buildbot
The Buildbot has detected a new failure on builder tomcat-trunk while building 
tomcat. Full details are available at:
https://ci.apache.org/builders/tomcat-trunk/builds/4782

Buildbot URL: https://ci.apache.org/

Buildslave for this Build: asf946_ubuntu

Build Reason: The AnyBranchScheduler scheduler named 'on-tomcat-commit' 
triggered this build
Build Source Stamp: [branch master] 5a17fb70cdad1c329ea203309f69803c930670f1
Blamelist: Mark Thomas 

BUILD FAILED: failed compile_1

Sincerely,
 -The Buildbot







[Bug 63937] CORS preflight request not possible on authenticated endpoints

2019-11-30 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63937

--- Comment #6 from Mark Thomas  ---
Drat. The filter chain is populated later in the request processing chain than
I thought it was. I'm looking into alternatives for the "If the CORS filter is
present" option.




Re: Initial set of patches for Jakarta EE 9

2019-11-30 Thread Rémy Maucherat
On Thu, Nov 28, 2019 at 8:46 PM Mark Thomas  wrote:

> Hi all,
>
> I have pushed an initial set of patches for Jakarta EE 9 here:
> https://github.com/markt-asf/tomcat/tree/jakarta
>
> The current status is:
> - All the packages changing in Jakarta EE 9 have been renamed
> - Any associated constants, service loader files etc. have also been
>   renamed
> - It builds
> - The unit tests pass (excluding those that depend on JSTL - more on
>   that below)
> - A basic smoke test passes
>
> Please try and build it, take it for a spin and report back on this
> thread if you find any issues.
>
> Right, JSTL. I don't particularly want us to have to produce a Jakarta
> EE version of JSTL. So, I plan to use this as the first test case for my
> "Java EE to Jakarta EE converter". I've only just started work on this
> so I don't have any real progress to report. I hope to make progress on
> this next week.
>

Works quite well already, I have the following items:
- java/org/apache/tomcat/util/http/RequestUtil.java uses a javax.
- test/org/apache/tomcat/util/http/TestRequestUtilSameOrigin.java uses two
javax.

The testsuite passes without the need for any additional fixes.

So that's excellent, too bad I didn't get to do anything.

Rémy


Re: Initial set of patches for Jakarta EE 9

2019-11-30 Thread Igal Sapir

Mark,

On 11/28/2019 11:46 AM, Mark Thomas wrote:

> Hi all,
>
> I have pushed an initial set of patches for Jakarta EE 9 here:
> https://github.com/markt-asf/tomcat/tree/jakarta
>
> The current status is:
> - All the packages changing in Jakarta EE 9 have been renamed
> - Any associated constants, service loader files etc. have also been
>   renamed
> - It builds
> - The unit tests pass (excluding those that depend on JSTL - more on
>   that below)
> - A basic smoke test passes
>
> Please try and build it, take it for a spin and report back on this
> thread if you find any issues.


First issue I noticed when trying to build on Windows:

compile:
    [javac] Compiling 1727 source files to E:\Workspace\test\tomcat-jakarta\output\classes
    [javac] E:\Workspace\test\tomcat-jakarta\java\org\apache\tomcat\util\http\RequestUtil.java:21: error: package javax.servlet.http does not exist
    [javac] import javax.servlet.http.HttpServletRequest;
    [javac]  ^
    [javac] E:\Workspace\test\tomcat-jakarta\java\org\apache\tomcat\util\http\RequestUtil.java:122: error: cannot find symbol
    [javac] public static boolean isSameOrigin(HttpServletRequest request, String origin) {
    [javac]    ^
    [javac]   symbol:   class HttpServletRequest
    [javac]   location: class RequestUtil
    [javac] Note: Some input files use or override a deprecated API.
    [javac] Note: Recompile with -Xlint:deprecation for details.
    [javac] 2 errors

BUILD FAILED
E:\Workspace\test\tomcat-jakarta\build.xml:706: Compile failed; see the compiler error output for details.


Igal






Bug report for Taglibs [2019/12/01]

2019-11-30 Thread bugzilla
Columns: Bugzilla Bug ID | Status | Severity | Date Posted | Description
Status: UNC=Unconfirmed NEW=New ASS=Assigned OPN=Reopened VER=Verified (Skipped Closed/Resolved)
Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major MIN=Minor NOR=Normal ENH=Enhancement TRV=Trivial
|38193|Ass|Enh|2006-01-09|[RDC] BuiltIn Grammar support for Field   |
|38600|Ass|Enh|2006-02-10|[RDC] Enable RDCs to be used in X+V markup (X+RDC)|
|42413|New|Enh|2007-05-14|[PATCH] Log Taglib enhancements   |
|46052|New|Nor|2008-10-21|SetLocaleSupport is slow to initialize when many l|
|48333|New|Enh|2009-12-02|TLD generator |
|57548|New|Min|2015-02-08|Auto-generate the value for org.apache.taglibs.sta|
|57684|New|Min|2015-03-10|Version info should be taken from project version |
|59359|New|Enh|2016-04-20|(Task) Extend validity period for signing KEY - be|
|59668|New|Nor|2016-06-06|x:forEach retains the incorrect scope when used in|
|61875|New|Nor|2017-12-08|Investigate whether Xalan can be removed  |
+-+---+---+--+--+
| Total   10 bugs   |
+---+




Bug report for Tomcat 7 [2019/12/01]

2019-11-30 Thread bugzilla
Columns: Bugzilla Bug ID | Status | Severity | Date Posted | Description
Status: UNC=Unconfirmed NEW=New ASS=Assigned OPN=Reopened VER=Verified (Skipped Closed/Resolved)
Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major MIN=Minor NOR=Normal ENH=Enhancement TRV=Trivial
|50944|Ver|Blk|2011-03-18|JSF: java.lang.NullPointerException at com.sun.fac|
|53620|New|Enh|2012-07-30|[juli] delay opening a file until something gets l|
|55104|New|Enh|2013-06-16|Allow passing arguments with spaces to Commons Dae|
|55470|New|Enh|2013-08-23|Help users for ClassNotFoundExceptions during star|
|55477|New|Enh|2013-08-23|Add a solution to map an realm name to a security |
|56148|New|Enh|2014-02-17|support (multiple) ocsp stapling  |
|56181|New|Enh|2014-02-23|RemoteIpValve & RemoteIpFilter: HttpServletRequest|
|56300|New|Enh|2014-03-22|[Tribes] No useful examples, lack of documentation|
|56438|New|Enh|2014-04-21|If jar scan does not find context config or TLD co|
|56614|New|Enh|2014-06-12|Add a switch to ignore annotations detection on ta|
|56787|New|Enh|2014-07-29|Simplified jndi name parsing  |
|57367|New|Enh|2014-12-18|If JAR scan experiences a stack overflow, give the|
|57827|New|Enh|2015-04-17|Enable adding/removing of members via jmx in a sta|
|57872|New|Enh|2015-04-29|Do not auto-switch session cookie to version=1 due|
|57892|New|Enh|2015-05-05|Log once a warning if a symbolic link is ignored (|
|60597|New|Enh|2017-01-17|Add ability to set cipher suites for websocket cli|
|63167|New|Enh|2019-02-12|Network Requirements To Resolve No Members Active |
+-+---+---+--+--+
| Total   17 bugs   |
+---+




Bug report for Tomcat 8 [2019/12/01]

2019-11-30 Thread bugzilla
Columns: Bugzilla Bug ID | Status | Severity | Date Posted | Description
Status: UNC=Unconfirmed NEW=New ASS=Assigned OPN=Reopened VER=Verified (Skipped Closed/Resolved)
Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major MIN=Minor NOR=Normal ENH=Enhancement TRV=Trivial
|55243|New|Enh|2013-07-11|Add special search string for nested roles|
|55252|New|Enh|2013-07-12|Separate Ant and command-line wrappers for JspC   |
|55383|New|Enh|2013-08-07|Improve markup and design of Tomcat's HTML pages  |
|9|New|Enh|2013-09-14|UserDatabaseRealm enhacement: may use local JNDI  |
|55675|New|Enh|2013-10-18|Checking and handling invalid configuration option|
|55788|New|Enh|2013-11-16|TagPlugins should key on tag QName rather than imp|
|56166|New|Enh|2014-02-20|Suggestions for exception handling (avoid potentia|
|56398|New|Enh|2014-04-11|Support Arquillian-based unit testing |
|56399|New|Enh|2014-04-11|Re-factor request/response recycling so Coyote and|
|56402|New|Enh|2014-04-11|Add support for HTTP Upgrade to AJP components|
|56448|New|Enh|2014-04-23|Implement a robust solution for client initiated S|
|56522|Opn|Enh|2014-05-14|jasper-el 8 does not comply to EL Spec 3.0 regardi|
|56546|New|Enh|2014-05-19|Improve thread trace logging in WebappClassLoader.|
|56713|New|Enh|2014-07-12|Limit time that incoming request waits while webap|
|56890|Inf|Maj|2014-08-26|getRealPath returns null  |
|56966|New|Enh|2014-09-11|AccessLogValve's elapsed time has 15ms precision o|
|57130|New|Enh|2014-10-22|Allow digest.sh to accept password from a file or |
|57421|New|Enh|2015-01-07|Farming default directories   |
|57486|New|Enh|2015-01-23|Improve reuse of ProtectedFunctionMapper instances|
|57701|New|Enh|2015-03-13|Implement "[Redeploy]" button for a web applicatio|
|57830|New|Enh|2015-04-18|Add support for ProxyProtocol |
|58052|Opn|Enh|2015-06-19|RewriteValve: Implement additional RewriteRule dir|
|58072|New|Enh|2015-06-23|ECDH curve selection  |
|58577|New|Enh|2015-11-03|JMX Proxy Servlet can't handle overloaded methods |
|58837|New|Enh|2016-01-12|support "X-Content-Security-Policy" a.k.a as "CSP"|
|58935|Opn|Enh|2016-01-29|Re-deploy from war without deleting context   |
|59232|New|Enh|2016-03-24|Make the context name of an app available via JNDI|
|59423|New|Enh|2016-05-03|amend "No LoginModules configured for ..." with hi|
|59758|New|Enh|2016-06-27|Add http proxy username-password credentials suppo|
|60281|Ver|Nor|2016-10-20|Pathname of uploaded WAR file should not be contai|
|60721|Ver|Nor|2017-02-10|Unable to find key spec if more applications use b|
|60781|New|Nor|2017-02-27|Access Log Valve does not escape the same as mod_l|
|60849|New|Enh|2017-03-13|Tomcat NIO Connector not able to handle SSL renego|
|61668|Ver|Min|2017-10-26|Possible NullPointerException in org.apache.coyote|
|61877|New|Enh|2017-12-08|use web.xml from CATALINA_HOME by default |
|61917|New|Enh|2017-12-19|AddDefaultCharsetFilter only supports text/* respo|
|62150|New|Enh|2018-03-01|Behavior of relative paths with RequestDispatcher |
|62214|New|Enh|2018-03-22|The "userSubtree=true" and "roleSubtree=true" in J|
|62245|New|Enh|2018-04-02|[Documentation] Mention contextXsltFile in Default|
|62912|New|Enh|2018-11-15|Tomcat adds a space character in the Content-Type |
|63080|New|Enh|2019-01-16|Support rfc7239 Forwarded header  |
|63195|Inf|Enh|2019-02-21|Add easy way to test RemoteIpValve works properly |
|63286|New|Enh|2019-03-25|Inconsistencies between AccessLogValve and mod_log|
|63681|New|Enh|2019-08-21|Introduce RealmBase#authenticate(GSSName, GSSCrede|
|63802|Inf|Cri|2019-10-04|epoll spin detection is missing   |
|63815|Inf|Nor|2019-10-08|Expansion of JAVA_OPTS in catalina.sh containing '|
|63966|New|Enh|2019-11-27|Charset of TLS message is hardcoded to ISO-8859-1.|
+-+---+---+--+--+
| Total   47 bugs   |
+---+


Bug report for Tomcat Native [2019/12/01]

2019-11-30 Thread bugzilla
Columns: Bugzilla Bug ID | Status | Severity | Date Posted | Description
Status: UNC=Unconfirmed NEW=New ASS=Assigned OPN=Reopened VER=Verified (Skipped Closed/Resolved)
Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major MIN=Minor NOR=Normal ENH=Enhancement TRV=Trivial
|53940|New|Enh|2012-09-27|Added support for new CRL loading after expiration|
|62626|New|Nor|2018-08-15|Tomcat 9.0.10 APR/Native crashes  |
|62911|New|Enh|2018-11-15|Add support for proxying ocsp  requests via ProxyH|
|63199|Inf|Nor|2019-02-22|sslsocket handshake JVM crash |
|63405|New|Nor|2019-05-06|Tomcat 7.0.91.0 EXCEPTION_ACCESS_VIOLATION - Probl|
|63671|New|Nor|2019-08-19|libtcnative does not compile with OpenSSL < 1.1.0 |
|63701|Inf|Maj|2019-08-27|SSL initialize hangs with OpenSSL 1.1.1   |
+-+---+---+--+--+
| Total7 bugs   |
+---+




Bug report for Tomcat 9 [2019/12/01]

2019-11-30 Thread bugzilla
Columns: Bugzilla Bug ID | Status | Severity | Date Posted | Description
Status: UNC=Unconfirmed NEW=New ASS=Assigned OPN=Reopened VER=Verified (Skipped Closed/Resolved)
Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major MIN=Minor NOR=Normal ENH=Enhancement TRV=Trivial
|57505|New|Enh|2015-01-27|Add integration tests for JspC|
|57661|New|Enh|2015-03-04|Delay sending of 100 continue response until appli|
|58242|New|Enh|2015-08-13|Scanning jars in classpath to get annotations in p|
|58530|New|Enh|2015-10-23|Proposal for new Manager HTML GUI |
|58548|New|Enh|2015-10-26|support certifcate transparency   |
|58859|New|Enh|2016-01-14|Allow to limit charsets / encodings supported by T|
|59203|New|Enh|2016-03-21|Try to call Thread.interrupt before calling Thread|
|59344|Ver|Enh|2016-04-18|PEM file support for JSSE |
|59750|New|Enh|2016-06-24|Amend "authenticate" method with context by means |
|60997|New|Enh|2017-04-17|Enhance SemaphoreValve to support denied status an|
|61971|New|Enh|2018-01-06|documentation for using tomcat with systemd   |
|62048|New|Enh|2018-01-25|Missing logout function in Manager and Host-Manage|
|62072|New|Enh|2018-02-01|Add support for request compression   |
|62312|New|Enh|2018-04-18|Add Proxy Authentication support to websocket clie|
|62405|New|Enh|2018-05-23|Add Rereadable Request Filter |
|62488|New|Enh|2018-06-25|Obtain dependencies from Maven Central where possi|
|62611|New|Enh|2018-08-09|Compress log files after rotation |
|62695|Inf|Nor|2018-09-07|Provide sha512 checksums for Tomcat releases publi|
|62723|New|Enh|2018-09-14|Clarify "channelSendOptions" value in cluster docu|
|62773|New|Enh|2018-09-28|Change DeltaManager to handle session deserializat|
|62814|New|Enh|2018-10-10|Use readable names for cluster channel/map options|
|62843|New|Enh|2018-10-22|Tomcat Russian localization   |
|62920|New|Enh|2018-11-17|Maven Plugin For Tomcat 9.0.x |
|62964|Inf|Enh|2018-11-29|Add RFC7807 conformant Problem Details for HTTP st|
|63023|New|Enh|2018-12-20|Provide a way to load SecurityProviders into the s|
|63049|New|Enh|2018-12-31|Add support in system properties override from com|
|63237|New|Enh|2019-03-06|Consider processing mbeans-descriptors.xml at comp|
|63362|New|Enh|2019-04-18|GlobalRequestProcessor statistics in MBean does no|
|63389|New|Enh|2019-04-27|Enable Servlet Warmup for Containerization|
|63493|New|Enh|2019-06-10|enhancement - add JMX counters to monitor authenti|
|63505|New|Enh|2019-06-14|enhancement - support of stored procedures for Dat|
|63545|New|Enh|2019-07-06|enhancement - add a new pattern attribute for logg|
|63691|New|Enh|2019-08-24|Add a no-op JarScanner|
|63859|Inf|Reg|2019-10-17|AJP cping/cpong mode failing on Tomcat 9.x|
|63931|New|Maj|2019-11-18|The remote endpoint was in state [TEXT_FULL_WRITIN|
|63937|New|Nor|2019-11-19|CORS preflight request not possible on authenticat|
|63943|Opn|Enh|2019-11-20|Add possibility to overwrite remote port with info|
|63969|New|Reg|2019-11-27|Stackoverflow in JSF  |
+-+---+---+--+--+
| Total   38 bugs   |
+---+




Bug report for Tomcat Connectors [2019/12/01]

2019-11-30 Thread bugzilla
Columns: Bugzilla Bug ID | Status | Severity | Date Posted | Description
Status: UNC=Unconfirmed NEW=New ASS=Assigned OPN=Reopened VER=Verified (Skipped Closed/Resolved)
Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major MIN=Minor NOR=Normal ENH=Enhancement TRV=Trivial
|46767|New|Enh|2009-02-25|mod_jk to send DECLINED in case no fail-over tomca|
|47327|New|Enh|2009-06-07|Return tomcat authenticated user back to mod_jk (A|
|47750|New|Maj|2009-08-27|ISAPI: Loss of worker settings when changing via j|
|48830|New|Nor|2010-03-01|IIS shutdown blocked in endpoint service when serv|
|49822|New|Enh|2010-08-25|Add hash lb worker method |
|49903|New|Enh|2010-09-09|Make workers file reloadable  |
|52483|New|Enh|2012-01-18|Print JkOptions's options in log file and jkstatus|
|54621|New|Enh|2013-02-28|[PATCH] custom mod_jk availability checks |
|56489|New|Enh|2014-05-05|Include a directory for configuration files   |
|56576|New|Enh|2014-05-29|Websocket support |
|57402|New|Enh|2014-12-30|Provide correlation ID between mod_jk log and acce|
|57403|New|Enh|2014-12-30|Persist configuration changes made via status work|
|57407|New|Enh|2014-12-31|Make session_cookie, session_path and session_cook|
|57790|New|Enh|2015-04-03|Check worker names for typos  |
|61476|New|Enh|2017-09-01|Allow reset of an individual worker stat value|
|61621|New|Enh|2017-10-15|Content-Type is forced to lowercase when it goes t|
|62093|New|Enh|2018-02-09|Allow use_server_errors to apply to specific statu|
|63214|New|Nor|2019-02-27|Using JkAutoAlias, Filenames with Spaces Cannot be|
|63808|Opn|Enh|2019-10-05|the fact that JkMount makes other directives ineff|
+-+---+---+--+--+
| Total   19 bugs   |
+---+




Bug report for Tomcat Modules [2019/12/01]

2019-11-30 Thread bugzilla
Columns: Bugzilla Bug ID | Status | Severity | Date Posted | Description
Status: UNC=Unconfirmed NEW=New ASS=Assigned OPN=Reopened VER=Verified (Skipped Closed/Resolved)
Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major MIN=Minor NOR=Normal ENH=Enhancement TRV=Trivial
|50571|Inf|Nor|2011-01-11|Tomcat 7 JDBC connection pool exception enhancemen|
|51595|Inf|Nor|2011-08-01|org.apache.tomcat.jdbc.pool.jmx.ConnectionPool sho|
|51879|Inf|Enh|2011-09-22|Improve access to Native Connection Methods   |
|52024|Inf|Enh|2011-10-13|Custom interceptor to support automatic failover o|
|53199|Inf|Enh|2012-05-07|Refactor ConnectionPool to use ScheduledExecutorSe|
|54437|New|Enh|2013-01-16|Update PoolProperties javadoc for ConnectState int|
|54929|Inf|Nor|2013-05-05|jdbc-pool cannot be used with Java 1.5, "java.lang|
|55078|New|Nor|2013-06-07|Configuring a DataSource Resource with dataSourceJ|
|55662|New|Enh|2013-10-17|Add a way to set an instance of java.sql.Driver di|
|56046|New|Enh|2014-01-21|org.apache.tomcat.jdbc.pool.XADataSource InitSQL p|
|56088|New|Maj|2014-01-29|AbstractQueryReport$StatementProxy throws exceptio|
|56310|Inf|Maj|2014-03-25|PooledConnection and XAConnection not handled corr|
|56586|New|Nor|2014-06-02|initSQL should be committed if defaultAutoCommit =|
|56775|New|Nor|2014-07-28|PoolCleanerTime schedule issue|
|56779|New|Nor|2014-07-28|Allow multiple connection initialization statement|
|56790|New|Nor|2014-07-29|Resizing pool.maxActive to a higher value at runti|
|56798|New|Nor|2014-07-31|Idle eviction strategy could perform better (and i|
|56804|New|Nor|2014-08-02|Use a default validationQueryTimeout other than "f|
|56805|New|Nor|2014-08-02|datasource.getConnection() may be unnecessarily bl|
|56837|New|Nor|2014-08-11|if validationQuery have error with timeBetweenEvic|
|56970|New|Nor|2014-09-11|MaxActive vs. MaxTotal for commons-dbcp and tomcat|
|57460|New|Nor|2015-01-19|[DB2]Connection broken after few hours but not rem|
|57729|New|Enh|2015-03-20|Add QueryExecutionReportInterceptor to log query e|
|58489|Opn|Maj|2015-10-08|QueryStatsComparator throws IllegalArgumentExcepti|
|59077|New|Nor|2016-02-26|DataSourceFactory creates a neutered data source  |
|59569|New|Nor|2016-05-18|isWrapperFor/unwrap implementations incorrect |
|59879|New|Nor|2016-07-18|StatementCache interceptor returns ResultSet objec|
|60195|New|Nor|2016-10-02|No javadoc in Maven Central   |
|60522|New|Nor|2016-12-27|An option for setting if the transaction should be|
|60524|Inf|Nor|2016-12-28|NPE in SlowQueryReport in tomcat-jdbc-7.0.68  |
|60645|New|Nor|2017-01-25|StatementFinalizer is not thread-safe |
|61032|New|Nor|2017-04-24|min pool size is not being respected  |
|61103|New|Nor|2017-05-18|StatementCache potentially caching non-functional |
|61302|New|Enh|2017-07-15|Refactoring of DataSourceProxy|
|61303|New|Enh|2017-07-15|Refactoring of ConnectionPool |
|62432|New|Nor|2018-06-06|Memory Leak in Statement Finalizer?   |
|62598|New|Enh|2018-08-04|support pool with multiple JDBC data sources  |
|62910|Inf|Nor|2018-11-15|tomcat-jdbc global pool transaction problem   |
|63612|Inf|Cri|2019-07-26|PooledConnection#connectUsingDriver, Thread.curren|
|63705|New|Nor|2019-08-29|The tomcat pool doesn't register all connection th|
+-+---+---+--+--+
| Total   40 bugs   |
+---+
