Re: [PR] Fix websocket processor leaks when WsSession expires and server sends close message by WsBackgroundThread [tomcat]

2024-02-01 Thread via GitHub


chenbiaoit commented on PR #683:
URL: https://github.com/apache/tomcat/pull/683#issuecomment-1923029828

> Fixed and back-ported. Will be in the February releases.

Hi @markt-asf, what channel can I use to know that this problem has been fixed? Thank you very much.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: February 2024 releases

2024-02-01 Thread Mark Thomas

On 01/02/2024 23:45, Christopher Schultz wrote:
> All,
>
> Friday seems like a good time to roll a release and call for a vote.
>
> Does anyone want to fit anything in before this round of releases?


Yes. The update to the migration tool.

We might want to think about a Tomcat Native release to pick up the 
latest OpenSSL releases. We don't need to, but it will probably save 
some false positives from security scanners.


I also have some other changes locally that I want to merge.

Mark




February 2024 releases

2024-02-01 Thread Christopher Schultz

All,

Friday seems like a good time to roll a release and call for a vote.

Does anyone want to fit anything in before this round of releases?

-chris




Buildbot failure in on tomcat-8.5.x

2024-02-01 Thread buildbot
Build status: BUILD FAILED: failed compile (failure)
Worker used: bb_worker2_ubuntu
URL: https://ci2.apache.org/#builders/36/builds/728
Blamelist: Christopher Schultz, remm

Build Text: failed compile (failure)
Status Detected: new failure
Build Source Stamp: [branch 8.5.x] 63ced512958556c7b6d7bfc60740648cecd0020d


Steps:

  worker_preparation: 0

  git: 0

  shell: 0

  shell_1: 0

  shell_2: 0

  shell_3: 0

  shell_4: 0

  shell_5: 0

  compile: 2


-- ASF Buildbot





(tomcat) branch 8.5.x updated: Fix unit tests.

2024-02-01 Thread schultz
This is an automated email from the ASF dual-hosted git repository.

schultz pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/8.5.x by this push:
 new 41991eccb4 Fix unit tests.
41991eccb4 is described below

commit 41991eccb4191854d3c1ed1da7559e4e58d89086
Author: Christopher Schultz 
AuthorDate: Thu Feb 1 13:06:27 2024 -0500

Fix unit tests.
---
 java/org/apache/catalina/filters/CsrfPreventionFilter.java | 2 +-
 test/org/apache/catalina/filters/TestCsrfPreventionFilter.java | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/java/org/apache/catalina/filters/CsrfPreventionFilter.java 
b/java/org/apache/catalina/filters/CsrfPreventionFilter.java
index 21d0ac735f..d014c0b98b 100644
--- a/java/org/apache/catalina/filters/CsrfPreventionFilter.java
+++ b/java/org/apache/catalina/filters/CsrfPreventionFilter.java
@@ -100,7 +100,7 @@ public class CsrfPreventionFilter extends 
CsrfPreventionFilterBase {
  */
 private String noNoncePatterns = DEFAULT_NO_NONCE_URL_PATTERNS;
 
-private interface Predicate {
+public interface Predicate {
 boolean test(T t);
 }
 
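Review bot: making the nested `Predicate` interface `public` exposes it as API just so the test can import it; both `CsrfPreventionFilter` and `TestCsrfPreventionFilter` live in `org.apache.catalina.filters`, so dropping the modifier (package-private) would let the test compile without committing an 8.5.x branch to a public type that then has to be kept for compatibility. If it does need to be public, a javadoc line saying it exists only because this branch targets Java 7 and cannot use `java.util.function.Predicate` would explain the odd duplicate to future readers.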
diff --git a/test/org/apache/catalina/filters/TestCsrfPreventionFilter.java 
b/test/org/apache/catalina/filters/TestCsrfPreventionFilter.java
index b9e0c06f3c..5fb8a267a5 100644
--- a/test/org/apache/catalina/filters/TestCsrfPreventionFilter.java
+++ b/test/org/apache/catalina/filters/TestCsrfPreventionFilter.java
@@ -24,7 +24,6 @@ import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.Iterator;
-import java.util.function.Predicate;
 
 import javax.servlet.http.HttpServletResponse;
 
@@ -32,6 +31,7 @@ import org.junit.Assert;
 import org.junit.Test;
 
 import org.apache.catalina.filters.CsrfPreventionFilter.LruCache;
+import org.apache.catalina.filters.CsrfPreventionFilter.Predicate;
 import org.apache.catalina.startup.TomcatBaseTest;
 import org.apache.tomcat.unittest.TesterServletContext;
 
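Review bot: the added `import org.apache.catalina.filters.CsrfPreventionFilter.Predicate;` imports a nested type from the test's own package, so the test could refer to `CsrfPreventionFilter.Predicate` directly and neither this import nor the `public` visibility change in the other file would be needed. The removal of `java.util.function.Predicate` in the previous hunk is the part actually required for the Java 7 build.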





Time for a migration tool release

2024-02-01 Thread Mark Thomas

Hi all,

There have been some fixes and there are currently no open issues so, unless there are objections, I intend to tag and start the release tomorrow.


Mark




(tomcat) branch 8.5.x updated: Lower log level

2024-02-01 Thread remm
This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/8.5.x by this push:
 new 63ced51295 Lower log level
63ced51295 is described below

commit 63ced512958556c7b6d7bfc60740648cecd0020d
Author: remm 
AuthorDate: Thu Feb 1 17:03:52 2024 +0100

Lower log level

The verbosity seems too high for debug level.
---
 java/org/apache/coyote/http11/Http11InputBuffer.java | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/java/org/apache/coyote/http11/Http11InputBuffer.java 
b/java/org/apache/coyote/http11/Http11InputBuffer.java
index 60e5027961..03c4c0cd22 100644
--- a/java/org/apache/coyote/http11/Http11InputBuffer.java
+++ b/java/org/apache/coyote/http11/Http11InputBuffer.java
@@ -759,8 +759,8 @@ public class Http11InputBuffer implements InputBuffer, 
ApplicationBufferHandler
  */
 private boolean fill(boolean block) throws IOException {
 
-if (log.isDebugEnabled()) {
-log.debug("Before fill(): parsingHeader: [" + parsingHeader + "], 
parsingRequestLine: [" +
+if (log.isTraceEnabled()) {
+log.trace("Before fill(): parsingHeader: [" + parsingHeader + "], 
parsingRequestLine: [" +
 parsingRequestLine + "], parsingRequestLinePhase: [" + 
parsingRequestLinePhase +
 "], parsingRequestLineStart: [" + parsingRequestLineStart 
+ "], byteBuffer.position(): [" +
 byteBuffer.position() + "], byteBuffer.limit(): [" + 
byteBuffer.limit() + "], end: [" + end + "]");
@@ -806,8 +806,8 @@ public class Http11InputBuffer implements InputBuffer, 
ApplicationBufferHandler
 }
 }
 
-if (log.isDebugEnabled()) {
-log.debug("Received [" + new String(byteBuffer.array(), 
byteBuffer.position(), byteBuffer.remaining(),
+if (log.isTraceEnabled()) {
+log.trace("Received [" + new String(byteBuffer.array(), 
byteBuffer.position(), byteBuffer.remaining(),
 StandardCharsets.ISO_8859_1) + "]");
 }
 
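Review bot: the `Received [...]` message in this hunk writes the raw contents of the input buffer, i.e. the request line and every header, decoded as ISO-8859-1, so `Cookie`, `Authorization` and similar values land in the log whenever the level is enabled. Trace is the right level for that, and the `isTraceEnabled()` guard keeps the `new String(...)` copy off the hot path, but a one-line comment above the guard stating that trace on `org.apache.coyote.http11.Http11InputBuffer` logs complete request headers would help operators avoid leaving it enabled in production.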





(tomcat) branch 9.0.x updated: Lower log level

2024-02-01 Thread remm
This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/9.0.x by this push:
 new e5f9a0c023 Lower log level
e5f9a0c023 is described below

commit e5f9a0c0232ef0a626b7c90815244f15657146c8
Author: remm 
AuthorDate: Thu Feb 1 17:03:52 2024 +0100

Lower log level

The verbosity seems too high for debug level.
---
 java/org/apache/coyote/http11/Http11InputBuffer.java | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/java/org/apache/coyote/http11/Http11InputBuffer.java 
b/java/org/apache/coyote/http11/Http11InputBuffer.java
index 3721b1b712..0673bb648a 100644
--- a/java/org/apache/coyote/http11/Http11InputBuffer.java
+++ b/java/org/apache/coyote/http11/Http11InputBuffer.java
@@ -754,8 +754,8 @@ public class Http11InputBuffer implements InputBuffer, 
ApplicationBufferHandler
  */
 private boolean fill(boolean block) throws IOException {
 
-if (log.isDebugEnabled()) {
-log.debug("Before fill(): parsingHeader: [" + parsingHeader + "], 
parsingRequestLine: [" +
+if (log.isTraceEnabled()) {
+log.trace("Before fill(): parsingHeader: [" + parsingHeader + "], 
parsingRequestLine: [" +
 parsingRequestLine + "], parsingRequestLinePhase: [" + 
parsingRequestLinePhase +
 "], parsingRequestLineStart: [" + parsingRequestLineStart 
+ "], byteBuffer.position(): [" +
 byteBuffer.position() + "], byteBuffer.limit(): [" + 
byteBuffer.limit() + "], end: [" + end + "]");
@@ -806,8 +806,8 @@ public class Http11InputBuffer implements InputBuffer, 
ApplicationBufferHandler
 }
 }
 
-if (log.isDebugEnabled()) {
-log.debug("Received [" + new String(byteBuffer.array(), 
byteBuffer.position(), byteBuffer.remaining(),
+if (log.isTraceEnabled()) {
+log.trace("Received [" + new String(byteBuffer.array(), 
byteBuffer.position(), byteBuffer.remaining(),
 StandardCharsets.ISO_8859_1) + "]");
 }
 
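Review bot: this is the same change as the 8.5.x commit 63ced51295, with only the hunk offsets differing (`-754` here versus `-759` there for the `fill()` hunk); the same point applies to the `Received [...]` message, which at trace level still writes the complete request line and headers, credentials included, to the log, so a comment above the guard saying so is worth carrying on every branch that gets this backport.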





(tomcat) branch 10.1.x updated: Lower log level

2024-02-01 Thread remm
This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/10.1.x by this push:
 new 95df480ac8 Lower log level
95df480ac8 is described below

commit 95df480ac8e2b2fd91f85886a81bf81a0d3129dd
Author: remm 
AuthorDate: Thu Feb 1 17:03:52 2024 +0100

Lower log level

The verbosity seems too high for debug level.
---
 java/org/apache/coyote/http11/Http11InputBuffer.java | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/java/org/apache/coyote/http11/Http11InputBuffer.java 
b/java/org/apache/coyote/http11/Http11InputBuffer.java
index 4b01560c37..9390c3b8f1 100644
--- a/java/org/apache/coyote/http11/Http11InputBuffer.java
+++ b/java/org/apache/coyote/http11/Http11InputBuffer.java
@@ -754,8 +754,8 @@ public class Http11InputBuffer implements InputBuffer, 
ApplicationBufferHandler
  */
 private boolean fill(boolean block) throws IOException {
 
-if (log.isDebugEnabled()) {
-log.debug("Before fill(): parsingHeader: [" + parsingHeader + "], 
parsingRequestLine: [" +
+if (log.isTraceEnabled()) {
+log.trace("Before fill(): parsingHeader: [" + parsingHeader + "], 
parsingRequestLine: [" +
 parsingRequestLine + "], parsingRequestLinePhase: [" + 
parsingRequestLinePhase +
 "], parsingRequestLineStart: [" + parsingRequestLineStart 
+ "], byteBuffer.position(): [" +
 byteBuffer.position() + "], byteBuffer.limit(): [" + 
byteBuffer.limit() + "], end: [" + end + "]");
@@ -806,8 +806,8 @@ public class Http11InputBuffer implements InputBuffer, 
ApplicationBufferHandler
 }
 }
 
-if (log.isDebugEnabled()) {
-log.debug("Received [" + new String(byteBuffer.array(), 
byteBuffer.position(), byteBuffer.remaining(),
+if (log.isTraceEnabled()) {
+log.trace("Received [" + new String(byteBuffer.array(), 
byteBuffer.position(), byteBuffer.remaining(),
 StandardCharsets.ISO_8859_1) + "]");
 }
 
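Review bot: identical backport of the 8.5.x commit 63ced51295 (the `fill()` hunk starts at `-754` here rather than `-759`); as for the other branches, the `Received [...]` trace message dumps the full request line and headers, so the guard deserves a comment warning that trace on this logger exposes credentials carried in headers.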





(tomcat) branch main updated: Lower log level

2024-02-01 Thread remm
This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
 new cdc68e3507 Lower log level
cdc68e3507 is described below

commit cdc68e350759c7ba5e3ff8f75be11b1285e9d1d8
Author: remm 
AuthorDate: Thu Feb 1 17:03:52 2024 +0100

Lower log level

The verbosity seems too high for debug level.
---
 java/org/apache/coyote/http11/Http11InputBuffer.java | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/java/org/apache/coyote/http11/Http11InputBuffer.java 
b/java/org/apache/coyote/http11/Http11InputBuffer.java
index 1ae9eba04b..fea3b2fe46 100644
--- a/java/org/apache/coyote/http11/Http11InputBuffer.java
+++ b/java/org/apache/coyote/http11/Http11InputBuffer.java
@@ -750,8 +750,8 @@ public class Http11InputBuffer implements InputBuffer, 
ApplicationBufferHandler
  */
 private boolean fill(boolean block) throws IOException {
 
-if (log.isDebugEnabled()) {
-log.debug("Before fill(): parsingHeader: [" + parsingHeader + "], 
parsingRequestLine: [" +
+if (log.isTraceEnabled()) {
+log.trace("Before fill(): parsingHeader: [" + parsingHeader + "], 
parsingRequestLine: [" +
 parsingRequestLine + "], parsingRequestLinePhase: [" + 
parsingRequestLinePhase +
 "], parsingRequestLineStart: [" + parsingRequestLineStart 
+ "], byteBuffer.position(): [" +
 byteBuffer.position() + "], byteBuffer.limit(): [" + 
byteBuffer.limit() + "], end: [" + end + "]");
@@ -802,8 +802,8 @@ public class Http11InputBuffer implements InputBuffer, 
ApplicationBufferHandler
 }
 }
 
-if (log.isDebugEnabled()) {
-log.debug("Received [" + new String(byteBuffer.array(), 
byteBuffer.position(), byteBuffer.remaining(),
+if (log.isTraceEnabled()) {
+log.trace("Received [" + new String(byteBuffer.array(), 
byteBuffer.position(), byteBuffer.remaining(),
 StandardCharsets.ISO_8859_1) + "]");
 }
 
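Review bot: same change as the 8.5.x, 9.0.x and 10.1.x commits, with the `fill()` hunk at `-750` on main; the `Received [...]` message still writes the complete request line and headers (decoded as ISO-8859-1) at trace level, so the comment recommended for the other branches, that trace on `Http11InputBuffer` logs credential-bearing headers, belongs here too.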





(tomcat) branch 8.5.x updated (d4a3db1a4a -> e4bfae8e7e)

2024-02-01 Thread schultz
This is an automated email from the ASF dual-hosted git repository.

schultz pushed a change to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


from d4a3db1a4a Generate optimal size and types for JSP imports maps
 new 7fb4beb75d Csrf filter improvements (#681)
 new e4bfae8e7e Checkstyle

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .../catalina/filters/CsrfPreventionFilter.java | 397 +++--
 .../catalina/filters/TestCsrfPreventionFilter.java | 110 +-
 webapps/docs/changelog.xml |   4 +
 webapps/docs/config/filter.xml |  42 +++
 4 files changed, 513 insertions(+), 40 deletions(-)





(tomcat) 02/02: Checkstyle

2024-02-01 Thread schultz
This is an automated email from the ASF dual-hosted git repository.

schultz pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit e4bfae8e7e0381fbb3d194c9a4ee4beb4efdba16
Author: remm 
AuthorDate: Thu Feb 1 16:17:06 2024 +0100

Checkstyle
---
 java/org/apache/catalina/filters/CsrfPreventionFilter.java | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/java/org/apache/catalina/filters/CsrfPreventionFilter.java 
b/java/org/apache/catalina/filters/CsrfPreventionFilter.java
index a0d0369532..21d0ac735f 100644
--- a/java/org/apache/catalina/filters/CsrfPreventionFilter.java
+++ b/java/org/apache/catalina/filters/CsrfPreventionFilter.java
@@ -190,6 +190,7 @@ public class CsrfPreventionFilter extends 
CsrfPreventionFilterBase {
 /**
  * Creates a collection of matchers from a comma-separated string of 
patterns.
  *
+ * @param context the Servlet context
  * @param patterns A comma-separated string of URL matching patterns.
  *
  * @return A collection of predicates representing the URL patterns.
@@ -223,6 +224,7 @@ public class CsrfPreventionFilter extends 
CsrfPreventionFilterBase {
 /**
  * Creates a predicate that can match the specified type of pattern.
  *
+ * @param context the Servlet context
  * @param pattern The pattern to match e.g. *.foo or
  */bar/*.
  *

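Review bot: `@param context the Servlet context` satisfies checkstyle but does not say what the parameter is for; the `Csrf filter improvements` commit message says the servlet context is captured and made available to predicate construction in order to support the MIME-type match, so a description along the lines of `the servlet context, used to resolve MIME types for pattern matching` in both javadoc blocks of this commit would document the real dependency.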




(tomcat) 01/02: Csrf filter improvements (#681)

2024-02-01 Thread schultz
This is an automated email from the ASF dual-hosted git repository.

schultz pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 7fb4beb75dfbcd7b667548e12068e2a649c487f3
Author: Christopher Schultz 
AuthorDate: Thu Feb 1 10:02:27 2024 -0500

Csrf filter improvements (#681)

* Add an enforce() method and support for non-enforcement of CSRF

This allows subclasses to decide whether to enforce CSRF under whatever 
conditions they choose.

* Add an "enforce" flag for CSRF prevention.

This allows developers to put the CSRF prevention filter into a monitoring 
mode.

* Add no-nonce-URL patterns to suppress nonces for certain URLs

This improves cache performance for resources that need no protection.

* Whitespace police

* Add SVG to default list of no-nonce patterns.

* URLs that will not have nonces added to them should also be skipped for 
enforcement.

* Re-organize constant members and re-factor a utility method.

* Simplify default no-nonce URL pattern definition.

* Add additional default no-nonce file extensions.

* Delay building of no-nonce predicates until after initialization

Capture servlet context and make it available to predicate-construction.

* Introduce a MIME-type match for no-nonce URLs

* Add .jms file extension to default no-nonce list.

Align documentation with the actual default no-nonce list.

* Fix logic error.

* Optimize and fix logic error.

* Clarify documentation

* Consistency

* Use javabean semantics for boolean accessor

* Fix copy/paste logic error.

* Align documentation with javadoc.

* Make regular-expression no-nonce patterns singletons.

There is no particular need to have multiple regular expressions, here.

* Fix broken unit test

* Fix obvious matching error with prefix and suffix predicates.

Restore regexp matching capability when parsing a single expression. This 
allows regular expressions with MIME matching.

* Add unit tests.

* Add javadoc.

* Add changelog

* Use locally-defined Predicate interface for Java 7-based builds.
---
 .../catalina/filters/CsrfPreventionFilter.java | 395 +++--
 .../catalina/filters/TestCsrfPreventionFilter.java | 110 +-
 webapps/docs/changelog.xml |   4 +
 webapps/docs/config/filter.xml |  42 +++
 4 files changed, 511 insertions(+), 40 deletions(-)

diff --git a/java/org/apache/catalina/filters/CsrfPreventionFilter.java 
b/java/org/apache/catalina/filters/CsrfPreventionFilter.java
index 2464ebc59c..a0d0369532 100644
--- a/java/org/apache/catalina/filters/CsrfPreventionFilter.java
+++ b/java/org/apache/catalina/filters/CsrfPreventionFilter.java
@@ -18,13 +18,18 @@ package org.apache.catalina.filters;
 
 import java.io.IOException;
 import java.io.Serializable;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
 import java.util.HashSet;
 import java.util.LinkedHashMap;
 import java.util.Map;
 import java.util.Set;
+import java.util.regex.Pattern;
 
 import javax.servlet.FilterChain;
 import javax.servlet.FilterConfig;
+import javax.servlet.ServletContext;
 import javax.servlet.ServletException;
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
@@ -43,8 +48,38 @@ import org.apache.juli.logging.LogFactory;
  * {@link HttpServletResponse#encodeRedirectURL(String)} and {@link 
HttpServletResponse#encodeURL(String)} are used
  * to encode all URLs returned to the client
  * 
+ *
+ * 
+ *   CSRF protection is enabled by generating random nonce values which are
+ *   stored in the client's HTTP session. Each URL encoded using
+ *   {@link HttpServletResponse#encodeURL(String)} has a URL parameter added
+ *   which, when sent to the server in a future request, will be checked
+ *   against this stored set of nonces for validity.
+ * 
+ *
+ * 
+ *   Some URLs should be accessible even without a valid nonce parameter value.
+ *   These URLs are known as "entry points" because clients should be able to
+ *   "enter" the application without first establishing any valid tokens. These
+ *   are configured with the entryPoints filter
+ *   init-param.
+ * 
+ *
+ * 
+ *   Some URLs should not have nonce parameters added to them at all
  */
 public class CsrfPreventionFilter extends CsrfPreventionFilterBase {
+/**
+ * The default set of URL patterns for which nonces will not be appended.
+ */
+private static final String DEFAULT_NO_NONCE_URL_PATTERNS
+= "*.css, *.js, *.gif, *.png, *.jpg, *.svg, *.ico, *.jpeg, *.mjs";
+
+/**
+ * The servlet context in which this Filter is operating.
+ */
+private ServletContext context;
+
 private final Log log = 
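Review bot: the default list `*.css, *.js, *.gif, *.png, *.jpg, *.svg, *.ico, *.jpeg, *.mjs` contains `*.mjs`, while the commit message says `.jms` was added; that reads as a typo in the message rather than in the code and is worth correcting wherever the changelog repeats it. The larger point is that, per the same message, URLs matching a no-nonce pattern are also skipped for enforcement, so this list is a CSRF-check exemption and not merely a nonce-suppression list; the class javadoc paragraph beginning `Some URLs should not have nonce parameters added to them at all` should say that explicitly, and the `webapps/docs/config/filter.xml` entry should tell administrators to place only static, side-effect-free resources in the no-nonce pattern list.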

(tomcat) branch 9.0.x updated: Checkstyle

2024-02-01 Thread remm
This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/9.0.x by this push:
 new b51f547ff2 Checkstyle
b51f547ff2 is described below

commit b51f547ff2ef15604fd80e34e163f5e1bf8521a7
Author: remm 
AuthorDate: Thu Feb 1 16:20:27 2024 +0100

Checkstyle
---
 java/org/apache/catalina/filters/CsrfPreventionFilter.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/java/org/apache/catalina/filters/CsrfPreventionFilter.java 
b/java/org/apache/catalina/filters/CsrfPreventionFilter.java
index b6b78dc7e3..9872c74c07 100644
--- a/java/org/apache/catalina/filters/CsrfPreventionFilter.java
+++ b/java/org/apache/catalina/filters/CsrfPreventionFilter.java
@@ -33,7 +33,6 @@ import javax.servlet.FilterConfig;
 import javax.servlet.ServletContext;
 import javax.servlet.ServletException;
 import javax.servlet.ServletRequest;
-import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
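Review bot: the duplicate `import javax.servlet.ServletRequest;` removed here was introduced by the 9.0.x `Csrf filter improvements` commit (8a9f1be554), whose first hunk adds a second `import javax.servlet.ServletRequest;` directly after the existing one; javac accepts an identical single-type import twice, so only checkstyle catches it. Running checkstyle before pushing backports, as is done for main, would have avoided this follow-up commit.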
@@ -188,6 +187,7 @@ public class CsrfPreventionFilter extends 
CsrfPreventionFilterBase {
 /**
  * Creates a collection of matchers from a comma-separated string of 
patterns.
  *
+ * @param context the Servlet context
  * @param patterns A comma-separated string of URL matching patterns.
  *
  * @return A collection of predicates representing the URL patterns.
@@ -220,6 +220,7 @@ public class CsrfPreventionFilter extends 
CsrfPreventionFilterBase {
 /**
  * Creates a predicate that can match the specified type of pattern.
  *
+ * @param context the Servlet context
  * @param pattern The pattern to match e.g. *.foo or
  */bar/*.
  *





(tomcat) branch 10.1.x updated: Checkstyle

2024-02-01 Thread remm
This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/10.1.x by this push:
 new 46cc90953e Checkstyle
46cc90953e is described below

commit 46cc90953e5c2543b07fae1438e8d753e1034617
Author: remm 
AuthorDate: Thu Feb 1 16:17:06 2024 +0100

Checkstyle
---
 java/org/apache/catalina/filters/CsrfPreventionFilter.java | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/java/org/apache/catalina/filters/CsrfPreventionFilter.java 
b/java/org/apache/catalina/filters/CsrfPreventionFilter.java
index 82dd06917c..4150ab0d92 100644
--- a/java/org/apache/catalina/filters/CsrfPreventionFilter.java
+++ b/java/org/apache/catalina/filters/CsrfPreventionFilter.java
@@ -187,6 +187,7 @@ public class CsrfPreventionFilter extends 
CsrfPreventionFilterBase {
 /**
  * Creates a collection of matchers from a comma-separated string of 
patterns.
  *
+ * @param context the Servlet context
  * @param patterns A comma-separated string of URL matching patterns.
  *
  * @return A collection of predicates representing the URL patterns.
@@ -219,6 +220,7 @@ public class CsrfPreventionFilter extends 
CsrfPreventionFilterBase {
 /**
  * Creates a predicate that can match the specified type of pattern.
  *
+ * @param context the Servlet context
  * @param pattern The pattern to match e.g. *.foo or
  */bar/*.
  *





(tomcat) branch main updated: Checkstyle

2024-02-01 Thread remm
This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
 new 12e40f6b78 Checkstyle
12e40f6b78 is described below

commit 12e40f6b78be4518833a68bb9f4b3a7c72473a5c
Author: remm 
AuthorDate: Thu Feb 1 16:17:06 2024 +0100

Checkstyle
---
 java/org/apache/catalina/filters/CsrfPreventionFilter.java | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/java/org/apache/catalina/filters/CsrfPreventionFilter.java 
b/java/org/apache/catalina/filters/CsrfPreventionFilter.java
index 82dd06917c..4150ab0d92 100644
--- a/java/org/apache/catalina/filters/CsrfPreventionFilter.java
+++ b/java/org/apache/catalina/filters/CsrfPreventionFilter.java
@@ -187,6 +187,7 @@ public class CsrfPreventionFilter extends 
CsrfPreventionFilterBase {
 /**
  * Creates a collection of matchers from a comma-separated string of 
patterns.
  *
+ * @param context the Servlet context
  * @param patterns A comma-separated string of URL matching patterns.
  *
  * @return A collection of predicates representing the URL patterns.
@@ -219,6 +220,7 @@ public class CsrfPreventionFilter extends 
CsrfPreventionFilterBase {
 /**
  * Creates a predicate that can match the specified type of pattern.
  *
+ * @param context the Servlet context
  * @param pattern The pattern to match e.g. *.foo or
  */bar/*.
  *





(tomcat) branch 9.0.x updated: Csrf filter improvements (#681)

2024-02-01 Thread schultz
This is an automated email from the ASF dual-hosted git repository.

schultz pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/9.0.x by this push:
 new 8a9f1be554 Csrf filter improvements (#681)
8a9f1be554 is described below

commit 8a9f1be5541e538fd120c243bd8f115b75516737
Author: Christopher Schultz 
AuthorDate: Thu Feb 1 10:02:27 2024 -0500

Csrf filter improvements (#681)

* Add an enforce() method and support for non-enforcement of CSRF

This allows subclasses to decide whether to enforce CSRF under whatever 
conditions they choose.

* Add an "enforce" flag for CSRF prevention.

This allows developers to put the CSRF prevention filter into a monitoring 
mode.

* Add no-nonce-URL patterns to suppress nonces for certain URLs

This improves cache performance for resources that need no protection.

* Whitespace police

* Add SVG to default list of no-nonce patterns.

* URLs that will not have nonces added to them should also be skipped for 
enforcement.

* Re-organize constant members and re-factor a utility method.

* Simplify default no-nonce URL pattern definition.

* Add additional default no-nonce file extensions.

* Delay building of no-nonce predicates until after initialization

Capture servlet context and make it available to predicate-construction.

* Introduce a MIME-type match for no-nonce URLs

* Add .jms file extension to default no-nonce list.

Align documentation with the actual default no-nonce list.

* Fix logic error.

* Optimize and fix logic error.

* Clarify documentation

* Consistency

* Use javabean semantics for boolean accessor

* Fix copy/paste logic error.

* Align documentation with javadoc.

* Make regular-expression no-nonce patterns singletons.

There is no particular need to have multiple regular expressions, here.

* Fix broken unit test

* Fix obvious matching error with prefix and suffix predicates.

Restore regexp matching capability when parsing a single expression. This 
allows regular expressions with MIME matching.

* Add unit tests.

* Add javadoc.

* Add changelog
---
 .../catalina/filters/CsrfPreventionFilter.java | 392 +++--
 .../catalina/filters/TestCsrfPreventionFilter.java | 110 +-
 webapps/docs/changelog.xml |   4 +
 webapps/docs/config/filter.xml |  42 +++
 4 files changed, 508 insertions(+), 40 deletions(-)

diff --git a/java/org/apache/catalina/filters/CsrfPreventionFilter.java 
b/java/org/apache/catalina/filters/CsrfPreventionFilter.java
index 2464ebc59c..b6b78dc7e3 100644
--- a/java/org/apache/catalina/filters/CsrfPreventionFilter.java
+++ b/java/org/apache/catalina/filters/CsrfPreventionFilter.java
@@ -18,15 +18,22 @@ package org.apache.catalina.filters;
 
 import java.io.IOException;
 import java.io.Serializable;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
 import java.util.HashSet;
 import java.util.LinkedHashMap;
 import java.util.Map;
 import java.util.Set;
+import java.util.function.Predicate;
+import java.util.regex.Pattern;
 
 import javax.servlet.FilterChain;
 import javax.servlet.FilterConfig;
+import javax.servlet.ServletContext;
 import javax.servlet.ServletException;
 import javax.servlet.ServletRequest;
+import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
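Review bot: this hunk adds `+import javax.servlet.ServletRequest;` directly beneath the existing ` import javax.servlet.ServletRequest;` context line, which is the duplicate that the later 9.0.x `Checkstyle` commit (b51f547ff2) has to remove; it compiles, because javac ignores a repeated identical single-type import, but it should have been caught before the push. Note also that this branch keeps `java.util.function.Predicate` while 8.5.x carries a locally-defined `Predicate` for Java 7, so the test import differs between the two branches and any further test backport needs that adjusted by hand.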
@@ -43,8 +50,38 @@ import org.apache.juli.logging.LogFactory;
  * {@link HttpServletResponse#encodeRedirectURL(String)} and {@link 
HttpServletResponse#encodeURL(String)} are used
  * to encode all URLs returned to the client
  * 
+ *
+ * 
+ *   CSRF protection is enabled by generating random nonce values which are
+ *   stored in the client's HTTP session. Each URL encoded using
+ *   {@link HttpServletResponse#encodeURL(String)} has a URL parameter added
+ *   which, when sent to the server in a future request, will be checked
+ *   against this stored set of nonces for validity.
+ * 
+ *
+ * 
+ *   Some URLs should be accessible even without a valid nonce parameter value.
+ *   These URLs are known as "entry points" because clients should be able to
+ *   "enter" the application without first establishing any valid tokens. These
+ *   are configured with the entryPoints filter
+ *   init-param.
+ * 
+ *
+ * 
+ *   Some URLs should not have nonce parameters added to them at all
  */
 public class CsrfPreventionFilter extends CsrfPreventionFilterBase {
+/**
+ * The default set of URL patterns for which nonces will not be appended.
+ */
+private static final String 

(tomcat) branch 10.1.x updated: Csrf filter improvements (#681)

2024-02-01 Thread schultz
This is an automated email from the ASF dual-hosted git repository.

schultz pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/10.1.x by this push:
 new cf002c1cd6 Csrf filter improvements (#681)
cf002c1cd6 is described below

commit cf002c1cd6144a821b3be46db6c7bef2b198b75e
Author: Christopher Schultz 
AuthorDate: Thu Feb 1 10:02:27 2024 -0500

Csrf filter improvements (#681)

* Add an enforce() method and support for non-enforcement of CSRF

This allows subclasses to decide whether to enforce CSRF under whatever 
conditions they choose.

* Add an "enforce" flag for CSRF prevention.

This allows developers to put the CSRF prevention filter into a monitoring 
mode.

* Add no-nonce-URL patterns to suppress nonces for certain URLs

This improves cache performance for resources that need no protection.

* Whitespace police

* Add SVG to default list of no-nonce patterns.

* URLs that will not have nonces added to them should also be skipped for 
enforcement.

* Re-organize constant members and re-factor a utility method.

* Simplify default no-nonce URL pattern definition.

* Add additional default no-nonce file extensions.

* Delay building of no-nonce predicates until after initialization

Capture servlet context and make it available to predicate-construction.

* Introduce a MIME-type match for no-nonce URLs

* Add .jms file extension to default no-nonce list.

Align documentation with the actual default no-nonce list.

* Fix logic error.

* Optimize and fix logic error.

* Clarify documentation

* Consistency

* Use javabean semantics for boolean accessor

* Fix copy/paste logic error.

* Align documentation with javadoc.

* Make regular-expression no-nonce patterns singletons.

There is no particular need to have multiple regular expressions, here.

* Fix broken unit test

* Fix obvious matching error with prefix and suffix predicates.

Restore regexp matching capability when parsing a single expression. This 
allows regular expressions with MIME matching.

* Add unit tests.

* Add javadoc.

* Add changelog
---
 .../catalina/filters/CsrfPreventionFilter.java | 391 +++--
 .../catalina/filters/TestCsrfPreventionFilter.java | 110 +-
 webapps/docs/changelog.xml |   4 +
 webapps/docs/config/filter.xml |  42 +++
 4 files changed, 507 insertions(+), 40 deletions(-)

diff --git a/java/org/apache/catalina/filters/CsrfPreventionFilter.java 
b/java/org/apache/catalina/filters/CsrfPreventionFilter.java
index f1c653e9b1..82dd06917c 100644
--- a/java/org/apache/catalina/filters/CsrfPreventionFilter.java
+++ b/java/org/apache/catalina/filters/CsrfPreventionFilter.java
@@ -18,13 +18,19 @@ package org.apache.catalina.filters;
 
 import java.io.IOException;
 import java.io.Serializable;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
 import java.util.HashSet;
 import java.util.LinkedHashMap;
 import java.util.Map;
 import java.util.Set;
+import java.util.function.Predicate;
+import java.util.regex.Pattern;
 
 import jakarta.servlet.FilterChain;
 import jakarta.servlet.FilterConfig;
+import jakarta.servlet.ServletContext;
 import jakarta.servlet.ServletException;
 import jakarta.servlet.ServletRequest;
 import jakarta.servlet.ServletResponse;
@@ -43,8 +49,38 @@ import org.apache.juli.logging.LogFactory;
  * {@link HttpServletResponse#encodeRedirectURL(String)} and {@link 
HttpServletResponse#encodeURL(String)} are used
  * to encode all URLs returned to the client
  * 
+ *
+ * 
+ *   CSRF protection is enabled by generating random nonce values which are
+ *   stored in the client's HTTP session. Each URL encoded using
+ *   {@link HttpServletResponse#encodeURL(String)} has a URL parameter added
+ *   which, when sent to the server in a future request, will be checked
+ *   against this stored set of nonces for validity.
+ * 
+ *
+ * 
+ *   Some URLs should be accessible even without a valid nonce parameter value.
+ *   These URLs are known as "entry points" because clients should be able to
+ *   "enter" the application without first establishing any valid tokens. These
+ *   are configured with the entryPoints filter
+ *   init-param.
+ * 
+ *
+ * 
+ *   Some URLs should not have nonce parameters added to them at all
  */
 public class CsrfPreventionFilter extends CsrfPreventionFilterBase {
+/**
+ * The default set of URL patterns for which nonces will not be appended.
+ */
+private static final String DEFAULT_NO_NONCE_URL_PATTERNS
+= "*.css, *.js, *.gif, *.png, *.jpg, *.svg, *.ico, *.jpeg, *.mjs";
+
+/**
+ * The servlet context in 
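Review bot: the javadoc added in this hunk presents entry points and no-nonce URLs only as exemptions from nonce generation, but the commit message states that "URLs that will not have nonces added to them should also be skipped for enforcement"; that is the security-relevant behaviour and it belongs in the class javadoc, since an administrator reading it would otherwise assume a request matching `*.js` or `*.css` (the defaults in `DEFAULT_NO_NONCE_URL_PATTERNS`, matched as URL suffixes) is still checked for a valid nonce. Suggest stating explicitly that a matching request bypasses the CSRF check entirely, and that state-changing endpoints must therefore not be reachable under any of the configured no-nonce patterns.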

(tomcat) branch main updated: Csrf filter improvements (#681)

2024-02-01 Thread schultz
This is an automated email from the ASF dual-hosted git repository.

schultz pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
 new 9eb9dfd8da Csrf filter improvements (#681)
9eb9dfd8da is described below

commit 9eb9dfd8da38f8cc750b22e4d676b0d03aa8dfe1
Author: Christopher Schultz 
AuthorDate: Thu Feb 1 10:02:27 2024 -0500

Csrf filter improvements (#681)

* Add an enforce() method and support for non-enforcement of CSRF

This allows subclasses to decide whether to enforce CSRF under whatever 
conditions they choose.

* Add an "enforce" flag for CSRF prevention.

This allows developers to put the CSRF prevention filter into a monitoring 
mode.

* Add no-nonce-URL patterns to suppress nonces for certain URLs

This improves cache performance for resources that need no protection.

* Whitespace police

* Add SVG to default list of no-nonce patterns.

* URLs that will not have nonces added to them should also be skipped for 
enforcement.

* Re-organize constant members and re-factor a utility method.

* Simplify default no-nonce URL pattern definition.

* Add additional default no-nonce file extensions.

* Delay building of no-nonce predicates until after initialization

Capture servlet context and make it available to predicate-construction.

* Introduce a MIME-type match for no-nonce URLs

* Add .jms file extension to default no-nonce list.

Align documentation with the actual default no-nonce list.

* Fix logic error.

* Optimize and fix logic error.

* Clarify documentation

* Consistency

* Use javabean semantics for boolean accessor

* Fix copy/paste logic error.

* Align documentation with javadoc.

* Make regular-expression no-nonce patterns singletons.

There is no particular need to have multiple regular expressions, here.

* Fix broken unit test

* Fix obvious matching error with prefix and suffix predicates.

Restore regexp matching capability when parsing a single expression. This 
allows regular expressions with MIME matching.

* Add unit tests.

* Add javadoc.

* Add changelog
---
 .../catalina/filters/CsrfPreventionFilter.java | 391 +++--
 .../catalina/filters/TestCsrfPreventionFilter.java | 110 +-
 webapps/docs/changelog.xml |   4 +
 webapps/docs/config/filter.xml |  42 +++
 4 files changed, 507 insertions(+), 40 deletions(-)

diff --git a/java/org/apache/catalina/filters/CsrfPreventionFilter.java 
b/java/org/apache/catalina/filters/CsrfPreventionFilter.java
index f1c653e9b1..82dd06917c 100644
--- a/java/org/apache/catalina/filters/CsrfPreventionFilter.java
+++ b/java/org/apache/catalina/filters/CsrfPreventionFilter.java
@@ -18,13 +18,19 @@ package org.apache.catalina.filters;
 
 import java.io.IOException;
 import java.io.Serializable;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
 import java.util.HashSet;
 import java.util.LinkedHashMap;
 import java.util.Map;
 import java.util.Set;
+import java.util.function.Predicate;
+import java.util.regex.Pattern;
 
 import jakarta.servlet.FilterChain;
 import jakarta.servlet.FilterConfig;
+import jakarta.servlet.ServletContext;
 import jakarta.servlet.ServletException;
 import jakarta.servlet.ServletRequest;
 import jakarta.servlet.ServletResponse;
@@ -43,8 +49,38 @@ import org.apache.juli.logging.LogFactory;
  * {@link HttpServletResponse#encodeRedirectURL(String)} and {@link 
HttpServletResponse#encodeURL(String)} are used
  * to encode all URLs returned to the client
  * 
+ *
+ * 
+ *   CSRF protection is enabled by generating random nonce values which are
+ *   stored in the client's HTTP session. Each URL encoded using
+ *   {@link HttpServletResponse#encodeURL(String)} has a URL parameter added
+ *   which, when sent to the server in a future request, will be checked
+ *   against this stored set of nonces for validity.
+ * 
+ *
+ * 
+ *   Some URLs should be accessible even without a valid nonce parameter value.
+ *   These URLs are known as "entry points" because clients should be able to
+ *   "enter" the application without first establishing any valid tokens. These
+ *   are configured with the entryPoints filter
+ *   init-param.
+ * 
+ *
+ * 
+ *   Some URLs should not have nonce parameters added to them at all
  */
 public class CsrfPreventionFilter extends CsrfPreventionFilterBase {
+/**
+ * The default set of URL patterns for which nonces will not be appended.
+ */
+private static final String DEFAULT_NO_NONCE_URL_PATTERNS
+= "*.css, *.js, *.gif, *.png, *.jpg, *.svg, *.ico, *.jpeg, *.mjs";
+
+/**
+ * The servlet context in 
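Review bot: the constant `DEFAULT_NO_NONCE_URL_PATTERNS` in this hunk lists `*.mjs`, while the commit message says the ".jms file extension" was added to the default list; since this commit also touches webapps/docs/config/filter.xml and the changelog, please verify that the documented default list spells the extension `.mjs` as the code does, and that the entry is not duplicated with `*.js` in the documentation. Also worth documenting on the constant itself is that the list is parsed as comma-separated entries with surrounding whitespace, as the literal here relies on the parser trimming each entry.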

Re: [PR] Csrf filter improvements [tomcat]

2024-02-01 Thread via GitHub


ChristopherSchultz merged PR #681:
URL: https://github.com/apache/tomcat/pull/681

