Author: markt
Date: Tue Aug 23 10:54:28 2016
New Revision: 1757353

URL: http://svn.apache.org/viewvc?rev=1757353&view=rev
Log:
Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=60008
When processing CORS requests, treat any origin with a URI scheme of file as a valid origin.

Modified: tomcat/trunk/java/org/apache/catalina/filters/CorsFilter.java tomcat/trunk/webapps/docs/changelog.xml Modified: tomcat/trunk/java/org/apache/catalina/filters/CorsFilter.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/filters/CorsFilter.java?rev=1757353&r1=1757352&r2=1757353&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/catalina/filters/CorsFilter.java (original) +++ tomcat/trunk/java/org/apache/catalina/filters/CorsFilter.java Tue Aug 23 10:54:28 2016 @@ -826,8 +826,14 @@ public final class CorsFilter extends Ge return true; } - URI originURI; + // RFC6454, section 4. "If uri-scheme is file, the implementation MAY + // return an implementation-defined value.". No limits are okaced on + // that value so treat all file URIs as valid origins. + if (origin.startsWith("file://")) { + return true; + } + URI originURI; try { originURI = new URI(origin); } catch (URISyntaxException e) { Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1757353&r1=1757352&r2=1757353&view=diff ============================================================================== --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Tue Aug 23 10:54:28 2016 @@ -191,6 +191,10 @@ Ensure that <code>Semaphore.release</code> is called in all cases. Even when there is an exception. (violetagg) </fix> + <fix> + <bug>60008</bug>: When processing CORs requests, treat any origin with a + URI scheme of <code>file</code> as a valid origin. (markt) + </fix> </changelog> </subsection> <subsection name="Jasper"> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
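
Review bot: In the CorsFilter.java hunk, the new `origin.startsWith("file://")` test returns true before the `new URI(origin)` parse below it, so everything after the `file://` prefix is accepted without the syntax check that other origins get. If that is intended, the comment should say so explicitly; otherwise consider still rejecting values that cannot be a well-formed origin before returning. The match is also case-sensitive, while URI schemes are case-insensitive per RFC 3986, so an origin written as `FILE://` falls through to the URI parsing path instead of taking this branch; a case-insensitive prefix comparison would make the behaviour consistent. Finally, "No limits are okaced on" in the added comment is a typo for "placed".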
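
Review bot: In the changelog.xml hunk, the new `<fix>` entry spells the acronym "CORs"; it should read "CORS" in the user-facing changelog. The entry would also be clearer if it noted that the change is in CorsFilter, since the text only says "when processing" such requests and does not name the component a reader would configure.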