This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 2193c156b832432dc2b398a1dc37b7aa82707f2c Merge: 99e36dc 0900048 Author: Mark Thomas <ma...@apache.org> AuthorDate: Mon May 20 08:47:16 2019 +0100 Add support for same-site cookie-attribute Patch provided by John Kelly .../tomcat/util/http/CookieProcessorBase.java | 10 +++ .../tomcat/util/http/LegacyCookieProcessor.java | 9 +- .../tomcat/util/http/LocalStrings.properties | 1 + .../tomcat/util/http/Rfc6265CookieProcessor.java | 7 ++ .../apache/tomcat/util/http/SameSiteCookies.java | 59 +++++++++++++ .../util/http/TestCookieProcessorGeneration.java | 49 +++++++++++ .../tomcat/util/http/TestSameSiteCookies.java | 97 ++++++++++++++++++++++ webapps/docs/changelog.xml | 4 + webapps/docs/config/cookie-processor.xml | 10 +++ 9 files changed, 245 insertions(+), 1 deletion(-) diff --cc java/org/apache/tomcat/util/http/SameSiteCookies.java index 0000000,f9eb7a5..c79fbc1 mode 000000,100644..100644 --- a/java/org/apache/tomcat/util/http/SameSiteCookies.java +++ b/java/org/apache/tomcat/util/http/SameSiteCookies.java @@@ -1,0 -1,43 +1,59 @@@ ++/* ++ * Licensed to the Apache Software Foundation (ASF) under one or more ++ * contributor license agreements. See the NOTICE file distributed with ++ * this work for additional information regarding copyright ownership. ++ * The ASF licenses this file to You under the Apache License, Version 2.0 ++ * (the "License"); you may not use this file except in compliance with ++ * the License. You may obtain a copy of the License at ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, software ++ * distributed under the License is distributed on an "AS IS" BASIS, ++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++ * See the License for the specific language governing permissions and ++ * limitations under the License. 
++ */ + package org.apache.tomcat.util.http; + + import org.apache.tomcat.util.res.StringManager; + + public enum SameSiteCookies { + + /** + * Don't set the SameSite cookie attribute. Cookie is always sent + */ + NONE("None"), + + /** + * Cookie is only sent on same-site requests and cross-site top level navigation GET requests + */ + LAX("Lax"), + + /** + * Prevents the cookie from being sent by the browser in all cross-site requests + */ + STRICT("Strict"); + + private static final StringManager sm = StringManager.getManager(SameSiteCookies.class); + + private final String value; + + SameSiteCookies(String value) { + this.value = value; + } + + public String getValue() { + return value; + } + + public static SameSiteCookies fromString(String value) { + for (SameSiteCookies sameSiteCookies : SameSiteCookies.values()) { + if (sameSiteCookies.getValue().equalsIgnoreCase(value)) { + return sameSiteCookies; + } + } + + throw new IllegalStateException(sm.getString("cookies.invalidSameSiteCookies", value)); + } + } diff --cc test/org/apache/tomcat/util/http/TestSameSiteCookies.java index 0000000,74842c1..60cc3a8 mode 000000,100644..100644 --- a/test/org/apache/tomcat/util/http/TestSameSiteCookies.java +++ b/test/org/apache/tomcat/util/http/TestSameSiteCookies.java @@@ -1,0 -1,81 +1,97 @@@ ++/* ++ * Licensed to the Apache Software Foundation (ASF) under one or more ++ * contributor license agreements. See the NOTICE file distributed with ++ * this work for additional information regarding copyright ownership. ++ * The ASF licenses this file to You under the Apache License, Version 2.0 ++ * (the "License"); you may not use this file except in compliance with ++ * the License. 
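Review bot: `fromString` in SameSiteCookies rejects an unrecognised value with `IllegalStateException`, but the condition is a bad argument rather than bad object state, so `IllegalArgumentException` is the conventional type and the one a caller validating a configuration string would expect to catch; the change is `throw new IllegalArgumentException(sm.getString("cookies.invalidSameSiteCookies", value));` together with the matching `expected` types in TestSameSiteCookies. The `NONE` constant's Javadoc says the attribute is not set, yet its `getValue()` returns `"None"`, which is also the spelling of an explicit attribute value (`SameSite=None`) in the cookie spec draft; the code that writes the header is not in this hunk, so the Javadoc should state whether that string is ever emitted, e.g. `/** Don't set the SameSite cookie attribute. "None" is a configuration keyword only; confirm it is never written to Set-Cookie. */`. `fromString` also does no trimming, so `"Lax "` is rejected (the tests pin this), which deserves a sentence in the method's Javadoc so that a hard failure on trailing whitespace in configuration is understood as deliberate.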
You may obtain a copy of the License at ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, software ++ * distributed under the License is distributed on an "AS IS" BASIS, ++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++ * See the License for the specific language governing permissions and ++ * limitations under the License. ++ */ + package org.apache.tomcat.util.http; + ++import org.junit.Assert; + import org.junit.Test; + -import org.junit.Assert; + + public class TestSameSiteCookies { + + @Test + public void testNone() { + SameSiteCookies attribute = SameSiteCookies.NONE; + + Assert.assertEquals("None", attribute.getValue()); + Assert.assertEquals(SameSiteCookies.NONE, attribute); + + Assert.assertNotEquals(SameSiteCookies.LAX, attribute); + Assert.assertNotEquals(SameSiteCookies.STRICT, attribute); + } + + @Test + public void testLax() { + SameSiteCookies attribute = SameSiteCookies.LAX; + + Assert.assertEquals("Lax", attribute.getValue()); + Assert.assertEquals(SameSiteCookies.LAX, attribute); + + Assert.assertNotEquals(SameSiteCookies.NONE, attribute); + Assert.assertNotEquals(SameSiteCookies.STRICT, attribute); + } + + @Test + public void testStrict() { + SameSiteCookies attribute = SameSiteCookies.STRICT; + + Assert.assertEquals("Strict", attribute.getValue()); + Assert.assertEquals(SameSiteCookies.STRICT, attribute); + + Assert.assertNotEquals(SameSiteCookies.NONE, attribute); + Assert.assertNotEquals(SameSiteCookies.LAX, attribute); + } + + @Test + public void testToValidAttribute() { + Assert.assertEquals(SameSiteCookies.fromString("none"), SameSiteCookies.NONE); + Assert.assertEquals(SameSiteCookies.fromString("None"), SameSiteCookies.NONE); + Assert.assertEquals(SameSiteCookies.fromString("NONE"), SameSiteCookies.NONE); + + Assert.assertEquals(SameSiteCookies.fromString("lax"), SameSiteCookies.LAX); + 
Assert.assertEquals(SameSiteCookies.fromString("Lax"), SameSiteCookies.LAX); + Assert.assertEquals(SameSiteCookies.fromString("LAX"), SameSiteCookies.LAX); + + Assert.assertEquals(SameSiteCookies.fromString("strict"), SameSiteCookies.STRICT); + Assert.assertEquals(SameSiteCookies.fromString("Strict"), SameSiteCookies.STRICT); + Assert.assertEquals(SameSiteCookies.fromString("STRICT"), SameSiteCookies.STRICT); + } + + @Test(expected = IllegalStateException.class) + public void testToInvalidAttribute01() { + SameSiteCookies.fromString(""); + } + + @Test(expected = IllegalStateException.class) + public void testToInvalidAttribute02() { + SameSiteCookies.fromString(" "); + } + + @Test(expected = IllegalStateException.class) + public void testToInvalidAttribute03() { + SameSiteCookies.fromString("Strict1"); + } + + @Test(expected = IllegalStateException.class) + public void testToInvalidAttribute04() { + SameSiteCookies.fromString("foo"); + } + + @Test(expected = IllegalStateException.class) + public void testToInvalidAttribute05() { + SameSiteCookies.fromString("Lax "); + } + } diff --cc webapps/docs/changelog.xml index 055239f,a3a79d2..dc552cf --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@@ -48,156 -48,14 +48,160 @@@ <subsection name="Catalina"> <changelog> <add> - Add support for same-site cookie attribute. Patch provided by John Kelly. - (markt) + <bug>57287</bug>: Add file sorting to DefaultServlet (schultz) + </add> + <fix> + Fix <code>--no-jmx</code> flag processing, which was called after + registry initialization. (remm) + </fix> + <fix> + Ensure that a default request character encoding set on a + <code>ServletContext</code> is used when calling + <code>ServletRequest#getReader()</code>. (markt) + </fix> + <fix> + Make a best efforts attempt to clean-up if a request fails during + processing due to an <code>OutOfMemoryException</code>. 
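Review bot: The invalid-input cases in TestSameSiteCookies cover only non-null strings; nothing pins what `fromString(null)` does. Since `equalsIgnoreCase(null)` is false for every constant, the loop presumably falls through to the throw and the result is the `IllegalStateException` from the message lookup rather than a NullPointerException, but that is worth asserting because a null is the likely input when the configuration attribute is missing: `@Test(expected = IllegalStateException.class) public void testToInvalidAttribute06() { SameSiteCookies.fromString(null); }`. The case-insensitive matches in testToValidAttribute could also include a mixed-case spelling such as `"sTrIcT"` to make the `equalsIgnoreCase` contract explicit rather than only exercising all-lower and all-upper forms.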
(markt) + </fix> + <fix> + Improve the BoM detection for static files handled by the default + servlet for the rarely used UTF-32 encodings. Identified by Coverity + Scan. (markt) + </fix> + <fix> + Ensure that the default servlet reads the entire global XSLT file if + one is defined. Identified by Coverity Scan. (markt) + </fix> + <fix> + Avoid potential <code>NullPointerException</code> when generating an + HTTP <code>Allow</code> header. Identified by Coverity Scan. (markt) + </fix> + </changelog> + </subsection> + <subsection name="Coyote"> + <changelog> + <fix> + NIO poller seems to create some unwanted concurrency, causing rare + CI test failures. Add sync when processing async operation to avoid + this. (remm) + </fix> + <fix> + Fix concurrency issue that lead to incorrect HTTP/2 connection timeout. + (remm/markt) + </fix> + <fix> + Avoid useless exception wrapping in async IO. (remm) + </fix> + <fix> + <bug>63412</bug>: Security manager failure when using the async IO + API from a webapp. (remm) + </fix> + <fix> + Remove <code>acceptorThreadCount</code> Connector attribute, + one accept thread is sufficient. As documented, value <code>2</code> + was the only other sensible value, but without and impact beyond + certain microbenchmarks. (remm) + </fix> + <fix> + Avoid possible NPEs on connector stop. (remm) + </fix> + <update> + Remove <code>pollerThreadCount</code> Connector attribute for NIO, + one poller thread is sufficient. (remm) + </update> + <add> + Add async IO for APR connector for consistency, but disable it by + default due to low performance. (remm) + </add> + <fix> + Avoid blocking write of internal buffer when using async IO. (remm) + </fix> + <scode> + Refactor async IO implementation to the <code>SocketWrapperBase</code>. + (remm) + </scode> + <update> + Refactor <code>SocketWrapperBase</code> close using an atomic boolean + and a <code>doClose</code> method that subclasses will implement, with + a guarantee that it will be run only once. 
(remm) + </update> + <fix> + Decouple the socket wrapper, which is not recycled, from the NIOx + channel after close, and replace it with a dummy static object. (remm) + </fix> + <fix> + Clear buffers on socket wrapper close. (remm) + </fix> + <fix> + NIO2 failed to properly close sockets on connector stop. (remm) + </fix> + <update> + Reduce the default for <code>maxConcurrentStreams</code> on the + <code>Http2Protocol</code> from 200 to 100 to align with typical + defaults for HTTP/2 implementations. (markt) + </update> + <update> + Reduce the default HTTP/2 header list size from 4GB to 32kB to align + with typical HTTP/2 implementations. (markt) + </update> ++ <add> ++ Add support for same-site cookie attribute. Patch provided by John ++ Kelly. (markt) + </add> </changelog> </subsection> + <subsection name="Cluster"> + <changelog> + <fix> + <bug>62841</bug>: Refactor the <code>DeltaRequest</code> serialization + to reduce the window during which the <code>DeltaSession</code> is + locked and to remove a potential cause of deadlocks during + serialization. (markt) + </fix> + <fix> + <bug>63441</bug>: Further streamline the processing of session creation + messages in the <code>DeltaManager</code> to reduce the possibility of a + session update message being processed before the session has been + created. (markt) + </fix> + </changelog> + </subsection> + <subsection name="Tribes"> + <changelog> + <fix> + Treat <code>NoRouteToHostException</code> the same way as + <code>SocketTimeoutException</code> when checking the health of group + members. This avoids a SEVERE log message every time the check is + performed when the host associated with a group member is not powered + on. (markt) + </fix> + </changelog> + </subsection> + <subsection name="WebSocket"> + <changelog> + <fix> + Fix timeout logic for async non blocking writes. Identified by + Coverity Scan. 
(remm) + </fix> + </changelog> + </subsection> <subsection name="Other"> <changelog> - <update>Switch from FindBugs to SpotBugs. (fschumacher)</update> + <update> + Switch from FindBugs to SpotBugs. (fschumacher) + </update> + <update> + Start Graal native image compatibility. Support is initially targeted + at the tomcat-maven packaging. (remm) + </update> + <fix> + <bug>63403</bug>: Fix TestHttp2InitialConnection test failures when + running with a non-English locale. (kkolinko) + </fix> + <fix> + Add Graal JreCompat, and use it to disable JMX and URL stream handlers. + (remm) + </fix> </changelog> </subsection> </section> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org