show_bug.cgi?id=63865

markt Thu, 24 Oct 2019 03:24:07 -0700

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git



The following commit(s) were added to refs/heads/master by this push:
     new ec782a0  Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=63865
ec782a0 is described below

commit ec782a03a91cddeab2406d6e16a953a0dcf982a5
Author: John Kelly <johnkdeve...@gmail.com>
AuthorDate: Thu Oct 24 10:49:45 2019 +0100

    Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=63865
    
    Add unset option to same-site cookies and pass through none value if set by 
user.
---
 .../apache/tomcat/util/http/CookieProcessorBase.java |  2 +-
 .../tomcat/util/http/LegacyCookieProcessor.java      |  2 +-
 .../apache/tomcat/util/http/LocalStrings.properties  |  2 +-
 .../tomcat/util/http/Rfc6265CookieProcessor.java     |  2 +-
 .../org/apache/tomcat/util/http/SameSiteCookies.java |  7 ++++++-
 .../util/http/TestCookieProcessorGeneration.java     | 20 ++++++++++++++++----
 .../apache/tomcat/util/http/TestSameSiteCookies.java | 19 +++++++++++++++++++
 webapps/docs/changelog.xml                           |  5 +++++
 webapps/docs/config/cookie-processor.xml             | 10 ++++++++--
 9 files changed, 58 insertions(+), 11 deletions(-)

diff --git a/java/org/apache/tomcat/util/http/CookieProcessorBase.java 
b/java/org/apache/tomcat/util/http/CookieProcessorBase.java
index 3cb5430..589df47 100644
--- a/java/org/apache/tomcat/util/http/CookieProcessorBase.java
+++ b/java/org/apache/tomcat/util/http/CookieProcessorBase.java
@@ -43,7 +43,7 @@ public abstract class CookieProcessorBase implements 
CookieProcessor {
         ANCIENT_DATE = COOKIE_DATE_FORMAT.get().format(new Date(10000));
     }
 
-    private SameSiteCookies sameSiteCookies = SameSiteCookies.NONE;
+    private SameSiteCookies sameSiteCookies = SameSiteCookies.UNSET;
 
     public SameSiteCookies getSameSiteCookies() {
         return sameSiteCookies;
diff --git a/java/org/apache/tomcat/util/http/LegacyCookieProcessor.java 
b/java/org/apache/tomcat/util/http/LegacyCookieProcessor.java
index c686b7c..4f9ea2f 100644
--- a/java/org/apache/tomcat/util/http/LegacyCookieProcessor.java
+++ b/java/org/apache/tomcat/util/http/LegacyCookieProcessor.java
@@ -326,7 +326,7 @@ public final class LegacyCookieProcessor extends 
CookieProcessorBase {
 
         SameSiteCookies sameSiteCookiesValue = getSameSiteCookies();
 
-        if (!sameSiteCookiesValue.equals(SameSiteCookies.NONE)) {
+        if (!sameSiteCookiesValue.equals(SameSiteCookies.UNSET)) {
             buf.append("; SameSite=");
             buf.append(sameSiteCookiesValue.getValue());
         }
diff --git a/java/org/apache/tomcat/util/http/LocalStrings.properties 
b/java/org/apache/tomcat/util/http/LocalStrings.properties
index 17211a3..f9b8e0d 100644
--- a/java/org/apache/tomcat/util/http/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/http/LocalStrings.properties
@@ -16,7 +16,7 @@
 cookies.fallToDebug=\n\
 \ Note: further occurrences of Cookie errors will be logged at DEBUG level.
 cookies.invalidCookieToken=Cookies: Invalid cookie. Value not a token or 
quoted value
-cookies.invalidSameSiteCookies=Unknown setting [{0}], must be one of: none, 
lax, strict. Default value is none.
+cookies.invalidSameSiteCookies=Unknown setting [{0}], must be one of: unset, 
none, lax, strict. Default value is unset.
 cookies.invalidSpecial=Cookies: Unknown Special Cookie
 cookies.maxCountFail=More than the maximum allowed number of cookies, [{0}], 
were detected.
 
diff --git a/java/org/apache/tomcat/util/http/Rfc6265CookieProcessor.java 
b/java/org/apache/tomcat/util/http/Rfc6265CookieProcessor.java
index 0d81a9b..2021f3d 100644
--- a/java/org/apache/tomcat/util/http/Rfc6265CookieProcessor.java
+++ b/java/org/apache/tomcat/util/http/Rfc6265CookieProcessor.java
@@ -164,7 +164,7 @@ public class Rfc6265CookieProcessor extends 
CookieProcessorBase {
 
         SameSiteCookies sameSiteCookiesValue = getSameSiteCookies();
 
-        if (!sameSiteCookiesValue.equals(SameSiteCookies.NONE)) {
+        if (!sameSiteCookiesValue.equals(SameSiteCookies.UNSET)) {
             header.append("; SameSite=");
             header.append(sameSiteCookiesValue.getValue());
         }
diff --git a/java/org/apache/tomcat/util/http/SameSiteCookies.java 
b/java/org/apache/tomcat/util/http/SameSiteCookies.java
index c79fbc1..dcf4a7d 100644
--- a/java/org/apache/tomcat/util/http/SameSiteCookies.java
+++ b/java/org/apache/tomcat/util/http/SameSiteCookies.java
@@ -21,7 +21,12 @@ import org.apache.tomcat.util.res.StringManager;
 public enum SameSiteCookies {
 
     /**
-     * Don't set the SameSite cookie attribute. Cookie is always sent
+     * Don't set the SameSite cookie attribute.
+     */
+    UNSET("Unset"),
+
+    /**
+     * Cookie is always sent in cross-site requests.
      */
     NONE("None"),
 
diff --git 
a/test/org/apache/tomcat/util/http/TestCookieProcessorGeneration.java 
b/test/org/apache/tomcat/util/http/TestCookieProcessorGeneration.java
index 96bc238..c9d4b65 100644
--- a/test/org/apache/tomcat/util/http/TestCookieProcessorGeneration.java
+++ b/test/org/apache/tomcat/util/http/TestCookieProcessorGeneration.java
@@ -264,12 +264,18 @@ public class TestCookieProcessorGeneration {
         Assert.assertEquals("foo=bar", legacy.generateHeader(cookie));
         Assert.assertEquals("foo=bar", rfc6265.generateHeader(cookie));
 
-        legacy.setSameSiteCookies("none");
-        rfc6265.setSameSiteCookies("none");
+        legacy.setSameSiteCookies("unset");
+        rfc6265.setSameSiteCookies("unset");
 
         Assert.assertEquals("foo=bar", legacy.generateHeader(cookie));
         Assert.assertEquals("foo=bar", rfc6265.generateHeader(cookie));
 
+        legacy.setSameSiteCookies("none");
+        rfc6265.setSameSiteCookies("none");
+
+        Assert.assertEquals("foo=bar; SameSite=None", 
legacy.generateHeader(cookie));
+        Assert.assertEquals("foo=bar; SameSite=None", 
rfc6265.generateHeader(cookie));
+
         legacy.setSameSiteCookies("lax");
         rfc6265.setSameSiteCookies("lax");
 
@@ -285,12 +291,18 @@ public class TestCookieProcessorGeneration {
         cookie.setSecure(true);
         cookie.setHttpOnly(true);
 
-        legacy.setSameSiteCookies("none");
-        rfc6265.setSameSiteCookies("none");
+        legacy.setSameSiteCookies("unset");
+        rfc6265.setSameSiteCookies("unset");
 
         Assert.assertEquals("foo=bar; Secure; HttpOnly", 
legacy.generateHeader(cookie));
         Assert.assertEquals("foo=bar; Secure; HttpOnly", 
rfc6265.generateHeader(cookie));
 
+        legacy.setSameSiteCookies("none");
+        rfc6265.setSameSiteCookies("none");
+
+        Assert.assertEquals("foo=bar; Secure; HttpOnly; SameSite=None", 
legacy.generateHeader(cookie));
+        Assert.assertEquals("foo=bar; Secure; HttpOnly; SameSite=None", 
rfc6265.generateHeader(cookie));
+
         legacy.setSameSiteCookies("lax");
         rfc6265.setSameSiteCookies("lax");
 
diff --git a/test/org/apache/tomcat/util/http/TestSameSiteCookies.java 
b/test/org/apache/tomcat/util/http/TestSameSiteCookies.java
index 60cc3a8..e3f8889 100644
--- a/test/org/apache/tomcat/util/http/TestSameSiteCookies.java
+++ b/test/org/apache/tomcat/util/http/TestSameSiteCookies.java
@@ -23,12 +23,25 @@ import org.junit.Test;
 public class TestSameSiteCookies {
 
     @Test
+    public void testUnset() {
+        SameSiteCookies attribute = SameSiteCookies.UNSET;
+
+        Assert.assertEquals("Unset", attribute.getValue());
+        Assert.assertEquals(SameSiteCookies.UNSET, attribute);
+
+        Assert.assertNotEquals(SameSiteCookies.NONE, attribute);
+        Assert.assertNotEquals(SameSiteCookies.LAX, attribute);
+        Assert.assertNotEquals(SameSiteCookies.STRICT, attribute);
+    }
+
+    @Test
     public void testNone() {
         SameSiteCookies attribute = SameSiteCookies.NONE;
 
         Assert.assertEquals("None", attribute.getValue());
         Assert.assertEquals(SameSiteCookies.NONE, attribute);
 
+        Assert.assertNotEquals(SameSiteCookies.UNSET, attribute);
         Assert.assertNotEquals(SameSiteCookies.LAX, attribute);
         Assert.assertNotEquals(SameSiteCookies.STRICT, attribute);
     }
@@ -40,6 +53,7 @@ public class TestSameSiteCookies {
         Assert.assertEquals("Lax", attribute.getValue());
         Assert.assertEquals(SameSiteCookies.LAX, attribute);
 
+        Assert.assertNotEquals(SameSiteCookies.UNSET, attribute);
         Assert.assertNotEquals(SameSiteCookies.NONE, attribute);
         Assert.assertNotEquals(SameSiteCookies.STRICT, attribute);
     }
@@ -51,12 +65,17 @@ public class TestSameSiteCookies {
         Assert.assertEquals("Strict", attribute.getValue());
         Assert.assertEquals(SameSiteCookies.STRICT, attribute);
 
+        Assert.assertNotEquals(SameSiteCookies.UNSET, attribute);
         Assert.assertNotEquals(SameSiteCookies.NONE, attribute);
         Assert.assertNotEquals(SameSiteCookies.LAX, attribute);
     }
 
     @Test
     public void testToValidAttribute() {
+        Assert.assertEquals(SameSiteCookies.fromString("unset"), 
SameSiteCookies.UNSET);
+        Assert.assertEquals(SameSiteCookies.fromString("Unset"), 
SameSiteCookies.UNSET);
+        Assert.assertEquals(SameSiteCookies.fromString("UNSET"), 
SameSiteCookies.UNSET);
+
         Assert.assertEquals(SameSiteCookies.fromString("none"), 
SameSiteCookies.NONE);
         Assert.assertEquals(SameSiteCookies.fromString("None"), 
SameSiteCookies.NONE);
         Assert.assertEquals(SameSiteCookies.fromString("NONE"), 
SameSiteCookies.NONE);
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index e0c6146..49e2d01 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -83,6 +83,11 @@
         Ensure that only a full token is matched and that the match is case
         insensitive. (markt)
       </fix>
+      <fix>
+        <bug>63865</bug>: Add <code>Unset</code> option to same-site cookies
+        and pass through <code>None</code> value if set by user. Patch provided
+        by John Kelly. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Other">
diff --git a/webapps/docs/config/cookie-processor.xml 
b/webapps/docs/config/cookie-processor.xml
index f2d2e9c..2d7f674 100644
--- a/webapps/docs/config/cookie-processor.xml
+++ b/webapps/docs/config/cookie-processor.xml
@@ -102,9 +102,12 @@
       <attribute name="sameSiteCookies" required="false">
         <p>Enables setting same-site cookie attribute.</p>
 
-        <p>If value is <code>none</code> then the same-site cookie attribute
+        <p>If value is <code>unset</code> then the same-site cookie attribute
         won't be set. This is the default value.</p>
 
+        <p>If value is <code>none</code> then the same-site cookie attribute
+        will be set and the cookie will always be sent in cross-site 
requests.</p>
+
         <p>If value is <code>lax</code> then the browser only sends the cookie
         in same-site requests and cross-site top level GET requests.</p>
 
@@ -174,9 +177,12 @@
       <attribute name="sameSiteCookies" required="false">
         <p>Enables setting same-site cookie attribute.</p>
 
-        <p>If value is <code>none</code> then the same-site cookie attribute
+        <p>If value is <code>unset</code> then the same-site cookie attribute
         won't be set. This is the default value.</p>
 
+        <p>If value is <code>none</code> then the same-site cookie attribute
+        will be set and the cookie will always be sent in cross-site 
requests.</p>
+
         <p>If value is <code>lax</code> then the browser only sends the cookie
         in same-site requests and cross-site top level GET requests.</p>
 


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[tomcat] branch master updated: Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=63865

Reply via email to