Support SameSite cookie attribute in Tomcat

2018-06-07 Thread Mathuriga Thavarajah
Hi Tomcat Team,

I have done some basic research on $Subject. SameSite [1] [2] is a cookie
attribute, like HttpOnly and the Secure flag. The SameSite cookie
attribute instructs a browser not to send the cookie with cross-origin
third-party requests and only send the cookie when we are using the web
application directly. The main use case of this attribute is mitigating
CSRF attacks.

AFAIK, Tomcat does not support the SameSite attribute for cookies yet.
Could you please clarify whether you have plans to support this in an
upcoming release? IMHO, if it is not on your roadmap, it would be better to
include it in Tomcat also.

[1]  https://tools.ietf.org/html/draft-west-first-party-cookies-07#section-5.2
[2]  https://www.owasp.org/index.php/SameSite

Looking forward to your prompt reply.

Thanks.

Regards,
Mathuriga.

*T. Mathuriga*
Undergraduate,
Department of Computer Science and Engineering,
University of Moratuwa,
Sri Lanka.

Email: tmathuriga...@cse.mrt.ac.lk


svn commit: r1833107 - /tomcat/native/trunk/xdocs/miscellaneous/changelog.xml

2018-06-07 Thread jfclere
Author: jfclere
Date: Thu Jun  7 08:38:26 2018
New Revision: 1833107

URL: http://svn.apache.org/viewvc?rev=1833107&view=rev
Log:
Add the changelog for 1.2.17

Modified:
tomcat/native/trunk/xdocs/miscellaneous/changelog.xml

Modified: tomcat/native/trunk/xdocs/miscellaneous/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/native/trunk/xdocs/miscellaneous/changelog.xml?rev=1833107&r1=1833106&r2=1833107&view=diff
==
--- tomcat/native/trunk/xdocs/miscellaneous/changelog.xml (original)
+++ tomcat/native/trunk/xdocs/miscellaneous/changelog.xml Thu Jun  7 08:38:26 
2018
@@ -34,6 +34,24 @@
   This is the Changelog for Tomcat Native 1.2.
   
 
+
+  
+
+  62094: Certificate verification using CRL with
+  Tomcat APR connector does not work. (jfclere)
+
+
+  62122: undefined symbol: SSL_COMP_free_compression_methods. 
(jfclere)
+
+
+  62221: OCSP response processing uses always the first
+  entry in the response. (jfclere)
+
+
+  Further clean-up in the OCSP extension logic. (jfclere)
+
+  
+
 
   
 
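Review bot: as pasted, this hunk cannot apply: the 62122 entry is wrapped so that "(jfclere)" on the following line has lost its "+" prefix, and the lines that carried the subsection and fix-element markup arrive as bare "+" lines, so neither the XML well-formedness nor the version heading that the log message ("Add the changelog for 1.2.17") implies can be checked from this diff. Please re-send the hunk unwrapped, and make sure the new subsection names 1.2.17 and a release date, so that the two certificate-validation fixes (62094, CRL verification with the APR connector; 62221, OCSP response processing always using the first entry) are attributable to a specific release for anyone auditing which builds validate revocation correctly.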



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[Bug 62437] New: Configurable strict validation on provided host name and port for Host Header

2018-06-07 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=62437

Bug ID: 62437
   Summary: Configurable strict validation on provided host name
and port for Host Header
   Product: Tomcat 8
   Version: 8.5.31
  Hardware: PC
OS: Mac OS X 10.1
Status: NEW
  Severity: enhancement
  Priority: P2
 Component: Catalina
  Assignee: dev@tomcat.apache.org
  Reporter: andresgsei...@gmail.com
  Target Milestone: 

Since 8.5.31 (dunno about other Tomcat versions) the hostname in the Host HTTP
header is validated strictly.
This made the server reject requests made to servers whose DNS names use
non-compliant FQDNs in our infrastructure, like:
`my-tomcat-server.non-prod` (the hyphen in the TLD makes the validation fail)

It could be a nice addition to have a way to disable this validation.

-- 
You are receiving this mail because:
You are the assignee for the bug.



[Bug 62371] Improve logging in AbstractProcessor.parseHost()

2018-06-07 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=62371

Mark Thomas  changed:

   What|Removed |Added

 CC||andresgsei...@gmail.com

--- Comment #29 from Mark Thomas  ---
*** Bug 62437 has been marked as a duplicate of this bug. ***




[Bug 62437] Configurable strict validation on provided host name and port for Host Header

2018-06-07 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=62437

Mark Thomas  changed:

   What|Removed |Added

 Resolution|--- |DUPLICATE
 Status|NEW |RESOLVED

--- Comment #1 from Mark Thomas  ---
The quoted FQDN is specification compliant and Tomcat will allow it from 8.5.32
onwards.

*** This bug has been marked as a duplicate of bug 62371 ***


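The resolution above turns on what "strict" validation of the Host header may legitimately reject. The following class is an added example written for this page, not Tomcat's parser and not code from the bug thread: it applies the grammar that RFC 7230 section 5.4 delegates to RFC 3986 section 3.2.2 (reg-name, a structurally checked IP-literal, and port) and, as a separate and stricter layer, the RFC 1123 label rules for DNS hostnames. The sample inputs in main are constructed for the example. The name from the bug report passes both layers, because a hyphen inside a label, including the last one, is legal; a leading hyphen or an underscore passes only the RFC 3986 layer, and a space, a second colon or an out-of-range port passes neither.

```java
import java.util.regex.Pattern;

/**
 * Added example (not Tomcat's code): Host header validation in two layers.
 * Layer 1 is the syntax RFC 7230 requires (Host = uri-host [ ":" port ]).
 * Layer 2 is the stricter RFC 1123 hostname rule, for deployments that
 * want to reject anything that could not be a DNS name.
 */
public final class HostHeaderValidator {

    // reg-name = *( unreserved / pct-encoded / sub-delims )   (RFC 3986 3.2.2)
    private static final Pattern REG_NAME =
        Pattern.compile("(?:[A-Za-z0-9\\-._~!$&'()*+,;=]|%[0-9A-Fa-f]{2})*");
    // IP-literal is checked structurally only: "[" hex/colon/dot "]"
    private static final Pattern IP_LITERAL = Pattern.compile("\\[[0-9A-Fa-f:.]+\\]");
    // RFC 1123 label: alphanumeric, hyphen allowed inside but not at either end, 1..63 chars
    private static final Pattern DNS_LABEL =
        Pattern.compile("[A-Za-z0-9](?:[A-Za-z0-9\\-]{0,61}[A-Za-z0-9])?");

    private HostHeaderValidator() { }

    /** Host = uri-host [ ":" port ]. RFC 7230 permits an empty field value. */
    public static boolean isValidHostHeader(String host) {
        if (host == null) {
            return false;
        }
        if (host.isEmpty()) {
            return true;
        }
        String port = null;
        if (host.charAt(0) == '[') {
            int close = host.indexOf(']');
            if (close < 0 || !IP_LITERAL.matcher(host.substring(0, close + 1)).matches()) {
                return false;
            }
            String rest = host.substring(close + 1);
            if (!rest.isEmpty()) {
                if (rest.charAt(0) != ':') {
                    return false;
                }
                port = rest.substring(1);
            }
        } else {
            // reg-name cannot contain ':', so the first colon starts the port;
            // a second colon ends up in the port string and is rejected there.
            int colon = host.indexOf(':');
            String uriHost = colon < 0 ? host : host.substring(0, colon);
            port = colon < 0 ? null : host.substring(colon + 1);
            if (!REG_NAME.matcher(uriHost).matches()) {
                return false;
            }
        }
        return port == null || isValidPort(port);
    }

    /** port = *DIGIT (RFC 3986 allows it to be empty); additionally bounded to 65535. */
    static boolean isValidPort(String port) {
        if (port.isEmpty()) {
            return true;
        }
        return port.matches("[0-9]{1,5}") && Integer.parseInt(port) <= 65535;
    }

    /** Stricter layer: dotted RFC 1123 labels, at most 253 characters overall. */
    public static boolean isDnsHostname(String name) {
        if (name == null || name.isEmpty() || name.length() > 253) {
            return false;
        }
        if (name.endsWith(".")) {                       // trailing dot marks an absolute name
            name = name.substring(0, name.length() - 1);
        }
        for (String label : name.split("\\.", -1)) {    // -1 keeps empty labels so "a..b" fails
            if (!DNS_LABEL.matcher(label).matches()) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed samples; the first is the name from the bug report.
        String[] samples = {
            "my-tomcat-server.non-prod", "my-tomcat-server.non-prod:8080", "[::1]:8080",
            "my_host.example", "-leading.example", "host:80:80", "evil host", "example.com:70000",
        };
        for (String s : samples) {
            int colon = s.startsWith("[") ? -1 : s.indexOf(':');
            String name = colon < 0 ? s : s.substring(0, colon);
            System.out.printf("%-32s rfc7230=%-5b rfc1123=%b%n",
                s, isValidHostHeader(s), isDnsHostname(name));
        }
    }
}
```

The two layers are deliberately separate: the first is what an HTTP parser may enforce on every request without breaking legitimate clients, the second is a deployment policy that belongs in configuration, which is the distinction the bug resolution draws.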


svn commit: r1833112 - /tomcat/native/trunk/download_deps.sh

2018-06-07 Thread jfclere
Author: jfclere
Date: Thu Jun  7 09:07:16 2018
New Revision: 1833112

URL: http://svn.apache.org/viewvc?rev=1833112&view=rev
Log:
download latest versions.

Modified:
tomcat/native/trunk/download_deps.sh

Modified: tomcat/native/trunk/download_deps.sh
URL: 
http://svn.apache.org/viewvc/tomcat/native/trunk/download_deps.sh?rev=1833112&r1=1833111&r2=1833112&view=diff
==
--- tomcat/native/trunk/download_deps.sh (original)
+++ tomcat/native/trunk/download_deps.sh Thu Jun  7 09:07:16 2018
@@ -3,8 +3,8 @@
 # Small script to get a recent openssl, with npn support
 # Will run configure and build_libs to generate the .s files
 
-SSL=openssl-1.0.2g.tar.gz
-APR=apr-1.5.2.tar.gz
+SSL=openssl-1.0.2o.tar.gz
+APR=apr-1.6.3.tar.gz
 mkdir -p deps
 
 if [ ! -f deps/$SSL ] ; then
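Review bot: the bump to openssl-1.0.2o and apr-1.6.3 changes only the file names; the download guarded by "if [ ! -f deps/$SSL ] ; then" is still accepted on the strength of the name alone, and no digest or signature check of the fetched archive is visible in this script. Since these tarballs are what the release binaries are built from, pin the expected SHA-256 of each archive next to the version variable and make the script fail when the downloaded file does not match, so that a tampered or truncated download cannot be built in silently.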






Re: Support SameSite cookie attribute in Tomcat

2018-06-07 Thread Mark Thomas
On 07/06/18 08:20, Mathuriga Thavarajah wrote:
> Hi Tomcat Team,
> 
> I have done some basic research on $Subject. SameSite [1] [2] is a cookie
> attribute, like HttpOnly and the Secure flag. The SameSite cookie
> attribute instructs a browser not to send the cookie with cross-origin
> third-party requests and only send the cookie when we are using the web
> application directly. The main use case of this attribute is mitigating
> CSRF attacks.
> 
> AFAIK, Tomcat does not support the SameSite attribute for cookies yet.
> Could you please clarify whether you have plans to support this in an
> upcoming release? IMHO, if it is not on your roadmap, it would be better to
> include it in Tomcat also.

There are currently no plans to implement this.

Note that the spec you quote is not the latest. The latest is here:
https://www.ietf.org/archive/id/draft-ietf-httpbis-rfc6265bis-02.txt

Interestingly, the draft has expired. It looks like work has stopped.
I'd be interested in finding out why. Particularly as Firefox and Edge
have added support fairly recently.

Section 5.3.7.1 in the latest spec provides a useful overview of where
this is, and is not, useful.

Personally, I am +0 on adding this. I'd be more in favour if the spec
work had not stopped and/or the protection it offered was more complete.

I suggest that the best way forward would be to open an enhancement
request. Enhancement requests that include patches tend to be looked at
sooner. The httpOnly support could be used as a basis for what needs to
be added where. The main difference is that the value will need to be an
enum (none, lax, strict) or similar rather than a boolean.

Mark


> 
> [1]  https://tools.ietf.org/html/draft-west-first-party-cookies-07#section-5.2
> [2]  https://www.owasp.org/index.php/SameSite
> 
> Looking forward to your prompt reply.
> 
> Thanks.
> 
> Regards,
> Mathuriga.
> 
> *T. Mathuriga*
> Undergraduate,
> Department of Computer Science and Engineering,
> University of Moratuwa,
> Sri Lanka.
> 
> Email: tmathuriga...@cse.mrt.ac.lk
> 



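Mark's sketch of what needs adding (an attribute whose value is an enum of none, lax and strict rather than a boolean, modelled on the httpOnly support) can be approximated from outside the container while the enhancement is open. The following servlet Filter is an added example written for this page; it is not Tomcat code and not code from the thread. It assumes a javax.servlet container (Servlet 3.0 or later, for getHeaders), a hypothetical init-param named sameSite, and that the response is still uncommitted when the filter regains control after the chain. It appends SameSite to every Set-Cookie header the application emitted and leaves cookies that already carry the attribute alone.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example, not Tomcat code: decorates every Set-Cookie header with a
 * SameSite attribute. Unlike HttpOnly and Secure, the value is an enum
 * (None, Lax, Strict), which is the one design difference from copying the
 * httpOnly support.
 */
public class SameSiteCookieFilter implements Filter {

    public enum SameSite {
        NONE("None"), LAX("Lax"), STRICT("Strict");
        final String token;                       // exact spelling that goes on the wire
        SameSite(String token) { this.token = token; }
    }

    private SameSite mode = SameSite.LAX;         // Lax still sends the cookie on top-level GET navigations

    @Override
    public void init(FilterConfig cfg) {
        // "sameSite" is a hypothetical init-param name chosen for this example.
        String v = cfg.getInitParameter("sameSite");
        if (v != null) {
            // A typo fails at startup instead of silently running without protection.
            mode = SameSite.valueOf(v.trim().toUpperCase(Locale.ROOT));
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(req, res);                 // let the application add its cookies first
        if (res instanceof HttpServletResponse) {
            rewriteSetCookie((HttpServletResponse) res, mode);
        }
    }

    @Override
    public void destroy() { }

    /**
     * Re-emits every Set-Cookie header with the attribute appended. Headers can
     * only change while the response is uncommitted, so a body flushed inside
     * the chain leaves its cookies untouched; that limit is why container-level
     * support is preferable to a filter.
     */
    static void rewriteSetCookie(HttpServletResponse resp, SameSite mode) {
        if (resp.isCommitted()) {
            return;
        }
        List<String> headers = new ArrayList<>(resp.getHeaders("Set-Cookie")); // copy before replacing
        boolean first = true;
        for (String header : headers) {
            String value = withSameSite(header, mode);
            if (first) {
                resp.setHeader("Set-Cookie", value);  // setHeader discards all previous values
                first = false;
            } else {
                resp.addHeader("Set-Cookie", value);
            }
        }
    }

    /** Appends "; SameSite=<value>" unless the application already chose one. */
    static String withSameSite(String setCookie, SameSite mode) {
        String lower = setCookie.toLowerCase(Locale.ROOT);
        if (lower.contains("samesite=")) {
            return setCookie;                     // never override an explicit choice
        }
        String out = setCookie + "; SameSite=" + mode.token;
        // Browsers now accept SameSite=None only together with Secure; emitting
        // None on a non-Secure cookie would make the browser drop it entirely.
        if (mode == SameSite.NONE && !lower.contains("; secure")) {
            out += "; Secure";
        }
        return out;
    }
}
```

Map the filter to /* in web.xml with the sameSite init-param set to Lax or Strict; the header rewrite runs once per response after the servlet returns, so session cookies issued by the container itself are covered as long as the response was not flushed early.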


svn commit: r1833113 - in /tomcat/native/tags/TOMCAT_NATIVE_1_2_17: ./ build.properties.default native/include/tcn_version.h

2018-06-07 Thread jfclere
Author: jfclere
Date: Thu Jun  7 09:30:12 2018
New Revision: 1833113

URL: http://svn.apache.org/viewvc?rev=1833113&view=rev
Log:
Tag 1.2.17

Added:
tomcat/native/tags/TOMCAT_NATIVE_1_2_17/
  - copied from r1833112, tomcat/native/trunk/
Modified:
tomcat/native/tags/TOMCAT_NATIVE_1_2_17/build.properties.default
tomcat/native/tags/TOMCAT_NATIVE_1_2_17/native/include/tcn_version.h

Modified: tomcat/native/tags/TOMCAT_NATIVE_1_2_17/build.properties.default
URL: 
http://svn.apache.org/viewvc/tomcat/native/tags/TOMCAT_NATIVE_1_2_17/build.properties.default?rev=1833113&r1=1833112&r2=1833113&view=diff
==
--- tomcat/native/tags/TOMCAT_NATIVE_1_2_17/build.properties.default (original)
+++ tomcat/native/tags/TOMCAT_NATIVE_1_2_17/build.properties.default Thu Jun  7 
09:30:12 2018
@@ -20,7 +20,7 @@ version.major=1
 version.minor=2
 version.build=17
 version.patch=0
-version.suffix=-dev
+version.suffix=
 
 # - Default Base Path for Dependent Packages -
 # Please note this path must be absolute, not relative,
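Review bot: clearing version.suffix is the only edit to this file, while version.major/minor/build/patch stay as copied from trunk, which is correct for a tag taken from r1833112; note however that the same release state is also recorded by TCN_IS_DEV_VERSION in tcn_version.h in this commit, so the two files have to be flipped together by hand on every release. Deriving one from the other at build time would remove the chance of a tag whose properties say release and whose header says development.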

Modified: tomcat/native/tags/TOMCAT_NATIVE_1_2_17/native/include/tcn_version.h
URL: 
http://svn.apache.org/viewvc/tomcat/native/tags/TOMCAT_NATIVE_1_2_17/native/include/tcn_version.h?rev=1833113&r1=1833112&r2=1833113&view=diff
==
--- tomcat/native/tags/TOMCAT_NATIVE_1_2_17/native/include/tcn_version.h 
(original)
+++ tomcat/native/tags/TOMCAT_NATIVE_1_2_17/native/include/tcn_version.h Thu 
Jun  7 09:30:12 2018
@@ -69,7 +69,7 @@ extern "C" {
  *  This symbol is defined for internal, "development" copies of TCN. This
  *  symbol will be #undef'd for releases.
  */
-#define TCN_IS_DEV_VERSION  1
+#define TCN_IS_DEV_VERSION  0
 
 
 /** The formatted string of APU's version */
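Review bot: the comment immediately above this hunk says the symbol "will be #undef'd for releases", but the release edit sets it to 0 instead, so any `#ifdef TCN_IS_DEV_VERSION` or `#if defined(...)` test still sees a development build in 1.2.17. Either make the release edit `#undef TCN_IS_DEV_VERSION` as the comment promises, or reword the comment to say the macro is defined to 0 for releases and that consumers must test its value, not its definedness.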






svn commit: r27300 - in /dev/tomcat/tomcat-connectors/native/1.2.17: ./ binaries/ sources/

2018-06-07 Thread jfclere
Author: jfclere
Date: Thu Jun  7 11:37:55 2018
New Revision: 27300

Log:
Commit the sources for 1.2.17

Added:
dev/tomcat/tomcat-connectors/native/1.2.17/
dev/tomcat/tomcat-connectors/native/1.2.17/binaries/
dev/tomcat/tomcat-connectors/native/1.2.17/sources/

dev/tomcat/tomcat-connectors/native/1.2.17/sources/tomcat-native-1.2.17-src.tar.gz
   (with props)

dev/tomcat/tomcat-connectors/native/1.2.17/sources/tomcat-native-1.2.17-src.tar.gz.asc
   (with props)

dev/tomcat/tomcat-connectors/native/1.2.17/sources/tomcat-native-1.2.17-win32-src.zip
   (with props)

dev/tomcat/tomcat-connectors/native/1.2.17/sources/tomcat-native-1.2.17-win32-src.zip.asc
   (with props)

Added: 
dev/tomcat/tomcat-connectors/native/1.2.17/sources/tomcat-native-1.2.17-src.tar.gz
==
Binary file - no diff available.

Propchange: 
dev/tomcat/tomcat-connectors/native/1.2.17/sources/tomcat-native-1.2.17-src.tar.gz
--
svn:mime-type = application/x-gzip

Added: 
dev/tomcat/tomcat-connectors/native/1.2.17/sources/tomcat-native-1.2.17-src.tar.gz.asc
==
Binary file - no diff available.

Propchange: 
dev/tomcat/tomcat-connectors/native/1.2.17/sources/tomcat-native-1.2.17-src.tar.gz.asc
--
svn:mime-type = application/pgp-signature

Added: 
dev/tomcat/tomcat-connectors/native/1.2.17/sources/tomcat-native-1.2.17-win32-src.zip
==
Binary file - no diff available.

Propchange: 
dev/tomcat/tomcat-connectors/native/1.2.17/sources/tomcat-native-1.2.17-win32-src.zip
--
svn:mime-type = application/zip

Added: 
dev/tomcat/tomcat-connectors/native/1.2.17/sources/tomcat-native-1.2.17-win32-src.zip.asc
==
Binary file - no diff available.

Propchange: 
dev/tomcat/tomcat-connectors/native/1.2.17/sources/tomcat-native-1.2.17-win32-src.zip.asc
--
svn:mime-type = application/pgp-signature






svn commit: r27306 - /dev/tomcat/tomcat-connectors/native/1.2.17/binaries/

2018-06-07 Thread jfclere
Author: jfclere
Date: Thu Jun  7 15:36:46 2018
New Revision: 27306

Log:
Add the binary asc gpg and md5.

Added:

dev/tomcat/tomcat-connectors/native/1.2.17/binaries/tomcat-native-1.2.17-ocsp-win32-bin.zip
   (with props)

dev/tomcat/tomcat-connectors/native/1.2.17/binaries/tomcat-native-1.2.17-ocsp-win32-bin.zip.asc
   (with props)

dev/tomcat/tomcat-connectors/native/1.2.17/binaries/tomcat-native-1.2.17-ocsp-win32-bin.zip.md5

dev/tomcat/tomcat-connectors/native/1.2.17/binaries/tomcat-native-1.2.17-win32-bin.zip
   (with props)

dev/tomcat/tomcat-connectors/native/1.2.17/binaries/tomcat-native-1.2.17-win32-bin.zip.asc
   (with props)

dev/tomcat/tomcat-connectors/native/1.2.17/binaries/tomcat-native-1.2.17-win32-bin.zip.md5

Added: 
dev/tomcat/tomcat-connectors/native/1.2.17/binaries/tomcat-native-1.2.17-ocsp-win32-bin.zip
==
Binary file - no diff available.

Propchange: 
dev/tomcat/tomcat-connectors/native/1.2.17/binaries/tomcat-native-1.2.17-ocsp-win32-bin.zip
--
svn:executable = *

Propchange: 
dev/tomcat/tomcat-connectors/native/1.2.17/binaries/tomcat-native-1.2.17-ocsp-win32-bin.zip
--
svn:mime-type = application/java-archive

Added: 
dev/tomcat/tomcat-connectors/native/1.2.17/binaries/tomcat-native-1.2.17-ocsp-win32-bin.zip.asc
==
Binary file - no diff available.

Propchange: 
dev/tomcat/tomcat-connectors/native/1.2.17/binaries/tomcat-native-1.2.17-ocsp-win32-bin.zip.asc
--
svn:mime-type = application/pgp-signature

Added: 
dev/tomcat/tomcat-connectors/native/1.2.17/binaries/tomcat-native-1.2.17-ocsp-win32-bin.zip.md5
==
--- 
dev/tomcat/tomcat-connectors/native/1.2.17/binaries/tomcat-native-1.2.17-ocsp-win32-bin.zip.md5
 (added)
+++ 
dev/tomcat/tomcat-connectors/native/1.2.17/binaries/tomcat-native-1.2.17-ocsp-win32-bin.zip.md5
 Thu Jun  7 15:36:46 2018
@@ -0,0 +1 @@
+1b0cf8e1603534807d295b339e32c307  tomcat-native-1.2.17-ocsp-win32-bin.zip
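Review bot: an MD5 digest is the only checksum published for this binary, and MD5 is collision-broken, so a downloader who checks only the .md5 gets no integrity guarantee beyond what the detached .asc signature already provides, while a downloader who cannot run gpg gets none at all. Add .sha512 files (and .sha1 if policy still wants them) for every artefact in this directory and treat the .md5 as informational only.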

Added: 
dev/tomcat/tomcat-connectors/native/1.2.17/binaries/tomcat-native-1.2.17-win32-bin.zip
==
Binary file - no diff available.

Propchange: 
dev/tomcat/tomcat-connectors/native/1.2.17/binaries/tomcat-native-1.2.17-win32-bin.zip
--
svn:executable = *

Propchange: 
dev/tomcat/tomcat-connectors/native/1.2.17/binaries/tomcat-native-1.2.17-win32-bin.zip
--
svn:mime-type = application/java-archive

Added: 
dev/tomcat/tomcat-connectors/native/1.2.17/binaries/tomcat-native-1.2.17-win32-bin.zip.asc
==
Binary file - no diff available.

Propchange: 
dev/tomcat/tomcat-connectors/native/1.2.17/binaries/tomcat-native-1.2.17-win32-bin.zip.asc
--
svn:mime-type = application/pgp-signature

Added: 
dev/tomcat/tomcat-connectors/native/1.2.17/binaries/tomcat-native-1.2.17-win32-bin.zip.md5
==
--- 
dev/tomcat/tomcat-connectors/native/1.2.17/binaries/tomcat-native-1.2.17-win32-bin.zip.md5
 (added)
+++ 
dev/tomcat/tomcat-connectors/native/1.2.17/binaries/tomcat-native-1.2.17-win32-bin.zip.md5
 Thu Jun  7 15:36:46 2018
@@ -0,0 +1 @@
+26ad9e668cb5a519bea732c989d2e707  tomcat-native-1.2.17-win32-bin.zip
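Review bot: the two .zip binaries in this commit are committed with svn:mime-type = application/java-archive and svn:executable = *, while the win32-src.zip added in r27300 got application/zip and no executable bit. A zip served as application/java-archive is a mismatch for anyone fetching it with a type-checking client, and the executable property has no meaning for an archive; set application/zip and drop svn:executable, as was done for the sources.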






svn commit: r27307 - in /dev/tomcat/tomcat-connectors/native/1.2.17/sources: tomcat-native-1.2.17-src.tar.gz.md5 tomcat-native-1.2.17-win32-src.zip.md5

2018-06-07 Thread jfclere
Author: jfclere
Date: Thu Jun  7 15:38:03 2018
New Revision: 27307

Log:
add missing md5 files.

Added:

dev/tomcat/tomcat-connectors/native/1.2.17/sources/tomcat-native-1.2.17-src.tar.gz.md5

dev/tomcat/tomcat-connectors/native/1.2.17/sources/tomcat-native-1.2.17-win32-src.zip.md5

Added: 
dev/tomcat/tomcat-connectors/native/1.2.17/sources/tomcat-native-1.2.17-src.tar.gz.md5
==
--- 
dev/tomcat/tomcat-connectors/native/1.2.17/sources/tomcat-native-1.2.17-src.tar.gz.md5
 (added)
+++ 
dev/tomcat/tomcat-connectors/native/1.2.17/sources/tomcat-native-1.2.17-src.tar.gz.md5
 Thu Jun  7 15:38:03 2018
@@ -0,0 +1 @@
+7c84d3895d044de34fc258cc68b3fe78  tomcat-native-1.2.17-src.tar.gz

Added: 
dev/tomcat/tomcat-connectors/native/1.2.17/sources/tomcat-native-1.2.17-win32-src.zip.md5
==
--- 
dev/tomcat/tomcat-connectors/native/1.2.17/sources/tomcat-native-1.2.17-win32-src.zip.md5
 (added)
+++ 
dev/tomcat/tomcat-connectors/native/1.2.17/sources/tomcat-native-1.2.17-win32-src.zip.md5
 Thu Jun  7 15:38:03 2018
@@ -0,0 +1 @@
+826e558b6e1359630f82b48c9e31379d  tomcat-native-1.2.17-win32-src.zip






[VOTE] Release Apache Tomcat Native 1.2.17

2018-06-07 Thread jean-frederic clere
Version 1.2.17 includes the following changes compared to 1.2.16:

- Windows binaries built with OpenSSL 1.0.2o and APR 1.6.3

Various other fixes and improvements. See the changelog for details.

The proposed release artefacts can be found at [1],
and the build was done using tag [2].

The Apache Tomcat Native 1.2.17 is
 [ ] Stable, go ahead and release
 [ ] Broken because of ...

Thanks,

Jean-Frederic


[1]
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-connectors/native/1.2.17/
[2] https://svn.apache.org/repos/asf/tomcat/native/tags/TOMCAT_NATIVE_1_2_17




Re: [VOTE] Release Apache Tomcat Native 1.2.17

2018-06-07 Thread Mark Thomas
On 07/06/18 16:50, jean-frederic clere wrote:
> Version 1.2.17 includes the following changes compared to 1.2.16:
> 
> - Windows binaries built with OpenSSL 1.0.2o and APR 1.6.3
> 
> Various other fixes and improvements. See the changelog for details.
> 
> The proposed release artefacts can be found at [1],
> and the build was done using tag [2].
> 
> The Apache Tomcat Native 1.2.17 is
>  [ ] Stable, go ahead and release
>  [X] Broken because of ...

gpg --verify reports that the signature for
tomcat-native-1.2.17-win32-src.zip
is bad.

Other notes:
- We should be providing sha1 and sha512 hashes, not md5.
  (build scripts may need updating)

Checks:
- hashes match
- signatures match apart from exception noted above
- src.tar.gz structure matches tag (with expected differences)
- library builds from src.tar.gz on Ubuntu Linux
- unit tests pass on Linux with library built from source
  (apart from expected failures due to the version of
  OpenSSL being used)
- Windows binary layout as expected
- Windows binaries of expected size
- Windows binaries have no unexpected DLL dependencies
- unit tests pass on Windows with library from binaries

Given that we have a valid MD5 hash for
tomcat-native-1.2.17-win32-src.zip
I'd be happy with the following:
- upload corrected signature file
- add SHA1 and SHA512 hashes for all files
- remove MD5 files once vote has passed and before moving to release

I am willing to change my vote to +1, stable once the above steps are
complete.

Mark
