[Bug 62455] New: CORS filter cors.allowed.origins does not default to "*" anymore

2018-06-14 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=62455

            Bug ID: 62455
           Summary: CORS filter cors.allowed.origins does not default to "*" anymore
           Product: Tomcat 8
           Version: 8.0.32
          Hardware: Other
                OS: other
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Documentation
          Assignee: dev@tomcat.apache.org
          Reporter: crist...@ghezzi.net
  Target Milestone: 

I used to be able to make a cross-origin GET just by using the following
configuration:


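  <filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>CorsFilter</filter-name>
    <url-pattern>/myPath</url-pattern>
  </filter-mapping>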

Recently this stopped working. Now I have to specify an init parameter that the
docs state has that value by default ("Any origin is allowed to access the
resource"):

  <init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>*</param-value>
  </init-param>

I see that some work has been recently done to increase security
(https://bz.apache.org/bugzilla/show_bug.cgi?id=62343) so maybe the docs
haven't been updated yet? Or maybe this is an unintended side-effect which is
breaking all sites using the old default behaviour.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[Bug 62455] CORS filter cors.allowed.origins does not default to "*" anymore

2018-06-14 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=62455

--- Comment #1 from Konstantin Kolinko ---
Looking at your version number (8.0.32), it is likely that you are using not
the official version of Tomcat from tomcat.apache.org, but a repackaged version
from a Linux vendor.

As the security issue with bug 62343 (CVE-2018-8014) was reported publicly
(instead of via the proper responsible disclosure route) and as it can be solved
by a simple configuration change and does not need recompilation, it was decided
to announce it earlier than usual without waiting for an official release of a
patched version.  It might be that your Linux vendor has already applied the
security patch and thus your defaults have already changed.

The online copy of the documentation will be updated when 8.0.53 (or later) is
officially released. Documentation for the current development version is
published by the CI server (buildbot) and can be found by following the links here:
http://tomcat.apache.org/ci.html#Documentation_snapshots


See also
http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.53

EOL announcement for Tomcat 8.0
http://tomcat.apache.org/tomcat-80-eol.html




[Bug 61542] Apache Tomcat Remote Code Execution via JSP Upload bypass

2018-06-14 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=61542

--- Comment #12 from Castro B ---
Hello Mark, is this issue fixed already? Or any source? Thanks

Castro B.
http://buywebtrafficexperts.com/
