svn commit: r1914965 [1/3] - in /tomcat/site/trunk: docs/ xdocs/
Author: markt
Date: Thu Dec 28 11:15:41 2023
New Revision: 1914965
URL: http://svn.apache.org/viewvc?rev=1914965&view=rev
Log: Add some more ® symbols to pages that don't have them for the first reference in the text

Modified: tomcat/site/trunk/docs/bugreport.html tomcat/site/trunk/docs/ci.html tomcat/site/trunk/docs/conference.html tomcat/site/trunk/docs/contact.html tomcat/site/trunk/docs/findhelp.html tomcat/site/trunk/docs/getinvolved.html tomcat/site/trunk/docs/heritage.html tomcat/site/trunk/docs/irc.html tomcat/site/trunk/docs/lists.html tomcat/site/trunk/docs/maven-plugin.html tomcat/site/trunk/docs/migration-10.1.html tomcat/site/trunk/docs/migration-10.html tomcat/site/trunk/docs/migration-11.0.html tomcat/site/trunk/docs/migration-6.html tomcat/site/trunk/docs/migration-7.html tomcat/site/trunk/docs/migration-8.html tomcat/site/trunk/docs/migration-85.html tomcat/site/trunk/docs/migration-9.html tomcat/site/trunk/docs/migration.html tomcat/site/trunk/docs/presentations.html tomcat/site/trunk/docs/resources.html tomcat/site/trunk/docs/security-10.html tomcat/site/trunk/docs/security-11.html tomcat/site/trunk/docs/security-3.html tomcat/site/trunk/docs/security-4.html tomcat/site/trunk/docs/security-5.html tomcat/site/trunk/docs/security-6.html tomcat/site/trunk/docs/security-7.html tomcat/site/trunk/docs/security-8.html tomcat/site/trunk/docs/security-9.html tomcat/site/trunk/docs/security-impact.html tomcat/site/trunk/docs/security-jk.html tomcat/site/trunk/docs/security-native.html tomcat/site/trunk/docs/security-taglibs.html tomcat/site/trunk/docs/security.html tomcat/site/trunk/docs/source.html tomcat/site/trunk/docs/tomcat-10.0-eol.html tomcat/site/trunk/docs/tomcat-55-eol.html tomcat/site/trunk/docs/tomcat-60-eol.html tomcat/site/trunk/docs/tomcat-70-eol.html tomcat/site/trunk/docs/tomcat-80-eol.html tomcat/site/trunk/docs/tomcat-85-eol.html tomcat/site/trunk/docs/tools.html tomcat/site/trunk/docs/upgrading.html tomcat/site/trunk/docs/whoweare.html
tomcat/site/trunk/xdocs/bugreport.xml tomcat/site/trunk/xdocs/ci.xml tomcat/site/trunk/xdocs/conference.xml tomcat/site/trunk/xdocs/contact.xml tomcat/site/trunk/xdocs/findhelp.xml tomcat/site/trunk/xdocs/getinvolved.xml tomcat/site/trunk/xdocs/heritage.xml tomcat/site/trunk/xdocs/irc.xml tomcat/site/trunk/xdocs/lists.xml tomcat/site/trunk/xdocs/maven-plugin.xml tomcat/site/trunk/xdocs/migration-10.1.xml tomcat/site/trunk/xdocs/migration-10.xml tomcat/site/trunk/xdocs/migration-11.0.xml tomcat/site/trunk/xdocs/migration-6.xml tomcat/site/trunk/xdocs/migration-7.xml tomcat/site/trunk/xdocs/migration-8.xml tomcat/site/trunk/xdocs/migration-85.xml tomcat/site/trunk/xdocs/migration-9.xml tomcat/site/trunk/xdocs/migration.xml tomcat/site/trunk/xdocs/presentations.xml tomcat/site/trunk/xdocs/resources.xml tomcat/site/trunk/xdocs/security-10.xml tomcat/site/trunk/xdocs/security-11.xml tomcat/site/trunk/xdocs/security-3.xml tomcat/site/trunk/xdocs/security-4.xml tomcat/site/trunk/xdocs/security-5.xml tomcat/site/trunk/xdocs/security-6.xml tomcat/site/trunk/xdocs/security-7.xml tomcat/site/trunk/xdocs/security-8.xml tomcat/site/trunk/xdocs/security-9.xml tomcat/site/trunk/xdocs/security-impact.xml tomcat/site/trunk/xdocs/security-jk.xml tomcat/site/trunk/xdocs/security-native.xml tomcat/site/trunk/xdocs/security-taglibs.xml tomcat/site/trunk/xdocs/security.xml tomcat/site/trunk/xdocs/source.xml tomcat/site/trunk/xdocs/tomcat-10.0-eol.xml tomcat/site/trunk/xdocs/tomcat-55-eol.xml tomcat/site/trunk/xdocs/tomcat-60-eol.xml tomcat/site/trunk/xdocs/tomcat-70-eol.xml tomcat/site/trunk/xdocs/tomcat-80-eol.xml tomcat/site/trunk/xdocs/tomcat-85-eol.xml tomcat/site/trunk/xdocs/tools.xml tomcat/site/trunk/xdocs/upgrading.xml tomcat/site/trunk/xdocs/whoweare.xml Modified: tomcat/site/trunk/docs/bugreport.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/bugreport.html?rev=1914965&r1=1914964&r2=1914965&view=diff == --- tomcat/site/trunk/docs/bugreport.html (original) +++ 
tomcat/site/trunk/docs/bugreport.html Thu Dec 28 11:15:41 2023
@@ -2,7 +2,7 @@
 Apache Tomcat® - Reporting Bugs
[site header and navigation markup omitted]
svn commit: r1914965 [2/3] - in /tomcat/site/trunk: docs/ xdocs/
Modified: tomcat/site/trunk/docs/security-4.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-4.html?rev=1914965&r1=1914964&r2=1914965&view=diff == --- tomcat/site/trunk/docs/security-4.html (original) +++ tomcat/site/trunk/docs/security-4.html Thu Dec 28 11:15:41 2023 
@@ -1,7 +1,7 @@
 Apache Tomcat® - Apache Tomcat 4.x vulnerabilities
[site header and navigation markup omitted]
 Apache Tomcat 4.x vulnerabilities This page lists all security vulnerabilities fixed in released versions
- of Apache Tomcat 4.x. Each vulnerability is given a
+ of Apache Tomcat® 4.x. Each vulnerability is given a
 security impact rating by the Apache Tomcat security team — please note that this rating may vary from platform to platform. We also list the versions of Apache Tomcat the flaw

Modified: tomcat/site/trunk/docs/security-5.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-5.html?rev=1914965&r1=1914964&r2=1914965&view=diff
==
--- tomcat/site/trunk/docs/security-5.html (original)
+++ tomcat/site/trunk/docs/security-5.html Thu Dec 28 11:15:41 2023
@@ -1,7 +1,7 @@
 Apache Tomcat® - Apache Tomcat 5 vulnerabilities
[site header and navigation markup omitted]
svn commit: r1914965 [3/3] - in /tomcat/site/trunk: docs/ xdocs/
Modified: tomcat/site/trunk/docs/tools.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/tools.html?rev=1914965&r1=1914964&r2=1914965&view=diff == --- tomcat/site/trunk/docs/tools.html (original) +++ tomcat/site/trunk/docs/tools.html Thu Dec 28 11:15:41 2023 
@@ -2,7 +2,7 @@
 Apache Tomcat® - Developer Tools
[site header and navigation markup omitted]
 Table of Contents OverviewApache ToolsOpen Source ToolsCommercial Tools Overview
-This page lists the various tools that the Apache Tomcat project uses. Not
+This page lists the various tools that the Apache Tomcat® project uses. Not
 all developers use every tool. There are almost certainly some tools that are missing. If you are a committer, you know how to fix this. If you are not a committer, send a short note to the developer

Modified: tomcat/site/trunk/docs/upgrading.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/upgrading.html?rev=1914965&r1=1914964&r2=1914965&view=diff
==
--- tomcat/site/trunk/docs/upgrading.html (original)
+++ tomcat/site/trunk/docs/upgrading.html Thu Dec 28 11:15:41 2023
@@ -1,6 +1,6 @@
 Apache Tomcat® - Upgrading Apache Tomcat
[site header and navigation markup omitted]
(tomcat) branch main updated: Remove reference to user comments which was removed some time ago
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git

The following commit(s) were added to refs/heads/main by this push:
new 62d5547b6d Remove reference to user comments which was removed some time ago
62d5547b6d is described below

commit 62d5547b6d4d9dd6ea71154bdbe811497af997c4
Author: Mark Thomas
AuthorDate: Thu Dec 28 11:44:43 2023 +

Remove reference to user comments which was removed some time ago
---
webapps/docs/project.xml | 1 -
1 file changed, 1 deletion(-)

diff --git a/webapps/docs/project.xml b/webapps/docs/project.xml
index e3b60532c0..ab04321545 100644
--- a/webapps/docs/project.xml
+++ b/webapps/docs/project.xml
@@ -30,7 +30,6 @@ https://cwiki.apache.org/confluence/display/TOMCAT/FAQ"; /> - -

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
(tomcat) branch 10.1.x updated: Remove reference to user comments which was removed some time ago
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git

The following commit(s) were added to refs/heads/10.1.x by this push:
new ef32467aa8 Remove reference to user comments which was removed some time ago
ef32467aa8 is described below

commit ef32467aa8415d4160a57cb03c39172b7e24d818
Author: Mark Thomas
AuthorDate: Thu Dec 28 11:44:43 2023 +

Remove reference to user comments which was removed some time ago
---
webapps/docs/project.xml | 1 -
1 file changed, 1 deletion(-)

diff --git a/webapps/docs/project.xml b/webapps/docs/project.xml
index d50acf4d46..167f7d3072 100644
--- a/webapps/docs/project.xml
+++ b/webapps/docs/project.xml
@@ -30,7 +30,6 @@ https://cwiki.apache.org/confluence/display/TOMCAT/FAQ"; /> - -
(tomcat) branch 9.0.x updated: Remove reference to user comments which was removed some time ago
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git

The following commit(s) were added to refs/heads/9.0.x by this push:
new e7318f73f8 Remove reference to user comments which was removed some time ago
e7318f73f8 is described below

commit e7318f73f889e4d888136b2c242436e97d93d542
Author: Mark Thomas
AuthorDate: Thu Dec 28 11:44:43 2023 +

Remove reference to user comments which was removed some time ago
---
webapps/docs/project.xml | 1 -
1 file changed, 1 deletion(-)

diff --git a/webapps/docs/project.xml b/webapps/docs/project.xml
index a7c638229e..4abc955248 100644
--- a/webapps/docs/project.xml
+++ b/webapps/docs/project.xml
@@ -30,7 +30,6 @@ https://cwiki.apache.org/confluence/display/TOMCAT/FAQ"; /> - -
(tomcat) branch 8.5.x updated: Remove reference to user comments which was removed some time ago
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git

The following commit(s) were added to refs/heads/8.5.x by this push:
new 491654219d Remove reference to user comments which was removed some time ago
491654219d is described below

commit 491654219d5df085315ff5af7d1870c594bae023
Author: Mark Thomas
AuthorDate: Thu Dec 28 11:44:43 2023 +

Remove reference to user comments which was removed some time ago
---
webapps/docs/project.xml | 1 -
1 file changed, 1 deletion(-)

diff --git a/webapps/docs/project.xml b/webapps/docs/project.xml
index c1278137e5..b176f73bcb 100644
--- a/webapps/docs/project.xml
+++ b/webapps/docs/project.xml
@@ -30,7 +30,6 @@ https://cwiki.apache.org/confluence/display/TOMCAT/FAQ"; /> - -
Re: [PR] Csrf filter improvements [tomcat]
ChristopherSchultz commented on code in PR #681: URL: https://github.com/apache/tomcat/pull/681#discussion_r1437896682 ## java/org/apache/catalina/filters/CsrfPreventionFilter.java: ## @@ -110,45 +285,70 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha HttpSession session = req.getSession(false); +String requestedPath = getRequestedPath(req); boolean skipNonceCheck = skipNonceCheck(req); NonceCache nonceCache = null; if (!skipNonceCheck) { String previousNonce = req.getParameter(nonceRequestParameterName); if (previousNonce == null) { -if (log.isDebugEnabled()) { -log.debug("Rejecting request for " + getRequestedPath(req) + ", session " + -(null == session ? "(none)" : session.getId()) + -" with no CSRF nonce found in request"); -} - -res.sendError(getDenyStatus()); -return; -} +if (enforce(req, requestedPath)) { +if (log.isDebugEnabled()) { +log.debug("Rejecting request for " + getRequestedPath(req) + ", session " + Review Comment: If you really think it needs it. I don't find the control-flow difficult to follow, here, with the log messages in there. I think further obfuscating the log messages will just generate more code. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
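Review bot: the rejection log in the doFilter hunk still calls `getRequestedPath(req)` even though the hunk computes `String requestedPath = getRequestedPath(req);` a few lines earlier and passes that local to `enforce(req, requestedPath)`; use the local in the message (`log.debug("Rejecting request for " + requestedPath + ", session " + ...`) so the path is derived once and the enforcement decision and the log line always refer to the same value. The hunk also removes the unconditional `res.sendError(getDenyStatus()); return;` for a missing nonce and is cut off before the non-enforcing branch, so confirm that branch still records the missing nonce at DEBUG before the request continues down the chain, since that is the behaviour `setEnforce(false)` promises.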
Re: [PR] Csrf filter improvements [tomcat]
ChristopherSchultz commented on code in PR #681: URL: https://github.com/apache/tomcat/pull/681#discussion_r1437897171 ## java/org/apache/catalina/filters/CsrfPreventionFilter.java: ## 
@@ -87,11 +104,170 @@ public void setNonceRequestParameterName(String parameterName) { this.nonceRequestParameterName = parameterName; } +/** + * Sets the flag to enforce CSRF protection or just log failures as DEBUG + * messages. + * + * @param enforce true to enforce CSRF protections or + *false to log DEBUG messages and allow + *all requests. + */ +public void setEnforce(boolean enforce) { +this.enforce = enforce; +} + +/** + * Gets the flag to enforce CSRF protection or just log failures as DEBUG + * messages. + * + * @return true if CSRF protections will be enforced or + * false if all requests will be allowed and + * failures will be logged as DEBUG messages. + */ +public boolean getEnforce() { +return this.enforce; +} + +/** + * Sets the list of URL patterns to suppress nonce-addition for. + * + * Some URLs do not need nonces added to them such as static resources. + * By not adding nonces to those URLs, HTTP caches can be more + * effective because the CSRF prevention filter won't generate what + * look like unique URLs for those commonly-reused resources. + * + * @param patterns A comma-separated list of URL patterns that will not + *have nonces added to them. Patterns may begin or end with a + ** character to denote a suffix-match or + *prefix-match. Any matched URL will not have a CSRF nonce + *added to it when passed through + *{@link HttpServletResponse#encodeURL(String)}. + */ +public void setNoNonceURLPatterns(String patterns) { +this.noNoncePatterns = patterns; + +if (null != context) { +this.noNoncePredicates = createNoNoncePredicates(context, this.noNoncePatterns); +} +} + +/** + * Creates a collection of matchers from a comma-separated string of patterns. + * + * @param patterns A comma-separated string of URL matching patterns. + * + * @return A collection of predicates representing the URL patterns. 
+ */ +protected static Collection> createNoNoncePredicates(ServletContext context, String patterns) { +if (null == patterns || 0 == patterns.trim().length()) { +return null; Review Comment: I think this is a matter of taste these days. I usually prefer `null` to empty collections just because the null-check is far faster than creating an iterator from an empty collection, then iterating zero times over it. All kinds of control-flow is skipped with a simple null-check. It does make the code a little cleaner, though. Does anyone else want to weigh-in? -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
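Review bot: the javadoc on `createNoNoncePredicates(ServletContext context, String patterns)` documents `patterns` and the return value but not `context`; add a `@param context` tag. The same method returns `null` for a null or blank `patterns` string while its `@return` says "A collection of predicates", so either document the null return or return an empty collection, otherwise every caller of the result needs its own null guard. Separately, `setNoNonceURLPatterns` only rebuilds `noNoncePredicates` inside `if (null != context)`, so a pattern string set before the filter is initialised is stored in `noNoncePatterns` but not compiled; confirm that init compiles the stored patterns, or the no-nonce list is silently ignored until the setter is called again.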
Re: [PR] Csrf filter improvements [tomcat]
ChristopherSchultz commented on code in PR #681: URL: https://github.com/apache/tomcat/pull/681#discussion_r1437898048 ## java/org/apache/catalina/filters/CsrfPreventionFilter.java: ## 
@@ -87,11 +104,170 @@ public void setNonceRequestParameterName(String parameterName) { this.nonceRequestParameterName = parameterName; } +/** + * Sets the flag to enforce CSRF protection or just log failures as DEBUG + * messages. + * + * @param enforce true to enforce CSRF protections or + *false to log DEBUG messages and allow + *all requests. + */ +public void setEnforce(boolean enforce) { +this.enforce = enforce; +} + +/** + * Gets the flag to enforce CSRF protection or just log failures as DEBUG + * messages. + * + * @return true if CSRF protections will be enforced or + * false if all requests will be allowed and + * failures will be logged as DEBUG messages. + */ +public boolean getEnforce() { +return this.enforce; +} + +/** + * Sets the list of URL patterns to suppress nonce-addition for. + * + * Some URLs do not need nonces added to them such as static resources. + * By not adding nonces to those URLs, HTTP caches can be more + * effective because the CSRF prevention filter won't generate what + * look like unique URLs for those commonly-reused resources. + * + * @param patterns A comma-separated list of URL patterns that will not + *have nonces added to them. Patterns may begin or end with a + ** character to denote a suffix-match or + *prefix-match. Any matched URL will not have a CSRF nonce + *added to it when passed through + *{@link HttpServletResponse#encodeURL(String)}. + */ +public void setNoNonceURLPatterns(String patterns) { +this.noNoncePatterns = patterns; + +if (null != context) { +this.noNoncePredicates = createNoNoncePredicates(context, this.noNoncePatterns); +} +} + +/** + * Creates a collection of matchers from a comma-separated string of patterns. + * + * @param patterns A comma-separated string of URL matching patterns. + * + * @return A collection of predicates representing the URL patterns. 
+ */ +protected static Collection> createNoNoncePredicates(ServletContext context, String patterns) { +if (null == patterns || 0 == patterns.trim().length()) { Review Comment: @michael-o None of this can be back-ported farther than 10.1.x without significant changes. The whole `jakarta.*` namespace needs to change, `Predicate` needs to be defined locally, etc. I'm okay using `String.isBlank` here if anyone is passionate about it. I generally prefer things to be as close as possible across the branches, so I would err on the side of using `null`-check-plus-zero-length-check until we dump Tomcat 8.5.x. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [PR] Csrf filter improvements [tomcat]
ChristopherSchultz commented on code in PR #681: URL: https://github.com/apache/tomcat/pull/681#discussion_r1437898144 ## java/org/apache/catalina/filters/CsrfPreventionFilter.java: ## 
@@ -87,11 +104,170 @@ public void setNonceRequestParameterName(String parameterName) { this.nonceRequestParameterName = parameterName; } +/** + * Sets the flag to enforce CSRF protection or just log failures as DEBUG + * messages. + * + * @param enforce true to enforce CSRF protections or + *false to log DEBUG messages and allow + *all requests. + */ +public void setEnforce(boolean enforce) { +this.enforce = enforce; +} + +/** + * Gets the flag to enforce CSRF protection or just log failures as DEBUG + * messages. + * + * @return true if CSRF protections will be enforced or + * false if all requests will be allowed and + * failures will be logged as DEBUG messages. + */ +public boolean getEnforce() { +return this.enforce; +} + +/** + * Sets the list of URL patterns to suppress nonce-addition for. + * + * Some URLs do not need nonces added to them such as static resources. + * By not adding nonces to those URLs, HTTP caches can be more + * effective because the CSRF prevention filter won't generate what + * look like unique URLs for those commonly-reused resources. + * + * @param patterns A comma-separated list of URL patterns that will not + *have nonces added to them. Patterns may begin or end with a + ** character to denote a suffix-match or + *prefix-match. Any matched URL will not have a CSRF nonce + *added to it when passed through + *{@link HttpServletResponse#encodeURL(String)}. + */ +public void setNoNonceURLPatterns(String patterns) { +this.noNoncePatterns = patterns; + +if (null != context) { +this.noNoncePredicates = createNoNoncePredicates(context, this.noNoncePatterns); +} +} + +/** + * Creates a collection of matchers from a comma-separated string of patterns. + * + * @param patterns A comma-separated string of URL matching patterns. + * + * @return A collection of predicates representing the URL patterns. 
+ */ +protected static Collection> createNoNoncePredicates(ServletContext context, String patterns) { +if (null == patterns || 0 == patterns.trim().length()) { Review Comment: > why is `#isEmpty()`? I'm not sure I understand this, @michael-o -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [PR] Csrf filter improvements [tomcat]
ChristopherSchultz commented on code in PR #681: URL: https://github.com/apache/tomcat/pull/681#discussion_r1437899157 ## java/org/apache/catalina/filters/CsrfPreventionFilter.java: ## @@ -87,11 +104,170 @@ public void setNonceRequestParameterName(String parameterName) { this.nonceRequestParameterName = parameterName; } +/** + * Sets the flag to enforce CSRF protection or just log failures as DEBUG + * messages. + * + * @param enforce true to enforce CSRF protections or + *false to log DEBUG messages and allow + *all requests. + */ +public void setEnforce(boolean enforce) { +this.enforce = enforce; +} + +/** + * Gets the flag to enforce CSRF protection or just log failures as DEBUG + * messages. + * + * @return true if CSRF protections will be enforced or + * false if all requests will be allowed and + * failures will be logged as DEBUG messages. + */ +public boolean getEnforce() { Review Comment: I think this is a style question. This isn't really expected to be a "java bean" and doesn't require the `boolean isFoo` and `void setFoo(boolean)` specifically for boolean members. I'll have a look around to see what's common and where. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [PR] Csrf filter improvements [tomcat]
ChristopherSchultz commented on code in PR #681: URL: https://github.com/apache/tomcat/pull/681#discussion_r1437900565 ## java/org/apache/catalina/filters/CsrfPreventionFilter.java: ## @@ -87,11 +104,170 @@ public void setNonceRequestParameterName(String parameterName) { this.nonceRequestParameterName = parameterName; } +/** + * Sets the flag to enforce CSRF protection or just log failures as DEBUG + * messages. + * + * @param enforce true to enforce CSRF protections or + *false to log DEBUG messages and allow + *all requests. + */ +public void setEnforce(boolean enforce) { +this.enforce = enforce; +} + +/** + * Gets the flag to enforce CSRF protection or just log failures as DEBUG + * messages. + * + * @return true if CSRF protections will be enforced or + * false if all requests will be allowed and + * failures will be logged as DEBUG messages. + */ +public boolean getEnforce() { Review Comment: There are 308 classes in the Tomcat 11.0.x source tree which contain `boolean isFoo()` and only 141 which contain `boolean getFoo()`. I didn't bother checking is any contain both. ## java/org/apache/catalina/filters/CsrfPreventionFilter.java: ## 
@@ -87,11 +104,170 @@ public void setNonceRequestParameterName(String parameterName) { this.nonceRequestParameterName = parameterName; } +/** + * Sets the flag to enforce CSRF protection or just log failures as DEBUG + * messages. + * + * @param enforce true to enforce CSRF protections or + *false to log DEBUG messages and allow + *all requests. + */ +public void setEnforce(boolean enforce) { +this.enforce = enforce; +} + +/** + * Gets the flag to enforce CSRF protection or just log failures as DEBUG + * messages. + * + * @return true if CSRF protections will be enforced or + * false if all requests will be allowed and + * failures will be logged as DEBUG messages. + */ +public boolean getEnforce() { Review Comment: There are 308 classes in the Tomcat 11.0.x source tree which contain `boolean isFoo()` and only 141 which contain `boolean getFoo()`. I didn't bother checking if any contain both. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [PR] Csrf filter improvements [tomcat]
ChristopherSchultz commented on code in PR #681: URL: https://github.com/apache/tomcat/pull/681#discussion_r1437901624 ## java/org/apache/catalina/filters/CsrfPreventionFilter.java: ## 
@@ -87,11 +104,170 @@ public void setNonceRequestParameterName(String parameterName) { this.nonceRequestParameterName = parameterName; } +/** + * Sets the flag to enforce CSRF protection or just log failures as DEBUG + * messages. + * + * @param enforce true to enforce CSRF protections or + *false to log DEBUG messages and allow + *all requests. + */ +public void setEnforce(boolean enforce) { +this.enforce = enforce; +} + +/** + * Gets the flag to enforce CSRF protection or just log failures as DEBUG + * messages. + * + * @return true if CSRF protections will be enforced or + * false if all requests will be allowed and + * failures will be logged as DEBUG messages. + */ +public boolean getEnforce() { +return this.enforce; +} + +/** + * Sets the list of URL patterns to suppress nonce-addition for. + * + * Some URLs do not need nonces added to them such as static resources. + * By not adding nonces to those URLs, HTTP caches can be more + * effective because the CSRF prevention filter won't generate what + * look like unique URLs for those commonly-reused resources. + * + * @param patterns A comma-separated list of URL patterns that will not + *have nonces added to them. Patterns may begin or end with a + ** character to denote a suffix-match or + *prefix-match. Any matched URL will not have a CSRF nonce + *added to it when passed through + *{@link HttpServletResponse#encodeURL(String)}. + */ +public void setNoNonceURLPatterns(String patterns) { +this.noNoncePatterns = patterns; + +if (null != context) { +this.noNoncePredicates = createNoNoncePredicates(context, this.noNoncePatterns); +} +} + +/** + * Creates a collection of matchers from a comma-separated string of patterns. + * + * @param patterns A comma-separated string of URL matching patterns. + * + * @return A collection of predicates representing the URL patterns. 
+ */ +protected static Collection> createNoNoncePredicates(ServletContext context, String patterns) { +if (null == patterns || 0 == patterns.trim().length()) { +return null; +} + +String values[] = patterns.split(","); + +ArrayList> matchers = new ArrayList<>(values.length); +for (String value : values) { +Predicate p = createNoNoncePredicate(context, value.trim()); + +if (null != p) { +matchers.add(p); +} +} + +matchers.trimToSize(); + +return matchers; +} + +/** + * Creates a predicate that can match the specified type of pattern. + * + * @param pattern The pattern to match e.g. *.foo or + */bar/*. + * + * @return A Predicate which can match the specified pattern, or + * >null if the pattern is null or blank. + */ +protected static Predicate createNoNoncePredicate(ServletContext context, String pattern) { +if (null == pattern || 0 == pattern.trim().length()) { +return null; +} +if (pattern.startsWith("mime:")) { +return new MimePredicate(context, createNoNoncePredicate(context, pattern.substring(5))); +} else if (pattern.startsWith("*")) { +return new SuffixPredicate(pattern.substring(1)); +} else if (pattern.endsWith("*")) { +return new PrefixPredicate(pattern.substring(0, pattern.length() - 1)); +} else if (pattern.startsWith("/") && pattern.endsWith("/")) { +return new PatternPredicate(pattern.substring(1, pattern.length() - 1)); +} else { +throw new IllegalArgumentException("Unsupported pattern: " + pattern); +} +} + +protected static class MimePredicate implements Predicate { +private final ServletContext context; +private final Predicate predicate; + +public MimePredicate(ServletContext context, Predicate predicate) { +this.context = context; +this.predicate = predicate; +} + +@Override +public boolean test(String t) { +String mimeType = context.getMimeType(t); + +return predicate.test(mimeType); Review Comment: Is it often that the application will invoke `HttpServletResponse.encodeURL(null)`?
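Review bot: `MimePredicate.test` hands the result of `context.getMimeType(t)` straight to `predicate.test(mimeType)`, but `ServletContext.getMimeType` returns `null` for any path whose extension has no mapping, so every URL with an unknown or missing extension reaches the inner `SuffixPredicate`/`PrefixPredicate` with a null argument; a `mime:` pattern would then misbehave (or throw, depending on how those predicates treat null, which is not visible in this hunk) for exactly the URLs that are not static resources. Suggest `return mimeType != null && predicate.test(mimeType);` plus a unit test that passes an extension-less URL through a `mime:` pattern. Separately, the Javadoc on `setNoNonceURLPatterns` documents only the leading/trailing `*` forms, while `createNoNoncePredicate` also accepts `mime:` prefixes and `/.../` patterns and throws `IllegalArgumentException` for anything else; since this value comes from configuration rather than code, those forms and that failure mode belong in the Javadoc and the filter documentation.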
Re: [PR] Csrf filter improvements [tomcat]
isapir commented on code in PR #681: URL: https://github.com/apache/tomcat/pull/681#discussion_r1437903976 ## java/org/apache/catalina/filters/CsrfPreventionFilter.java: ## 
@@ -87,11 +104,170 @@ public void setNonceRequestParameterName(String parameterName) { this.nonceRequestParameterName = parameterName; } +/** + * Sets the flag to enforce CSRF protection or just log failures as DEBUG + * messages. + * + * @param enforce true to enforce CSRF protections or + *false to log DEBUG messages and allow + *all requests. + */ +public void setEnforce(boolean enforce) { +this.enforce = enforce; +} + +/** + * Gets the flag to enforce CSRF protection or just log failures as DEBUG + * messages. + * + * @return true if CSRF protections will be enforced or + * false if all requests will be allowed and + * failures will be logged as DEBUG messages. + */ +public boolean getEnforce() { +return this.enforce; +} + +/** + * Sets the list of URL patterns to suppress nonce-addition for. + * + * Some URLs do not need nonces added to them such as static resources. + * By not adding nonces to those URLs, HTTP caches can be more + * effective because the CSRF prevention filter won't generate what + * look like unique URLs for those commonly-reused resources. + * + * @param patterns A comma-separated list of URL patterns that will not + *have nonces added to them. Patterns may begin or end with a + ** character to denote a suffix-match or + *prefix-match. Any matched URL will not have a CSRF nonce + *added to it when passed through + *{@link HttpServletResponse#encodeURL(String)}. + */ +public void setNoNonceURLPatterns(String patterns) { +this.noNoncePatterns = patterns; + +if (null != context) { +this.noNoncePredicates = createNoNoncePredicates(context, this.noNoncePatterns); +} +} + +/** + * Creates a collection of matchers from a comma-separated string of patterns. + * + * @param patterns A comma-separated string of URL matching patterns. + * + * @return A collection of predicates representing the URL patterns. 
+ */ +protected static Collection> createNoNoncePredicates(ServletContext context, String patterns) { +if (null == patterns || 0 == patterns.trim().length()) { Review Comment: Passionate is a strong word, so I can't say that I'm "passionate" about using String.isBlank(), but OTOH I do like seeing modern Java in the source code where applicable, so I'm a +1 on that one.
Re: [PR] Csrf filter improvements [tomcat]
isapir commented on code in PR #681: URL: https://github.com/apache/tomcat/pull/681#discussion_r1437905241 ## java/org/apache/catalina/filters/CsrfPreventionFilter.java: ## @@ -110,45 +285,70 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha HttpSession session = req.getSession(false); +String requestedPath = getRequestedPath(req); boolean skipNonceCheck = skipNonceCheck(req); NonceCache nonceCache = null; if (!skipNonceCheck) { String previousNonce = req.getParameter(nonceRequestParameterName); if (previousNonce == null) { -if (log.isDebugEnabled()) { -log.debug("Rejecting request for " + getRequestedPath(req) + ", session " + -(null == session ? "(none)" : session.getId()) + -" with no CSRF nonce found in request"); -} - -res.sendError(getDenyStatus()); -return; -} +if (enforce(req, requestedPath)) { +if (log.isDebugEnabled()) { +log.debug("Rejecting request for " + getRequestedPath(req) + ", session " + Review Comment: I personally think that the code is cleaner and easier to maintain when repetitive blocks are encapsulated in a function, but do I "really think it needs it"? Nahh - your code, your decision :)
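Review bot: `requestedPath` is computed at the top of this hunk (`String requestedPath = getRequestedPath(req);`) and passed to `enforce(req, requestedPath)`, yet the debug message a few lines later still calls `getRequestedPath(req)` a second time; use the local instead. The method `enforce(req, requestedPath)` also shares its name with the new `boolean enforce` field, so `enforce` now reads ambiguously inside `doFilter`; a name such as `isEnforced(req, path)` or `shouldEnforce(req, path)` would make the intent clearer. Since the original reject path (`res.sendError(getDenyStatus()); return;`) is now conditional on that call, a test that a nonce-less request with enforcement disabled is logged and then continues through the rest of the filter would pin the intended behaviour down.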
Re: [PR] Csrf filter improvements [tomcat]
isapir commented on code in PR #681: URL: https://github.com/apache/tomcat/pull/681#discussion_r1437906912 ## java/org/apache/catalina/filters/CsrfPreventionFilter.java: ## @@ -53,6 +58,25 @@ public class CsrfPreventionFilter extends CsrfPreventionFilterBase { private String nonceRequestParameterName = Constants.CSRF_NONCE_REQUEST_PARAM; +private boolean enforce = true; + +private Collection> noNoncePatterns = DEFAULT_NO_NONCE_URL_PATTERNS; + +private static final Collection> DEFAULT_NO_NONCE_URL_PATTERNS; + +static { +ArrayList> defaultNoNonceURLPatterns = new ArrayList<>(); + +defaultNoNonceURLPatterns.add(new SuffixPredicate(".css")); +defaultNoNonceURLPatterns.add(new SuffixPredicate(".js")); +defaultNoNonceURLPatterns.add(new SuffixPredicate(".gif")); +defaultNoNonceURLPatterns.add(new SuffixPredicate(".png")); +defaultNoNonceURLPatterns.add(new SuffixPredicate(".jpg")); Review Comment: "I never type `.jpeg` because I can get the same money for `.jpg`" - Mark Twain. But sure, it doesn't hurt to add it, as others do like the longhand (is that a word? opposite of shorthand) form.
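Review bot: `DEFAULT_NO_NONCE_URL_PATTERNS` is a plain `ArrayList` built in the static initializer and assigned directly to the instance field `noNoncePatterns`, so one shared mutable list backs every filter instance; wrap it with `Collections.unmodifiableList(defaultNoNonceURLPatterns)` before assigning it to the constant. Two behaviours worth pinning down with tests, since the `SuffixPredicate` implementation is not in this hunk: whether `SuffixPredicate(".js")` matches a URL that carries a query string (`/static/app.js?v=3` is a common `encodeURL` argument) and whether matching is case-sensitive (`/img/LOGO.PNG`); whichever is chosen should be documented next to the pattern syntax. Note also that this hunk declares `noNoncePatterns` as a collection of predicates, whereas `setNoNonceURLPatterns` in the `@@ -87,11 +104,170 @@` hunk assigns the raw pattern string to `this.noNoncePatterns` and the predicates to `this.noNoncePredicates`; the two hunks should agree on one name and type for each field.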