Posted to dev@tomcat.apache.org by vi...@apache.org on 2015/10/30 09:40:47 UTC
svn commit: r1711429 - in /tomcat/tc7.0.x/trunk: ./
java/org/apache/catalina/filters/ test/org/apache/catalina/filters/
Author: violetagg
Date: Fri Oct 30 08:40:46 2015
New Revision: 1711429
URL: http://svn.apache.org/viewvc?rev=1711429&view=rev
Log:
Merged revision 1709295 from tomcat/trunk:
There are use cases where nonce information cannot be provided via a header.
This commit introduces a mechanism to provide it via request parameters.
If there is an X-CSRF-Token header, it takes precedence over any request parameter with the same name.
Request parameters cannot be used to fetch a new nonce; only the header can.
Only configured paths can accept request parameters carrying nonce information.
Modified:
tomcat/tc7.0.x/trunk/ (props changed)
tomcat/tc7.0.x/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java
tomcat/tc7.0.x/trunk/java/org/apache/catalina/filters/CsrfPreventionFilterBase.java
tomcat/tc7.0.x/trunk/java/org/apache/catalina/filters/RestCsrfPreventionFilter.java
tomcat/tc7.0.x/trunk/test/org/apache/catalina/filters/TestRestCsrfPreventionFilter.java
Propchange: tomcat/tc7.0.x/trunk/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Fri Oct 30 08:40:46 2015
@@ -1,2 +1,2 @@
/tomcat/tc8.0.x/trunk:1636525,1637336,1637685,1637709,1638726,1640089,1640276,1640349,1640363,1640366,1640642,1640672,1640674,1640689,1640884,1641001,1641065,1641067,1641375,1641638,1641723,1641726,1641729-1641730,1641736,1641988,1642669-1642670,1642698,1642701,1643205,1643215,1643217,1643230,1643232,1643273,1643285,1643329-1643330,1643511,1643513,1643521,1643539,1643571,1643581-1643582,1643635,1643655,1643738,1643964,1644018,1644333,1644954,1644992,1645014,1645360,1645456,1645627,1645642,1645686,1645903-1645904,1645908-1645909,1645913,1645920,1646458,1646460-1646462,1646735,1646738-1646741,1646744,1646746,1646748-1646755,1646757,1646759-1646760,1647043,1648816,1651420-1651422,1651844,1652926,1652939-1652940,1652973,1653798,1653817,1653841,1654042,1654161,1654736,1654767,1654787,1656592,1659907,1662986,1663265,1663278,1663325,1663535,1663567,1663679,1663997,1664175,1664321,1664872,1665061,1665086,1666027,1666395,1666503,1666506,1666560,1666570,1666581,1666759,1666967,1666988,1667553
-1667555,1667558,1667617,1667633,1667637,1667747,1667767,1667873,1668028,1668137,1668634,1669432,1669801,1669840,1669895-1669896,1670398,1670435,1670592,1670605-1670607,1670609,1670632,1670720,1670725,1670727,1670731,1671114,1672273,1672285,1673759,1674220,1674295,1675469,1675488,1675595,1675831,1676232,1676367-1676369,1676382,1676394,1676483,1676556,1676635,1678178,1679536,1679988,1680256,1681124,1681182,1681730,1681840,1681864,1681869,1682010,1682034,1682047,1682052-1682053,1682062,1682064,1682070,1682312,1682325,1682331,1682386,1684367,1684385,1685759,1685774,1685827,1685892,1687341,1688904,1689358,1689657,1692850,1693093,1693108,1693324,1694060,1694115,1694291,1694427,1694431,1694503,1694549,1694789,1694873,1694881,1695356,1695372,1695823-1695825,1696200,1696281,1696379,1696468,1700608,1700871,1700897,1700978,1701094,1701124,1701608,1701668,1701676,1701766,1701944,1702248,1702252,1702314,1702390,1702723,1702725,1702728,1702730,1702733,1702735,1702737,1702739,1702742,1702744,1702
748,1702751,1702754,1702758,1702760,1702763,1702766,1708779,1708782,1708806,1709314,1709670,1710347,1710442,1710448,1710490,1710574,1710578
-/tomcat/trunk:1156115-1157160,1157162-1157859,1157862-1157942,1157945-1160347,1160349-1163716,1163718-1166689,1166691-1174340,1174342-1175596,1175598-1175611,1175613-1175932,1175934-1177783,1177785-1177980,1178006-1180720,1180722-1183094,1183096-1187753,1187755,1187775,1187801,1187806,1187809,1187826-1188312,1188314-1188401,1188646-1188840,1188842-1190176,1190178-1195223,1195225-1195953,1195955,1195957-1201238,1201240-1203345,1203347-1206623,1206625-1208046,1208073,1208096,1208114,1208145,1208772,1209194-1212125,1212127-1220291,1220293,1220295-1221321,1221323-1222329,1222332-1222401,1222405-1222795,1222850-1222950,1222969-1225326,1225328-1225463,1225465,1225627,1225629-1226534,1226536-1228908,1228911-1228923,1228927-1229532,1229534-1230766,1230768-1231625,1231627-1233414,1233419-1235207,1235209-1237425,1237427,1237429-1237977,1237981,1237985,1237995,1238070,1238073,1239024-1239048,1239050-1239062,1239135,1239256,1239258-1239485,1239785-1240046,1240101,1240106,1240109,1240112,1240114
,1240116,1240118,1240121,1240329,1240474-1240850,1240857,1241087,1241160,1241408-1241822,1241908-1241909,1241912-1242110,1242371-1292130,1292134-1292458,1292464-1292670,1292672-1292776,1292780-1293392,1293397-1297017,1297019-1297963,1297965-1299820,1300108,1300111-1300460,1300520-1300948,1300997,1301006,1301280,1302332,1302348,1302608-1302610,1302649,1302837,1303138,1303163,1303338,1303521,1303587,1303698,1303803,1303852,1304011,1304035,1304037,1304135,1304249,1304253,1304260,1304271,1304275,1304468,1304895,1304930-1304932,1305194,1305943,1305965,1306556,1306579-1306580,1307084,1307310,1307511-1307512,1307579,1307591,1307597,1310636,1310639-1310640,1310642,1310701,1311212,1311995,1327617,1327670,1331766,1333161,1333173,1333827,1334787,1335026,1335257,1335547,1335692,1335711,1335731,1336515,1336813,1336864,1336868,1336884,1337419,1337426,1337546,1337572,1337591-1337595,1337643,1337707,1337719,1337734,1337741,1337745,1338151-1338154,1338178,1342027,1342029,1342315,1342320,1342476,1342
498,1342503,1342717,1342795,1342805,1343044-1343046,1343335,1343394,1343400,1343629,1343708,1343718,1343895,1344063,1344068,1344250,1344266,1344515,1344528,1344612,1344629,1344725,1344868,1344890,1344893,1344896,1344901,1345020,1345029,1345039,1345287-1345290,1345294,1345309,1345325,1345357,1345367,1345579-1345580,1345582,1345688,1345699,1345704,1345731-1345732,1345737,1345744,1345752,1345754,1345779,1345781,1345846,1346107,1346365,1346376,1346404,1346510,1346514,1346519,1346581,1346635,1346644,1346683,1346794,1346885,1346932,1347034,1347047,1347087,1347108-1347109,1347583,1347737,1348105,1348357,1348398,1348425,1348461-1348495,1348498,1348752,1348762,1348772,1348776,1348859,1348968,1348973,1348989,1349007,1349237,1349298,1349317,1349410,1349473,1349539,1349879,1349887,1349893,1349922,1349984,1350124,1350241,1350243,1350294-1350295,1350299,1350864,1350900,1351010,1351054,1351056,1351068,1351134-1351135,1351148,1351259,1351604,1351636-1351640,1351991,1351993,1352011,1352056,1352059,1
352661,1352663,1352788,1352799,1353087,1353125,1353240,1353261,1353414,1353468,1353501,1353581,1353708,1354137,1354170,1354197,1354255,1354362,1354375,1354469,1354664,1354685,1354817,1354847,1354856,1355726,1355810,1356006-1356007,1356014,1356045,1356125,1356422,1356505,1356898,1357042,1357401,1357407,1358586,1358590,1358612-1358613,1359102,1359340,1359981,1360059,1360455,1360460,1360838,1360847,1360892,1360942,1361263,1361430,1361754-1361755,1361762,1361769,1361772,1361962,1361982,1361985,1361991,1364141,1364149,1364411-1364412,1364448,1366708,1366720,1366729,1366734,1366910,1366945,1366953,1366959,1367214,1370346,1370364,1370373,1370386,1370473,1370537,1370549,1370553,1370879,1370916,1370958,1370960,1370973,1371017,1371283,1371336,1371620,1371812,1371823,1371896,1371976,1371978,1371995,1371999,1372131,1372152,1372156,1372390,1373003,1373080,1373142,1373488,1373578,1373618,1373622,1373666,1373985,1373987,1373990,1373993,1374000,1374019,1374086,1374823,1376994,1377078,1377292,137731
1,1377342,1377433,1377444,1377516,1377518-1377519,1377532,1377535,1377544,1377689,1377785,1377794,1377811,1377824,1377827,1377831,1377852-1377853,1377887,1377900,1378322,1378361,1378394,1378699,1378715,1378818,1378868,1378918,1379047,1379090,1379178,1379206,1379213,1379418,1379580,1379590,1379639,1379647,1379649,1379665,1379733,1379735,1380066,1380073,1380075,1380376,1380635,1380637,1380838,1381411,1381623,1382314,1382343,1382366,1382515,1382832,1382842,1384051,1384055,1384063,1384068-1384069,1385336,1387937,1388709,1388890,1390882,1392098,1392619,1393071,1393115,1396615,1396723,1397086,1397464,1397466,1397472,1397482,1397484,1397839,1397868,1397944,1397950,1397953,1397957,1397960,1397962,1397964,1397969,1397971-1397974,1397976-1397980,1397985,1397988-1397989,1398089,1398107,1398109-1398110,1398112,1399022,1401472,1401792,1401808,1401814,1402113,1402122,1402345,1402348,1402350,1402428,1402573,1402576,1402600-1402601,1402622,1402643,1402683,1402705,1402837,1402855,1403099,1403468,140
4374,1404658,1404704,1404773,1404917-1404918,1405133,1405168,1405321,1405353,1405357,1405364,1405397,1405399-1405400,1405415,1405435,1405676,1405681,1406456,1406481,1406526,1407595,1407619,1408043,1408148,1408154,1408156,1408159,1408163-1408165,1408248,1408438,1408504,1408513-1408517,1408562-1408565,1408714,1408721,1408739,1408750,1408774,1408792,1408872-1408876,1408906,1408934,1409007,1409030,1410466,1410545,1410609,1410611,1410632,1410714,1410742,1410763-1410764,1410766,1411585,1411993,1412575,1413552,1413556,1413562,1414053,1414113,1414215,1414889,1415177-1415179,1415186,1416458,1416481,1416501,1416529,1416534-1416535,1416658,1417201,1417224,1417282,1417347-1417348,1417353,1417363,1417365,1417370-1417372,1417463,1417465,1417467,1417469,1417476,1424894,1425502,1425564,1425628,1426662,1427013,1427757,1427784,1427804,1427846,1428010,1428079,1428283,1428355,1428403,1428643,1428869,1428959,1428993,1429123,1429153,1429167,1429173,1429179-1429180,1429182,1429356,1429687,1429745,1429784,
1429836,1429863,1429946,1429969,1430079,1430147,1430165,1430445,1430448,1430481,1430487,1430508,1430550,1430567,1430771,1430773,1430775,1430791,1430799,1430806,1430809,1430921,1431164,1431171,1431206,1431221,1431293,1431298,1431302,1431308,1431310,1431320,1431661,1431920,1431990,1432517,1432867,1433976,1434403,1434428,1434438,1434447,1434456,1434463,1434500,1434598,1434660,1434685,1434725,1434757,1434882,1435126,1435505,1435509,1435600,1435606,1435636,1435642,1435759-1435760,1435765,1435767,1437317,1437337,1437505,1437637,1437649,1437743,1437891,1437897,1437903,1438411,1438463,1439054,1439334,1439434,1439442,1439445,1439667,1440095,1440622,1440911,1441342,1441348,1441403,1441416,1441428,1441807,1441895,1441916,1441920,1443350,1443405,1443427,1445111,1445125,1445190,1445208,1445212,1445328,1445337,1445520,1446108,1446137,1446357,1446612,1446640,1446650,1447012,1447178,1447791,1447817-1447818,1448117,1448121,1448125,1448679,1448826,1449225,1449406,1450990,1451053,1451061,1451105,14514
08,1451434,1451769,1451938-1451939,1451947,1451955-1451956,1452295,1452501,1452707,1452719,1452721,1452752,1453105,1453112,1453435,1453439,1453490,1453544,1453549,1453621,1454828,1454832,1454953,1455344,1455854,1455973,1456083,1456440,1456453,1456491,1456494,1456657,1456666,1456678,1456706,1456713,1456716,1456721,1456740,1456762,1456766,1456822,1456844,1456863,1456872,1456882,1456885,1456895,1456899,1456904,1456916,1456920,1456926,1456932,1456959,1456963,1456970,1457299,1457301,1457362,1457382,1457402,1457452,1457748,1457968,1458187,1458192,1458200,1458221,1458562,1458564-1458565,1458694,1458726,1458738-1458739,1459010,1459028,1459031,1459061,1459074-1459075,1459085,1459218,1459223,1459289,1459389,1459523-1459524,1459673,1459681,1459761,1459769,1459933,1460107,1460115,1460234,1460313,1460330,1460342,1460533,1460633,1460679,1460873,1461026,1461110,1461341,1461349,1461849,1464781,1465795,1465807,1466051,1466072,1466106,1467091,1468415,1470400,1470435,1470765,1471371,1471632,1475750,14
75791,1475900,1475930,1475968,1476761,1476805,1476815,1476972,1477051,1478857,1479175,1479179,1479248,1479482,1479951,1481164,1481835,1482115,1482288,1482309,1482311,1482313,1482321,1482591,1482720,1482723,1482799,1482835,1482854,1483104,1483229,1483288,1483360-1483361,1483390,1483552,1483554,1483679,1483743-1483744,1483786-1483787,1483816-1483817,1483949,1484253,1484592,1484780,1484786,1484861-1484862,1484959,1485114,1485489,1485495,1485611,1485847,1485862,1486062,1486134,1486217,1486294,1486443,1486834,1486861,1486875,1486890,1486939,1487862,1487882,1488151,1488793,1489170,1489195-1489196,1489201,1489385,1489390,1489405,1489437,1489536,1489546,1489610,1489633,1489648,1489738,1489812,1489886,1491485,1491596,1491709,1491841,1491890,1491940,1491942,1492307,1492336,1492343,1492358,1492555,1492570,1493011,1493013-1493014,1493071,1493113,1493740,1493801,1493910,1494044,1494048,1494051,1494056,1494143,1495015,1495043,1495154,1495197,1495880,1495886,1496061,1496732,1496734,1497474,1497538
,1497754,1498340,1498363,1498368,1498409,1498475,1498482,1498498,1498669,1498698,1498808,1499371,1499388,1499513,1499953,1500003,1500062,1500371,1500380,1500577,1500590,1500663,1501176,1501266,1501304,1501719,1501738,1501823,1501910,1501927,1501929,1502254,1502349,1503851,1505843,1505929,1506053,1507013,1507052,1507096,1507870,1507872,1508196,1508259,1508346,1509128,1509151,1509156,1509161,1509806,1510246,1510271,1510488,1511212,1511217,1511434,1512034,1513025,1513148-1513149,1513665,1514281,1514291,1514305,1514368,1514470,1514485-1514486,1515841,1515926,1516113,1516295,1516419,1516710,1516953,1517536,1517898,1517941,1517970,1517980,1518189,1518210,1518328,1518381,1518536,1518540,1518578,1518581,1518589,1519611,1519623,1519627,1520273,1520349,1520632,1520655,1521023,1521025,1521027,1521030,1521032,1521034,1521040,1521043,1521049-1521050,1521059-1521061,1521073,1521075,1521271,1521276,1521444,1521687,1521829,1521831,1521834-1521835,1521837,1521839-1521840,1522016,1523555,1523646-1523
647,1523674,1523781,1523788,1523830,1523955,1523958,1523964,1523982,1524078,1524558,1524652,1524657,1524668,1524683,1524687,1524707,1524719,1524727,1524761,1524978,1524984,1525593,1525696,1526043,1526052,1526730,1527480,1527493,1527727-1527728,1527730-1527733,1528060,1528166,1528169,1528171-1528172,1528248,1528369,1528383,1528407,1528424,1528855,1529149,1529181,1529317,1529546,1529549,1529787,1530057,1530081,1530103,1530213,1530296,1530298,1530325,1530342,1530348,1530353,1530397,1530418,1530421,1530423,1530426,1530445,1530574,1530599,1530632,1530791,1530822,1530866,1530875,1530909,1530989,1531087,1531099,1531130,1531138,1531156,1531161,1531271,1531312,1531600,1532036,1532269,1532286,1532373,1532437,1532445,1532498-1532501,1532506,1532544,1532622,1532627,1532718-1532722,1532765-1532766,1533048-1533049,1533117,1533312,1533347,1533962,1533980,1534165,1534418,1534540,1534543-1534544,1534612,1534616,1534619,1534727,1534744,1534846,1536298,1536337,1536520,1536624,1536632,1536735,1536834,1
536848,1536850,1536852,1537041,1537057,1537073,1537404,1537835,1538533,1538781,1538798,1538833,1538921,1538923-1538924,1539133,1539157,1539173,1539180,1539445,1539452,1539702,1539716,1539887,1539953,1540374,1540383-1540386,1540396-1540398,1540400-1540413,1540539,1540641,1540647,1540670,1540687,1540765,1540807,1542267,1542339,1542769,1542841,1542845,1542856,1543383,1543753,1543772,1543815-1543817,1543897,1543943,1543948,1544072,1544075,1544082,1544165,1544208,1544210,1544453,1544455,1544460,1544472,1544589,1544593,1544606,1544679,1545075,1545078,1545082,1545213,1545215,1545261,1545284,1545288,1545377,1545416,1545471,1545480,1545558,1545619,1545665,1545750,1545799,1545814,1545832,1545847,1545863,1546172,1546372,1546382,1546631,1546656,1547032,1547760,1548169,1548182-1548183,1548185,1548498,1548695,1548961,1548966,1549522,1549525,1549528,1549909,1550387,1550541,1550743,1550920,1551298,1551300,1551323,1551481-1551482,1551953,1552042,1552071,1552080,1552287,1552804,1553126,1553608,155365
0,1555163,1556725,1556783,1556788,1556807,1556823,1556836,1556957,1557082,1557747,1557752,1558129,1558355,1558811,1559081,1559113,1559134,1559397,1559419,1559549-1559550,1559561-1559562,1559573,1559662,1559697,1559707,1559798,1560017,1560158,1560177,1560212-1560213,1560784,1560810,1560817,1560838,1560850,1560856,1560922,1560948,1561025,1561054-1561065,1561067-1561070,1561072-1561075,1561083,1561085,1561093-1561094,1561098,1561101,1561104,1561106,1561114-1561116,1561121-1561123,1561126-1561128,1561131-1561133,1561135-1561136,1561138,1561140,1561143-1561146,1561148-1561157,1561160-1561162,1561164-1561176,1561178-1561182,1561185-1561188,1561190-1561192,1561195,1561623,1561635,1561640,1561732,1562411,1562458,1562581,1562597,1562742,1562746,1563206,1563989,1564299,1564309,1564312,1564398,1564414,1564461,1564742-1564746,1565300-1565416,1565451,1565788,1566693,1566699,1567144,1567382,1567404,1567429,1567580,1567634,1567993,1568768,1568779-1568780,1568803,1568828,1568921,1568926,1568936,156
9398,1569459,1569735,1569755,1570114,1570120,1570176,1570547,1570601,1570629,1570713,1571196,1571725,1572574,1574004,1574479,1574923,1574936,1574943,1575012,1575262,1575545,1575885,1575910,1576104,1576271,1576288,1576628,1576722,1576768,1576810,1576908,1576923,1577182,1577195,1577315,1577324,1577463,1577544,1577557,1577565,1577581,1577714,1577873,1577944,1578309,1578329,1578337,1578610-1578611,1578636,1578810,1578812-1578813,1578817,1579174,1579214-1579215,1579626,1580030,1580080,1580194,1580514,1580598,1580658,1580821,1580849,1580869,1581061,1581529,1582009,1582064,1582453,1584915,1584922,1586644,1586658,1586890,1586894,1586951,1586959,1586961,1587272,1587378-1587379,1587723,1587859,1587865,1587870,1587886,1588102,1588193,1588197,1588269,1588462,1589035,1589039,1589043,1589100,1589102,1589165-1589166,1589170,1589523,1589630,1589633,1589668,1589698,1589726,1589737-1589738,1589763,1589837,1589842,1589967,1589980,1590018,1590060,1590076,1590120,1590128,1590283,1590300,1590302,1590322,
1590329,1590339,1590345,1590377,1590402,1590422,1590438,1590451,1590461,1590471,1590474,1590479,1590604,1590635,1590638,1590646,1590648,1590801,1590835,1590842,1590911,1593132,1593189,1593200,1593259,1593261,1593284,1593335,1593356,1593387,1593421,1593506,1593621,1593697,1593773,1593800,1593834,1593877,1593940,1593994,1594229,1594393,1594436,1594730,1594924,1595171,1595230,1595285,1595289,1595331,1595365,1595690,1595887,1595898,1596081,1596141,1596189,1596275,1596390,1596971,1597532,1597541,1597572-1597573,1597652,1597753-1597755,1597759,1597855,1598153,1598242,1598248,1598266-1598267,1598304,1598307,1598310-1598311,1598313,1599393,1599395,1599460,1599479,1599500,1599558,1599738-1599739,1600109,1600162,1600408,1600449,1600495,1600501,1600579-1600580,1600743,1600833,1600839,1600862,1600899,1600955,1600963,1600965,1600978,1600984,1601329-1601330,1601332,1601785,1601796,1601850,1601855,1601886,1601977,1602046,1602189,1602198,1602452,1602521,1602583,1602694,1602831,1602842,1602844,16028
51,1602858,1602865,1602956,1603591,1603621,1603770,1603775,1603779,1603783,1603947,1604024,1604165,1604484-1604496,1604605,1604661,1604768,1604776,1604781,1604788,1604810,1604818,1604822,1605054,1605061,1605066,1605402,1605417,1605454,1605528,1605821,1605823,1605890-1605891,1606072,1606103,1606114,1606653,1607592,1607675,1607740,1607930-1607931,1607934,1608301,1608428,1608443,1608481,1608645,1608963,1609061,1609175,1609334,1609593,1609920,1611506,1614163,1614169,1614179,1614197,1615710,1615724,1615876,1615911,1615947,1616441,1616452,1616458,1617362,1617365,1617383,1617445,1617456,1617461,1617469-1617470,1618112,1618169,1618565,1618688,1618704,1618830,1618832-1618835,1619056,1619106,1619114,1619361-1619362,1619583,1619585,1619738,1619742,1620743,1620915,1620917,1621698,1621725-1621727,1621729,1621731,1621929,1621975,1622163,1622187,1622228,1622233,1622251,1622259,1622263,1622297,1622312,1622342,1622470,1622713,1623236,1623384,1623392,1623685,1623693,1623695,1623779,1624110,1624112,16
24115-1624116,1624119,1624122,1624124,1624126,1624129-1624130,1624132-1624133,1624135,1624139,1624142-1624143,1624147,1624150,1624152,1624155-1624157,1624162-1624165,1624220,1624233,1624235,1624246-1624247,1624252,1624254,1624396,1624408,1624422,1624476,1624486-1624487,1624497-1624498,1624542,1624563-1624565,1624568-1624569,1624571,1624573,1624580,1624583,1624586,1624588,1624592,1624598,1624605,1624614,1624636,1624642,1624645,1624647-1624648,1624655,1624657,1624679,1624959,1624984,1625501,1625504,1625563,1625599,1625842,1625854,1626579,1626741,1626747-1626748,1626764-1626765,1626779,1626893,1626905,1626991,1627033,1627296,1627323,1627370,1627525,1627531,1627569,1627629,1628517,1628524,1628541,1628984,1629293,1629906,1630065,1630088,1630092,1630094,1630110,1630194,1630199,1630203,1630208-1630210,1630216,1630375,1630407,1631347,1631381,1631568,1631628,1631717,1631730,1631817-1631818,1631839,1631852,1631987,1631992-1631993,1632251,1632290,1632307,1632411,1632423-1632425,1632512,1632523
,1632584,1632600-1632601,1632604,1632965,1632975,1632988,1633128,1633342,1633346,1633369,1633447-1633448,1633500,1633688,1633785,1633824-1633825,1633936,1633974,1634229,1634250,1634257-1634258,1634260,1634312,1634326-1634327,1634329,1634690,1635215,1635301,1635308,1635310,1636524,1637331,1637684,1637695,1638720-1638725,1639653,1640083,1640088,1640275,1640322,1640347,1640361,1640365,1640652,1640655-1640658,1640688,1640700-1640883,1641000,1641058,1641064,1641374,1641634,1641656-1641692,1641707-1641718,1641721-1641722,1641735,1641981,1642327,1642554,1642564,1642595,1642606,1642668,1642679,1642697,1642699,1642766,1643002,1643045,1643054-1643055,1643121,1643206,1643209-1643210,1643216,1643270,1643283,1643309-1643310,1643536,1643570,1643634,1643654,1643675,1643733,1643761,1643963,1644017,1644321,1644529,1644535,1644989,1645011,1645357-1645358,1645455,1645486,1645488,1645626,1645641,1645685,1645743,1645763,1646098-1646106,1646178,1646304,1646470-1646471,1646476,1646559,1646717-1646723,1647
042,1648815,1650365,1651116,1651120,1651280,1651470,1652938,1652970,1653550,1653574,1653797,1653815-1653816,1653840,1654013,1654123,1654159,1654735,1654766,1654785,1656590,1662736,1662985,1663264,1663277,1663534,1663562,1663676,1663995,1664174,1664301,1664317,1664863-1664864,1664866,1665085,1665292,1665779,1666024,1666386-1666387,1666494,1666496,1666552,1666569,1666579,1666637,1666649,1666757,1666966,1666985,1667292,1667402,1667406,1667546,1667615,1667630,1667636,1667688,1667764,1667871,1668026,1668135,1668193,1668596,1668630,1669353,1669370,1669800,1669838,1669876,1669882,1670394,1670433,1670591,1670598-1670600,1670610,1670631-1670632,1670719,1670724,1670726,1670730,1670940,1672272,1672284,1673754,1674294,1675461,1675486,1675594,1675830,1676231,1676250-1676251,1676364,1676381,1676393,1676479,1676552,1676634,1678174,1678339,1678426-1678427,1678694,1679534,1679708,1679710,1679716,1680246,1681123,1681729,1681770,1681779,1681793,1681807,1681837-1681838,1681854,1681862,1681958,1682028,1
682033,1682311,1682324,1682330,1684172,1684366,1684383,1685739,1685744,1685772,1685826,1685891,1687242,1687261,1687268,1687340,1688563,1688901,1689346,1689357,1689656,1689825,1690011,1690021,1690054,1690080,1690209,1691134,1691487,1692849,1693088,1693105,1694058,1694111,1694290,1694501,1694548,1694788,1694872,1694878,1695354,1695371,1695706,1695778,1696199,1696280,1696378,1696467,1700607,1700870,1700896,1700977,1701093,1701123,1701607,1701666,1701673,1701760-1701761,1701765,1701940,1702246,1702250,1702313,1702630-1702631,1702633-1702634,1702637-1702638,1702640,1702647,1702662,1702665,1702668,1702672,1702675-1702676,1702680,1702722,1708687,1708745,1708957,1709120,1709663,1710070,1710346,1710441,1710489,1710517,1710523,1710571,1710577,1710632,1710676,1710689,1710753-1710754,1710779,1711006
+/tomcat/trunk:1156115-1157160,1157162-1157859,1157862-1157942,1157945-1160347,1160349-1163716,1163718-1166689,1166691-1174340,1174342-1175596,1175598-1175611,1175613-1175932,1175934-1177783,1177785-1177980,1178006-1180720,1180722-1183094,1183096-1187753,1187755,1187775,1187801,1187806,1187809,1187826-1188312,1188314-1188401,1188646-1188840,1188842-1190176,1190178-1195223,1195225-1195953,1195955,1195957-1201238,1201240-1203345,1203347-1206623,1206625-1208046,1208073,1208096,1208114,1208145,1208772,1209194-1212125,1212127-1220291,1220293,1220295-1221321,1221323-1222329,1222332-1222401,1222405-1222795,1222850-1222950,1222969-1225326,1225328-1225463,1225465,1225627,1225629-1226534,1226536-1228908,1228911-1228923,1228927-1229532,1229534-1230766,1230768-1231625,1231627-1233414,1233419-1235207,1235209-1237425,1237427,1237429-1237977,1237981,1237985,1237995,1238070,1238073,1239024-1239048,1239050-1239062,1239135,1239256,1239258-1239485,1239785-1240046,1240101,1240106,1240109,1240112,1240114
,1240116,1240118,1240121,1240329,1240474-1240850,1240857,1241087,1241160,1241408-1241822,1241908-1241909,1241912-1242110,1242371-1292130,1292134-1292458,1292464-1292670,1292672-1292776,1292780-1293392,1293397-1297017,1297019-1297963,1297965-1299820,1300108,1300111-1300460,1300520-1300948,1300997,1301006,1301280,1302332,1302348,1302608-1302610,1302649,1302837,1303138,1303163,1303338,1303521,1303587,1303698,1303803,1303852,1304011,1304035,1304037,1304135,1304249,1304253,1304260,1304271,1304275,1304468,1304895,1304930-1304932,1305194,1305943,1305965,1306556,1306579-1306580,1307084,1307310,1307511-1307512,1307579,1307591,1307597,1310636,1310639-1310640,1310642,1310701,1311212,1311995,1327617,1327670,1331766,1333161,1333173,1333827,1334787,1335026,1335257,1335547,1335692,1335711,1335731,1336515,1336813,1336864,1336868,1336884,1337419,1337426,1337546,1337572,1337591-1337595,1337643,1337707,1337719,1337734,1337741,1337745,1338151-1338154,1338178,1342027,1342029,1342315,1342320,1342476,1342
498,1342503,1342717,1342795,1342805,1343044-1343046,1343335,1343394,1343400,1343629,1343708,1343718,1343895,1344063,1344068,1344250,1344266,1344515,1344528,1344612,1344629,1344725,1344868,1344890,1344893,1344896,1344901,1345020,1345029,1345039,1345287-1345290,1345294,1345309,1345325,1345357,1345367,1345579-1345580,1345582,1345688,1345699,1345704,1345731-1345732,1345737,1345744,1345752,1345754,1345779,1345781,1345846,1346107,1346365,1346376,1346404,1346510,1346514,1346519,1346581,1346635,1346644,1346683,1346794,1346885,1346932,1347034,1347047,1347087,1347108-1347109,1347583,1347737,1348105,1348357,1348398,1348425,1348461-1348495,1348498,1348752,1348762,1348772,1348776,1348859,1348968,1348973,1348989,1349007,1349237,1349298,1349317,1349410,1349473,1349539,1349879,1349887,1349893,1349922,1349984,1350124,1350241,1350243,1350294-1350295,1350299,1350864,1350900,1351010,1351054,1351056,1351068,1351134-1351135,1351148,1351259,1351604,1351636-1351640,1351991,1351993,1352011,1352056,1352059,1
352661,1352663,1352788,1352799,1353087,1353125,1353240,1353261,1353414,1353468,1353501,1353581,1353708,1354137,1354170,1354197,1354255,1354362,1354375,1354469,1354664,1354685,1354817,1354847,1354856,1355726,1355810,1356006-1356007,1356014,1356045,1356125,1356422,1356505,1356898,1357042,1357401,1357407,1358586,1358590,1358612-1358613,1359102,1359340,1359981,1360059,1360455,1360460,1360838,1360847,1360892,1360942,1361263,1361430,1361754-1361755,1361762,1361769,1361772,1361962,1361982,1361985,1361991,1364141,1364149,1364411-1364412,1364448,1366708,1366720,1366729,1366734,1366910,1366945,1366953,1366959,1367214,1370346,1370364,1370373,1370386,1370473,1370537,1370549,1370553,1370879,1370916,1370958,1370960,1370973,1371017,1371283,1371336,1371620,1371812,1371823,1371896,1371976,1371978,1371995,1371999,1372131,1372152,1372156,1372390,1373003,1373080,1373142,1373488,1373578,1373618,1373622,1373666,1373985,1373987,1373990,1373993,1374000,1374019,1374086,1374823,1376994,1377078,1377292,137731
1,1377342,1377433,1377444,1377516,1377518-1377519,1377532,1377535,1377544,1377689,1377785,1377794,1377811,1377824,1377827,1377831,1377852-1377853,1377887,1377900,1378322,1378361,1378394,1378699,1378715,1378818,1378868,1378918,1379047,1379090,1379178,1379206,1379213,1379418,1379580,1379590,1379639,1379647,1379649,1379665,1379733,1379735,1380066,1380073,1380075,1380376,1380635,1380637,1380838,1381411,1381623,1382314,1382343,1382366,1382515,1382832,1382842,1384051,1384055,1384063,1384068-1384069,1385336,1387937,1388709,1388890,1390882,1392098,1392619,1393071,1393115,1396615,1396723,1397086,1397464,1397466,1397472,1397482,1397484,1397839,1397868,1397944,1397950,1397953,1397957,1397960,1397962,1397964,1397969,1397971-1397974,1397976-1397980,1397985,1397988-1397989,1398089,1398107,1398109-1398110,1398112,1399022,1401472,1401792,1401808,1401814,1402113,1402122,1402345,1402348,1402350,1402428,1402573,1402576,1402600-1402601,1402622,1402643,1402683,1402705,1402837,1402855,1403099,1403468,140
4374,1404658,1404704,1404773,1404917-1404918,1405133,1405168,1405321,1405353,1405357,1405364,1405397,1405399-1405400,1405415,1405435,1405676,1405681,1406456,1406481,1406526,1407595,1407619,1408043,1408148,1408154,1408156,1408159,1408163-1408165,1408248,1408438,1408504,1408513-1408517,1408562-1408565,1408714,1408721,1408739,1408750,1408774,1408792,1408872-1408876,1408906,1408934,1409007,1409030,1410466,1410545,1410609,1410611,1410632,1410714,1410742,1410763-1410764,1410766,1411585,1411993,1412575,1413552,1413556,1413562,1414053,1414113,1414215,1414889,1415177-1415179,1415186,1416458,1416481,1416501,1416529,1416534-1416535,1416658,1417201,1417224,1417282,1417347-1417348,1417353,1417363,1417365,1417370-1417372,1417463,1417465,1417467,1417469,1417476,1424894,1425502,1425564,1425628,1426662,1427013,1427757,1427784,1427804,1427846,1428010,1428079,1428283,1428355,1428403,1428643,1428869,1428959,1428993,1429123,1429153,1429167,1429173,1429179-1429180,1429182,1429356,1429687,1429745,1429784,
1429836,1429863,1429946,1429969,1430079,1430147,1430165,1430445,1430448,1430481,1430487,1430508,1430550,1430567,1430771,1430773,1430775,1430791,1430799,1430806,1430809,1430921,1431164,1431171,1431206,1431221,1431293,1431298,1431302,1431308,1431310,1431320,1431661,1431920,1431990,1432517,1432867,1433976,1434403,1434428,1434438,1434447,1434456,1434463,1434500,1434598,1434660,1434685,1434725,1434757,1434882,1435126,1435505,1435509,1435600,1435606,1435636,1435642,1435759-1435760,1435765,1435767,1437317,1437337,1437505,1437637,1437649,1437743,1437891,1437897,1437903,1438411,1438463,1439054,1439334,1439434,1439442,1439445,1439667,1440095,1440622,1440911,1441342,1441348,1441403,1441416,1441428,1441807,1441895,1441916,1441920,1443350,1443405,1443427,1445111,1445125,1445190,1445208,1445212,1445328,1445337,1445520,1446108,1446137,1446357,1446612,1446640,1446650,1447012,1447178,1447791,1447817-1447818,1448117,1448121,1448125,1448679,1448826,1449225,1449406,1450990,1451053,1451061,1451105,14514
08,1451434,1451769,1451938-1451939,1451947,1451955-1451956,1452295,1452501,1452707,1452719,1452721,1452752,1453105,1453112,1453435,1453439,1453490,1453544,1453549,1453621,1454828,1454832,1454953,1455344,1455854,1455973,1456083,1456440,1456453,1456491,1456494,1456657,1456666,1456678,1456706,1456713,1456716,1456721,1456740,1456762,1456766,1456822,1456844,1456863,1456872,1456882,1456885,1456895,1456899,1456904,1456916,1456920,1456926,1456932,1456959,1456963,1456970,1457299,1457301,1457362,1457382,1457402,1457452,1457748,1457968,1458187,1458192,1458200,1458221,1458562,1458564-1458565,1458694,1458726,1458738-1458739,1459010,1459028,1459031,1459061,1459074-1459075,1459085,1459218,1459223,1459289,1459389,1459523-1459524,1459673,1459681,1459761,1459769,1459933,1460107,1460115,1460234,1460313,1460330,1460342,1460533,1460633,1460679,1460873,1461026,1461110,1461341,1461349,1461849,1464781,1465795,1465807,1466051,1466072,1466106,1467091,1468415,1470400,1470435,1470765,1471371,1471632,1475750,14
75791,1475900,1475930,1475968,1476761,1476805,1476815,1476972,1477051,1478857,1479175,1479179,1479248,1479482,1479951,1481164,1481835,1482115,1482288,1482309,1482311,1482313,1482321,1482591,1482720,1482723,1482799,1482835,1482854,1483104,1483229,1483288,1483360-1483361,1483390,1483552,1483554,1483679,1483743-1483744,1483786-1483787,1483816-1483817,1483949,1484253,1484592,1484780,1484786,1484861-1484862,1484959,1485114,1485489,1485495,1485611,1485847,1485862,1486062,1486134,1486217,1486294,1486443,1486834,1486861,1486875,1486890,1486939,1487862,1487882,1488151,1488793,1489170,1489195-1489196,1489201,1489385,1489390,1489405,1489437,1489536,1489546,1489610,1489633,1489648,1489738,1489812,1489886,1491485,1491596,1491709,1491841,1491890,1491940,1491942,1492307,1492336,1492343,1492358,1492555,1492570,1493011,1493013-1493014,1493071,1493113,1493740,1493801,1493910,1494044,1494048,1494051,1494056,1494143,1495015,1495043,1495154,1495197,1495880,1495886,1496061,1496732,1496734,1497474,1497538
,1497754,1498340,1498363,1498368,1498409,1498475,1498482,1498498,1498669,1498698,1498808,1499371,1499388,1499513,1499953,1500003,1500062,1500371,1500380,1500577,1500590,1500663,1501176,1501266,1501304,1501719,1501738,1501823,1501910,1501927,1501929,1502254,1502349,1503851,1505843,1505929,1506053,1507013,1507052,1507096,1507870,1507872,1508196,1508259,1508346,1509128,1509151,1509156,1509161,1509806,1510246,1510271,1510488,1511212,1511217,1511434,1512034,1513025,1513148-1513149,1513665,1514281,1514291,1514305,1514368,1514470,1514485-1514486,1515841,1515926,1516113,1516295,1516419,1516710,1516953,1517536,1517898,1517941,1517970,1517980,1518189,1518210,1518328,1518381,1518536,1518540,1518578,1518581,1518589,1519611,1519623,1519627,1520273,1520349,1520632,1520655,1521023,1521025,1521027,1521030,1521032,1521034,1521040,1521043,1521049-1521050,1521059-1521061,1521073,1521075,1521271,1521276,1521444,1521687,1521829,1521831,1521834-1521835,1521837,1521839-1521840,1522016,1523555,1523646-1523
647,1523674,1523781,1523788,1523830,1523955,1523958,1523964,1523982,1524078,1524558,1524652,1524657,1524668,1524683,1524687,1524707,1524719,1524727,1524761,1524978,1524984,1525593,1525696,1526043,1526052,1526730,1527480,1527493,1527727-1527728,1527730-1527733,1528060,1528166,1528169,1528171-1528172,1528248,1528369,1528383,1528407,1528424,1528855,1529149,1529181,1529317,1529546,1529549,1529787,1530057,1530081,1530103,1530213,1530296,1530298,1530325,1530342,1530348,1530353,1530397,1530418,1530421,1530423,1530426,1530445,1530574,1530599,1530632,1530791,1530822,1530866,1530875,1530909,1530989,1531087,1531099,1531130,1531138,1531156,1531161,1531271,1531312,1531600,1532036,1532269,1532286,1532373,1532437,1532445,1532498-1532501,1532506,1532544,1532622,1532627,1532718-1532722,1532765-1532766,1533048-1533049,1533117,1533312,1533347,1533962,1533980,1534165,1534418,1534540,1534543-1534544,1534612,1534616,1534619,1534727,1534744,1534846,1536298,1536337,1536520,1536624,1536632,1536735,1536834,1
536848,1536850,1536852,1537041,1537057,1537073,1537404,1537835,1538533,1538781,1538798,1538833,1538921,1538923-1538924,1539133,1539157,1539173,1539180,1539445,1539452,1539702,1539716,1539887,1539953,1540374,1540383-1540386,1540396-1540398,1540400-1540413,1540539,1540641,1540647,1540670,1540687,1540765,1540807,1542267,1542339,1542769,1542841,1542845,1542856,1543383,1543753,1543772,1543815-1543817,1543897,1543943,1543948,1544072,1544075,1544082,1544165,1544208,1544210,1544453,1544455,1544460,1544472,1544589,1544593,1544606,1544679,1545075,1545078,1545082,1545213,1545215,1545261,1545284,1545288,1545377,1545416,1545471,1545480,1545558,1545619,1545665,1545750,1545799,1545814,1545832,1545847,1545863,1546172,1546372,1546382,1546631,1546656,1547032,1547760,1548169,1548182-1548183,1548185,1548498,1548695,1548961,1548966,1549522,1549525,1549528,1549909,1550387,1550541,1550743,1550920,1551298,1551300,1551323,1551481-1551482,1551953,1552042,1552071,1552080,1552287,1552804,1553126,1553608,155365
0,1555163,1556725,1556783,1556788,1556807,1556823,1556836,1556957,1557082,1557747,1557752,1558129,1558355,1558811,1559081,1559113,1559134,1559397,1559419,1559549-1559550,1559561-1559562,1559573,1559662,1559697,1559707,1559798,1560017,1560158,1560177,1560212-1560213,1560784,1560810,1560817,1560838,1560850,1560856,1560922,1560948,1561025,1561054-1561065,1561067-1561070,1561072-1561075,1561083,1561085,1561093-1561094,1561098,1561101,1561104,1561106,1561114-1561116,1561121-1561123,1561126-1561128,1561131-1561133,1561135-1561136,1561138,1561140,1561143-1561146,1561148-1561157,1561160-1561162,1561164-1561176,1561178-1561182,1561185-1561188,1561190-1561192,1561195,1561623,1561635,1561640,1561732,1562411,1562458,1562581,1562597,1562742,1562746,1563206,1563989,1564299,1564309,1564312,1564398,1564414,1564461,1564742-1564746,1565300-1565416,1565451,1565788,1566693,1566699,1567144,1567382,1567404,1567429,1567580,1567634,1567993,1568768,1568779-1568780,1568803,1568828,1568921,1568926,1568936,156
9398,1569459,1569735,1569755,1570114,1570120,1570176,1570547,1570601,1570629,1570713,1571196,1571725,1572574,1574004,1574479,1574923,1574936,1574943,1575012,1575262,1575545,1575885,1575910,1576104,1576271,1576288,1576628,1576722,1576768,1576810,1576908,1576923,1577182,1577195,1577315,1577324,1577463,1577544,1577557,1577565,1577581,1577714,1577873,1577944,1578309,1578329,1578337,1578610-1578611,1578636,1578810,1578812-1578813,1578817,1579174,1579214-1579215,1579626,1580030,1580080,1580194,1580514,1580598,1580658,1580821,1580849,1580869,1581061,1581529,1582009,1582064,1582453,1584915,1584922,1586644,1586658,1586890,1586894,1586951,1586959,1586961,1587272,1587378-1587379,1587723,1587859,1587865,1587870,1587886,1588102,1588193,1588197,1588269,1588462,1589035,1589039,1589043,1589100,1589102,1589165-1589166,1589170,1589523,1589630,1589633,1589668,1589698,1589726,1589737-1589738,1589763,1589837,1589842,1589967,1589980,1590018,1590060,1590076,1590120,1590128,1590283,1590300,1590302,1590322,
1590329,1590339,1590345,1590377,1590402,1590422,1590438,1590451,1590461,1590471,1590474,1590479,1590604,1590635,1590638,1590646,1590648,1590801,1590835,1590842,1590911,1593132,1593189,1593200,1593259,1593261,1593284,1593335,1593356,1593387,1593421,1593506,1593621,1593697,1593773,1593800,1593834,1593877,1593940,1593994,1594229,1594393,1594436,1594730,1594924,1595171,1595230,1595285,1595289,1595331,1595365,1595690,1595887,1595898,1596081,1596141,1596189,1596275,1596390,1596971,1597532,1597541,1597572-1597573,1597652,1597753-1597755,1597759,1597855,1598153,1598242,1598248,1598266-1598267,1598304,1598307,1598310-1598311,1598313,1599393,1599395,1599460,1599479,1599500,1599558,1599738-1599739,1600109,1600162,1600408,1600449,1600495,1600501,1600579-1600580,1600743,1600833,1600839,1600862,1600899,1600955,1600963,1600965,1600978,1600984,1601329-1601330,1601332,1601785,1601796,1601850,1601855,1601886,1601977,1602046,1602189,1602198,1602452,1602521,1602583,1602694,1602831,1602842,1602844,16028
51,1602858,1602865,1602956,1603591,1603621,1603770,1603775,1603779,1603783,1603947,1604024,1604165,1604484-1604496,1604605,1604661,1604768,1604776,1604781,1604788,1604810,1604818,1604822,1605054,1605061,1605066,1605402,1605417,1605454,1605528,1605821,1605823,1605890-1605891,1606072,1606103,1606114,1606653,1607592,1607675,1607740,1607930-1607931,1607934,1608301,1608428,1608443,1608481,1608645,1608963,1609061,1609175,1609334,1609593,1609920,1611506,1614163,1614169,1614179,1614197,1615710,1615724,1615876,1615911,1615947,1616441,1616452,1616458,1617362,1617365,1617383,1617445,1617456,1617461,1617469-1617470,1618112,1618169,1618565,1618688,1618704,1618830,1618832-1618835,1619056,1619106,1619114,1619361-1619362,1619583,1619585,1619738,1619742,1620743,1620915,1620917,1621698,1621725-1621727,1621729,1621731,1621929,1621975,1622163,1622187,1622228,1622233,1622251,1622259,1622263,1622297,1622312,1622342,1622470,1622713,1623236,1623384,1623392,1623685,1623693,1623695,1623779,1624110,1624112,16
24115-1624116,1624119,1624122,1624124,1624126,1624129-1624130,1624132-1624133,1624135,1624139,1624142-1624143,1624147,1624150,1624152,1624155-1624157,1624162-1624165,1624220,1624233,1624235,1624246-1624247,1624252,1624254,1624396,1624408,1624422,1624476,1624486-1624487,1624497-1624498,1624542,1624563-1624565,1624568-1624569,1624571,1624573,1624580,1624583,1624586,1624588,1624592,1624598,1624605,1624614,1624636,1624642,1624645,1624647-1624648,1624655,1624657,1624679,1624959,1624984,1625501,1625504,1625563,1625599,1625842,1625854,1626579,1626741,1626747-1626748,1626764-1626765,1626779,1626893,1626905,1626991,1627033,1627296,1627323,1627370,1627525,1627531,1627569,1627629,1628517,1628524,1628541,1628984,1629293,1629906,1630065,1630088,1630092,1630094,1630110,1630194,1630199,1630203,1630208-1630210,1630216,1630375,1630407,1631347,1631381,1631568,1631628,1631717,1631730,1631817-1631818,1631839,1631852,1631987,1631992-1631993,1632251,1632290,1632307,1632411,1632423-1632425,1632512,1632523
,1632584,1632600-1632601,1632604,1632965,1632975,1632988,1633128,1633342,1633346,1633369,1633447-1633448,1633500,1633688,1633785,1633824-1633825,1633936,1633974,1634229,1634250,1634257-1634258,1634260,1634312,1634326-1634327,1634329,1634690,1635215,1635301,1635308,1635310,1636524,1637331,1637684,1637695,1638720-1638725,1639653,1640083,1640088,1640275,1640322,1640347,1640361,1640365,1640652,1640655-1640658,1640688,1640700-1640883,1641000,1641058,1641064,1641374,1641634,1641656-1641692,1641707-1641718,1641721-1641722,1641735,1641981,1642327,1642554,1642564,1642595,1642606,1642668,1642679,1642697,1642699,1642766,1643002,1643045,1643054-1643055,1643121,1643206,1643209-1643210,1643216,1643270,1643283,1643309-1643310,1643536,1643570,1643634,1643654,1643675,1643733,1643761,1643963,1644017,1644321,1644529,1644535,1644989,1645011,1645357-1645358,1645455,1645486,1645488,1645626,1645641,1645685,1645743,1645763,1646098-1646106,1646178,1646304,1646470-1646471,1646476,1646559,1646717-1646723,1647
042,1648815,1650365,1651116,1651120,1651280,1651470,1652938,1652970,1653550,1653574,1653797,1653815-1653816,1653840,1654013,1654123,1654159,1654735,1654766,1654785,1656590,1662736,1662985,1663264,1663277,1663534,1663562,1663676,1663995,1664174,1664301,1664317,1664863-1664864,1664866,1665085,1665292,1665779,1666024,1666386-1666387,1666494,1666496,1666552,1666569,1666579,1666637,1666649,1666757,1666966,1666985,1667292,1667402,1667406,1667546,1667615,1667630,1667636,1667688,1667764,1667871,1668026,1668135,1668193,1668596,1668630,1669353,1669370,1669800,1669838,1669876,1669882,1670394,1670433,1670591,1670598-1670600,1670610,1670631-1670632,1670719,1670724,1670726,1670730,1670940,1672272,1672284,1673754,1674294,1675461,1675486,1675594,1675830,1676231,1676250-1676251,1676364,1676381,1676393,1676479,1676552,1676634,1678174,1678339,1678426-1678427,1678694,1679534,1679708,1679710,1679716,1680246,1681123,1681729,1681770,1681779,1681793,1681807,1681837-1681838,1681854,1681862,1681958,1682028,1
682033,1682311,1682324,1682330,1684172,1684366,1684383,1685739,1685744,1685772,1685826,1685891,1687242,1687261,1687268,1687340,1688563,1688901,1689346,1689357,1689656,1689825,1690011,1690021,1690054,1690080,1690209,1691134,1691487,1692849,1693088,1693105,1694058,1694111,1694290,1694501,1694548,1694788,1694872,1694878,1695354,1695371,1695706,1695778,1696199,1696280,1696378,1696467,1700607,1700870,1700896,1700977,1701093,1701123,1701607,1701666,1701673,1701760-1701761,1701765,1701940,1702246,1702250,1702313,1702630-1702631,1702633-1702634,1702637-1702638,1702640,1702647,1702662,1702665,1702668,1702672,1702675-1702676,1702680,1702722,1708687,1708745,1708957,1709120,1709295,1709663,1710070,1710346,1710441,1710489,1710517,1710523,1710571,1710577,1710632,1710676,1710689,1710753-1710754,1710779,1711006
Modified: tomcat/tc7.0.x/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java?rev=1711429&r1=1711428&r2=1711429&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java Fri Oct 30 08:40:46 2015
@@ -92,15 +92,9 @@ public class CsrfPreventionFilter extend
boolean skipNonceCheck = false;
- if (Constants.METHOD_GET.equals(req.getMethod())) {
- String path = req.getServletPath();
- if (req.getPathInfo() != null) {
- path = path + req.getPathInfo();
- }
-
- if (entryPoints.contains(path)) {
- skipNonceCheck = true;
- }
+ if (Constants.METHOD_GET.equals(req.getMethod())
+ && entryPoints.contains(getRequestedPath(req))) {
+ skipNonceCheck = true;
}
HttpSession session = req.getSession(false);
Modified: tomcat/tc7.0.x/trunk/java/org/apache/catalina/filters/CsrfPreventionFilterBase.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/filters/CsrfPreventionFilterBase.java?rev=1711429&r1=1711428&r2=1711429&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/catalina/filters/CsrfPreventionFilterBase.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/catalina/filters/CsrfPreventionFilterBase.java Fri Oct 30 08:40:46 2015
@@ -21,6 +21,7 @@ import java.util.Random;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.juli.logging.Log;
@@ -129,4 +130,11 @@ public abstract class CsrfPreventionFilt
return buffer.toString();
}
+ protected String getRequestedPath(HttpServletRequest request) {
+ String path = request.getServletPath();
+ if (request.getPathInfo() != null) {
+ path = path + request.getPathInfo();
+ }
+ return path;
+ }
}
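Review bot: The new protected `getRequestedPath` has no Javadoc, although both filters now use its result as the key of an exact-match lookup (`entryPoints` in CsrfPreventionFilter, the parameter-accepting paths in RestCsrfPreventionFilter). I would document that it returns the servlet path followed by the path info when that is non-null, and that the context path and query string are not part of it, e.g. `/** Returns the servlet path plus any path info; the context path and query string are not included. */`. Configured paths therefore have to be written relative to the context root, which is worth repeating where the corresponding init parameters are described.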
Modified: tomcat/tc7.0.x/trunk/java/org/apache/catalina/filters/RestCsrfPreventionFilter.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/filters/RestCsrfPreventionFilter.java?rev=1711429&r1=1711428&r2=1711429&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/catalina/filters/RestCsrfPreventionFilter.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/catalina/filters/RestCsrfPreventionFilter.java Fri Oct 30 08:40:46 2015
@@ -17,6 +17,8 @@
package org.apache.catalina.filters;
import java.io.IOException;
+import java.util.HashSet;
+import java.util.Set;
import java.util.regex.Pattern;
import javax.servlet.FilterChain;
@@ -28,12 +30,9 @@ import javax.servlet.http.HttpServletRes
import javax.servlet.http.HttpSession;
/**
- * Provides basic CSRF protection for REST APIs.
- * The filter assumes that:
- * <ul>
- * <li>The filter is mapped to /*</li>
- * <li>The clients have adapted the transfer of the nonce through the 'X-CSRF-Token' header.</li>
- * </ul>
+ * Provides basic CSRF protection for REST APIs. The filter assumes that the
+ * clients have adapted the transfer of the nonce through the 'X-CSRF-Token'
+ * header.
*
* <pre>
* Positive scenario:
@@ -81,6 +80,10 @@ public class RestCsrfPreventionFilter ex
private static final Pattern NON_MODIFYING_METHODS_PATTERN = Pattern
.compile("GET|HEAD|OPTIONS");
+ private Set<String> pathsAcceptingParams = new HashSet<String>();
+
+ private String pathsDelimiter = ",";
+
@Override
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
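Review bot: Both new fields can be `final`, and `pathsDelimiter` reads as a constant rather than per-instance state: no setter for it appears in this commit, so `private static final String PATHS_DELIMITER = ",";` would say that directly. The value is later passed to `String.split`, which treats it as a regular expression; a comma is harmless, but if the delimiter is ever made configurable it should go through `Pattern.quote`. The `doFilter` method that follows starts in this hunk and continues outside it.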
@@ -117,11 +120,16 @@ public class RestCsrfPreventionFilter ex
abstract boolean apply(HttpServletRequest request,
HttpServletResponse response) throws IOException;
- protected String extractNonceFromRequest(HttpServletRequest request,
- String key) {
+ protected String extractNonceFromRequestHeader(
+ HttpServletRequest request, String key) {
return request.getHeader(key);
}
+ protected String[] extractNonceFromRequestParams(
+ HttpServletRequest request, String key) {
+ return request.getParameterValues(key);
+ }
+
protected void storeNonceToResponse(HttpServletResponse response,
String key, String value) {
response.setHeader(key, value);
@@ -143,8 +151,7 @@ public class RestCsrfPreventionFilter ex
public boolean apply(HttpServletRequest request,
HttpServletResponse response) throws IOException {
if (isValidStateChangingRequest(
- extractNonceFromRequest(request,
- Constants.CSRF_REST_NONCE_HEADER_NAME),
+ extractNonceFromRequest(request),
extractNonceFromSession(request.getSession(false),
Constants.CSRF_REST_NONCE_SESSION_ATTR_NAME))) {
return true;
@@ -163,6 +170,33 @@ public class RestCsrfPreventionFilter ex
return reqNonce != null && sessionNonce != null
&& reqNonce.equals(sessionNonce);
}
+
+ private String extractNonceFromRequest(HttpServletRequest request) {
+ String nonceFromRequest = extractNonceFromRequestHeader(request,
+ Constants.CSRF_REST_NONCE_HEADER_NAME);
+ if ((nonceFromRequest == null || "".equals(nonceFromRequest))
+ && !getPathsAcceptingParams().isEmpty()
+ && getPathsAcceptingParams().contains(
+ getRequestedPath(request))) {
+ nonceFromRequest = extractNonceFromRequestParams(request);
+ }
+ return nonceFromRequest;
+ }
+
+ private String extractNonceFromRequestParams(HttpServletRequest request) {
+ String[] params = extractNonceFromRequestParams(request,
+ Constants.CSRF_REST_NONCE_HEADER_NAME);
+ if (params != null && params.length > 0) {
+ String nonce = params[0];
+ for (String param : params) {
+ if (!param.equals(nonce)) {
+ return null;
+ }
+ }
+ return nonce;
+ }
+ return null;
+ }
}
private class FetchRequest extends RestCsrfPreventionStrategy {
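Review bot: The parameter fallback in `extractNonceFromRequest` goes through `request.getParameterValues` (the two-argument helper added in the earlier hunk), which has two side effects the commit does not mention. For a form-encoded POST the container parses the body at that point, so on the configured paths the filter fixes the parameter encoding and consumes the input stream before the application sees the request. The same call also returns query-string values, so a nonce sent as `?X-CSRF-Token=...` ends up in access logs, browser history and `Referer` headers. I would state both in the Javadoc of `setPathsAcceptingParams` and mark the call site with a comment such as `// Triggers parameter parsing: for form POSTs the body is read here`. Separately, the `!getPathsAcceptingParams().isEmpty()` test is redundant, since `contains` on an empty set already returns false.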
@@ -171,7 +205,7 @@ public class RestCsrfPreventionFilter ex
public boolean apply(HttpServletRequest request,
HttpServletResponse response) {
if (Constants.CSRF_REST_NONCE_HEADER_FETCH_VALUE
- .equalsIgnoreCase(extractNonceFromRequest(request,
+ .equalsIgnoreCase(extractNonceFromRequestHeader(request,
Constants.CSRF_REST_NONCE_HEADER_NAME))) {
String nonceFromSessionStr = extractNonceFromSession(
request.getSession(false),
@@ -190,4 +224,29 @@ public class RestCsrfPreventionFilter ex
}
}
+
+ /**
+ * Paths accepting request parameters with nonce information are URLs that
+ * can supply nonces via request parameter 'X-CSRF-Token'. For use cases
+ * when a nonce information cannot be provided via header, one can provide
+ * it via request parameters. If there is a X-CSRF-Token header, it will be
+ * taken with preference over any parameter with the same name in the
+ * request. Request parameters cannot be used to fetch new nonce, only
+ * header.
+ *
+ * @param pathsList
+ * Comma separated list of URLs to be configured as paths
+ * accepting request parameters with nonce information.
+ */
+ public void setPathsAcceptingParams(String pathsList) {
+ if (pathsList != null) {
+ for (String element : pathsList.split(pathsDelimiter)) {
+ pathsAcceptingParams.add(element.trim());
+ }
+ }
+ }
+
+ public Set<String> getPathsAcceptingParams() {
+ return pathsAcceptingParams;
+ }
}
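Review bot: `setPathsAcceptingParams` adds every split element after `trim()` without checking that it is non-empty, so a list such as `"/a, ,/b"` or an empty string puts `""` into the set and the path lookup in `extractNonceFromRequest` then matches a request whose computed path is empty. Skipping blanks is a small change: `String path = element.trim();` followed by `if (!path.isEmpty()) { pathsAcceptingParams.add(path); }`. `getPathsAcceptingParams` is public, has no Javadoc, and returns the live `HashSet`, so any code holding the filter can change which paths accept a parameter nonce while requests are being served; returning an unmodifiable view would close that. The setter also only ever adds, so calling it twice accumulates paths, which the Javadoc should say if it is intended.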
Modified: tomcat/tc7.0.x/trunk/test/org/apache/catalina/filters/TestRestCsrfPreventionFilter.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/test/org/apache/catalina/filters/TestRestCsrfPreventionFilter.java?rev=1711429&r1=1711428&r2=1711429&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/test/org/apache/catalina/filters/TestRestCsrfPreventionFilter.java (original)
+++ tomcat/tc7.0.x/trunk/test/org/apache/catalina/filters/TestRestCsrfPreventionFilter.java Fri Oct 30 08:40:46 2015
@@ -30,6 +30,7 @@ import javax.servlet.http.HttpServletRes
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionContext;
+import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertTrue;
import org.junit.Before;
@@ -45,6 +46,12 @@ public class TestRestCsrfPreventionFilte
private static final String POST_METHOD = "POST";
+ public static final String ACCEPTED_PATH1 = "/accepted/index1.jsp";
+
+ public static final String ACCEPTED_PATH2 = "/accepted/index2.jsp";
+
+ public static final String ACCEPTED_PATHS = ACCEPTED_PATH1 + "," + ACCEPTED_PATH2;
+
private RestCsrfPreventionFilter filter;
private TesterRequest request;
@@ -86,32 +93,25 @@ public class TestRestCsrfPreventionFilte
@Test
public void testPostRequestSessionNoNonce1() throws Exception {
setRequestExpectations(POST_METHOD, session, null);
- filter.doFilter(request, response, filterChain);
- verifyDenyResponse(HttpServletResponse.SC_FORBIDDEN);
+ testPostRequestHeaderScenarios(null, true);
}
@Test
public void testPostRequestSessionNoNonce2() throws Exception {
setRequestExpectations(POST_METHOD, session, null);
- session.setAttribute(Constants.CSRF_REST_NONCE_SESSION_ATTR_NAME, NONCE);
- filter.doFilter(request, response, filterChain);
- verifyDenyResponse(HttpServletResponse.SC_FORBIDDEN);
+ testPostRequestHeaderScenarios(NONCE, true);
}
@Test
public void testPostRequestSessionInvalidNonce() throws Exception {
setRequestExpectations(POST_METHOD, session, INVALID_NONCE);
- session.setAttribute(Constants.CSRF_REST_NONCE_SESSION_ATTR_NAME, NONCE);
- filter.doFilter(request, response, filterChain);
- verifyDenyResponse(HttpServletResponse.SC_FORBIDDEN);
+ testPostRequestHeaderScenarios(NONCE, true);
}
@Test
public void testPostRequestSessionValidNonce() throws Exception {
setRequestExpectations(POST_METHOD, session, NONCE);
- session.setAttribute(Constants.CSRF_REST_NONCE_SESSION_ATTR_NAME, NONCE);
- filter.doFilter(request, response, filterChain);
- verifyContinueChain();
+ testPostRequestHeaderScenarios(NONCE, false);
}
@Test
@@ -124,8 +124,7 @@ public class TestRestCsrfPreventionFilte
@Test
public void testPostFetchRequestSessionNoNonce() throws Exception {
setRequestExpectations(POST_METHOD, session, Constants.CSRF_REST_NONCE_HEADER_FETCH_VALUE);
- filter.doFilter(request, response, filterChain);
- verifyDenyResponse(HttpServletResponse.SC_FORBIDDEN);
+ testPostRequestHeaderScenarios(null, true);
}
@Test
@@ -139,9 +138,7 @@ public class TestRestCsrfPreventionFilte
@Test
public void testPostFetchRequestSessionNonce() throws Exception {
setRequestExpectations(POST_METHOD, session, Constants.CSRF_REST_NONCE_HEADER_FETCH_VALUE);
- session.setAttribute(Constants.CSRF_REST_NONCE_SESSION_ATTR_NAME, NONCE);
- filter.doFilter(request, response, filterChain);
- verifyDenyResponse(HttpServletResponse.SC_FORBIDDEN);
+ testPostRequestHeaderScenarios(NONCE, true);
}
@Test
@@ -152,10 +149,117 @@ public class TestRestCsrfPreventionFilte
verifyDenyResponse(HttpServletResponse.SC_BAD_REQUEST);
}
+ @Test
+ public void testPostRequestValidNonceAsParameterValidPath1() throws Exception {
+ setRequestExpectations(POST_METHOD, session, null, new String[] { NONCE }, ACCEPTED_PATH1);
+ testPostRequestParamsScenarios(NONCE, false, true);
+ }
+
+ @Test
+ public void testPostRequestValidNonceAsParameterValidPath2() throws Exception {
+ setRequestExpectations(POST_METHOD, session, null, new String[] { NONCE }, ACCEPTED_PATH2);
+ testPostRequestParamsScenarios(NONCE, false, true);
+ }
+
+ @Test
+ public void testPostRequestInvalidNonceAsParameterValidPath() throws Exception {
+ setRequestExpectations(POST_METHOD, session, null, new String[] { INVALID_NONCE },
+ ACCEPTED_PATH1);
+ testPostRequestParamsScenarios(NONCE, true, true);
+ }
+
+ @Test
+ public void testPostRequestValidNonceAsParameterInvalidPath() throws Exception {
+ setRequestExpectations(POST_METHOD, session, null, new String[] { NONCE }, ACCEPTED_PATH1
+ + "blah");
+ testPostRequestParamsScenarios(NONCE, true, true);
+ }
+
+ @Test
+ public void testPostRequestValidNonceAsParameterNoPath() throws Exception {
+ setRequestExpectations(POST_METHOD, session, null, new String[] { NONCE }, ACCEPTED_PATH1);
+ testPostRequestParamsScenarios(NONCE, true, false);
+ }
+
+ @Test
+ public void testPostRequestValidNonceAsParameterNoNonceInSession() throws Exception {
+ setRequestExpectations(POST_METHOD, session, null, new String[] { NONCE }, ACCEPTED_PATH1);
+ testPostRequestParamsScenarios(null, true, true);
+ }
+
+ @Test
+ public void testPostRequestValidNonceAsParameterInvalidNonceAsHeader() throws Exception {
+ setRequestExpectations(POST_METHOD, session, INVALID_NONCE, new String[] { NONCE },
+ ACCEPTED_PATH1);
+ testPostRequestParamsScenarios(NONCE, true, true);
+ }
+
+ @Test
+ public void testPostRequestNoNonceAsParameterAndHeaderValidPath() throws Exception {
+ setRequestExpectations(POST_METHOD, session, null, null, ACCEPTED_PATH1);
+ testPostRequestParamsScenarios(NONCE, true, true);
+ }
+
+ @Test
+ public void testPostRequestMultipleValidNoncesAsParameterValidPath() throws Exception {
+ setRequestExpectations(POST_METHOD, session, null, new String[] { NONCE, NONCE },
+ ACCEPTED_PATH1);
+ testPostRequestParamsScenarios(NONCE, false, true);
+ }
+
+ @Test
+ public void testPostRequestMultipleNoncesAsParameterValidPath() throws Exception {
+ setRequestExpectations(POST_METHOD, session, null, new String[] { NONCE, INVALID_NONCE },
+ ACCEPTED_PATH1);
+ testPostRequestParamsScenarios(NONCE, true, true);
+ }
+
+ @Test
+ public void testPostRequestMultipleInvalidNoncesAsParameterValidPath() throws Exception {
+ setRequestExpectations(POST_METHOD, session, null, new String[] { INVALID_NONCE,
+ INVALID_NONCE }, ACCEPTED_PATH1);
+ testPostRequestParamsScenarios(NONCE, true, true);
+ }
+
+ @Test
+ public void testGETRequestFetchNonceAsParameter() throws Exception {
+ setRequestExpectations(GET_METHOD, null, null,
+ new String[] { Constants.CSRF_REST_NONCE_HEADER_FETCH_VALUE }, ACCEPTED_PATH1);
+ filter.setPathsAcceptingParams(ACCEPTED_PATHS);
+ filter.doFilter(request, response, filterChain);
+ verifyContinueChainNonceNotAvailable();
+ }
+
+ private void testPostRequestHeaderScenarios(String sessionAttr, boolean denyResponse)
+ throws Exception {
+ testPostRequestParamsScenarios(sessionAttr, denyResponse, false);
+ }
+
+ private void testPostRequestParamsScenarios(String sessionAttr, boolean denyResponse,
+ boolean configurePaths) throws Exception {
+ session.setAttribute(Constants.CSRF_REST_NONCE_SESSION_ATTR_NAME, sessionAttr);
+ if (configurePaths) {
+ filter.setPathsAcceptingParams(ACCEPTED_PATHS);
+ }
+ filter.doFilter(request, response, filterChain);
+ if (denyResponse) {
+ verifyDenyResponse(HttpServletResponse.SC_FORBIDDEN);
+ } else {
+ verifyContinueChain();
+ }
+ }
+
private void setRequestExpectations(String method, HttpSession session, String headerValue) {
+ setRequestExpectations(method, session, headerValue, null, null);
+ }
+
+ private void setRequestExpectations(String method, HttpSession session, String headerValue,
+ String[] paramValues, String servletPath) {
request.setMethod(method);
request.setSession(session);
request.setHeader(Constants.CSRF_REST_NONCE_HEADER_NAME, headerValue);
+ request.setParameterValues(paramValues);
+ request.setServletPath(servletPath);
}
private void verifyContinueChain() {
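Review bot: None of the new parameter tests covers the empty-header branch: `extractNonceFromRequest` falls back to the parameter when the header is `""` as well as when it is null, but every parameter scenario here passes either `null` or a non-empty invalid nonce as the header value. A case with `setRequestExpectations(POST_METHOD, session, "", new String[] { NONCE }, ACCEPTED_PATH1);` followed by `testPostRequestParamsScenarios(NONCE, false, true);` would pin that behaviour. The helpers `testPostRequestHeaderScenarios` and `testPostRequestParamsScenarios` are private and not annotated with `@Test`, so a name without the `test` prefix (for example `runPostRequestScenario`) would keep them from being mistaken for test cases. `verifyContinueChain` begins on the last line of this hunk and continues outside it.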
@@ -167,6 +271,11 @@ public class TestRestCsrfPreventionFilte
verifyContinueChain();
}
+ private void verifyContinueChainNonceNotAvailable() {
+ assertNull(response.getHeader(Constants.CSRF_REST_NONCE_HEADER_NAME));
+ verifyContinueChain();
+ }
+
private void verifyDenyResponse(int statusCode) {
assertTrue(Constants.CSRF_REST_NONCE_HEADER_REQUIRED_VALUE.equals(response
.getHeader(Constants.CSRF_REST_NONCE_HEADER_NAME)));
@@ -190,6 +299,8 @@ public class TestRestCsrfPreventionFilte
private static class TesterRequest extends TesterHttpServletRequest {
private HttpSession session;
+ private String[] paramValues;
+ private String servletPath;
void setSession(HttpSession session) {
this.session = session;
@@ -199,6 +310,29 @@ public class TestRestCsrfPreventionFilte
public HttpSession getSession(boolean create) {
return session;
}
+
+ void setParameterValues(String[] paramValues) {
+ this.paramValues = paramValues;
+ }
+
+ @Override
+ public String[] getParameterValues(String name) {
+ return paramValues;
+ }
+
+ void setServletPath(String servletPath) {
+ this.servletPath = servletPath;
+ }
+
+ @Override
+ public String getServletPath() {
+ return servletPath;
+ }
+
+ @Override
+ public String getPathInfo() {
+ return "";
+ }
}
private static class TesterResponse extends TesterHttpServletResponse {
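Review bot: `TesterRequest.getParameterValues` ignores its `name` argument and returns the same array for any parameter, so these tests would still pass if the filter looked the nonce up under the wrong parameter name. Returning the values only for the expected key, `return Constants.CSRF_REST_NONCE_HEADER_NAME.equals(name) ? paramValues : null;`, makes the tests check the lookup as well. `getPathInfo` always returns `""`, so the `null` path-info branch of `getRequestedPath` is never exercised; returning `null` by default would match what a container reports when there is no extra path information. The `TesterResponse` class that begins on the last line continues outside the hunk.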