You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2019/10/24 10:27:26 UTC
[tomcat] branch 8.5.x updated: Fix
https://bz.apache.org/bugzilla/show_bug.cgi?id=63865
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/8.5.x by this push:
new c1c2161 Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=63865
c1c2161 is described below
commit c1c2161307f48b433e04974e541db195594f2840
Author: John Kelly <jo...@gmail.com>
AuthorDate: Thu Oct 24 10:49:45 2019 +0100
Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=63865
Add unset option to same-site cookies and pass through none value if set by user.
---
.../apache/tomcat/util/http/CookieProcessorBase.java | 2 +-
.../tomcat/util/http/LegacyCookieProcessor.java | 2 +-
.../apache/tomcat/util/http/LocalStrings.properties | 2 +-
.../tomcat/util/http/Rfc6265CookieProcessor.java | 2 +-
.../org/apache/tomcat/util/http/SameSiteCookies.java | 7 ++++++-
.../util/http/TestCookieProcessorGeneration.java | 20 ++++++++++++++++----
.../apache/tomcat/util/http/TestSameSiteCookies.java | 19 +++++++++++++++++++
webapps/docs/changelog.xml | 5 +++++
webapps/docs/config/cookie-processor.xml | 10 ++++++++--
9 files changed, 58 insertions(+), 11 deletions(-)
diff --git a/java/org/apache/tomcat/util/http/CookieProcessorBase.java b/java/org/apache/tomcat/util/http/CookieProcessorBase.java
index 3cb5430..589df47 100644
--- a/java/org/apache/tomcat/util/http/CookieProcessorBase.java
+++ b/java/org/apache/tomcat/util/http/CookieProcessorBase.java
@@ -43,7 +43,7 @@ public abstract class CookieProcessorBase implements CookieProcessor {
ANCIENT_DATE = COOKIE_DATE_FORMAT.get().format(new Date(10000));
}
- private SameSiteCookies sameSiteCookies = SameSiteCookies.NONE;
+ private SameSiteCookies sameSiteCookies = SameSiteCookies.UNSET;
public SameSiteCookies getSameSiteCookies() {
return sameSiteCookies;
diff --git a/java/org/apache/tomcat/util/http/LegacyCookieProcessor.java b/java/org/apache/tomcat/util/http/LegacyCookieProcessor.java
index e792875..1692ee2 100644
--- a/java/org/apache/tomcat/util/http/LegacyCookieProcessor.java
+++ b/java/org/apache/tomcat/util/http/LegacyCookieProcessor.java
@@ -327,7 +327,7 @@ public final class LegacyCookieProcessor extends CookieProcessorBase {
SameSiteCookies sameSiteCookiesValue = getSameSiteCookies();
- if (!sameSiteCookiesValue.equals(SameSiteCookies.NONE)) {
+ if (!sameSiteCookiesValue.equals(SameSiteCookies.UNSET)) {
buf.append("; SameSite=");
buf.append(sameSiteCookiesValue.getValue());
}
diff --git a/java/org/apache/tomcat/util/http/LocalStrings.properties b/java/org/apache/tomcat/util/http/LocalStrings.properties
index 17211a3..f9b8e0d 100644
--- a/java/org/apache/tomcat/util/http/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/http/LocalStrings.properties
@@ -16,7 +16,7 @@
cookies.fallToDebug=\n\
\ Note: further occurrences of Cookie errors will be logged at DEBUG level.
cookies.invalidCookieToken=Cookies: Invalid cookie. Value not a token or quoted value
-cookies.invalidSameSiteCookies=Unknown setting [{0}], must be one of: none, lax, strict. Default value is none.
+cookies.invalidSameSiteCookies=Unknown setting [{0}], must be one of: unset, none, lax, strict. Default value is unset.
cookies.invalidSpecial=Cookies: Unknown Special Cookie
cookies.maxCountFail=More than the maximum allowed number of cookies, [{0}], were detected.
diff --git a/java/org/apache/tomcat/util/http/Rfc6265CookieProcessor.java b/java/org/apache/tomcat/util/http/Rfc6265CookieProcessor.java
index 0d81a9b..2021f3d 100644
--- a/java/org/apache/tomcat/util/http/Rfc6265CookieProcessor.java
+++ b/java/org/apache/tomcat/util/http/Rfc6265CookieProcessor.java
@@ -164,7 +164,7 @@ public class Rfc6265CookieProcessor extends CookieProcessorBase {
SameSiteCookies sameSiteCookiesValue = getSameSiteCookies();
- if (!sameSiteCookiesValue.equals(SameSiteCookies.NONE)) {
+ if (!sameSiteCookiesValue.equals(SameSiteCookies.UNSET)) {
header.append("; SameSite=");
header.append(sameSiteCookiesValue.getValue());
}
diff --git a/java/org/apache/tomcat/util/http/SameSiteCookies.java b/java/org/apache/tomcat/util/http/SameSiteCookies.java
index c79fbc1..dcf4a7d 100644
--- a/java/org/apache/tomcat/util/http/SameSiteCookies.java
+++ b/java/org/apache/tomcat/util/http/SameSiteCookies.java
@@ -21,7 +21,12 @@ import org.apache.tomcat.util.res.StringManager;
public enum SameSiteCookies {
/**
- * Don't set the SameSite cookie attribute. Cookie is always sent
+ * Don't set the SameSite cookie attribute.
+ */
+ UNSET("Unset"),
+
+ /**
+ * Cookie is always sent in cross-site requests.
*/
NONE("None"),
diff --git a/test/org/apache/tomcat/util/http/TestCookieProcessorGeneration.java b/test/org/apache/tomcat/util/http/TestCookieProcessorGeneration.java
index 96bc238..c9d4b65 100644
--- a/test/org/apache/tomcat/util/http/TestCookieProcessorGeneration.java
+++ b/test/org/apache/tomcat/util/http/TestCookieProcessorGeneration.java
@@ -264,12 +264,18 @@ public class TestCookieProcessorGeneration {
Assert.assertEquals("foo=bar", legacy.generateHeader(cookie));
Assert.assertEquals("foo=bar", rfc6265.generateHeader(cookie));
- legacy.setSameSiteCookies("none");
- rfc6265.setSameSiteCookies("none");
+ legacy.setSameSiteCookies("unset");
+ rfc6265.setSameSiteCookies("unset");
Assert.assertEquals("foo=bar", legacy.generateHeader(cookie));
Assert.assertEquals("foo=bar", rfc6265.generateHeader(cookie));
+ legacy.setSameSiteCookies("none");
+ rfc6265.setSameSiteCookies("none");
+
+ Assert.assertEquals("foo=bar; SameSite=None", legacy.generateHeader(cookie));
+ Assert.assertEquals("foo=bar; SameSite=None", rfc6265.generateHeader(cookie));
+
legacy.setSameSiteCookies("lax");
rfc6265.setSameSiteCookies("lax");
@@ -285,12 +291,18 @@ public class TestCookieProcessorGeneration {
cookie.setSecure(true);
cookie.setHttpOnly(true);
- legacy.setSameSiteCookies("none");
- rfc6265.setSameSiteCookies("none");
+ legacy.setSameSiteCookies("unset");
+ rfc6265.setSameSiteCookies("unset");
Assert.assertEquals("foo=bar; Secure; HttpOnly", legacy.generateHeader(cookie));
Assert.assertEquals("foo=bar; Secure; HttpOnly", rfc6265.generateHeader(cookie));
+ legacy.setSameSiteCookies("none");
+ rfc6265.setSameSiteCookies("none");
+
+ Assert.assertEquals("foo=bar; Secure; HttpOnly; SameSite=None", legacy.generateHeader(cookie));
+ Assert.assertEquals("foo=bar; Secure; HttpOnly; SameSite=None", rfc6265.generateHeader(cookie));
+
legacy.setSameSiteCookies("lax");
rfc6265.setSameSiteCookies("lax");
diff --git a/test/org/apache/tomcat/util/http/TestSameSiteCookies.java b/test/org/apache/tomcat/util/http/TestSameSiteCookies.java
index 60cc3a8..e3f8889 100644
--- a/test/org/apache/tomcat/util/http/TestSameSiteCookies.java
+++ b/test/org/apache/tomcat/util/http/TestSameSiteCookies.java
@@ -23,12 +23,25 @@ import org.junit.Test;
public class TestSameSiteCookies {
@Test
+ public void testUnset() {
+ SameSiteCookies attribute = SameSiteCookies.UNSET;
+
+ Assert.assertEquals("Unset", attribute.getValue());
+ Assert.assertEquals(SameSiteCookies.UNSET, attribute);
+
+ Assert.assertNotEquals(SameSiteCookies.NONE, attribute);
+ Assert.assertNotEquals(SameSiteCookies.LAX, attribute);
+ Assert.assertNotEquals(SameSiteCookies.STRICT, attribute);
+ }
+
+ @Test
public void testNone() {
SameSiteCookies attribute = SameSiteCookies.NONE;
Assert.assertEquals("None", attribute.getValue());
Assert.assertEquals(SameSiteCookies.NONE, attribute);
+ Assert.assertNotEquals(SameSiteCookies.UNSET, attribute);
Assert.assertNotEquals(SameSiteCookies.LAX, attribute);
Assert.assertNotEquals(SameSiteCookies.STRICT, attribute);
}
@@ -40,6 +53,7 @@ public class TestSameSiteCookies {
Assert.assertEquals("Lax", attribute.getValue());
Assert.assertEquals(SameSiteCookies.LAX, attribute);
+ Assert.assertNotEquals(SameSiteCookies.UNSET, attribute);
Assert.assertNotEquals(SameSiteCookies.NONE, attribute);
Assert.assertNotEquals(SameSiteCookies.STRICT, attribute);
}
@@ -51,12 +65,17 @@ public class TestSameSiteCookies {
Assert.assertEquals("Strict", attribute.getValue());
Assert.assertEquals(SameSiteCookies.STRICT, attribute);
+ Assert.assertNotEquals(SameSiteCookies.UNSET, attribute);
Assert.assertNotEquals(SameSiteCookies.NONE, attribute);
Assert.assertNotEquals(SameSiteCookies.LAX, attribute);
}
@Test
public void testToValidAttribute() {
+ Assert.assertEquals(SameSiteCookies.fromString("unset"), SameSiteCookies.UNSET);
+ Assert.assertEquals(SameSiteCookies.fromString("Unset"), SameSiteCookies.UNSET);
+ Assert.assertEquals(SameSiteCookies.fromString("UNSET"), SameSiteCookies.UNSET);
+
Assert.assertEquals(SameSiteCookies.fromString("none"), SameSiteCookies.NONE);
Assert.assertEquals(SameSiteCookies.fromString("None"), SameSiteCookies.NONE);
Assert.assertEquals(SameSiteCookies.fromString("NONE"), SameSiteCookies.NONE);
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index a96f393..5db3f80 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -79,6 +79,11 @@
Ensure that only a full token is matched and that the match is case
insensitive. (markt)
</fix>
+ <fix>
+ <bug>63865</bug>: Add <code>Unset</code> option to same-site cookies
+ and pass through <code>None</code> value if set by user. Patch provided
+ by John Kelly. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Other">
diff --git a/webapps/docs/config/cookie-processor.xml b/webapps/docs/config/cookie-processor.xml
index f2d2e9c..2d7f674 100644
--- a/webapps/docs/config/cookie-processor.xml
+++ b/webapps/docs/config/cookie-processor.xml
@@ -102,9 +102,12 @@
<attribute name="sameSiteCookies" required="false">
<p>Enables setting same-site cookie attribute.</p>
- <p>If value is <code>none</code> then the same-site cookie attribute
+ <p>If value is <code>unset</code> then the same-site cookie attribute
won't be set. This is the default value.</p>
+ <p>If value is <code>none</code> then the same-site cookie attribute
+ will be set and the cookie will always be sent in cross-site requests.</p>
+
<p>If value is <code>lax</code> then the browser only sends the cookie
in same-site requests and cross-site top level GET requests.</p>
@@ -174,9 +177,12 @@
<attribute name="sameSiteCookies" required="false">
<p>Enables setting same-site cookie attribute.</p>
- <p>If value is <code>none</code> then the same-site cookie attribute
+ <p>If value is <code>unset</code> then the same-site cookie attribute
won't be set. This is the default value.</p>
+ <p>If value is <code>none</code> then the same-site cookie attribute
+ will be set and the cookie will always be sent in cross-site requests.</p>
+
<p>If value is <code>lax</code> then the browser only sends the cookie
in same-site requests and cross-site top level GET requests.</p>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org