Posted to dev@tomcat.apache.org by sc...@apache.org on 2019/11/19 17:32:20 UTC

[tomcat] branch master updated: Add missing changelog for CSRF prevention filter changes.

This is an automated email from the ASF dual-hosted git repository.

schultz pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/master by this push:
     new decb12b  Add missing changelog for CSRF prevention filter changes.
decb12b is described below

commit decb12be68b2fc93284b0b8cc44fb53a16110eb0
Author: Christopher Schultz <ch...@christopherschultz.net>
AuthorDate: Tue Nov 19 12:31:56 2019 -0500

    Add missing changelog for CSRF prevention filter changes.
---
 webapps/docs/changelog.xml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index a0915f9..42dbde9 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -51,6 +51,11 @@
         Fix the broken re-try link on the error page for the FORM authentication
         example in the JSP section of the examples web application. (markt)
       </fix>
+      <add>
+        Improvements to CsrfPreventionFilter including additional
+        logging and making the latest nonce available in the request
+        attributes. (schultz)
+      </add>
     </changelog>
   </subsection>
 </section>
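
Review bot: The new <add> entry (added lines 34 to 36) folds two separate changes, the additional logging and the latest nonce exposed through the request attributes, into one item and names neither the attribute nor what is now logged. Consider splitting it into two entries and stating the request attribute name, so that someone reading the changelog after an upgrade knows what to look for. The hunk context also does not show which release subsection the entry lands in, so it is worth confirming that it sits under the version that actually carries the changes.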


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Re: [tomcat] branch master updated: Add missing changelog for CSRF prevention filter changes.

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Mark,

On 11/19/19 12:41, Mark Thomas wrote:
>> All,
>> 
>> This claims that these changes are being added in 9.0.30 which is
>> only partially correct. Some of these changes were made in 9.0.29
>> which is currently under release-vote.
>> 
>> I wasn't sure how everyone felt about me changing the changelog
>> for a release that is already kind of "fixed". I'm happy to do
>> any of the following:
>> 
>> a. Ignore the oversight; leave the items in the changelog for
>> 9.0.30
>> b. Split the items into 9.0.29 and 9.0.30 to reflect reality
>> c. Make a note in 9.0.30 changelog that some items were really
>> done in 9.0.29
> 
> I very much prefer b). I don't see the harm in updating a
> changelog after a release to reflect reality. It helps future users
> figure out what fix is in what version.

ACK

I also prefer (b) so I will proceed.

-chris


Re: [tomcat] branch master updated: Add missing changelog for CSRF prevention filter changes.

Posted by Mark Thomas <ma...@apache.org>.
> All,
> 
> This claims that these changes are being added in 9.0.30 which is only
> partially correct. Some of these changes were made in 9.0.29 which is
> currently under release-vote.
> 
> I wasn't sure how everyone felt about me changing the changelog for a
> release that is already kind of "fixed". I'm happy to do any of the
> following:
> 
> a. Ignore the oversight; leave the items in the changelog for 9.0.30
> b. Split the items into 9.0.29 and 9.0.30 to reflect reality
> c. Make a note in 9.0.30 changelog that some items were really done in
> 9.0.29

I very much prefer b). I don't see the harm in updating a changelog
after a release to reflect reality. It helps future users figure out
what fix is in what version.

Mark



Re: [tomcat] branch master updated: Add missing changelog for CSRF prevention filter changes.

Posted by Christopher Schultz <ch...@christopherschultz.net>.

All,

This claims that these changes are being added in 9.0.30 which is only
partially correct. Some of these changes were made in 9.0.29 which is
currently under release-vote.

I wasn't sure how everyone felt about me changing the changelog for a
release that is already kind of "fixed". I'm happy to do any of the
following:

a. Ignore the oversight; leave the items in the changelog for 9.0.30
b. Split the items into 9.0.29 and 9.0.30 to reflect reality
c. Make a note in 9.0.30 changelog that some items were really done in
9.0.29

The same will be true for the 8.5.x release. I have not yet
back-ported these changes and want to make sure that I do things
"properly".

Thanks,
-chris

On 11/19/19 12:32, schultz@apache.org wrote:
> This is an automated email from the ASF dual-hosted git
> repository.
> 
> schultz pushed a commit to branch master in repository
> https://gitbox.apache.org/repos/asf/tomcat.git
> 
> 
> The following commit(s) were added to refs/heads/master by this
> push: new decb12b  Add missing changelog for CSRF prevention filter
> changes. decb12b is described below
> 
> commit decb12be68b2fc93284b0b8cc44fb53a16110eb0 Author: Christopher
> Schultz <ch...@christopherschultz.net> AuthorDate: Tue Nov 19
> 12:31:56 2019 -0500
> 
> Add missing changelog for CSRF prevention filter changes. --- 
> webapps/docs/changelog.xml | 5 +++++ 1 file changed, 5
> insertions(+)
> 
> diff --git a/webapps/docs/changelog.xml
> b/webapps/docs/changelog.xml index a0915f9..42dbde9 100644 ---
> a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@
> -51,6 +51,11 @@ Fix the broken re-try link on the error page for
> the FORM authentication example in the JSP section of the examples
> web application. (markt) </fix> +      <add> +        Improvements
> to CsrfPreventionFilter including additional +        logging and
> making the latest nonce available in the request +
> attributes. (schultz) +      </add> </changelog> </subsection> 
> </section>
> 
> 