Blame SOURCES/tomcat-7.0.76-CVE-2017-7674.patch

--- java/org/apache/catalina/filters/CorsFilter.java.orig	2017-10-12 16:48:47.426952298 -0400
+++ java/org/apache/catalina/filters/CorsFilter.java	2017-10-12 16:48:47.431952269 -0400
@@ -297,6 +297,10 @@
                     exposedHeadersString);
         }
 
+        // Indicate the response depends on the origin
+        response.addHeader(CorsFilter.REQUEST_HEADER_VARY,
+                CorsFilter.REQUEST_HEADER_ORIGIN);
+
         // Forward the request down the filter chain.
         filterChain.doFilter(request, response);
     }
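Review bot: The `Vary: Origin` header is emitted only on this code path, which from the surrounding context (`exposedHeadersString`, then the forward to `filterChain.doFilter`) looks like the handler for actual cross-origin requests; preflight responses and non-CORS requests for the same resource appear to leave the filter without it, so a shared cache could still store an un-varied copy of that URL and hand it to a later request with a different (or no) Origin. If the backport is meant to cover every response the filter produces, the `addHeader` call belongs at the common dispatch point in `doFilter` rather than here. Using `addHeader` instead of `setHeader` is the right choice, since the application may already have set other `Vary` values that must be preserved. The enclosing method begins before this hunk, so I cannot confirm from the visible lines which handler this is.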
@@ -998,6 +1002,13 @@
             "Access-Control-Allow-Headers";
 
     // -------------------------------------------------- CORS Request Headers
+
+    /**
+     * The Vary header indicates allows disabling proxy caching by indicating
+     * the the response depends on the origin.
+     */
+    public static final String REQUEST_HEADER_VARY = "Vary";
+
     /**
      * The Origin header indicates where the cross-origin request or preflight
      * request originates from.
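Review bot: The Javadoc on the new `REQUEST_HEADER_VARY` constant is garbled (`indicates allows disabling proxy caching by indicating the the response`) and should read something like `The Vary header tells caches that the response depends on the request's Origin, so a response generated for one origin is not served to another.`. `Vary` is a response header, so the `REQUEST_HEADER_` prefix and its placement directly under the `CORS Request Headers` banner are misleading; if the name is kept to match upstream, a one-line comment such as `// Response header; named for consistency with the other header constants` would spare the next reader the confusion.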
--- webapps/docs/changelog.xml.orig	2017-10-12 16:48:47.428952287 -0400
+++ webapps/docs/changelog.xml	2017-10-12 16:50:08.718477877 -0400
@@ -57,6 +57,16 @@
   They eventually become mixed with the numbered issues. (I.e., numbered
   issues do not "pop up" wrt. others).
 -->
+<section name="Tomcat 7.0.76-3 (csutherl)">
+  <subsection name="Catalina">
+    <changelog>
+      <fix>
+        <bug>61101</bug>: CORS filter should set Vary header in response.
+        Submitted by Rick Riemer. (remm)
+      </fix>
+    </changelog>
+  </subsection>
+</section>
 <section name="Tomcat 7.0.76-2 (csutherl)">
   <subsection name="Catalina">
     <changelog>