This is an automated email from the ASF dual-hosted git repository.
markt-asf pushed a commit to branch 11.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/11.0.x by this push:
new afb97995ed Keep pre-flight checks aligned with
CorsFilter.checkRequestType
afb97995ed is described below
commit afb97995ed2f613463f417ceeec24ecd105b694b
Author: Mark Thomas <[email protected]>
AuthorDate: Mon Jun 22 16:44:00 2026 +0100
Keep pre-flight checks aligned with CorsFilter.checkRequestType
Note: "Origin: null" is a legal origin and there are circumstances where an
admin may wish to allow it.
---
java/org/apache/catalina/authenticator/AuthenticatorBase.java | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/java/org/apache/catalina/authenticator/AuthenticatorBase.java
b/java/org/apache/catalina/authenticator/AuthenticatorBase.java
index 2451b65b50..f42febc29a 100644
--- a/java/org/apache/catalina/authenticator/AuthenticatorBase.java
+++ b/java/org/apache/catalina/authenticator/AuthenticatorBase.java
@@ -115,6 +115,7 @@ public abstract class AuthenticatorBase extends ValveBase
implements Authenticat
* Returns the realm name for the given context.
*
* @param context the context
+ *
* @return the realm name
*/
protected static String getRealmName(Context context) {
@@ -661,6 +662,7 @@ public abstract class AuthenticatorBase extends ValveBase
implements Authenticat
* Determines whether a CORS preflight request should bypass
authentication.
*
* @param request the request to check
+ *
* @return {@code true} if the CORS preflight request should bypass
authentication
*/
protected boolean allowCorsPreflightBypass(Request request) {
@@ -671,9 +673,8 @@ public abstract class AuthenticatorBase extends ValveBase
implements Authenticat
// This is a subset of the tests in CorsFilter.checkRequestType
if (Method.OPTIONS.equals(request.getMethod())) {
String originHeader =
request.getHeader(CorsFilter.REQUEST_HEADER_ORIGIN);
- if (originHeader != null && !originHeader.isEmpty()
- && !"null".equals(originHeader) &&
RequestUtil.isValidOrigin(originHeader)
- && !RequestUtil.isSameOrigin(request, originHeader)) {
+ if (originHeader != null && !originHeader.isEmpty() &&
RequestUtil.isValidOrigin(originHeader) &&
+ !RequestUtil.isSameOrigin(request, originHeader)) {
String accessControlRequestMethodHeader =
request.getHeader(CorsFilter.REQUEST_HEADER_ACCESS_CONTROL_REQUEST_METHOD);
if (accessControlRequestMethodHeader != null &&
!accessControlRequestMethodHeader.isEmpty()) {
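Review bot: The reason the literal `null` origin is no longer excluded from the `originHeader` condition is recorded only in the commit message, so the condition itself gives a later reader no hint that dropping the check was deliberate. Because this method decides whether a request skips authentication, I would state it next to the existing "subset of the tests" comment, e.g. `// "Origin: null" is a legal (opaque) origin and is deliberately not rejected here; whether it is allowed is left to the CorsFilter configuration.` The second half of that comment is inferred from the commit message and should be confirmed against CorsFilter.checkRequestType, which is not part of this diff. The commit touches only this file, so no test accompanies the change; a case for an OPTIONS request carrying `Origin: null`, with and without the filter permitting that origin, would pin the alignment the title asks for. The body of allowCorsPreflightBypass starts and ends outside the hunk.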
@@ -1235,6 +1236,7 @@ public abstract class AuthenticatorBase extends ValveBase
implements Authenticat
*
* @param request the request being processed
* @param session the session whose ID should be changed
+ *
* @return the new session ID
*/
protected String changeSessionID(Request request, Session session) {