From 4d41375d15a19c1ae5255f8f2361f1d688187bca Mon Sep 17 00:00:00 2001 From: markt Date: Sun, 22 May 2011 22:54:15 +0000 Subject: [PATCH] Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=27122 Remove a workaround for a very old and since fixed Mozilla bug and change the default value of the securePagesWithPragma attribute of the Authenticator Valves to false to reduce the likelihood of issues when downloading files with IE. git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1126273 13f79535-47bb-0310-9956-ffa450edef68 --- .../org/apache/catalina/authenticator/AuthenticatorBase.java | 12 ++++-------- webapps/docs/changelog.xml | 6 ++++++ webapps/docs/config/valve.xml | 10 +++++----- 3 files changed, 15 insertions(+), 13 deletions(-) diff --git a/java/org/apache/catalina/authenticator/AuthenticatorBase.java b/java/org/apache/catalina/authenticator/AuthenticatorBase.java index baf6e5a11..fa99f81e1 100644 --- a/java/org/apache/catalina/authenticator/AuthenticatorBase.java +++ b/java/org/apache/catalina/authenticator/AuthenticatorBase.java @@ -143,9 +143,9 @@ public abstract class AuthenticatorBase extends ValveBase /** * Flag to determine if we disable proxy caching with headers incompatible - * with IE + * with IE. */ - protected boolean securePagesWithPragma = true; + protected boolean securePagesWithPragma = false; /** * The Java class name of the secure random number generator class to be 
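Review bot: The Javadoc on `securePagesWithPragma` still does not say which headers each value produces, so the security effect of flipping the default to `false` is not visible at the field. According to the valve.xml text touched by this same patch, `false` selects `Cache-Control: private` instead of `Pragma: No-cache` and `Cache-Control: no-cache`. That keeps shared proxies from caching the response but still lets the user's browser store pages that sit behind a security constraint. I would extend the comment to something like `If true, send Pragma: No-cache and Cache-Control: no-cache; if false, send Cache-Control: private (the browser may still cache the response).` The changelog entry could also state that deployments relying on the old default must now set the attribute explicitly.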
@@ -466,14 +466,10 @@ public abstract class AuthenticatorBase extends ValveBase // Make sure that constrained resources are not cached by web proxies // or browsers as caching can provide a security hole if (constraints != null && disableProxyCaching && - // FIXME: Disabled for Mozilla FORM support over SSL - // (improper caching issue) - //!request.isSecure() && + !request.isSecure() && !"POST".equalsIgnoreCase(request.getMethod())) { if (securePagesWithPragma) { - // FIXME: These cause problems with downloading office docs - // from IE under SSL and may not be needed for newer Mozilla - // clients. + // Note: These can cause problems with downloading files with IE response.setHeader("Pragma", "No-cache"); response.setHeader("Cache-Control", "no-cache"); } else { diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index ec89135ba..fd49f6c09 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -46,6 +46,12 @@ + 27122: Remove a workaround for a very old and since fixed + Mozilla bug and change the default value of the securePagesWithPragma + attribute of the Authenticator Valves to false. These changes should + reduce the likelihood of issues when downloading files with IE. (markt) + + 35054: Check that a file is not specified for a Host's appBase and log an error if it is. (markt) diff --git a/webapps/docs/config/valve.xml b/webapps/docs/config/valve.xml index 06f945dd0..546c3e857 100644 --- a/webapps/docs/config/valve.xml +++ b/webapps/docs/config/valve.xml @@ -462,7 +462,7 @@ caching issues in some browsers by using Cache-Control: private rather than the default of Pragma: No-cache and Cache-control: No-cache. - If not set, the default value of true will be used.
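Review bot: Over HTTPS a constrained resource now gets none of the cache headers in this block, because the re-enabled `!request.isSecure() &&` skips it. The comment directly above still says constrained resources are not cached "by web proxies or browsers". Browsers can store HTTPS responses, so protected pages may remain in the local cache after logout; this is presumably an accepted trade-off for the IE download problem, but the code does not say so. The comment should carry the limitation, e.g. `// Only applied to non-secure requests; responses over SSL get no cache headers here, so applications serving sensitive content must set their own.` The condition sits in a method whose start and end are outside this hunk, so any later header handling is not visible here.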

+ If not set, the default value of false will be used.

@@ -591,7 +591,7 @@ caching issues in some browsers by using Cache-Control: private rather than the default of Pragma: No-cache and Cache-control: No-cache. - If not set, the default value of true will be used.

+ If not set, the default value of false will be used.

@@ -704,7 +704,7 @@ caching issues in some browsers by using Cache-Control: private rather than the default of Pragma: No-cache and Cache-control: No-cache. - If not set, the default value of true will be used.

+ If not set, the default value of false will be used.

@@ -796,7 +796,7 @@ caching issues in some browsers by using Cache-Control: private rather than the default of Pragma: No-cache and Cache-control: No-cache. - If not set, the default value of true will be used.

+ If not set, the default value of false will be used.

@@ -895,7 +895,7 @@ caching issues in some browsers by using Cache-Control: private rather than the default of Pragma: No-cache and Cache-control: No-cache. - If not set, the default value of true will be used.

+ If not set, the default value of false will be used.

-- 2.11.0