File tomcat-8.0.43-CVE-2017-7674.patch of Package tomcat.5927

Index: java/org/apache/catalina/filters/CorsFilter.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- java/org/apache/catalina/filters/CorsFilter.java	(revision b14b0e99c528e7c776fdc8ab61d6dda6b47457a2)
+++ java/org/apache/catalina/filters/CorsFilter.java	(revision f52c242d92d4563dd1226dcc993ec37370ba9ce3)
@@ -297,6 +297,10 @@
                     exposedHeadersString);
         }
 
+        // Indicate the response depends on the origin
+        response.addHeader(CorsFilter.REQUEST_HEADER_VARY,
+                CorsFilter.REQUEST_HEADER_ORIGIN);
+
         // Forward the request down the filter chain.
         filterChain.doFilter(request, response);
     }
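Review bot: The new `response.addHeader(CorsFilter.REQUEST_HEADER_VARY, ...)` call runs before `filterChain.doFilter(request, response)`, so a downstream filter or servlet that calls `setHeader("Vary", ...)` would replace the `Origin` value and leave the origin-specific response cacheable across origins again. A comment at the call site would make that dependency explicit, e.g. `// Must survive the chain: downstream code should add to Vary, never set it`. The enclosing method starts outside the hunk, so it is not visible whether the other paths (requests without an `Origin` header, pre-flight, rejected requests) also emit `Vary: Origin`. If they do not, a shared cache may still store an origin-less response and serve it to a cross-origin client, which is worth checking before treating CVE-2017-7674 as fully closed for deployments behind a cache.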
@@ -998,6 +1002,13 @@
             "Access-Control-Allow-Headers";
 
     // -------------------------------------------------- CORS Request Headers
+
+    /**
+     * The Vary header indicates allows disabling proxy caching by indicating
+     * the the response depends on the origin.
+     */
+    public static final String REQUEST_HEADER_VARY = "Vary";
+
     /**
      * The Origin header indicates where the cross-origin request or preflight
      * request originates from.
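Review bot: `REQUEST_HEADER_VARY` names a response header as a request header and sits under the "CORS Request Headers" banner, which will mislead anyone auditing which headers the filter reads and which it writes. Since the constant is new and public, now is the time to call it `RESPONSE_HEADER_VARY` and place it with the response-header constants above, updating the one call site this patch adds. The Javadoc is also garbled ("indicates allows", "the the") and overstates the effect: Vary does not disable proxy caching, it makes the cached entry depend on the named request header. Suggested text: `/** The Vary response header tells caches that the response depends on the Origin request header. */`. The constants section continues outside the hunk.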