Release Notes / Version 10.2104
Third-Party Update: Tomcat
Tomcat has been updated to version 9.0.41 to avoid a security vulnerability of the previous version (CVE-2020-17527).
(CMS-18753)
Ignore actuator paths for CSRF prevention
The actuator paths (with pattern /actuator/**) are now ignored for CSRF prevention to allow write operations on actuators (like setting log levels).
(CMS-18711)
CodeResourceHandler now respects 'cae.single-node' for single Resources
com.coremedia.blueprint.cae.handlers.CodeResourceHandler#contentResource did not set the Cache-Control header correctly. A Blueprint CAE node configured with cae.single-node=false which is unable to serve the requested version of a resource now sends Cache-Control: no-store along with the outdated version of the resource.
(CMS-18636)
Fixed Dataview Initialization for Autowired Dependencies
Dataviews did not receive autowired dependencies of the origin class if the original content bean was replaced with an extended content bean class. Only customizations of the Blueprint which both extended CMQueryListImpl and replaced the original "contentBeanFactory:CMQueryList" content bean were affected by this bug.
(CMS-18615)
Fixed asset collection download
Added the missing CsrfToken in the download portal for downloading the asset collection as a zip file.
(CMS-18477)
TransformedBlobHandler sends uncacheable response if blob hash does not match
TransformedBlobHandler sends an uncacheable response if the blob hash does not match. The TransformedBlobHandler uses HandlerBase#isSingleNode and the external configuration option cae.single-node to control this behavior.
(CMS-18048)
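
The following is an added example, not CoreMedia code: a check over captured responses for the failure mode that the CodeResourceHandler and TransformedBlobHandler changes address, namely an outdated resource served under a versioned URL without Cache-Control: no-store. The record fields, URLs and hash values are constructed assumptions; fill them from whatever version hash your own URLs and responses carry.

```python
# Added example: flag stale responses that a cache would still be allowed to store.
# Record format and all sample values are constructed for illustration.

def parse_cache_control(value):
    """Parse a Cache-Control header into {lowercase directive: argument or None}."""
    directives = {}
    for part in (value or "").split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def is_storable(cache_control):
    """True unless the header forbids storing. A missing header counts as
    storable, because caches may then apply heuristic freshness."""
    return "no-store" not in parse_cache_control(cache_control)


def find_cacheable_mismatches(records):
    """Return URLs whose served version differs from the requested one
    while the response is still storable by a cache."""
    findings = []
    for rec in records:
        stale = rec["requested_hash"] != rec["served_hash"]
        if stale and is_storable(rec.get("cache_control")):
            findings.append(rec["url"])
    return findings


# Constructed sample: one record per interesting case.
SAMPLE = [
    {"url": "/res/a.css", "requested_hash": "h1", "served_hash": "h1",
     "cache_control": "public, max-age=31536000"},   # current version, fine
    {"url": "/res/b.css", "requested_hash": "h2", "served_hash": "h1",
     "cache_control": "no-store"},                    # stale, not storable
    {"url": "/res/c.css", "requested_hash": "h2", "served_hash": "h1",
     "cache_control": "public, max-age=31536000"},   # stale and cacheable
    {"url": "/res/d.png", "requested_hash": "h9", "served_hash": "h8",
     "cache_control": "No-Store, must-revalidate"},  # directive case varies
    {"url": "/res/e.png", "requested_hash": "h9", "served_hash": "h8",
     "cache_control": None},                          # header missing
]

if __name__ == "__main__":
    for url in find_cacheable_mismatches(SAMPLE):
        print("stale response is cacheable:", url)
```
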