Author: markt
Date: Tue Feb 14 11:01:35 2017
New Revision: 1782947

URL: http://svn.apache.org/viewvc?rev=1782947&view=rev
Log:
Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=60697
Correct OPTIONS response for custom servlets so TRACE is not included when it 
is disabled

Modified:
    tomcat/trunk/java/javax/servlet/http/HttpServlet.java
    tomcat/trunk/test/org/apache/catalina/connector/TestConnector.java
    tomcat/trunk/webapps/docs/changelog.xml

Modified: tomcat/trunk/java/javax/servlet/http/HttpServlet.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/javax/servlet/http/HttpServlet.java?rev=1782947&r1=1782946&r2=1782947&view=diff
==============================================================================
--- tomcat/trunk/java/javax/servlet/http/HttpServlet.java (original)
+++ tomcat/trunk/java/javax/servlet/http/HttpServlet.java Tue Feb 14 11:01:35 
2017
@@ -20,6 +20,7 @@ import java.io.IOException;
 import java.io.OutputStreamWriter;
 import java.io.PrintWriter;
 import java.io.UnsupportedEncodingException;
+import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Method;
 import java.text.MessageFormat;
 import java.util.Enumeration;
@@ -489,6 +490,18 @@ public abstract class HttpServlet extend
         boolean ALLOW_TRACE = true;
         boolean ALLOW_OPTIONS = true;
 
+        // Tomcat specific hack to see if TRACE is allowed
+        Class<?> clazz = null;
+        try {
+            clazz = 
Class.forName("org.apache.catalina.connector.RequestFacade");
+            Method getAllowTrace = clazz.getMethod("getAllowTrace", 
(Class<?>[]) null);
+            ALLOW_TRACE = ((Boolean) getAllowTrace.invoke(req, (Object[]) 
null)).booleanValue();
+        } catch (ClassNotFoundException | NoSuchMethodException | 
SecurityException |
+                IllegalAccessException | IllegalArgumentException | 
InvocationTargetException e) {
+            // Ignore. Not running on Tomcat. TRACE is always allowed.
+        }
+        // End of Tomcat specific hack
+
         for (int i=0; i<methods.length; i++) {
             Method m = methods[i];
 
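Review bot: The reflective call on the `ALLOW_TRACE = ((Boolean) getAllowTrace.invoke(req, ...)` line only works when `req` is itself the Tomcat `RequestFacade`; if a filter has wrapped the request, `invoke` throws IllegalArgumentException, which the multi-catch swallows, so `ALLOW_TRACE` stays true and the Allow header still advertises TRACE even though the Connector has it disabled, which silently undoes the fix for exactly the deployments that wrap requests. The catch comment `// Ignore. Not running on Tomcat. TRACE is always allowed.` is therefore inaccurate for that path, and the empty catch gives no way to tell the two cases apart. Walking down any `ServletRequestWrapper` chain to the facade and testing `clazz.isInstance` before invoking closes the gap (a `javax.servlet.ServletRequestWrapper` import would be needed); the `Class.forName`/`getMethod` lookup could also be held in a static field instead of being repeated on every OPTIONS request. The enclosing doOptions method begins before this hunk.
```java
        // Tomcat specific hack to see if TRACE is allowed
        try {
            Class<?> clazz = Class.forName("org.apache.catalina.connector.RequestFacade");
            // Filters may have wrapped the request; walk down to the Tomcat facade
            ServletRequest unwrapped = req;
            while (!clazz.isInstance(unwrapped) && unwrapped instanceof ServletRequestWrapper) {
                unwrapped = ((ServletRequestWrapper) unwrapped).getRequest();
            }
            if (clazz.isInstance(unwrapped)) {
                Method getAllowTrace = clazz.getMethod("getAllowTrace", (Class<?>[]) null);
                ALLOW_TRACE = ((Boolean) getAllowTrace.invoke(unwrapped, (Object[]) null)).booleanValue();
            }
            // Facade not reachable through the wrapper chain: leave ALLOW_TRACE unchanged
        // … unchanged: multi-catch of the reflection exceptions …
```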

Modified: tomcat/trunk/test/org/apache/catalina/connector/TestConnector.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/catalina/connector/TestConnector.java?rev=1782947&r1=1782946&r2=1782947&view=diff
==============================================================================
--- tomcat/trunk/test/org/apache/catalina/connector/TestConnector.java 
(original)
+++ tomcat/trunk/test/org/apache/catalina/connector/TestConnector.java Tue Feb 
14 11:01:35 2017
@@ -16,16 +16,25 @@
  */
 package org.apache.catalina.connector;
 
+import java.io.File;
 import java.net.SocketTimeoutException;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import javax.servlet.Servlet;
 
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
 
+import org.junit.Assert;
 import org.junit.Test;
 
 import org.apache.catalina.Context;
 import org.apache.catalina.LifecycleException;
 import org.apache.catalina.Wrapper;
+import org.apache.catalina.servlets.DefaultServlet;
+import org.apache.catalina.servlets.WebdavServlet;
 import org.apache.catalina.startup.TesterServlet;
 import org.apache.catalina.startup.Tomcat;
 import org.apache.catalina.startup.TomcatBaseTest;
@@ -139,4 +148,76 @@ public class TestConnector extends Tomca
 
         c2.start();
     }
+
+
+    @Test
+    public void testTraceAllowedDefault() throws Exception {
+        doTestTrace(new DefaultServlet(), true);
+    }
+
+
+    @Test
+    public void testTraceNotAllowedDefault() throws Exception {
+        doTestTrace(new DefaultServlet(), false);
+    }
+
+
+    @Test
+    public void testTraceAllowedWebDav() throws Exception {
+        doTestTrace(new WebdavServlet(), true);
+    }
+
+
+    @Test
+    public void testTraceNotAllowedWebDav() throws Exception {
+        doTestTrace(new WebdavServlet(), false);
+    }
+
+
+    @Test
+    public void testTraceAllowedCustom() throws Exception {
+        doTestTrace(new TesterServlet(), true);
+    }
+
+
+    @Test
+    public void testTraceNotAllowedCustom() throws Exception {
+        doTestTrace(new TesterServlet(), false);
+    }
+
+
+    private void doTestTrace(Servlet servlet, boolean allowTrace) throws 
Exception {
+        Tomcat tomcat = getTomcatInstance();
+
+        File appDir = new File("test/webapp");
+        Context root = tomcat.addContext("", appDir.getAbsolutePath());
+        Tomcat.addServlet(root, "default", servlet);
+        root.addServletMappingDecoded("/", "default");
+
+        Connector connector = tomcat.getConnector();
+        connector.setAllowTrace(allowTrace);
+
+        tomcat.start();
+
+        ByteChunk bc = new ByteChunk();
+        Map<String,List<String>> respHeaders = new HashMap<>();
+        int rc = methodUrl("http://localhost:"; + getPort() + "/index.html",
+                bc, 30000, null, respHeaders, "OPTIONS");
+
+        assertEquals(200, rc);
+
+        boolean foundTrace = false;
+        for (String header : respHeaders.get("Allow")) {
+            if (header.contains("TRACE")) {
+                foundTrace = true;
+                break;
+            }
+        }
+
+        if (allowTrace) {
+            Assert.assertTrue(foundTrace);
+        } else {
+            Assert.assertFalse(foundTrace);
+        }
+    }
 }
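Review bot: In doTestTrace the loop `for (String header : respHeaders.get("Allow"))` dereferences the map lookup directly, so an OPTIONS response with no Allow header fails with a NullPointerException instead of a readable assertion; capture it first, `List<String> allow = respHeaders.get("Allow");` followed by `Assert.assertNotNull("No Allow header in OPTIONS response", allow);`. The trailing `if (allowTrace) { ... } else { ... }` collapses to `Assert.assertEquals(allowTrace, foundTrace);`, and the file already statically imports assertEquals/assertTrue (earlier hunk in this file) while the new code calls `Assert.assertTrue`, so one style should be picked. The `"http://localhost:"; +` on the methodUrl line looks like an archive rendering artifact rather than the committed source, but is worth confirming against the repository.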

Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1782947&r1=1782946&r2=1782947&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Tue Feb 14 11:01:35 2017
@@ -84,6 +84,11 @@
         <code>AuthConfigFactory</code> is available. (markt)
       </fix>
       <fix>
+        <bug>60697</bug>: When HTTP TRACE requests are disabled on the
+        Connector, ensure that the HTTP OPTIONS response from custom servlets
+        does not include TRACE in the returned Allow header. (markt)
+      </fix>
+      <fix>
         <bug>60720</bug>: Replace "WWW-Authenticate" literal with static final
         AUTH_HEADER_NAME in SpnegoAuthenticator. Patch provided by Michael
         Osipov. (violetagg)


