GitHub user kdombeck opened a pull request: https://github.com/apache/tomcat/pull/96

    Remove PUT and DELETE methods from an OPTIONS request if readOnly is true

Currently ```DefaultServlet``` is returning all HTTP methods for an OPTIONS call even when the **readOnly** flag is true.

Example:

```
$ curl -v -X OPTIONS localhost:8080
....
< Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS
....
```

It should be the following instead if the **readOnly** flag is **true**.

```
$ curl -v -X OPTIONS localhost:8080
....
< Allow: GET, HEAD, POST, OPTIONS
....
```

As a side note I don't understand the following.

* Why is a POST allowed when **readOnly** is true?
* Why does a POST call GET internally?

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/kdombeck/tomcat remove-options

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/tomcat/pull/96.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #96

----
commit deb05b2c1c4693b1cb5904e9bba8f46bca18ee7d
Author: Ken Dombeck <kdomb...@gmail.com>
Date:   2017-12-13T21:55:59Z

    Remove PUT and DELETE methods from an OPTIONS request if readOnly is true

----
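
The following check is an added example, not code from the pull request or from Tomcat: it parses the `Allow` header of an OPTIONS response and reports whether PUT or DELETE is still advertised for a resource that is meant to be read-only. The function names and the two sample responses are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample responses in `curl -v` format (not captured from a server).
SAMPLE_WRITABLE='< HTTP/1.1 200
< Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS
< Content-Length: 0'
SAMPLE_READONLY='< HTTP/1.1 200
< allow: GET, HEAD, POST, OPTIONS
< Content-Length: 0'

# Read response headers on stdin (raw, or prefixed with "< " as in curl -v)
# and print each method named in an Allow header, uppercased, one per line.
allowed_methods() {
    tr -d '\r' |
    sed -n 's/^<\{0,1\} *[Aa][Ll][Ll][Oo][Ww] *: *//p' |
    tr ',' '\n' |
    tr -d ' \t' |
    tr '[:lower:]' '[:upper:]' |
    sed '/^$/d' |
    sort -u
}

# Print the write methods (PUT, DELETE) that the response advertises,
# space-separated; prints nothing when neither is listed.
advertised_write_methods() {
    allowed_methods | grep -E -x 'PUT|DELETE' | tr '\n' ' ' | sed 's/ $//'
}

# Return 0 when the Allow header lists no write method, 1 otherwise.
check_readonly_options() {
    found=$(advertised_write_methods)
    if [ -n "$found" ]; then
        echo "FAIL: read-only resource advertises: $found"
        return 1
    fi
    echo "OK: Allow header lists no write methods"
}

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_WRITABLE" | check_readonly_options || true
printf '%s\n' "$SAMPLE_READONLY" | check_readonly_options || true

# Against a local instance, as in the report above:
#   curl -s -i -X OPTIONS http://localhost:8080/ | check_readonly_options
```

The check only inspects what the server advertises; whether PUT and DELETE are actually rejected when **readOnly** is true has to be verified separately.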