[tomcat] branch 8.5.x updated: Improve handling of HTTP TRACE requests

Mon, 01 Aug 2022 09:17:16 -0700 

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/8.5.x by this push:
     new 7524b3142e Improve handling of HTTP TRACE requests
7524b3142e is described below

commit 7524b3142e61b769de75fa4812f8aa1d7087612f
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Mon Aug 1 17:15:08 2022 +0100

    Improve handling of HTTP TRACE requests
---
 java/javax/servlet/http/HttpServlet.java     | 17 ++++-----
 test/javax/servlet/http/TestHttpServlet.java | 52 ++++++++++++++++++++++++++++
 webapps/docs/changelog.xml                   |  8 +++++
 3 files changed, 69 insertions(+), 8 deletions(-)

diff --git a/java/javax/servlet/http/HttpServlet.java 
b/java/javax/servlet/http/HttpServlet.java
index 2289b70cb2..99906002b6 100644
--- a/java/javax/servlet/http/HttpServlet.java
+++ b/java/javax/servlet/http/HttpServlet.java
@@ -587,9 +587,7 @@ public abstract class HttpServlet extends GenericServlet {
      * @exception ServletException  if the request for the
      *                                  TRACE cannot be handled
      */
-    protected void doTrace(HttpServletRequest req, HttpServletResponse resp)
-        throws ServletException, IOException
-    {
+    protected void doTrace(HttpServletRequest req, HttpServletResponse resp) 
throws ServletException, IOException {
 
         int responseLength;
 
@@ -597,12 +595,15 @@ public abstract class HttpServlet extends GenericServlet {
         StringBuilder buffer =
                 new StringBuilder("TRACE 
").append(req.getRequestURI()).append(" ").append(req.getProtocol());
 
-        Enumeration<String> reqHeaderEnum = req.getHeaderNames();
+        Enumeration<String> reqHeaderNames = req.getHeaderNames();
 
-        while( reqHeaderEnum.hasMoreElements() ) {
-            String headerName = reqHeaderEnum.nextElement();
-            buffer.append(CRLF).append(headerName).append(": ")
-                .append(req.getHeader(headerName));
+        while (reqHeaderNames.hasMoreElements()) {
+            String headerName = reqHeaderNames.nextElement();
+            Enumeration<String> headerValues = req.getHeaders(headerName);
+            while (headerValues.hasMoreElements()) {
+                String headerValue = headerValues.nextElement();
+                buffer.append(CRLF).append(headerName).append(": 
").append(headerValue);
+            }
         }
 
         buffer.append(CRLF);
diff --git a/test/javax/servlet/http/TestHttpServlet.java 
b/test/javax/servlet/http/TestHttpServlet.java
index fbea9e643f..39f3707800 100644
--- a/test/javax/servlet/http/TestHttpServlet.java
+++ b/test/javax/servlet/http/TestHttpServlet.java
@@ -40,6 +40,7 @@ import org.apache.catalina.startup.Tomcat;
 import org.apache.catalina.startup.TomcatBaseTest;
 import org.apache.tomcat.util.buf.ByteChunk;
 import org.apache.tomcat.util.collections.CaseInsensitiveKeyMap;
+import org.apache.tomcat.util.net.TesterSupport.SimpleServlet;
 
 public class TestHttpServlet extends TomcatBaseTest {
 
@@ -293,6 +294,57 @@ public class TestHttpServlet extends TomcatBaseTest {
     }
 
 
+    @Test
+    public void testTrace() throws Exception {
+        Tomcat tomcat = getTomcatInstance();
+        tomcat.getConnector().setAllowTrace(true);
+
+        // No file system docBase required
+        StandardContext ctx = (StandardContext) tomcat.addContext("", null);
+
+        // Map the test Servlet
+        Tomcat.addServlet(ctx, "servlet", new SimpleServlet());
+        ctx.addServletMappingDecoded("/", "servlet");
+
+        tomcat.start();
+
+        TraceClient client = new TraceClient();
+        client.setPort(getPort());
+        client.setRequest(new String[] {
+                "TRACE / HTTP/1.1" + SimpleHttpClient.CRLF +
+                "Host: localhost:" + getPort() + SimpleHttpClient.CRLF +
+                "X-aaa: a1, a2" + SimpleHttpClient.CRLF +
+                "X-aaa: a3" + SimpleHttpClient.CRLF +
+                SimpleHttpClient.CRLF});
+        client.setUseContentLength(true);
+
+        client.connect();
+        client.sendRequest();
+        client.readResponse(true);
+
+        String body = client.getResponseBody();
+
+        System.out.println(body);
+
+        Assert.assertTrue(client.getResponseLine(), client.isResponse200());
+        // Far from perfect but good enough
+        Assert.assertTrue(body.contains("a1"));
+        Assert.assertTrue(body.contains("a2"));
+        Assert.assertTrue(body.contains("a3"));
+
+        client.disconnect();
+    }
+
+
+    private static final class TraceClient extends SimpleHttpClient {
+
+        @Override
+        public boolean isResponseBodyOK() {
+            return true;
+        }
+    }
+
+
     private class Client extends SimpleHttpClient {
 
         public Client(String request, boolean isHttp09) {
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 50e066e9ae..2483ac823f 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -105,6 +105,14 @@
   issues do not "pop up" wrt. others).
 -->
 <section name="Tomcat 8.5.82 (schultz)" rtext="in development">
+  <subsection name="Catalina">
+    <changelog>
+      <fix>
+        Correct handling of HTTP TRACE requests where there are multiple
+        instances of an HTTP header with the same name. (markt)
+      </fix>
+    </changelog>
+  </subsection>
   <subsection name="Coyote">
     <changelog>
       <add>


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Reply via email to