This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push:
     new 2e447ae82e Do not include sensitive headers in responses to HTTP TRACE requests
2e447ae82e is described below

commit 2e447ae82eccaa8ea5a52de57e0b2be8cd0a148e
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Mon Aug 1 17:36:18 2022 +0100

    Do not include sensitive headers in responses to HTTP TRACE requests

    This is a requirement of RFC 7231, 4.3.8
---
 java/javax/servlet/http/HttpServlet.java | 22 ++++++++++++++++++----
 test/javax/servlet/http/TestHttpServlet.java | 8 ++++++++
 webapps/docs/changelog.xml | 4 ++++
 3 files changed, 30 insertions(+), 4 deletions(-)

diff --git a/java/javax/servlet/http/HttpServlet.java b/java/javax/servlet/http/HttpServlet.java
index 99906002b6..3ee5fa6abe 100644
--- a/java/javax/servlet/http/HttpServlet.java
+++ b/java/javax/servlet/http/HttpServlet.java
@@ -25,7 +25,10 @@ import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Method;
 import java.text.MessageFormat;
 import java.util.Enumeration;
+import java.util.HashSet;
+import java.util.Locale;
 import java.util.ResourceBundle;
+import java.util.Set;
 
 import javax.servlet.AsyncEvent;
 import javax.servlet.AsyncListener;
@@ -93,6 +96,14 @@ public abstract class HttpServlet extends GenericServlet {
     private static final String LSTRING_FILE = "javax.servlet.http.LocalStrings";
     private static final ResourceBundle lStrings = ResourceBundle.getBundle(LSTRING_FILE);
 
+    private static final Set<String> SENSITIVE_HTTP_HEADERS = new HashSet<>();
+
+
+    static {
+        SENSITIVE_HTTP_HEADERS.add("cookie");
+        SENSITIVE_HTTP_HEADERS.add("www-authenticate");
+    }
+
     /**
      * Does nothing, because this is an abstract class.
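Review bot: The static block that populates SENSITIVE_HTTP_HEADERS lists only `cookie` and `www-authenticate`, so the TRACE echo guarded in the following hunk would still reflect a request's `Authorization` and `Proxy-Authorization` headers, which carry the credentials RFC 7231 4.3.8 is most concerned with (WWW-Authenticate is a response header, so it is unlikely to be the credential-bearing header on a request). Adding `SENSITIVE_HTTP_HEADERS.add("authorization");` and `SENSITIVE_HTTP_HEADERS.add("proxy-authorization");` to the block would close that gap, and the test's `WWW-Authenticate: not-a-real-credential` line could be mirrored with an `Authorization:` line so the new entries are covered. The field also deserves a short Javadoc such as `/** Lower-case names of request headers never echoed in a TRACE response (RFC 7231, 4.3.8). */`, since the lookup in the later hunk silently depends on the entries being lower-case.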
@@ -599,10 +610,13 @@ public abstract class HttpServlet extends GenericServlet {
         while (reqHeaderNames.hasMoreElements()) {
             String headerName = reqHeaderNames.nextElement();
-            Enumeration<String> headerValues = req.getHeaders(headerName);
-            while (headerValues.hasMoreElements()) {
-                String headerValue = headerValues.nextElement();
-                buffer.append(CRLF).append(headerName).append(": ").append(headerValue);
+            // RFC 7231, 4.3.8 - skip 'sensitive' headers
+            if (!SENSITIVE_HTTP_HEADERS.contains(headerName.toLowerCase(Locale.ENGLISH))) {
+                Enumeration<String> headerValues = req.getHeaders(headerName);
+                while (headerValues.hasMoreElements()) {
+                    String headerValue = headerValues.nextElement();
+                    buffer.append(CRLF).append(headerName).append(": ").append(headerValue);
+                }
             }
         }
diff --git a/test/javax/servlet/http/TestHttpServlet.java b/test/javax/servlet/http/TestHttpServlet.java
index 39f3707800..4e683b0a15 100644
--- a/test/javax/servlet/http/TestHttpServlet.java
+++ b/test/javax/servlet/http/TestHttpServlet.java
@@ -20,6 +20,7 @@ import java.io.IOException;
 import java.io.PrintWriter;
 import java.util.HashMap;
 import java.util.List;
+import java.util.Locale;
 import java.util.Map;
 
 import javax.servlet.AsyncContext;
@@ -315,6 +316,8 @@ public class TestHttpServlet extends TomcatBaseTest {
                 "Host: localhost:" + getPort() + SimpleHttpClient.CRLF +
                 "X-aaa: a1, a2" + SimpleHttpClient.CRLF +
                 "X-aaa: a3" + SimpleHttpClient.CRLF +
+                "Cookie: c1-v1" + SimpleHttpClient.CRLF +
+                "WWW-Authenticate: not-a-real-credential" + SimpleHttpClient.CRLF +
                 SimpleHttpClient.CRLF});
         client.setUseContentLength(true);
@@ -328,9 +331,14 @@ public class TestHttpServlet extends TomcatBaseTest {
         Assert.assertTrue(client.getResponseLine(), client.isResponse200());
 
         // Far from perfect but good enough
+        body = body.toLowerCase(Locale.ENGLISH);
         Assert.assertTrue(body.contains("a1"));
         Assert.assertTrue(body.contains("a2"));
         Assert.assertTrue(body.contains("a3"));
+        // Sensitive headers (cookies, WWW-Authenticate) must not be reflected
+        // (since RFC 7231)
+        Assert.assertFalse(body.contains("cookie"));
+        Assert.assertFalse(body.contains("www-authenticate"));
 
         client.disconnect();
     }
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index b4962dea2e..7e428939e8 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -111,6 +111,10 @@
         Correct handling of HTTP TRACE requests where there are multiple
         instances of an HTTP header with the same name. (markt)
       </fix>
+      <fix>
+        Implement the requirements of RFC 7231 and do not include sensitive
+        headers in responses to HTTP TRACE requests. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Coyote">

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org