This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
     new 4f10a86dee Update handling of sensitive methods for TRACE
4f10a86dee is described below

commit 4f10a86dee1f4a357bebd000b6b23e32031a1a27
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed Mar 22 14:56:46 2023 +0000

    Update handling of sensitive methods for TRACE
    
    List of headers aligns with Servlet 6.1
    Add new protected method to allow customization
---
 java/jakarta/servlet/http/HttpServlet.java | 47 ++++++++++++++++++++++++------
 webapps/docs/changelog.xml                 |  6 ++++
 2 files changed, 44 insertions(+), 9 deletions(-)

diff --git a/java/jakarta/servlet/http/HttpServlet.java 
b/java/jakarta/servlet/http/HttpServlet.java
index 15bb6521de..08f317877b 100644
--- a/java/jakarta/servlet/http/HttpServlet.java
+++ b/java/jakarta/servlet/http/HttpServlet.java
@@ -24,11 +24,11 @@ import java.io.Writer;
 import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Method;
 import java.text.MessageFormat;
+import java.util.Arrays;
 import java.util.Enumeration;
-import java.util.HashSet;
+import java.util.List;
 import java.util.Locale;
 import java.util.ResourceBundle;
-import java.util.Set;
 
 import jakarta.servlet.AsyncEvent;
 import jakarta.servlet.AsyncListener;
@@ -85,7 +85,8 @@ public abstract class HttpServlet extends GenericServlet {
     private static final String LSTRING_FILE = 
"jakarta.servlet.http.LocalStrings";
     private static final ResourceBundle lStrings = 
ResourceBundle.getBundle(LSTRING_FILE);
 
-    private static final Set<String> SENSITIVE_HTTP_HEADERS = new HashSet<>();
+    private static final List<String> SENSITIVE_HTTP_HEADERS = 
Arrays.asList("authorization", "cookie", "x-forwarded",
+            "forwarded", "proxy-authorization");
 
     /**
      * @deprecated May be removed in a future release
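Review bot: The new `SENSITIVE_HTTP_HEADERS` constant is built with `Arrays.asList`, which yields a fixed-size list whose elements can still be replaced through `set`, so the denylist is not actually immutable. If the build targets Java 9 or later, `List.of("authorization", "cookie", "x-forwarded", "forwarded", "proxy-authorization")` gives a genuinely unmodifiable, null-hostile list and also removes the need for the `java.util.Arrays` import added in the hunk above. This is a point of style rather than a defect: the field is private and nothing in this commit mutates it.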
@@ -107,11 +108,6 @@ public abstract class HttpServlet extends GenericServlet {
      */
     private volatile boolean cachedUseLegacyDoHead;
 
-    static {
-        SENSITIVE_HTTP_HEADERS.add("cookie");
-        SENSITIVE_HTTP_HEADERS.add("authorization");
-    }
-
 
     /**
      * Does nothing, because this is an abstract class.
@@ -544,7 +540,7 @@ public abstract class HttpServlet extends GenericServlet {
         while (reqHeaderNames.hasMoreElements()) {
             String headerName = reqHeaderNames.nextElement();
             // RFC 7231, 4.3.8 - skip 'sensitive' headers
-            if 
(!SENSITIVE_HTTP_HEADERS.contains(headerName.toLowerCase(Locale.ENGLISH))) {
+            if (!isSensitiveHeader(headerName)) {
                 Enumeration<String> headerValues = req.getHeaders(headerName);
                 while (headerValues.hasMoreElements()) {
                     String headerValue = headerValues.nextElement();
@@ -565,6 +561,39 @@ public abstract class HttpServlet extends GenericServlet {
     }
 
 
+    /**
+     * Is the provided HTTP request header considered sensitive and therefore 
should be excluded from the response to a
+     * {@code TRACE} request?
+     * <p>
+     * By default, the headers thats start with any of the following are 
considered sensitive:
+     * <ul>
+     * <li>authorization</li>
+     * <li>cookie</li>
+     * <li>x-forwarded</li>
+     * <li>forwarded</li>
+     * <li>proxy-authorization</li>
+     * </ul>
+     * <p>
+     * Note that HTTP header names are case insensitive.
+     *
+     * @param headerName the name of the HTTP request header to test
+     *
+     * @return (@code true} if the HTTP request header is considered sensitive 
and should be excluded from the response
+     *             to a {@code TRACE} request, otherwise {@code false}
+     *
+     * @since Servlet 6.1
+     */
+    protected boolean isSensitiveHeader(String headerName) {
+        String lcHeaderName = headerName.toLowerCase(Locale.ENGLISH);
+        for (String sensitiveHeaderName : SENSITIVE_HTTP_HEADERS) {
+            if (lcHeaderName.startsWith(sensitiveHeaderName)) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+
     /**
      * Receives standard HTTP requests from the public <code>service</code> 
method and dispatches them to the
      * <code>do</code><i>Method</i> methods defined in this class. This method 
is an HTTP-specific version of the
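Review bot: The Javadoc on the new `isSensitiveHeader` method has a broken inline tag on the `@return` line, `(@code true}`, which should read `{@code true}`, and "the headers thats start with" should read "the headers that start with". Because this method is the documented extension point for subclasses and the match is a prefix test against a denylist, the Javadoc would benefit from a sentence such as `Overriding implementations should normally call {@code super.isSensitiveHeader(headerName)} so that the default set of sensitive headers is still excluded.`, since any header name not matched here appears to be echoed back in the `TRACE` response by the caller in the previous hunk. The prefix matching itself is consistent with the description (so `x-forwarded` covers `X-Forwarded-For` and similar), and the lowercase comparison with `Locale.ENGLISH` avoids locale-dependent case folding.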
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index e88e2fdf22..d7034c69b8 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -160,6 +160,12 @@
         Add support code for custom user attributes in <code>RealmBase</code>.
         Based on code from <pr>473</pr> by Carsten Klein. (remm)
       </update>
+      <fix>
+        Expand the set of HTTP request headers considered sensitive that should
+        be skipped when generating a response to a <code>TRACE</code> request.
+        This aligns with the current draft of the Servlet 6.1 specification.
+        (markt)  
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Coyote">

