This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.1.x by this push:
new 9e1aebd2d1 Fix BZ 69214. CORS. POST with no content-type is not a
reason to reject
9e1aebd2d1 is described below
commit 9e1aebd2d166bb9216776c6e934ad279d2ea2cbb
Author: Mark Thomas <[email protected]>
AuthorDate: Mon Jul 22 20:44:25 2024 +0100
Fix BZ 69214. CORS. POST with no content-type is not a reason to reject
https://bz.apache.org/bugzilla/show_bug.cgi?id=69214
---
java/org/apache/catalina/filters/CorsFilter.java | 4 +++-
test/org/apache/catalina/filters/TestCorsFilter.java | 18 +++++++++++++++++-
webapps/docs/changelog.xml | 6 ++++++
3 files changed, 26 insertions(+), 2 deletions(-)
diff --git a/java/org/apache/catalina/filters/CorsFilter.java
b/java/org/apache/catalina/filters/CorsFilter.java
index 4fb910c533..504af77dcf 100644
--- a/java/org/apache/catalina/filters/CorsFilter.java
+++ b/java/org/apache/catalina/filters/CorsFilter.java
@@ -567,7 +567,9 @@ public class CorsFilter extends GenericFilter {
requestType = CORSRequestType.SIMPLE;
} else if ("POST".equals(method)) {
String mediaType =
getMediaType(request.getContentType());
- if (mediaType != null) {
+ if (mediaType == null) {
+ requestType = CORSRequestType.SIMPLE;
+ } else {
if
(SIMPLE_HTTP_REQUEST_CONTENT_TYPE_VALUES.contains(mediaType)) {
requestType = CORSRequestType.SIMPLE;
} else {
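Review bot: The new `mediaType == null` branch classifies a POST as SIMPLE for every null that `getMediaType()` can return, not only for an absent header. `getMediaType()` is outside this hunk, so if it can also return null for a Content-Type that is present but unparseable, such a request would bypass the `SIMPLE_HTTP_REQUEST_CONTENT_TYPE_VALUES` check. Testing `request.getContentType() == null` directly would tie the branch to the absent-header case. Either way, a comment above the branch would record the intent, for example `// No Content-Type header: nothing to compare with the simple content types, so treat as a simple request (BZ 69214)`. The enclosing method starts and ends outside the hunk.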
diff --git a/test/org/apache/catalina/filters/TestCorsFilter.java
b/test/org/apache/catalina/filters/TestCorsFilter.java
index e1c6233fbe..f05af1beaf 100644
--- a/test/org/apache/catalina/filters/TestCorsFilter.java
+++ b/test/org/apache/catalina/filters/TestCorsFilter.java
@@ -703,7 +703,7 @@ public class TestCorsFilter {
* @throws ServletException
*/
@Test
- public void testCheckSimpleRequestType() throws ServletException {
+ public void testCheckSimpleRequestTypeGet() throws ServletException {
TesterHttpServletRequest request = new TesterHttpServletRequest();
request.setHeader(CorsFilter.REQUEST_HEADER_ORIGIN,
TesterFilterConfigs.HTTP_TOMCAT_APACHE_ORG);
request.setMethod("GET");
@@ -713,6 +713,22 @@ public class TestCorsFilter {
Assert.assertEquals(CorsFilter.CORSRequestType.SIMPLE, requestType);
}
+ /*
+ * Happy path test, when a valid CORS Simple request arrives.
+ *
+ * @throws ServletException
+ */
+ @Test
+ public void testCheckSimpleRequestTypePost() throws ServletException {
+ TesterHttpServletRequest request = new TesterHttpServletRequest();
+ request.setHeader(CorsFilter.REQUEST_HEADER_ORIGIN,
TesterFilterConfigs.HTTP_TOMCAT_APACHE_ORG);
+ request.setMethod("POST");
+ CorsFilter corsFilter = new CorsFilter();
+ corsFilter.init(TesterFilterConfigs.getDefaultFilterConfig());
+ CorsFilter.CORSRequestType requestType =
corsFilter.checkRequestType(request);
+ Assert.assertEquals(CorsFilter.CORSRequestType.SIMPLE, requestType);
+ }
+
/*
* Happy path test, when a valid CORS Simple request arrives.
*
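Review bot: `testCheckSimpleRequestTypePost` never sets or asserts the Content-Type, so it covers the fixed case only if `TesterHttpServletRequest` returns null from `getContentType()` by default, which is not visible here. Adding `Assert.assertNull(request.getContentType());` before the `checkRequestType` call would make that precondition explicit. The comment is copied from the GET test and does not say what this test covers; I would reword it to `Happy path test, when a CORS POST request without a Content-Type header arrives (BZ 69214).` If no existing test already does so, a companion case should assert that a POST with a non-simple Content-Type is still not classified as SIMPLE, to guard the `else` branch against regression.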
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 9511034e32..ea44079cc0 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -115,6 +115,12 @@
the Servlet API (removing the need for the cast) in Servlet 6.2
onwards.
(markt)
</add>
+ <fix>
+ <bug>69214</bug>: Do not reject a CORS request that uses POST but does
+ not include a <code>content-type</code> header. Tomcat now correctly
+ processes this as a simple CORS request. Based on a patch suggested by
+ thebluemountain. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Other">