Re: (tomcat) branch main updated: BZ 69360: Inconsistent DELETE behavior between DefaultServlet and WebdavServlet

Wed, 02 Oct 2024 03:41:43 -0700 

On 02/10/2024 11:30, Michael Osipov wrote:

On 2024/10/02 10:21:07 Mark Thomas wrote:

-1 veto

This change is not compliant with RFC 9110.

If Tomcat sends METHOD_NOT_ALLOWED it MUST also send an Allow header.



<snip/>


diff --git a/java/org/apache/catalina/servlets/WebdavServlet.java 
b/java/org/apache/catalina/servlets/WebdavServlet.java
index d32868a9b3..c2cf8f3d78 100644
--- a/java/org/apache/catalina/servlets/WebdavServlet.java
+++ b/java/org/apache/catalina/servlets/WebdavServlet.java
@@ -1696,7 +1696,7 @@ public class WebdavServlet extends DefaultServlet 
implements PeriodicEventListen
if (!resource.isDirectory()) { 
               if (!resource.delete()) {
-                resp.sendError(WebdavStatus.SC_INTERNAL_SERVER_ERROR);
+                resp.sendError(WebdavStatus.SC_METHOD_NOT_ALLOWED);


May be able to utilise sendNotAllowed() for this one. Thinking about it
probably not as WebDAV has additional methods that need to be taken
account of. It will need a dedicated method for WebDAV.


I agree, infact I have written this in the BZ issue: 
https://bz.apache.org/bugzilla/show_bug.cgi?id=69360#c2
For a single resource (not collection) I will use the method mentioned. Agreed?
If you mean write a WebDAV specific sendNotAllowed() method and use it here then yes, that would be acceptable. 


Generally, SC_METHOD_NOT_ALLOWED is probably the right status code as
the most likely failure mode is a lack of permissions. I just wonder if
there are circumstances where we would want to return
SC_INTERNAL_SERVER_ERROR and how we would determine if that were the case.


This I have described here: 
https://bz.apache.org/bugzilla/show_bug.cgi?id=69360#c0
Files#delete(Path) can give us a proper exception to map to 
INTERNAL_SERVER_ERROR.
I'm not sure Files#delete(Path) can give us a proper exception given that a number of the detailed exceptions are optional.
This wasn't a concern with the commit, more a wondering how likely it was that we would want to return SC_INTERNAL_SERVER_ERROR and, if we did, how easy it would be to differentiate the failure modes.
The more I look at it the more I think it is unlikely we'd want to return SC_INTERNAL_SERVER_ERROR that often and when we did, differentiating the failure modes is likely to be tricky. Overall, I don't think it is worth doing at this point. 

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Reply via email to