Re: (tomcat) branch main updated: BZ 69360: Inconsistent DELETE behavior between DefaultServlet and WebdavServlet

Wed, 02 Oct 2024 04:02:19 -0700 

On 2024/10/02 10:41:38 Mark Thomas wrote:
> On 02/10/2024 11:30, Michael Osipov wrote:
> > On 2024/10/02 10:21:07 Mark Thomas wrote:
> >> -1 veto
> >>
> >> This change is not compliant with RFC 9110.
> >>
> >> If Tomcat sends METHOD_NOT_ALLOWED it MUST also send an Allow header.
> >>
> 
> <snip/>
> 
> >>> diff --git a/java/org/apache/catalina/servlets/WebdavServlet.java 
> >>> b/java/org/apache/catalina/servlets/WebdavServlet.java
> >>> index d32868a9b3..c2cf8f3d78 100644
> >>> --- a/java/org/apache/catalina/servlets/WebdavServlet.java
> >>> +++ b/java/org/apache/catalina/servlets/WebdavServlet.java
> >>> @@ -1696,7 +1696,7 @@ public class WebdavServlet extends DefaultServlet 
> >>> implements PeriodicEventListen
> >>>    
> >>>            if (!resource.isDirectory()) {
> >>>                if (!resource.delete()) {
> >>> -                resp.sendError(WebdavStatus.SC_INTERNAL_SERVER_ERROR);
> >>> +                resp.sendError(WebdavStatus.SC_METHOD_NOT_ALLOWED);
> >>
> >> May be able to utilise sendNotAllowed() for this one. Thinking about it
> >> probably not as WebDAV has additional methods that need to be taken
> >> account of. It will need a dedicated method for WebDAV.
> > 
> > I agree, infact I have written this in the BZ issue: 
> > https://bz.apache.org/bugzilla/show_bug.cgi?id=69360#c2
> > For a single resource (not collection) I will use the method mentioned. 
> > Agreed?
> 
> If you mean write a WebDAV specific sendNotAllowed() method and use it 
> here then yes, that would be acceptable.

I believe we have that already with an override: 
WebdavServlet#determineMethodsAllowed(HttpServletRequest) then the super 
sendNotAllowed() will use this. With a proper patch I get that now:
> $ curl --negotiate -u : -X DELETE 
> 'https://example.com/backend-dev/dav/log/sadfs'  --verbose
> ...* Request completely sent off
> < HTTP/1.1 405
> < Date: Wed, 02 Oct 2024 10:59:10 GMT
> < Server: Apache
> < X-Frame-Options: SAMEORIGIN
> < Correlation-Id: Zv0nfp0p3XwFWtOGfc5vXAAAARQ
> < Cache-Control: private
> < WWW-Authenticate: Negotiate oY...
> < Allow: OPTIONS, GET, POST, HEAD, DELETE, PUT, LOCK, UNLOCK, PROPPATCH, 
> COPY, MOVE, PROPFIND
> < Content-Type: text/html;charset=utf-8
> < Content-Language: en
> < Content-Length: 656

Patch:
> -                resp.sendError(WebdavStatus.SC_METHOD_NOT_ALLOWED);
> +                sendNotAllowed(req, resp);

OK for you?

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Reply via email to