remm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new 86b5218b9c Minor WebDAV fixes
86b5218b9c is described below
commit 86b5218b9c72409ce09b214fd2708d66e3a3d5b3
Author: remm <[email protected]>
AuthorDate: Mon Oct 28 22:37:10 2024 +0100
Minor WebDAV fixes
Reject with 400 any Depth header with invalid values (as was done in
copyResource, which I had forgotten about), submitted by Chen Jp.
Reject bad propfind requests with 400.
Accept chunked body for propfind.
---
.../apache/catalina/servlets/WebdavServlet.java | 34 ++++++++++++++++++++--
1 file changed, 31 insertions(+), 3 deletions(-)
diff --git a/java/org/apache/catalina/servlets/WebdavServlet.java
b/java/org/apache/catalina/servlets/WebdavServlet.java
index 2497d4e79d..c775b2aa7a 100644
--- a/java/org/apache/catalina/servlets/WebdavServlet.java
+++ b/java/org/apache/catalina/servlets/WebdavServlet.java
@@ -816,7 +816,7 @@ public class WebdavServlet extends DefaultServlet
implements PeriodicEventListen
// Propfind depth
int depth = maxDepth;
// Propfind type
- int type = FIND_ALL_PROP;
+ int type = -1;
String depthStr = req.getHeader("Depth");
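Review bot: The new initial value `-1` is an unnamed sentinel, and the later checks read it two different ways: `type >= 0` in the prop/propname/allprop guards and `type == -1` after parsing. The `>= 0` form is only correct if every `FIND_*` constant is non-negative, which this hunk does not show. A named constant beside the other `FIND_*` values, for example `private static final int FIND_UNSET = -1;` (the name is only a suggestion), compared with `==`/`!=` everywhere, would make the intent explicit. The enclosing method starts and ends outside the hunk.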
@@ -829,10 +829,13 @@ public class WebdavServlet extends DefaultServlet
implements PeriodicEventListen
depth = 1;
} else if (depthStr.equals("infinity")) {
depth = maxDepth;
+ } else {
+ resp.sendError(WebdavStatus.SC_BAD_REQUEST);
+ return;
}
}
- if (req.getContentLengthLong() > 0) {
+ if (req.getContentLengthLong() > 0 ||
"chunked".equalsIgnoreCase(req.getHeader("Transfer-Encoding"))) {
DocumentBuilder documentBuilder = getDocumentBuilder();
try {
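Review bot: The body-presence test on the `Transfer-Encoding` line accepts only an exact `chunked` header value as the alternative to a positive Content-Length, so a body that arrives with neither signal is skipped and the request falls through to the allprop default, the broadest answer this method gives. Whether that can happen (for instance a body whose length is not announced and which has no Transfer-Encoding header) depends on connector behaviour not visible here. In the other direction, a chunked request with a zero-length body now enters the parser and is presumably answered with 400 instead of being treated as an empty body. At minimum I would add a comment such as `// Body present: known length or HTTP/1.1 chunked; anything else is handled as "no body" (allprop)`; deciding from the input stream itself would be the more robust check. The method continues outside the hunk.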
@@ -854,6 +857,11 @@ public class WebdavServlet extends DefaultServlet
implements PeriodicEventListen
case Node.ELEMENT_NODE:
String nodeName = getDAVNode(currentNode);
if ("prop".equals(nodeName)) {
+ if (type >= 0) {
+ // Another was already defined
+
resp.sendError(WebdavStatus.SC_BAD_REQUEST);
+ return;
+ }
type = FIND_BY_PROPERTY;
NodeList propChildList =
currentNode.getChildNodes();
for (int j = 0; j < propChildList.getLength();
j++) {
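Review bot: The `if (type >= 0)` guard with its 400 response is pasted three times, once here under `prop` and again under `propname` and `allprop` in the next hunk, so any later change to the rejection has to be made in three places. Because the three names are mutually exclusive, one check ahead of them would do: `boolean selector = "prop".equals(nodeName) || "propname".equals(nodeName) || "allprop".equals(nodeName);` followed by a single `if (selector && type >= 0)` rejection. The comment `// Another was already defined` could also say what "another" refers to, e.g. `// Only one of prop, propname or allprop is allowed`. The surrounding switch and loop start outside the hunk.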
@@ -868,9 +876,19 @@ public class WebdavServlet extends DefaultServlet
implements PeriodicEventListen
}
}
if ("propname".equals(nodeName)) {
+ if (type >= 0) {
+ // Another was already defined
+
resp.sendError(WebdavStatus.SC_BAD_REQUEST);
+ return;
+ }
type = FIND_PROPERTY_NAMES;
}
if ("allprop".equals(nodeName)) {
+ if (type >= 0) {
+ // Another was already defined
+
resp.sendError(WebdavStatus.SC_BAD_REQUEST);
+ return;
+ }
type = FIND_ALL_PROP;
}
break;
@@ -881,6 +899,13 @@ public class WebdavServlet extends DefaultServlet
implements PeriodicEventListen
resp.sendError(WebdavStatus.SC_BAD_REQUEST);
return;
}
+ if (type == -1) {
+ // Nothing meaningful in the propfind element
+ resp.sendError(WebdavStatus.SC_BAD_REQUEST);
+ return;
+ }
+ } else {
+ type = FIND_ALL_PROP;
}
WebResource resource = resources.getResource(path);
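Review bot: The new `else { type = FIND_ALL_PROP; }` branch carries no comment, although it is the only place that shows why `type` may still be unset at this point. I would add `// No request body: RFC 4918 section 9.1 treats an empty PROPFIND body as allprop` above the assignment. The comment `// Nothing meaningful in the propfind element` could likewise name the three accepted children (prop, propname, allprop), so the 400 is understandable without reading the loop. The enclosing method starts outside the hunk.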
@@ -1322,8 +1347,11 @@ public class WebdavServlet extends DefaultServlet
implements PeriodicEventListen
} else {
if (depthStr.equals("0")) {
lock.depth = 0;
- } else {
+ } else if (depthStr.equals("infinity")) {
lock.depth = maxDepth;
+ } else {
+ resp.sendError(WebdavStatus.SC_BAD_REQUEST);
+ return;
}
}
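Review bot: The comparison `depthStr.equals("infinity")` is case-sensitive, and with the new `else` a value such as `Infinity` now gets a 400 where it previously fell through to `maxDepth`. As far as I read RFC 4918, the Depth values are ABNF literals, which match case-insensitively, so `} else if (depthStr.equalsIgnoreCase("infinity")) {` would keep such clients working while still rejecting genuinely invalid values. The same applies to the PROPFIND Depth chain in the hunk at -829. A one-line comment that LOCK deliberately does not accept `1` would also help the next reader. The enclosing method extends beyond the hunk.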