On 12/03/2025 13:18, Rémy Maucherat wrote:
> On Wed, Mar 12, 2025 at 1:23 PM Mark Thomas <ma...@apache.org> wrote:
>> All,
>>
>> I have been working through some specification compliance questions
>> raised by some research into HTTP conformance [1].
>>
>> That paper's focus is security but I don't see any security concerns for
>> Tomcat. I do see a number of false positive results and I have raised
>> issues for those.
>>
>> One of the results relates to how Tomcat responds to a POST request. I
>> am assuming it is the default servlet that responds as I don't see any
>> Servlet or JSP code in the test.
>>
>> Looking at this got me thinking. Why is the default Servlet responding
>> to a POST request as if it is a GET request? I can see a case for doing
>> this for include/forwards but not for direct requests.
>
> Because whatever back then seemed better that way if I did it that way.
> Allowing the current behavior for request dispatcher use would be
> good, yes, otherwise breakage seems quite likely (when doing that, you
> may not care about whatever the original HTTP method was unless it
> didn't work).
>
>> Should we be returning 405 for direct requests using POST?
>
> It seems possible.

I'll add this to my TODO list (or open a BZ issue if I need to spend
time elsewhere).

>> What are the thoughts on:
>> - versions this change should apply to?
>> - whether it is configurable?
>> - if configurable, what the default should be?
Mark
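The behaviour discussed in the thread, as an added illustration that is not Tomcat's DefaultServlet code and not anything from the thread participants: a static-resource servlet that keeps the "treat POST as GET" behaviour only when it is reached through a RequestDispatcher forward or include, and returns 405 (with the Allow header that HTTP requires on a 405) for a direct POST. The init-param name `rejectDirectPost` and the servlet class are assumptions made for the example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;

import jakarta.servlet.DispatcherType;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

/**
 * Example static-resource servlet (not Tomcat's DefaultServlet).
 * Direct POST requests get 405 unless the hypothetical init-param
 * "rejectDirectPost" is set to false; forwards and includes keep
 * the legacy "POST behaves like GET" behaviour so existing
 * RequestDispatcher users are not broken.
 */
public class StaticResourceServlet extends HttpServlet {

    private static final String ALLOWED_METHODS = "GET, HEAD, OPTIONS";

    // Assumed default: reject direct POST (the stricter choice).
    private boolean rejectDirectPost = true;

    @Override
    public void init() throws ServletException {
        String value = getInitParameter("rejectDirectPost"); // hypothetical init-param
        if (value != null) {
            rejectDirectPost = Boolean.parseBoolean(value);
        }
    }

    /** Returns true when the request arrived directly from the client. */
    static boolean isDirectRequest(HttpServletRequest req) {
        // FORWARD and INCLUDE come from a RequestDispatcher inside the
        // container; REQUEST is the client's own call.
        return req.getDispatcherType() == DispatcherType.REQUEST;
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (rejectDirectPost && isDirectRequest(req)) {
            // RFC 9110 requires Allow on a 405 so the client learns
            // which methods the resource does accept.
            resp.setHeader("Allow", ALLOWED_METHODS);
            resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return;
        }
        // Dispatcher use (or the lenient configuration): legacy behaviour.
        doGet(req, resp);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // For an include, the target path is carried in request attributes;
        // for a direct request or forward it is the servlet path.
        String path = (String) req.getAttribute("jakarta.servlet.include.servlet_path");
        if (path == null) {
            path = req.getServletPath();
        }
        String pathInfo = req.getPathInfo();
        if (pathInfo != null) {
            path = path + pathInfo;
        }

        try (InputStream in = getServletContext().getResourceAsStream(path)) {
            if (in == null) {
                resp.sendError(HttpServletResponse.SC_NOT_FOUND);
                return;
            }
            String mime = getServletContext().getMimeType(path);
            resp.setContentType(mime != null ? mime : "application/octet-stream");
            try (OutputStream out = resp.getOutputStream()) {
                in.transferTo(out);
            }
        }
    }

    @Override
    protected void doOptions(HttpServletRequest req, HttpServletResponse resp) {
        resp.setHeader("Allow", ALLOWED_METHODS);
        resp.setStatus(HttpServletResponse.SC_OK);
    }
}
```

The `DispatcherType` check is the piece that addresses the breakage concern raised above: code that does `request.getRequestDispatcher("/static/page.html").forward(request, response)` from a POST handler still receives the resource, while a client POSTing straight at the static path gets a 405 and an Allow header instead of a silently GET-like response.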
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org