Mark,
On 3/17/25 8:49 AM, Mark Thomas wrote:
On 12/03/2025 13:18, Rémy Maucherat wrote:
On Wed, Mar 12, 2025 at 1:23 PM Mark Thomas <ma...@apache.org> wrote:
All,
I have been working through some specification compliance questions
raised by some research into HTTP conformance [1].
That paper's focus is security but I don't see any security concerns for
Tomcat. I do see a number of false positive results and I have raised
issues for those.
One of the results relates to how Tomcat responds to a POST request. I
am assuming it is the default servlet that responds as I don't see any
Servlet or JSP code in the test.
Looking at this got me thinking. Why is the default Servlet responding
to a POST request as if it is a GET request? I can see a case for doing
this for include/forwards but not for direct requests.
Because whatever back then seemed better that way if I did it that way.
Allowing the current behavior for request dispatcher use would be
good, yes, otherwise breakage seems quite likely (when doing that, you
may not care about whatever the original HTTP method was unless it
didn't work).
Should we be returning 405 for direct requests using POST?
It seems possible.
I'll add this to my TODO list (or open a BZ issue if I need to spend
time elsewhere).
What are the thoughts on:
- versions this change should apply to?
I wouldn't go back as far as Tomcat 9.0.x, at least not by default. I
would guess that not many users are using Tomcat 10.1.x yet, and those
who do use it are more likely to be agile enough to make any changes
required due to this change.
- whether it is configurable?
If you make it configurable, then the only difference between 9 vs 10+
(in my proposal) would be the default value.
- if configurable, what the default should be?
See above.
-chris
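As an added illustration of the behaviour discussed in this thread (this is example code, not Tomcat's DefaultServlet or any patch proposed by the participants): a static-resource servlet that answers a direct POST with 405 and a proper Allow header, but keeps the legacy "treat POST as GET" behaviour when the request arrives through RequestDispatcher.forward() or include(). The servlet class name, the static-resource body and the `allowDirectPost` init-param name are assumptions chosen for the example; the Jakarta Servlet API calls (`getDispatcherType()`, `sendError()`) are the standard ones available in Tomcat 10.1.x.

```java
import java.io.IOException;

import jakarta.servlet.DispatcherType;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

/**
 * Illustrative static-resource servlet (NOT Tomcat's DefaultServlet).
 *
 * - A POST that reaches the servlet directly from the client is rejected
 *   with 405 Method Not Allowed.
 * - A POST that reaches it via RequestDispatcher.forward()/include() is
 *   handled as a GET, preserving the behaviour existing dispatcher-based
 *   applications rely on.
 * - The "allowDirectPost" init-param (a name assumed for this example) is
 *   the configurable switch discussed in the thread; its default is false.
 */
public class StrictMethodServlet extends HttpServlet {

    private boolean allowDirectPost = false;

    @Override
    public void init() {
        String value = getInitParameter("allowDirectPost");
        allowDirectPost = value != null && Boolean.parseBoolean(value);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // Stand-in for real static-resource serving; constructed for the example.
        resp.setContentType("text/plain");
        resp.getWriter().println("resource for " + req.getRequestURI());
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        DispatcherType type = req.getDispatcherType();
        boolean viaDispatcher = type == DispatcherType.FORWARD
                || type == DispatcherType.INCLUDE;

        if (viaDispatcher || allowDirectPost) {
            // Legacy behaviour: a POST is served exactly like a GET.
            doGet(req, resp);
            return;
        }

        // RFC 9110 requires a 405 response to carry an Allow header listing
        // the methods the resource does support.
        resp.setHeader("Allow", "GET, HEAD, OPTIONS");
        resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
    }
}
```

With the servlet mapped to a static path, a direct `curl -i -X POST` against that path returns `405` with `Allow: GET, HEAD, OPTIONS`, while a JSP or servlet that forwards the same POST to it still receives the resource body. Checking `getDispatcherType()` rather than inspecting the URI is what keeps the two cases apart without any per-application configuration.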
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org