This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push: new b16689f0ed Add allowPostAsGet to default Servlet b16689f0ed is described below commit b16689f0edc0af8fa78406a5ff85442eef4bfaac Author: Mark Thomas <ma...@apache.org> AuthorDate: Thu Mar 20 15:54:53 2025 +0000 Add allowPostAsGet to default Servlet Default behaviour is unchanged but users can now disabled the behaviour where direct requests for static resources using POST are handled as if GET had been used.
---
 .../apache/catalina/servlets/DefaultServlet.java | 40 ++++++++++++++++++++--
 webapps/docs/changelog.xml | 9 +++++
 webapps/docs/default-servlet.xml | 7 ++++
 3 files changed, 54 insertions(+), 2 deletions(-)
diff --git a/java/org/apache/catalina/servlets/DefaultServlet.java b/java/org/apache/catalina/servlets/DefaultServlet.java
index 26f843df53..1c9596478d 100644
--- a/java/org/apache/catalina/servlets/DefaultServlet.java
+++ b/java/org/apache/catalina/servlets/DefaultServlet.java
@@ -262,6 +262,13 @@ public class DefaultServlet extends HttpServlet {
 */
 private boolean useStrongETags = false;
+ /**
+ * Will direct ({@link DispatcherType#REQUEST} or {@link DispatcherType#ASYNC}) requests using the POST method be
+ processed as GET requests. If not allowed, direct requests using the POST method will be rejected with a 405
+ (method not allowed).
+ */
+ private boolean allowPostAsGet = true;
+
 // --------------------------------------------------------- Public Methods
@@ -551,7 +558,11 @@ public class DefaultServlet extends HttpServlet {
 StringBuilder allow = new StringBuilder();
 // Start with methods that are always allowed
- allow.append("OPTIONS, GET, HEAD, POST");
+ allow.append("OPTIONS, GET, HEAD");
+
+ if (allowPostAsGet) {
+ allow.append(", POST");
+ }
 // PUT and DELETE depend on readonly
 if (!isReadOnly()) {
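Review bot: Nothing in this commit reads an `allowPostAsGet` initialisation parameter: the new field is private with no setter, and the three hunks shown account for all 40 lines in this file's diffstat, none of them touching `init()`. Unless `init()` populates fields generically (it is outside the hunk, so this cannot be confirmed here), the parameter documented in changelog.xml and default-servlet.xml can never switch the field to false and direct POSTs keep being served as GET. If the surrounding parameters are each parsed explicitly, the matching line would be `if (getServletConfig().getInitParameter("allowPostAsGet") != null) { allowPostAsGet = Boolean.parseBoolean(getServletConfig().getInitParameter("allowPostAsGet")); }`. The field Javadoc's `{@link DispatcherType#REQUEST}` also only resolves if DispatcherType is in scope; the enum switch labels in doPost do not need the import, so check it is present.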
@@ -576,7 +587,32 @@ public class DefaultServlet extends HttpServlet {
 @Override
 protected void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
- doGet(request, response);
+ if (allowPostAsGet) {
+ doGet(request, response);
+ } else {
+ // Use a switch without a default to ensure all possibilities are explicitly handled
+ switch (request.getDispatcherType()) {
+ case ASYNC:
+ case REQUEST: {
+ // Direct POST requests may not be processed as GET
+ sendNotAllowed(request, response);
+ break;
+ }
+ case ERROR:
+ case FORWARD:
+ case INCLUDE: {
+ /*
+ * Forward and Include are processed as GET as it is possible that a POST to a servlet may use a
+ forward or an include as part of generating the response.
+ *
+ Error should have already been converted to GET but convert here anyway as that is better than
+ failing the request.
+ */
+ doGet(request, response);
+ break;
+ }
+ }
+ }
 }
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index ae44c2dcec..bae456ffd4 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -175,6 +175,15 @@ and/or using reflection to dynamically add external repositories to the web application class loader. (markt) </fix>
+ <add>
+ Add a new initialisation parameter to the Default servlet -
+ <code>allowPostAsGet</code> - which controls whether a direct request
+ (i.e. not a forward or an include) for a static resource using the POST
+ method will be processed as if the GET method had been used. If not
+ allowed, the request will be rejected. The default behaviour of
+ processing the request as if the GET method had been used is unchanged.
+ (markt)
+ </add>
 </changelog> </subsection> <subsection name="Coyote">
diff --git a/webapps/docs/default-servlet.xml b/webapps/docs/default-servlet.xml
index dcdd743ef0..85fcddd5af 100644
--- a/webapps/docs/default-servlet.xml
+++ b/webapps/docs/default-servlet.xml
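Review bot: The comment `// Use a switch without a default to ensure all possibilities are explicitly handled` promises more than javac delivers: a statement switch over an enum is not exhaustiveness-checked, so a DispatcherType value added later would fall straight out of the switch and the request would most likely complete with nothing written and nothing rejected. That guarantee only holds if the build runs a lint such as Error Prone's MissingCasesInEnumSwitch, which this diff cannot show; otherwise a fail-closed `default: sendNotAllowed(request, response); break;` keeps the policy intact, at the cost of that compile-time signal, and the comment should say which of the two is relied on. If the default is added, the comment should be reworded so it no longer claims the absence of a default is deliberate. doPost ends inside the hunk; the enclosing class continues outside it.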
@@ -211,6 +211,13 @@ Tomcat.</p> When a directory redirect (trailing slash missing) is made, use this as the the HTTP response code. [302] </property>
+ <property name="allowPostAsGet">
+ Controls whether a direct request (i.e. not a forward or an include) for
+ a static resource using the POST method will be processed as if the GET
+ method had been used. If not allowed, the request will be rejected. The
+ default behaviour of processing the request as if the GET method had
+ been used is unchanged. [true]
+ </property>
 </properties> </section>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org