This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push:
new e430ce1340 Add allowPostAsGet to default Servlet
e430ce1340 is described below
commit e430ce134055adb9065591c80ce3c8d764ca4f60
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Thu Mar 20 15:54:53 2025 +0000
Add allowPostAsGet to default Servlet
Default behaviour is unchanged but users can now disabled the behaviour where direct requests for static resources using POST are handled as if GET had been used.
---
.../apache/catalina/servlets/DefaultServlet.java | 40 ++++++++++++++++++++--
webapps/docs/changelog.xml | 9 +++++
webapps/docs/default-servlet.xml | 7 ++++
3 files changed, 54 insertions(+), 2 deletions(-)
diff --git a/java/org/apache/catalina/servlets/DefaultServlet.java b/java/org/apache/catalina/servlets/DefaultServlet.java
index de8ff47707..a3fd00fd88 100644
--- a/java/org/apache/catalina/servlets/DefaultServlet.java
+++ b/java/org/apache/catalina/servlets/DefaultServlet.java
@@ -294,6 +294,13 @@ public class DefaultServlet extends HttpServlet {
 */
 private boolean useStrongETags = false;
+ /**
+ * Will direct ({@link DispatcherType#REQUEST} or {@link DispatcherType#ASYNC}) requests using the POST method be
+ * processed as GET requests. If not allowed, direct requests using the POST method will be rejected with a 405
+ * (method not allowed).
+ */
+ private boolean allowPostAsGet = true;
+
 // --------------------------------------------------------- Public Methods
@@ -572,7 +579,11 @@ public class DefaultServlet extends HttpServlet {
 StringBuilder allow = new StringBuilder();
 // Start with methods that are always allowed
- allow.append("OPTIONS, GET, HEAD, POST");
+ allow.append("OPTIONS, GET, HEAD");
+
+ if (allowPostAsGet) {
+ allow.append(", POST");
+ }
 // PUT and DELETE depend on readonly
 if (!isReadOnly()) {
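Review bot: The new `allowPostAsGet` field added at line 294 is never assigned from an init parameter anywhere in this commit — the diffstat's 38 insertions in DefaultServlet.java are fully accounted for by this field (7), the Allow-header change (5) and the doPost rewrite (26) — so the `allowPostAsGet` initialisation parameter documented in default-servlet.xml and the changelog has no effect and the field stays at its default of `true`. Unless a follow-up commit wires it, `init()` needs a read such as `if (getServletConfig().getInitParameter("allowPostAsGet") != null) { allowPostAsGet = Boolean.parseBoolean(getServletConfig().getInitParameter("allowPostAsGet")); }`, presumably next to where the other boolean parameters like `useStrongETags` are read (that code is outside the hunk). As committed, an operator who sets the parameter expecting direct POSTs to static resources to be rejected gets a silent no-op, which a test that sets the parameter and asserts a 405 would catch.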
@@ -597,7 +608,32 @@ public class DefaultServlet extends HttpServlet {
 @Override
 protected void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
- doGet(request, response);
+ if (allowPostAsGet) {
+ doGet(request, response);
+ } else {
+ // Use a switch without a default to ensure all possibilities are explicitly handled
+ switch (request.getDispatcherType()) {
+ case ASYNC:
+ case REQUEST: {
+ // Direct POST requests may not be processed as GET
+ sendNotAllowed(request, response);
+ break;
+ }
+ case ERROR:
+ case FORWARD:
+ case INCLUDE: {
+ /*
+ * Forward and Include are processed as GET as it is possible that a POST to a servlet may use a
+ * forward or an include as part of generating the response.
+ *
+ * Error should have already been converted to GET but convert here anyway as that is better than
+ * failing the request.
+ */
+ doGet(request, response);
+ break;
+ }
+ }
+ }
 }
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 46f6be7768..f58a1e5437 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -132,6 +132,15 @@
 and/or using reflection to dynamically add external repositories to the web application class loader. (markt)
 </fix>
+ <add>
+ Add a new initialisation parameter to the Default servlet -
+ <code>allowPostAsGet</code> - which controls whether a direct request
+ (i.e. not a forward or an include) for a static resource using the POST
+ method will be processed as if the GET method had been used. If not
+ allowed, the request will be rejected. The default behaviour of
+ processing the request as if the GET method had been used is unchanged.
+ (markt)
+ </add>
 </changelog>
 </subsection>
 <subsection name="Coyote">
diff --git a/webapps/docs/default-servlet.xml b/webapps/docs/default-servlet.xml
index b02eb5c1b5..8e8139b65f 100644
--- a/webapps/docs/default-servlet.xml
+++ b/webapps/docs/default-servlet.xml
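Review bot: The comment `// Use a switch without a default to ensure all possibilities are explicitly handled` in the new doPost promises more than javac delivers on this baseline: a switch statement over an enum is not exhaustiveness-checked by the compiler, so if a further `DispatcherType` constant were ever added, doPost would fall out of the switch having written nothing and the request would likely complete with an empty success response rather than being rejected. Either reword the comment to say the guarantee relies on static analysis rather than compilation, or keep the explicit cases and add a fail-closed `default: sendNotAllowed(request, response); break;` so an unanticipated dispatch type is refused instead of silently passed. The remaining logic — FORWARD/INCLUDE/ERROR still served as GET, direct REQUEST/ASYNC POSTs rejected when the flag is off — reads correctly against the five constants `DispatcherType` currently defines.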
@@ -214,6 +214,13 @@ Tomcat.</p>
 with a Content-Range header field is a bad request, RFC 9110 (which obsoletes RFC 7231) now allows partial PUT. [true]
 </property>
+ <property name="allowPostAsGet">
+ Controls whether a direct request (i.e. not a forward or an include) for
+ a static resource using the POST method will be processed as if the GET
+ method had been used. If not allowed, the request will be rejected. The
+ default behaviour of processing the request as if the GET method had
+ been used is unchanged. [true]
+ </property>
 </properties>
 </section>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org