This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
     new 003e443185 Change the default for allowPostAsGet to false
003e443185 is described below

commit 003e443185c2b82748acb5ec48b8a908ff23d261
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Thu Mar 20 16:58:18 2025 +0000

    Change the default for allowPostAsGet to false
---
 java/org/apache/catalina/servlets/DefaultServlet.java              | 5 ++++-
 test/org/apache/catalina/servlets/ServletOptionsBaseTest.java      | 1 +
 .../catalina/servlets/TestDefaultServletRfc9110Section13.java      | 1 +
 webapps/docs/changelog.xml                                         | 7 +++++++
 webapps/docs/default-servlet.xml                                   | 3 +--
 5 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/java/org/apache/catalina/servlets/DefaultServlet.java 
b/java/org/apache/catalina/servlets/DefaultServlet.java
index 1c9596478d..64954a6cf8 100644
--- a/java/org/apache/catalina/servlets/DefaultServlet.java
+++ b/java/org/apache/catalina/servlets/DefaultServlet.java
@@ -267,7 +267,7 @@ public class DefaultServlet extends HttpServlet {
      * processed as GET requests. If not allowed, direct requests using the 
POST method will be rejected with a 405
      * (method not allowed).
      */
-    private boolean allowPostAsGet = true;
+    private boolean allowPostAsGet = false;
 
 
     // --------------------------------------------------------- Public Methods
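Review bot: The field Javadoc whose tail is visible above the changed line still states neither the default nor that the value comes from the `allowPostAsGet` initialisation parameter, so a reader has to locate init() to learn either; suggest appending `* Defaults to {@code false}; set via the {@code allowPostAsGet} initialisation parameter.` before the closing `*/`. The Javadoc itself opens above the hunk, so only its last lines can be checked here.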
@@ -404,6 +404,9 @@ public class DefaultServlet extends HttpServlet {
             useStrongETags = 
Boolean.parseBoolean(getServletConfig().getInitParameter("useStrongETags"));
         }
 
+        if (getServletConfig().getInitParameter("allowPostAsGet") != null) {
+            allowPostAsGet = 
Boolean.parseBoolean(getServletConfig().getInitParameter("allowPostAsGet"));
+        }
     }
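Review bot: The added block looks up the `allowPostAsGet` init parameter twice, once for the null check and once for parsing; a single local avoids the repeated lookup: `String allowPostAsGetParam = getServletConfig().getInitParameter("allowPostAsGet");` then `if (allowPostAsGetParam != null) { allowPostAsGet = Boolean.parseBoolean(allowPostAsGetParam); }`. It does mirror the existing `useStrongETags` block directly above, so if the repetition is deliberate for consistency it can stand. Worth noting that `Boolean.parseBoolean` returns false for anything other than a case-insensitive "true", so a mistyped value keeps the new rejecting default rather than quietly re-enabling POST-as-GET, which is the safe direction. init() begins before the hunk.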
 
     private CompressionFormat[] parseCompressionFormats(String precompressed, 
String gzip) {
diff --git a/test/org/apache/catalina/servlets/ServletOptionsBaseTest.java 
b/test/org/apache/catalina/servlets/ServletOptionsBaseTest.java
index d23bbb80ef..cbb5aba540 100644
--- a/test/org/apache/catalina/servlets/ServletOptionsBaseTest.java
+++ b/test/org/apache/catalina/servlets/ServletOptionsBaseTest.java
@@ -84,6 +84,7 @@ public abstract class ServletOptionsBaseTest extends 
TomcatBaseTest {
         Wrapper w = Tomcat.addServlet(ctx, "servlet", createServlet());
         w.addInitParameter("listings", Boolean.toString(listings));
         w.addInitParameter("readonly", Boolean.toString(readonly));
+        w.addInitParameter("allowPostAsGet", "true");
 
         ctx.addServletMappingDecoded("/*", "servlet");
 
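Review bot: Both test changes, here and in TestDefaultServletRfc9110Section13, only opt back into the previous behaviour by setting `allowPostAsGet` to true, so nothing in this commit exercises the new default of rejecting a direct POST for a static resource. A test that leaves the parameter unset and asserts the 405 described in the DefaultServlet field Javadoc would pin the behaviour change and catch a regression of the default. The enclosing setup method starts before the hunk.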
diff --git 
a/test/org/apache/catalina/servlets/TestDefaultServletRfc9110Section13.java 
b/test/org/apache/catalina/servlets/TestDefaultServletRfc9110Section13.java
index c4a13c547d..8a49cb6049 100644
--- a/test/org/apache/catalina/servlets/TestDefaultServletRfc9110Section13.java
+++ b/test/org/apache/catalina/servlets/TestDefaultServletRfc9110Section13.java
@@ -577,6 +577,7 @@ public class TestDefaultServletRfc9110Section13 extends 
TomcatBaseTest {
         Wrapper w = Tomcat.addServlet(ctxt, "default", 
DefaultServlet.class.getName());
         w.addInitParameter("readonly", "false");
         w.addInitParameter("allowPartialPut", "true");
+        w.addInitParameter("allowPostAsGet", "true");
         w.addInitParameter("useStrongETags", Boolean.toString(useStrongETags));
         ctxt.addServletMappingDecoded("/", "default");
 
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index bae456ffd4..37fa07bd45 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -149,6 +149,13 @@
         always return <code>null</code> if the provided name starts with
         <code>/</code>. (markt)
       </fix>
+      <update>
+        Update the default value for the <code>allowPostAsGet</code>
+        initialisation parameter of the Default servlet from <code>true</code>
+        to <code>false</code>. This means a direct request (i.e. not a forward
+        or an include) for a static resource using the POST method will be
+        rejected by default. (markt)
+      </update>
       <!-- Entries for backport and removal before 12.0.0-M1 below this line 
-->
       <fix>
         Return 400 if the amount of content sent for a partial PUT is
diff --git a/webapps/docs/default-servlet.xml b/webapps/docs/default-servlet.xml
index 85fcddd5af..3ad270060a 100644
--- a/webapps/docs/default-servlet.xml
+++ b/webapps/docs/default-servlet.xml
@@ -215,8 +215,7 @@ Tomcat.</p>
         Controls whether a direct request (i.e. not a forward or an include) 
for
         a static resource using the POST method will be processed as if the GET
         method had been used. If not allowed, the request will be rejected. The
-        default behaviour of processing the request as if the GET method had
-        been used is unchanged. [true]
+        default behaviour is to reject such requests. [false]
   </property>
 </properties>
 </section>

