This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new 003e443185 Change the default for allowPostAsGet to false
003e443185 is described below
commit 003e443185c2b82748acb5ec48b8a908ff23d261
Author: Mark Thomas <[email protected]>
AuthorDate: Thu Mar 20 16:58:18 2025 +0000
Change the default for allowPostAsGet to false
---
java/org/apache/catalina/servlets/DefaultServlet.java | 5 ++++-
test/org/apache/catalina/servlets/ServletOptionsBaseTest.java | 1 +
.../catalina/servlets/TestDefaultServletRfc9110Section13.java | 1 +
webapps/docs/changelog.xml | 7 +++++++
webapps/docs/default-servlet.xml | 3 +--
5 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/java/org/apache/catalina/servlets/DefaultServlet.java
b/java/org/apache/catalina/servlets/DefaultServlet.java
index 1c9596478d..64954a6cf8 100644
--- a/java/org/apache/catalina/servlets/DefaultServlet.java
+++ b/java/org/apache/catalina/servlets/DefaultServlet.java
@@ -267,7 +267,7 @@ public class DefaultServlet extends HttpServlet {
* processed as GET requests. If not allowed, direct requests using the
POST method will be rejected with a 405
* (method not allowed).
*/
- private boolean allowPostAsGet = true;
+ private boolean allowPostAsGet = false;
// --------------------------------------------------------- Public Methods
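Review bot: The field Javadoc visible at the top of the hunk describes both outcomes (processed as GET, or rejected with 405) but does not say which one is the default, and the initializer on the new side now flips that default to false. Adding a sentence such as `* Defaults to {@code false}.` at the end of that comment keeps the source in step with webapps/docs/default-servlet.xml, which this commit updates to say the same thing. The Javadoc block starts before the hunk, so the exact insertion point is not visible here.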
@@ -404,6 +404,9 @@ public class DefaultServlet extends HttpServlet {
useStrongETags =
Boolean.parseBoolean(getServletConfig().getInitParameter("useStrongETags"));
}
+ if (getServletConfig().getInitParameter("allowPostAsGet") != null) {
+ allowPostAsGet =
Boolean.parseBoolean(getServletConfig().getInitParameter("allowPostAsGet"));
+ }
}
private CompressionFormat[] parseCompressionFormats(String precompressed,
String gzip) {
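Review bot: In the added block, `getServletConfig().getInitParameter("allowPostAsGet")` is evaluated twice, once for the null check and once for the parse; reading it into a local keeps the two reads consistent and is easier to scan: `String allowPostAsGetValue = getServletConfig().getInitParameter("allowPostAsGet");` / `if (allowPostAsGetValue != null) {` / `    allowPostAsGet = Boolean.parseBoolean(allowPostAsGetValue);`. The surrounding parameters (the useStrongETags block just above) follow the same double-read pattern, so this is a point of style rather than a defect. It is worth noting that Boolean.parseBoolean maps any value other than a case-insensitive "true" to false, so a mistyped value in web.xml silently keeps the new restrictive default, which is the safe direction for this parameter. The enclosing init method begins before the hunk.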
diff --git a/test/org/apache/catalina/servlets/ServletOptionsBaseTest.java
b/test/org/apache/catalina/servlets/ServletOptionsBaseTest.java
index d23bbb80ef..cbb5aba540 100644
--- a/test/org/apache/catalina/servlets/ServletOptionsBaseTest.java
+++ b/test/org/apache/catalina/servlets/ServletOptionsBaseTest.java
@@ -84,6 +84,7 @@ public abstract class ServletOptionsBaseTest extends
TomcatBaseTest {
Wrapper w = Tomcat.addServlet(ctx, "servlet", createServlet());
w.addInitParameter("listings", Boolean.toString(listings));
w.addInitParameter("readonly", Boolean.toString(readonly));
+ w.addInitParameter("allowPostAsGet", "true");
ctx.addServletMappingDecoded("/*", "servlet");
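Review bot: Setting `allowPostAsGet` to `"true"` here keeps the existing test expectations valid under the new default, but nothing in this commit appears to exercise the new default path, where a direct POST for a static resource is rejected with 405. A case that omits the parameter (or sets it to `"false"`) and asserts the 405 would pin the hardening this change introduces, unless such coverage already exists elsewhere in the suite. The same observation applies to the init parameter added in TestDefaultServletRfc9110Section13.java. The enclosing setup method starts before the hunk.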
diff --git
a/test/org/apache/catalina/servlets/TestDefaultServletRfc9110Section13.java
b/test/org/apache/catalina/servlets/TestDefaultServletRfc9110Section13.java
index c4a13c547d..8a49cb6049 100644
--- a/test/org/apache/catalina/servlets/TestDefaultServletRfc9110Section13.java
+++ b/test/org/apache/catalina/servlets/TestDefaultServletRfc9110Section13.java
@@ -577,6 +577,7 @@ public class TestDefaultServletRfc9110Section13 extends
TomcatBaseTest {
Wrapper w = Tomcat.addServlet(ctxt, "default",
DefaultServlet.class.getName());
w.addInitParameter("readonly", "false");
w.addInitParameter("allowPartialPut", "true");
+ w.addInitParameter("allowPostAsGet", "true");
w.addInitParameter("useStrongETags", Boolean.toString(useStrongETags));
ctxt.addServletMappingDecoded("/", "default");
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index bae456ffd4..37fa07bd45 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -149,6 +149,13 @@
always return <code>null</code> if the provided name starts with
<code>/</code>. (markt)
</fix>
+ <update>
+ Update the default value for the <code>allowPostAsGet</code>
+ initialisation parameter of the Default servlet from <code>true</code>
+ to <code>false</code>. This means a direct request (i.e. not a forward
+ or an include) for a static resource using the POST method will be
+ rejected by default. (markt)
+ </update>
<!-- Entries for backport and removal before 12.0.0-M1 below this line
-->
<fix>
Return 400 if the amount of content sent for a partial PUT is
diff --git a/webapps/docs/default-servlet.xml b/webapps/docs/default-servlet.xml
index 85fcddd5af..3ad270060a 100644
--- a/webapps/docs/default-servlet.xml
+++ b/webapps/docs/default-servlet.xml
@@ -215,8 +215,7 @@ Tomcat.</p>
Controls whether a direct request (i.e. not a forward or an include)
for
a static resource using the POST method will be processed as if the GET
method had been used. If not allowed, the request will be rejected. The
- default behaviour of processing the request as if the GET method had
- been used is unchanged. [true]
+ default behaviour is to reject such requests. [false]
</property>
</properties>
</section>