This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 11.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/11.0.x by this push:
new 4338ab9911 HTTP method names are case sensitive (RFC 9110, 9.1)
4338ab9911 is described below
commit 4338ab99113c8cb95f8babfb2ac8ab596ed542be
Author: Mark Thomas <[email protected]>
AuthorDate: Wed Sep 10 17:04:48 2025 +0100
HTTP method names are case sensitive (RFC 9110, 9.1)
---
java/org/apache/catalina/authenticator/AuthenticatorBase.java | 2 +-
java/org/apache/catalina/authenticator/FormAuthenticator.java | 4 ++--
java/org/apache/catalina/ssi/SSIServletExternalResolver.java | 2 +-
test/org/apache/catalina/startup/TomcatBaseTest.java | 2 +-
webapps/docs/changelog.xml | 4 ++++
5 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/java/org/apache/catalina/authenticator/AuthenticatorBase.java
b/java/org/apache/catalina/authenticator/AuthenticatorBase.java
index 8f99ee8a12..0efd94e587 100644
--- a/java/org/apache/catalina/authenticator/AuthenticatorBase.java
+++ b/java/org/apache/catalina/authenticator/AuthenticatorBase.java
@@ -486,7 +486,7 @@ public abstract class AuthenticatorBase extends ValveBase
implements Authenticat
// Make sure that constrained resources are not cached by web proxies
// or browsers as caching can provide a security hole
- if (constraints != null && disableProxyCaching &&
!"POST".equalsIgnoreCase(request.getMethod())) {
+ if (constraints != null && disableProxyCaching &&
!"POST".equals(request.getMethod())) {
if (securePagesWithPragma) {
// Note: These can cause problems with downloading files with
IE
response.setHeader("Pragma", "No-cache");
diff --git a/java/org/apache/catalina/authenticator/FormAuthenticator.java
b/java/org/apache/catalina/authenticator/FormAuthenticator.java
index 56c5228284..3e5c60ff8d 100644
--- a/java/org/apache/catalina/authenticator/FormAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/FormAuthenticator.java
@@ -585,7 +585,7 @@ public class FormAuthenticator extends AuthenticatorBase {
String method = saved.getMethod();
MimeHeaders rmh = request.getCoyoteRequest().getMimeHeaders();
rmh.recycle();
- boolean cacheable = "GET".equalsIgnoreCase(method) ||
"HEAD".equalsIgnoreCase(method);
+ boolean cacheable = "GET".equals(method) || "HEAD".equals(method);
Iterator<String> names = saved.getHeaderNames();
while (names.hasNext()) {
String name = names.next();
@@ -619,7 +619,7 @@ public class FormAuthenticator extends AuthenticatorBase {
// If no content type specified, use default for POST
String savedContentType = saved.getContentType();
- if (savedContentType == null && "POST".equalsIgnoreCase(method)) {
+ if (savedContentType == null && "POST".equals(method)) {
savedContentType = Globals.CONTENT_TYPE_FORM_URL_ENCODING;
}
diff --git a/java/org/apache/catalina/ssi/SSIServletExternalResolver.java
b/java/org/apache/catalina/ssi/SSIServletExternalResolver.java
index 204cd9ab94..4d2bdbc0b1 100644
--- a/java/org/apache/catalina/ssi/SSIServletExternalResolver.java
+++ b/java/org/apache/catalina/ssi/SSIServletExternalResolver.java
@@ -493,7 +493,7 @@ public class SSIServletExternalResolver implements
SSIExternalResolver {
* Make an assumption that an empty response is a failure. This is
a problem if a truly empty file were
* included, but not sure how else to tell.
*/
- if (retVal.isEmpty() && !req.getMethod().equalsIgnoreCase("HEAD"))
{
+ if (retVal.isEmpty() && !req.getMethod().equals("HEAD")) {
throw new
IOException(sm.getString("ssiServletExternalResolver.noFile", path));
}
return retVal;
diff --git a/test/org/apache/catalina/startup/TomcatBaseTest.java
b/test/org/apache/catalina/startup/TomcatBaseTest.java
index 5183e129a8..81b360e929 100644
--- a/test/org/apache/catalina/startup/TomcatBaseTest.java
+++ b/test/org/apache/catalina/startup/TomcatBaseTest.java
@@ -596,7 +596,7 @@ public abstract class TomcatBaseTest extends
LoggingBaseTest {
}
int bodySize = 0;
- if ("PUT".equalsIgnoreCase(request.getMethod())) {
+ if ("PUT".equals(request.getMethod())) {
InputStream is = request.getInputStream();
int read = 0;
byte[] buffer = new byte[8192];
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index e845af503c..d98c4be3c7 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -113,6 +113,10 @@
in RFC 9110 that hash functions used to generate strong ETags should be
collision resistant. (markt)
</update>
+ <fix>
+ HTTP methods are case-sensitive so always use case sensitive
comparisons
+ when comparing HTTP methods. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Coyote">
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
