This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new 8fa5551b45 Be more explicit about the need for CORS protection for WebDAV
8fa5551b45 is described below
commit 8fa5551b45006d73a8085b1ae46a3bd9beccf7a9
Author: Mark Thomas <[email protected]>
AuthorDate: Tue Sep 16 16:13:22 2025 +0100
Be more explicit about the need for CORS protection for WebDAV
---
java/org/apache/catalina/servlets/WebdavServlet.java | 3 +++
webapps/docs/security-howto.xml | 9 ++++++++-
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/java/org/apache/catalina/servlets/WebdavServlet.java
b/java/org/apache/catalina/servlets/WebdavServlet.java
index 09d8fa6b68..b48e7b0918 100644
--- a/java/org/apache/catalina/servlets/WebdavServlet.java
+++ b/java/org/apache/catalina/servlets/WebdavServlet.java
@@ -100,6 +100,9 @@ import org.xml.sax.SAXException;
* functionality. In particular, administrators should be aware that security
constraints apply only to the request URL.
* Security constraints do not apply to any destination URL associated with
the WebDAV operation (such as COPY or MOVE).
* <p>
+ * If WebDAV functionality is included in a web application where legitimate
users may access it via a browser, it is
+ * recommended that the application include CORS protection.
+ * <p>
* To enable WebDAV for a context add the following to web.xml:
*
* <pre>
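Review bot: the added Javadoc sentence ("it is recommended that the application include CORS protection") names neither the mechanism nor the threat, so a reader of the class comment has to guess what to configure. Since this is the servlet's own documentation, consider pointing at the shipped filter, e.g. `{@link org.apache.catalina.filters.CorsFilter}`, and stating in one clause why it matters: WebDAV methods such as COPY and MOVE that the preceding lines say bypass destination-URL security constraints can be issued cross-origin by a browser that already holds a legitimate user's session, and a CORS policy that rejects unknown origins is what stops that. Also consider whether the wording should mirror the security-howto change in this same commit, which recommends CSRF protection alongside CORS, so the two documents do not drift apart.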
diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml
index f4eb889c96..990cf2ae46 100644
--- a/webapps/docs/security-howto.xml
+++ b/webapps/docs/security-howto.xml
@@ -189,6 +189,11 @@
limited in scope (e.g. via security constraints) such that users with
access
to the functionality are unable to imapct the security of either the web
application or the Tomcat instance on which it is running.</p>
+
+ <p>Consider using the
+ <a href="config/filter.html#CORS_Filter">CORS filter</a> and/or the
+ <a href="config/filter.html#CSRF_Prevention_Filter">CSRF prevention
+ filter</a> with deployed web applications.</p>
</section>
<section name="Security manager">
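Review bot: "CORS filter and/or the CSRF prevention filter" reads as though the two are interchangeable, but they address different cases (the CORS filter restricts which origins a browser may use for cross-origin requests; the CSRF prevention filter protects state-changing requests that arrive from the expected origin), so "and/or" should become "and", or the paragraph should say in one sentence which filter applies to which situation. This paragraph is also in the general web-application section rather than the WebDAV section; a short clause tying it to the WebDAV guidance at line 577 would help readers see why it is being added here. While touching this region, the context line above contains the pre-existing typo "imapct" (should be "impact"), which could be fixed in the same commit.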
@@ -572,7 +577,9 @@
<p>The WebDAV servlet enables edit functionality for web application
content. If the WebDAV servlet is enabled, the WebDAV functionality should
- be appropriately secured.</p>
+ be appropriately secured. This should include CORS protection if it is
+ expected that any legitimate users will access the web application via a
+ browser.</p>
<p>When configuring security constraints, care should be taken if the URL
pattern for one or more constraints covers any segment of the URL that
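Review bot: the new condition "if it is expected that any legitimate users will access the web application via a browser" under-states the exposure: the cross-origin risk exists whenever a user who holds credentials for the WebDAV endpoint uses a browser at all, not only when they are expected to drive WebDAV from it, because the browser will attach that user's session to a request made from any page they visit. Suggest rewording to something like "This should include CORS protection whenever users who can authenticate to the WebDAV servlet also use a browser", and linking to the CORS filter documentation as the hunk at line 189 already does, so the WebDAV section is self-contained. For consistency with that hunk, consider mentioning the CSRF prevention filter here too, since the earlier paragraph recommends both.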