This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.1.x by this push:
new 6dcdd3db93 Be more explicit about the need for CORS protection for WebDAV
6dcdd3db93 is described below
commit 6dcdd3db93253c3599045e29b4491c4fe16c3a9e
Author: Mark Thomas <[email protected]>
AuthorDate: Tue Sep 16 16:13:22 2025 +0100
Be more explicit about the need for CORS protection for WebDAV
---
java/org/apache/catalina/servlets/WebdavServlet.java | 3 +++
webapps/docs/security-howto.xml | 9 ++++++++-
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/java/org/apache/catalina/servlets/WebdavServlet.java
b/java/org/apache/catalina/servlets/WebdavServlet.java
index 4a470dd936..c1f83050a8 100644
--- a/java/org/apache/catalina/servlets/WebdavServlet.java
+++ b/java/org/apache/catalina/servlets/WebdavServlet.java
@@ -99,6 +99,9 @@ import org.xml.sax.SAXException;
* functionality. In particular, administrators should be aware that security
constraints apply only to the request URL.
* Security constraints do not apply to any destination URL associated with
the WebDAV operation (such as COPY or MOVE).
* <p>
+ * If WebDAV functionality is included in a web application where legitimate
users may access it via a browser, it is
+ * recommended that the application include CORS protection.
+ * <p>
* To enable WebDAV for a context add the following to web.xml:
*
* <pre>
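Review bot: the new Javadoc paragraph recommends "CORS protection" but does not say what it protects against or where to get it; the security-howto.xml hunk in this same commit links the CORS filter documentation (config/filter.html#CORS_Filter), and pointing at that from here would tell an administrator what to configure. A short clause on why browser access changes the risk picture would also make the "where legitimate users may access it via a browser" condition read as a reason rather than an exception.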
diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml
index ef5d9cd589..080932dda0 100644
--- a/webapps/docs/security-howto.xml
+++ b/webapps/docs/security-howto.xml
@@ -189,6 +189,11 @@
limited in scope (e.g. via security constraints) such that users with
access
to the functionality are unable to imapct the security of either the web
application or the Tomcat instance on which it is running.</p>
+
+ <p>Consider using the
+ <a href="config/filter.html#CORS_Filter">CORS filter</a> and/or the
+ <a href="config/filter.html#CSRF_Prevention_Filter">CSRF prevention
+ filter</a> with deployed web applications.</p>
</section>
<section name="Security manager">
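Review bot: the added paragraph says "CORS filter and/or the CSRF prevention filter" without saying which applies when; the WebDAV section changed later in this file ties the recommendation to browser access, and stating the same condition here would keep the two places consistent. The unchanged context line just above the insertion still carries the typo "imapct" (should be "impact"), which is worth fixing while this section is being edited.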
@@ -594,7 +599,9 @@
<p>The WebDAV servlet enables edit functionality for web application
content. If the WebDAV servlet is enabled, the WebDAV functionality should
- be appropriately secured.</p>
+ be appropriately secured. This should include CORS protection if it is
+ expected that any legitimate users will access the web application via a
+ browser.</p>
<p>When configuring security constraints, care should be taken if the URL
pattern for one or more constraints covers any segment of the URL that
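Review bot: this paragraph now mentions CORS protection only, whereas the general recommendation added earlier in this file lists both the CORS filter and the CSRF prevention filter; either name both here as well, or link to config/filter.html#CORS_Filter (as the earlier paragraph does) so the reader of the WebDAV section can find the concrete configuration without searching the rest of the document.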