This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 11.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/11.0.x by this push:
new e9c52c30cf Be more explicit about the need for CORS protection for WebDAV
e9c52c30cf is described below
commit e9c52c30cf427db6a089d53beb40994c4ac925a2
Author: Mark Thomas <[email protected]>
AuthorDate: Tue Sep 16 16:13:22 2025 +0100
Be more explicit about the need for CORS protection for WebDAV
---
java/org/apache/catalina/servlets/WebdavServlet.java | 3 +++
webapps/docs/security-howto.xml | 9 ++++++++-
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/java/org/apache/catalina/servlets/WebdavServlet.java
b/java/org/apache/catalina/servlets/WebdavServlet.java
index 09d8fa6b68..b48e7b0918 100644
--- a/java/org/apache/catalina/servlets/WebdavServlet.java
+++ b/java/org/apache/catalina/servlets/WebdavServlet.java
@@ -100,6 +100,9 @@ import org.xml.sax.SAXException;
* functionality. In particular, administrators should be aware that security
constraints apply only to the request URL.
* Security constraints do not apply to any destination URL associated with
the WebDAV operation (such as COPY or MOVE).
* <p>
+ * If WebDAV functionality is included in a web application where legitimate
users may access it via a browser, it is
+ * recommended that the application include CORS protection.
+ * <p>
* To enable WebDAV for a context add the following to web.xml:
*
* <pre>
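Review bot: the new Javadoc sentence recommends "CORS protection" without saying what that means in Tomcat terms; since the security-howto hunk in this same commit points readers at the CORS filter and the CSRF prevention filter, the class comment should give the same pointer (for example "it is recommended that the application include CORS protection, e.g. via the CORS filter, and consider CSRF protection") so that an administrator reading only the servlet documentation knows which filters to configure. It would also help to tie the recommendation to the preceding paragraph: the reason browser access matters is that a cross-origin page can issue WebDAV methods such as COPY or MOVE whose destination URL is not covered by the security constraints described just above.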
diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml
index f4eb889c96..990cf2ae46 100644
--- a/webapps/docs/security-howto.xml
+++ b/webapps/docs/security-howto.xml
@@ -189,6 +189,11 @@
limited in scope (e.g. via security constraints) such that users with
access
to the functionality are unable to imapct the security of either the web
application or the Tomcat instance on which it is running.</p>
+
+ <p>Consider using the
+ <a href="config/filter.html#CORS_Filter">CORS filter</a> and/or the
+ <a href="config/filter.html#CSRF_Prevention_Filter">CSRF prevention
+ filter</a> with deployed web applications.</p>
</section>
<section name="Security manager">
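Review bot: "and/or" in the added paragraph leaves the reader to guess when each filter applies; state it, e.g. "the CORS filter to restrict cross-origin browser requests and the CSRF prevention filter to protect state-changing requests". While touching this paragraph, the context line just above it still reads "imapct" (should be "impact"); fixing that typo in the same change would be cheap.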
@@ -572,7 +577,9 @@
<p>The WebDAV servlet enables edit functionality for web application
content. If the WebDAV servlet is enabled, the WebDAV functionality should
- be appropriately secured.</p>
+ be appropriately secured. This should include CORS protection if it is
+ expected that any legitimate users will access the web application via a
+ browser.</p>
<p>When configuring security constraints, care should be taken if the URL
pattern for one or more constraints covers any segment of the URL that
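Review bot: this WebDAV paragraph says "CORS protection" but, unlike the earlier hunk in the same file, does not link to config/filter.html#CORS_Filter; add the same link here so the WebDAV section is self-contained. The wording also differs slightly from the Javadoc hunk ("legitimate users may access it via a browser" versus "expected that any legitimate users will access the web application via a browser"); aligning the two phrasings avoids readers wondering whether a different condition is meant.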