Author: markt
Date: Mon Oct 10 15:46:51 2011
New Revision: 1181030
URL: http://svn.apache.org/viewvc?rev=1181030&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=51940
Don't limit saving of request bodies during FORM authentication to POST
requests since any HTTP method may include a body.
Based on a patch by Nicholas Sushkin
Modified:
tomcat/tc7.0.x/trunk/ (props changed)
tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java
tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/LocalStrings.properties
tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
Propchange: tomcat/tc7.0.x/trunk/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Mon Oct 10 15:46:51 2011
@@ -1 +1 @@
-/tomcat/trunk:1156115,1156171,1156276,1156304,1156519,1156530,1156602,1157015,1157018,1157151,1157198,1157204,1157810,1157832,1157834,1157847,1157908,1157939,1158155,1158160,1158176,1158195,1158198-1158199,1158227,1158331,1158334-1158335,1158426,1160347,1160592,1160611,1160619,1160626,1160639,1160652,1160720-1160721,1160772,1160774,1160776,1161303,1161310,1161322,1161339,1161486,1161540,1161549,1161584,1162082,1162149,1162169,1162721,1162769,1162836,1162932,1163630,1164419,1164438,1164469,1164480,1164567,1165234,1165247-1165248,1165253,1165273,1165282,1165309,1165331,1165338,1165347,1165360-1165361,1165367-1165368,1165602,1165608,1165677,1165693,1165721,1165723,1165728,1165730,1165738,1165746,1165765,1165777,1165918,1165921,1166077,1166150-1166151,1166290,1166366,1166620,1166686,1166752,1166757,1167368,1167394,1169447,1170647,1171692,1172233-1172234,1172236,1172269,1172278,1172282,1172610,1172664,1172689,1172711,1173020-1173021,1173082,1173088,1173090,1173096,1173241,1173256
,1173288,1173333,1173342,1173461,1173614,1173630,1173659,1173722,1174061,1174239,1174322,1174325,1174329-1174330,1174337-1174339,1174343,1174353,1174799,1174882,1174884,1174983,1175155,1175158,1175167,1175182,1175190,1175201,1175272,1175275,1175283,1175582,1175589-1175590,1175594,1175602,1175613,1175633,1175690,1175713,1175889,1175896,1175907,1176584,1176590,1176799,1177050,1177060,1177125,1177152,1177160,1177245,1177850,1177862,1177978,1178209,1178228,1178233,1178449,1178542,1178681,1178721,1180261,1180907
+/tomcat/trunk:1156115,1156171,1156276,1156304,1156519,1156530,1156602,1157015,1157018,1157151,1157198,1157204,1157810,1157832,1157834,1157847,1157908,1157939,1158155,1158160,1158176,1158195,1158198-1158199,1158227,1158331,1158334-1158335,1158426,1160347,1160592,1160611,1160619,1160626,1160639,1160652,1160720-1160721,1160772,1160774,1160776,1161303,1161310,1161322,1161339,1161486,1161540,1161549,1161584,1162082,1162149,1162169,1162721,1162769,1162836,1162932,1163630,1164419,1164438,1164469,1164480,1164567,1165234,1165247-1165248,1165253,1165273,1165282,1165309,1165331,1165338,1165347,1165360-1165361,1165367-1165368,1165602,1165608,1165677,1165693,1165721,1165723,1165728,1165730,1165738,1165746,1165765,1165777,1165918,1165921,1166077,1166150-1166151,1166290,1166366,1166620,1166686,1166752,1166757,1167368,1167394,1169447,1170647,1171692,1172233-1172234,1172236,1172269,1172278,1172282,1172610,1172664,1172689,1172711,1173020-1173021,1173082,1173088,1173090,1173096,1173241,1173256
,1173288,1173333,1173342,1173461,1173614,1173630,1173659,1173722,1174061,1174239,1174322,1174325,1174329-1174330,1174337-1174339,1174343,1174353,1174799,1174882,1174884,1174983,1175155,1175158,1175167,1175182,1175190,1175201,1175272,1175275,1175283,1175582,1175589-1175590,1175594,1175602,1175613,1175633,1175690,1175713,1175889,1175896,1175907,1176584,1176590,1176799,1177050,1177060,1177125,1177152,1177160,1177245,1177850,1177862,1177978,1178209,1178228,1178233,1178449,1178542,1178681,1178721,1180261,1180907,1181028
Modified:
tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java?rev=1181030&r1=1181029&r2=1181030&view=diff
==============================================================================
---
tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java
(original)
+++
tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java
Mon Oct 10 15:46:51 2011
@@ -368,6 +368,16 @@ public class FormAuthenticator
HttpServletResponse response, LoginConfig config)
throws IOException {
+ if (log.isDebugEnabled()) {
+ log.debug(sm.getString("formAuthenticator.forwardLogin",
+ request.getRequestURI(), request.getMethod(),
+ config.getLoginPage(),
+ context.getServletContext().getContextPath()));
+ }
+
+ // Always use GET for the login page, regardless of the method used
+ request.getCoyoteRequest().method().setString("GET");
+
String loginPage = config.getLoginPage();
if (loginPage == null || loginPage.length() == 0) {
String msg = sm.getString("formAuthenticator.noLoginPage",
@@ -535,27 +545,27 @@ public class FormAuthenticator
// Ignore request body
}
- if ("POST".equalsIgnoreCase(saved.getMethod())) {
- ByteChunk body = saved.getBody();
-
- if (body != null) {
- request.getCoyoteRequest().action
- (ActionCode.REQ_SET_BODY_REPLAY, body);
-
- // Set content type
- MessageBytes contentType = MessageBytes.newInstance();
-
- //If no content type specified, use default for POST
- String savedContentType = saved.getContentType();
- if (savedContentType == null) {
- savedContentType = "application/x-www-form-urlencoded";
- }
+ ByteChunk body = saved.getBody();
+ String method = saved.getMethod();
+
+ if (body != null) {
+ request.getCoyoteRequest().action
+ (ActionCode.REQ_SET_BODY_REPLAY, body);
- contentType.setString(savedContentType);
- request.getCoyoteRequest().setContentType(contentType);
+ // Set content type
+ MessageBytes contentType = MessageBytes.newInstance();
+
+ // If no content type specified, use default for POST
+ String savedContentType = saved.getContentType();
+ if (savedContentType == null && "POST".equalsIgnoreCase(method)) {
+ savedContentType = "application/x-www-form-urlencoded";
}
+
+ contentType.setString(savedContentType);
+ request.getCoyoteRequest().setContentType(contentType);
}
- request.getCoyoteRequest().method().setString(saved.getMethod());
+
+ request.getCoyoteRequest().method().setString(method);
request.getCoyoteRequest().queryString().setString
(saved.getQueryString());
@@ -599,20 +609,22 @@ public class FormAuthenticator
saved.addLocale(locale);
}
- if ("POST".equalsIgnoreCase(request.getMethod())) {
- // May need to acknowledge a 100-continue expectation
- request.getResponse().sendAcknowledgement();
-
- ByteChunk body = new ByteChunk();
- body.setLimit(request.getConnector().getMaxSavePostSize());
-
- byte[] buffer = new byte[4096];
- int bytesRead;
- InputStream is = request.getInputStream();
-
- while ( (bytesRead = is.read(buffer) ) >= 0) {
- body.append(buffer, 0, bytesRead);
- }
+ // May need to acknowledge a 100-continue expectation
+ request.getResponse().sendAcknowledgement();
+
+ ByteChunk body = new ByteChunk();
+ body.setLimit(request.getConnector().getMaxSavePostSize());
+
+ byte[] buffer = new byte[4096];
+ int bytesRead;
+ InputStream is = request.getInputStream();
+
+ while ( (bytesRead = is.read(buffer) ) >= 0) {
+ body.append(buffer, 0, bytesRead);
+ }
+
+ // Only save the request body if there is somethign to save
+ if (body.getLength() > 0) {
saved.setContentType(request.getContentType());
saved.setBody(body);
}
Modified:
tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/LocalStrings.properties
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/LocalStrings.properties?rev=1181030&r1=1181029&r2=1181030&view=diff
==============================================================================
---
tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/LocalStrings.properties
(original)
+++
tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/LocalStrings.properties
Mon Oct 10 15:46:51 2011
@@ -31,6 +31,7 @@ authenticator.userDataConstraint=This re
digestAuthenticator.cacheRemove=A valid entry has been removed from client
nonce cache to make room for new entries. A replay attack is now possible. To
prevent the possibility of replay attacks, reduce nonceValidity or increase
cnonceCacheSize. Further warnings of this type will be suppressed for 5 minutes.
formAuthenticator.forwardErrorFail=Unexpected error forwarding to error page
+formAuthenticator.forwardLogin=Forwarding request for [{0}] made with method
[{1}] to login page [{2}] of context [{3}] using request method GET
formAuthenticator.forwardLoginFail=Unexpected error forwarding to login page
formAuthenticator.noErrorPage=No error page was defined for FORM
authentication in context [{0}]
formAuthenticator.noLoginPage=No login page was defined for FORM
authentication in context [{0}]
Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1181030&r1=1181029&r2=1181030&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Mon Oct 10 15:46:51 2011
@@ -61,6 +61,11 @@
are being used without the CometConnectionManagerValve. (markt)
</fix>
<fix>
+ <bug>51940</bug>: Do not limit saving of request bodies during FORM
+ authentication to POST requests since any HTTP method may include a
+ request body. Based on a patch by Nicholas Sushkin. (markt)
+ </fix>
+ <fix>
<bug>51956</bug>: RemoteAddrFilter used getRemoteHost instead of
getRemoteAddr when filtering Comet events. (schultz)
</fix>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
