https://issues.apache.org/bugzilla/show_bug.cgi?id=57534
Bug ID: 57534
Summary: CorsFilter.SIMPLE_HTTP_REQUEST_CONTENT_TYPE_VALUES check shall ignore content-type parameters
Product: Tomcat 7
Version: 7.0.59
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: [email protected]
Reporter: [email protected]
In CorsFilter of trunk
starting with line 1030:
[[[
    /**
     * {@link Collection} of Simple HTTP request headers. Case in-sensitive.
     *
     * @see <a href="http://www.w3.org/TR/cors/#terminology"
     *      >http://www.w3.org/TR/cors/#terminology</a>
     */
    public static final Collection<String>
            SIMPLE_HTTP_REQUEST_CONTENT_TYPE_VALUES =
            new HashSet<>(Arrays.asList("application/x-www-form-urlencoded",
                    "multipart/form-data", "text/plain"));
]]]
starting with line 641:
[[[
        } else if ("POST".equals(method)) {
            String contentType = request.getContentType();
            if (contentType != null) {
                contentType = contentType.toLowerCase().trim();
                if (SIMPLE_HTTP_REQUEST_CONTENT_TYPE_VALUES
                        .contains(contentType)) {
                    requestType = CORSRequestType.SIMPLE;
                } else {
                    requestType = CORSRequestType.ACTUAL;
                }
            }
        } else {
]]]
According to the w3.org "Terminology" link above,
1) The Javadoc for SIMPLE_HTTP_REQUEST_CONTENT_TYPE_VALUES is a bit off
(copy-pasted from another field). It is actually a collection of mime-type
values for the Content-Type header so that this header is treated as a "simple
header".
2) The check using SIMPLE_HTTP_REQUEST_CONTENT_TYPE_VALUES shall ignore any
parameters that may be present in the Content-Type header value.
E.g. "Content-Type: application/x-www-form-urlencoded; charset=UTF-8" shall
match successfully.