Author: markt
Date: Fri Mar 3 08:55:24 2017
New Revision: 1785245
URL: http://svn.apache.org/viewvc?rev=1785245&view=rev
Log:
Servlet 4.0
Additional validation for HTTP method used for server push
Modified:
tomcat/trunk/java/javax/servlet/http/PushBuilder.java
tomcat/trunk/java/org/apache/catalina/core/ApplicationPushBuilder.java
tomcat/trunk/java/org/apache/catalina/core/LocalStrings.properties
Modified: tomcat/trunk/java/javax/servlet/http/PushBuilder.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/javax/servlet/http/PushBuilder.java?rev=1785245&r1=1785244&r2=1785245&view=diff
==============================================================================
--- tomcat/trunk/java/javax/servlet/http/PushBuilder.java (original)
+++ tomcat/trunk/java/javax/servlet/http/PushBuilder.java Fri Mar 3 08:55:24
2017
@@ -49,6 +49,13 @@ public interface PushBuilder {
* @param method The method to use for the push request
*
* @return This builder instance
+ *
+ * @throws IllegalArgumentException if an HTTP method is specified that is
+ * known not to be <a
+ * href="https://tools.ietf.org/html/rfc7540#section-8.2">cacheable
+ * and safe</a>. POST, PUT, DELETE, CONNECT, OPTIONS and TRACE will
+ * trigger the exception.
+ *
*/
PushBuilder method(String method);
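Review bot: The new `@throws IllegalArgumentException` text lists only the six disallowed methods, but the matching implementation in ApplicationPushBuilder in this same commit also throws IllegalArgumentException when the method contains a character that is not a valid HTTP token character, and callers reading this interface would not expect that. A sentence such as `A method containing characters that are not valid HTTP token characters will also trigger the exception.` after the list would close the gap. It is also worth stating what a {@code null} argument does, since the implementation currently dereferences it without a check; I cannot tell from this hunk whether the surrounding Javadoc already covers that.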
Modified: tomcat/trunk/java/org/apache/catalina/core/ApplicationPushBuilder.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/ApplicationPushBuilder.java?rev=1785245&r1=1785244&r2=1785245&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/core/ApplicationPushBuilder.java
(original)
+++ tomcat/trunk/java/org/apache/catalina/core/ApplicationPushBuilder.java Fri
Mar 3 08:55:24 2017
@@ -21,6 +21,7 @@ import java.nio.charset.Charset;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
+import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
@@ -42,11 +43,22 @@ import org.apache.tomcat.util.buf.B2CCon
import org.apache.tomcat.util.buf.HexUtils;
import org.apache.tomcat.util.collections.CaseInsensitiveKeyMap;
import org.apache.tomcat.util.http.CookieProcessor;
+import org.apache.tomcat.util.http.parser.HttpParser;
import org.apache.tomcat.util.res.StringManager;
public class ApplicationPushBuilder implements PushBuilder {
private static final StringManager sm =
StringManager.getManager(ApplicationPushBuilder.class);
+ private static final Set<String> DISALLOWED_METHODS = new HashSet<>();
+
+ static {
+ DISALLOWED_METHODS.add("POST");
+ DISALLOWED_METHODS.add("PUT");
+ DISALLOWED_METHODS.add("DELETE");
+ DISALLOWED_METHODS.add("CONNECT");
+ DISALLOWED_METHODS.add("OPTIONS");
+ DISALLOWED_METHODS.add("TRACE");
+ }
private final HttpServletRequest baseRequest;
private final Request catalinaRequest;
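Review bot: DISALLOWED_METHODS is a mutable static HashSet that is only ever read, so exposing it as a plain `Set<String>` invites accidental modification from elsewhere in the class; since java.util.Collections is already imported above, wrapping it is free: `private static final Set<String> DISALLOWED_METHODS = Collections.unmodifiableSet(new HashSet<>(Arrays.asList("POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE")));` (needs `java.util.Arrays`, which is not visible in the import hunk). The `java.util.Set` import is also not visible in the import hunk above, so I assume it is already present further down the import list.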
@@ -192,6 +204,18 @@ public class ApplicationPushBuilder impl
@Override
public PushBuilder method(String method) {
+ String upperMethod = method.trim().toUpperCase();
+ if (DISALLOWED_METHODS.contains(upperMethod)) {
+ throw new IllegalArgumentException(
+ sm.getString("applicationPushBuilder.methodInvalid",
upperMethod));
+ }
+ // Check a token was supplied
+ for (char c : upperMethod.toCharArray()) {
+ if (!HttpParser.isToken(c)) {
+ throw new IllegalArgumentException(
+ sm.getString("applicationPushBuilder.methodNotToken",
upperMethod));
+ }
+ }
this.method = method;
return this;
}
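Review bot: An empty string passes both new checks: `"".trim()` is not in DISALLOWED_METHODS and the token loop over zero characters never throws, so `this.method` is set to an empty method even though the Javadoc added to PushBuilder describes the argument as an HTTP method and an empty string is not a token (token is 1*tchar). A second, related mismatch is that validation runs on the trimmed, upper-cased copy while the raw `method` is what gets stored, so a value such as `" get "` is validated as `GET` but stored with the surrounding whitespace, which the token loop was meant to exclude; validating the untrimmed string (or storing the validated form) removes the gap. Finally, `toUpperCase()` without a locale is locale-sensitive, so `toUpperCase(Locale.ROOT)` is the safer form for a deny-list comparison (`java.util.Locale` would need importing if it is not already). The rewritten start of the method is below; the token loop and the assignment are unchanged.
```java
@Override
public PushBuilder method(String method) {
    // Validate exactly the string that will be stored: trimming before the
    // check would let surrounding whitespace past the token test below.
    String upperMethod = method.toUpperCase(Locale.ROOT);
    // An empty string is not a token (token = 1*tchar), so reject it here
    // rather than letting the character loop below accept it vacuously.
    if (upperMethod.isEmpty()) {
        throw new IllegalArgumentException(
                sm.getString("applicationPushBuilder.methodNotToken", upperMethod));
    }
    if (DISALLOWED_METHODS.contains(upperMethod)) {
        throw new IllegalArgumentException(
                sm.getString("applicationPushBuilder.methodInvalid", upperMethod));
    }
    // … unchanged: token-character loop, assignment and return …
```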
Modified: tomcat/trunk/java/org/apache/catalina/core/LocalStrings.properties
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/LocalStrings.properties?rev=1785245&r1=1785244&r2=1785245&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/core/LocalStrings.properties
(original)
+++ tomcat/trunk/java/org/apache/catalina/core/LocalStrings.properties Fri Mar
3 08:55:24 2017
@@ -55,6 +55,8 @@ applicationFilterConfig.release=Failed t
applicationFilterRegistration.nullInitParam=Unable to set initialisation
parameter for filter due to null name and/or value. Name [{0}], Value [{1}]
applicationFilterRegistration.nullInitParams=Unable to set initialisation
parameters for filter due to null name and/or value. Name [{0}], Value [{1}]
+applicationPushBuilder.methodInvalid=The HTTP method for a push request must
be both cacheable and safe but [{0}] is not
+applicationPushBuilder.methodNotToken=HTTP methods must be tokens but [{0}]
contains a non-token character
applicationPushBuilder.noCoyoteRequest=Unable to find the underlying Coyote
request object (which is required to create a push request) from the request of
type [{0}]
applicationServletRegistration.setServletSecurity.iae=Null constraint
specified for servlet [{0}] deployed to context with name [{1}]