This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit d81dc233b5d7433576c5c1cca7712e16358b5c9c
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed Mar 22 15:00:40 2023 +0000
Update handling of sensitive methods for TRACE
List of headers aligns with 11.0.x
---
 java/jakarta/servlet/http/HttpServlet.java | 6 ++----
 webapps/docs/changelog.xml | 3 +--
 2 files changed, 3 insertions(+), 6 deletions(-)
diff --git a/java/jakarta/servlet/http/HttpServlet.java b/java/jakarta/servlet/http/HttpServlet.java
index 72934570de..83942847ce 100644
--- a/java/jakarta/servlet/http/HttpServlet.java
+++ b/java/jakarta/servlet/http/HttpServlet.java
@@ -512,7 +512,7 @@ public abstract class HttpServlet extends GenericServlet {
 * Is the provided HTTP request header considered sensitive and therefore should be excluded from the response to a
 * {@code TRACE} request?
 * <p>
- * By default, the headers thats start with any of the following are considered sensitive:
+ * By default, the headers that start with any of the following are considered sensitive:
 * <ul>
 * <li>authorization</li>
 * <li>cookie</li>
@@ -527,10 +527,8 @@ public abstract class HttpServlet extends GenericServlet {
 *
 * @return (@code true} if the HTTP request header is considered sensitive and should be excluded from the response to a {@code TRACE} request, otherwise {@code false}
- *
- * @since Servlet 6.1
 */
- protected boolean isSensitiveHeader(String headerName) {
+ private boolean isSensitiveHeader(String headerName) {
 String lcHeaderName = headerName.toLowerCase(Locale.ENGLISH);
 for (String sensitiveHeaderName : SENSITIVE_HTTP_HEADERS) {
 if (lcHeaderName.startsWith(sensitiveHeaderName)) {
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 34cea70a65..8dd6c08408 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
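Review bot: The `@return` tag kept as context in the second HttpServlet.java hunk still reads `(@code true}` — a mismatched brace that Javadoc will not parse as an inline tag, so the generated documentation shows the literal text; the first hunk fixes the neighbouring "thats" typo but leaves this one, and the line should become `* @return {@code true} if the HTTP request header is considered sensitive and should be excluded from the response`. Since the method is now `private` and the `@since Servlet 6.1` tag is dropped, the javadoc could also state the consequence for this branch, e.g. `* Not part of the Servlet 6.0 API; the set of sensitive header prefixes cannot be extended by subclasses on this branch.` The check is a case-insensitive prefix match (`toLowerCase(Locale.ENGLISH)` followed by `startsWith`), which appears intentional so that variants of a listed header name are also withheld from the TRACE echo, and a one-line comment on the loop saying so would keep a later maintainer from "tightening" it to an exact match. The body of `isSensitiveHeader` continues past the end of the hunk.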
@@ -149,8 +149,7 @@
 <fix>
 Expand the set of HTTP request headers considered sensitive that should be skipped when generating a response to a <code>TRACE</code> request.
- This aligns with the current draft of the Servlet 6.1 specification.
- (markt)
+ This aligns with 11.0.x. (markt)
 </fix>
 </changelog>
 </subsection>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org