This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit d81dc233b5d7433576c5c1cca7712e16358b5c9c
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed Mar 22 15:00:40 2023 +0000

    Update handling of sensitive methods for TRACE
    
    List of headers aligns with 11.0.x
---
 java/jakarta/servlet/http/HttpServlet.java | 6 ++----
 webapps/docs/changelog.xml                 | 3 +--
 2 files changed, 3 insertions(+), 6 deletions(-)

diff --git a/java/jakarta/servlet/http/HttpServlet.java 
b/java/jakarta/servlet/http/HttpServlet.java
index 72934570de..83942847ce 100644
--- a/java/jakarta/servlet/http/HttpServlet.java
+++ b/java/jakarta/servlet/http/HttpServlet.java
@@ -512,7 +512,7 @@ public abstract class HttpServlet extends GenericServlet {
      * Is the provided HTTP request header considered sensitive and therefore 
should be excluded from the response to a
      * {@code TRACE} request?
      * <p>
-     * By default, the headers thats start with any of the following are 
considered sensitive:
+     * By default, the headers that start with any of the following are 
considered sensitive:
      * <ul>
      * <li>authorization</li>
      * <li>cookie</li>
@@ -527,10 +527,8 @@ public abstract class HttpServlet extends GenericServlet {
      *
      * @return (@code true} if the HTTP request header is considered sensitive 
and should be excluded from the response
      *             to a {@code TRACE} request, otherwise {@code false}
-     *
-     * @since Servlet 6.1
      */
-    protected boolean isSensitiveHeader(String headerName) {
+    private boolean isSensitiveHeader(String headerName) {
         String lcHeaderName = headerName.toLowerCase(Locale.ENGLISH);
         for (String sensitiveHeaderName : SENSITIVE_HTTP_HEADERS) {
             if (lcHeaderName.startsWith(sensitiveHeaderName)) {
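Review bot: The context line `* @return (@code true} if the HTTP request header is considered sensitive` keeps a mismatched Javadoc tag that the commit does not fix; it should read `{@code true}` to match the `{@code false}` later in the same sentence. Making the method private removes it from the documented extension surface, so the Javadoc now mainly serves maintainers reading which request headers are withheld from a TRACE echo, which makes it worth keeping accurate. A one-line comment on the loop such as `// prefix match on the lower-cased name: any header starting with a listed name is withheld` would also make the `startsWith` semantics explicit for anyone extending SENSITIVE_HTTP_HEADERS. The body of isSensitiveHeader continues outside the hunk.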
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 34cea70a65..8dd6c08408 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -149,8 +149,7 @@
       <fix>
         Expand the set of HTTP request headers considered sensitive that should
         be skipped when generating a response to a <code>TRACE</code> request.
-        This aligns with the current draft of the Servlet 6.1 specification.
-        (markt)  
+        This aligns with 11.0.x. (markt)  
       </fix>
     </changelog>
   </subsection>

