Re: (tomcat) branch main updated: BZ 69360: Inconsistent DELETE behavior between DefaultServlet and WebdavServlet

Wed, 02 Oct 2024 04:16:37 -0700 

On 02/10/2024 12:00, Michael Osipov wrote:

On 2024/10/02 10:41:38 Mark Thomas wrote:

On 02/10/2024 11:30, Michael Osipov wrote:

On 2024/10/02 10:21:07 Mark Thomas wrote:

-1 veto

This change is not compliant with RFC 9110.

If Tomcat sends METHOD_NOT_ALLOWED it MUST also send an Allow header.



<snip/>


diff --git a/java/org/apache/catalina/servlets/WebdavServlet.java 
b/java/org/apache/catalina/servlets/WebdavServlet.java
index d32868a9b3..c2cf8f3d78 100644
--- a/java/org/apache/catalina/servlets/WebdavServlet.java
+++ b/java/org/apache/catalina/servlets/WebdavServlet.java
@@ -1696,7 +1696,7 @@ public class WebdavServlet extends DefaultServlet 
implements PeriodicEventListen
if (!resource.isDirectory()) { 
                if (!resource.delete()) {
-                resp.sendError(WebdavStatus.SC_INTERNAL_SERVER_ERROR);
+                resp.sendError(WebdavStatus.SC_METHOD_NOT_ALLOWED);


May be able to utilise sendNotAllowed() for this one. Thinking about it
probably not as WebDAV has additional methods that need to be taken
account of. It will need a dedicated method for WebDAV.


I agree, infact I have written this in the BZ issue: 
https://bz.apache.org/bugzilla/show_bug.cgi?id=69360#c2
For a single resource (not collection) I will use the method mentioned. Agreed?


If you mean write a WebDAV specific sendNotAllowed() method and use it
here then yes, that would be acceptable.


I believe we have that already with an override: 
WebdavServlet#determineMethodsAllowed(HttpServletRequest) then the super 
sendNotAllowed() will use this. With a proper patch I get that now:

$ curl --negotiate -u : -X DELETE 
'https://example.com/backend-dev/dav/log/sadfs'  --verbose
...* Request completely sent off
< HTTP/1.1 405
< Date: Wed, 02 Oct 2024 10:59:10 GMT
< Server: Apache
< X-Frame-Options: SAMEORIGIN
< Correlation-Id: Zv0nfp0p3XwFWtOGfc5vXAAAARQ
< Cache-Control: private
< WWW-Authenticate: Negotiate oY...
< Allow: OPTIONS, GET, POST, HEAD, DELETE, PUT, LOCK, UNLOCK, PROPPATCH, COPY, 
MOVE, PROPFIND
< Content-Type: text/html;charset=utf-8
< Content-Language: en
< Content-Length: 656


Patch:

-                resp.sendError(WebdavStatus.SC_METHOD_NOT_ALLOWED);
+                sendNotAllowed(req, resp);


OK for you?


That works for me. Tx.

Mark


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Reply via email to