Author: markt Date: Thu Sep 13 13:26:54 2018 New Revision: 1840812 URL: http://svn.apache.org/viewvc?rev=1840812&view=rev Log: Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=61692 Add the ability to control which HTTP methods are handled by the CGI Servlet via a new initialization parameter cgiMethods.
Modified: tomcat/trunk/java/org/apache/catalina/servlets/CGIServlet.java tomcat/trunk/webapps/docs/cgi-howto.xml tomcat/trunk/webapps/docs/changelog.xml Modified: tomcat/trunk/java/org/apache/catalina/servlets/CGIServlet.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/servlets/CGIServlet.java?rev=1840812&r1=1840811&r2=1840812&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/catalina/servlets/CGIServlet.java (original) +++ tomcat/trunk/java/org/apache/catalina/servlets/CGIServlet.java Thu Sep 13 13:26:54 2018 @@ -29,10 +29,12 @@ import java.nio.file.Files; import java.util.ArrayList; import java.util.Date; import java.util.Enumeration; +import java.util.HashSet; import java.util.Hashtable; import java.util.List; import java.util.Locale; import java.util.Map.Entry; +import java.util.Set; import java.util.StringTokenizer; import java.util.Vector; import java.util.regex.Pattern; @@ -242,6 +244,14 @@ public final class CGIServlet extends Ht private static final long serialVersionUID = 1L; + private static final Set<String> DEFAULT_SUPER_METHODS = new HashSet<>(); + static { + DEFAULT_SUPER_METHODS.add("HEAD"); + DEFAULT_SUPER_METHODS.add("OPTIONS"); + DEFAULT_SUPER_METHODS.add("TRACE"); + } + + /** * The CGI search path will start at * webAppRootDir + File.separator + cgiPathPrefix @@ -260,6 +270,11 @@ public final class CGIServlet extends Ht private String parameterEncoding = System.getProperty("file.encoding", "UTF-8"); + /* The HTTP methods this Servlet will pass to the CGI script */ + private Set<String> cgiMethods = new HashSet<>(); + private boolean cgiMethodsAll = false; + + /** * The time (in milliseconds) to wait for the reading of stderr to complete * before terminating the CGI process. 
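Review bot: `DEFAULT_SUPER_METHODS` in the `@@ -242,6 +244,14 @@` hunk has no comment explaining its role, and it remains a mutable `HashSet` after the static initialiser has run. Since it decides which methods bypass the `cgiMethods` check, a one-line Javadoc such as `/** Methods handed to HttpServlet when they are not listed in cgiMethods. */` would make that visible. Wrapping the populated set with `Collections.unmodifiableSet(...)` (which needs an extra import) would keep later code from altering it. In the `@@ -260,6 +270,11 @@` hunk the new fields are introduced with a plain `/* ... */` comment, whereas the neighbouring fields visible in the context use `/** ... */`.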
@@ -364,6 +379,23 @@ public final class CGIServlet extends Ht enableCmdLineArguments = Boolean.parseBoolean(config.getInitParameter("enableCmdLineArguments")); } + + if (getServletConfig().getInitParameter("cgiMethods") != null) { + String paramValue = getServletConfig().getInitParameter("cgiMethods"); + paramValue.trim(); + if ("*".equals(paramValue)) { + cgiMethodsAll = true; + } else { + String[] methods = paramValue.split(","); + for (String method : methods) { + String trimmedMethod = method.trim(); + cgiMethods.add(trimmedMethod); + } + } + } else { + cgiMethods.add("GET"); + cgiMethods.add("POST"); + } } 
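Review bot: `paramValue.trim();` discards its result, because `String.trim()` returns a new string. A value such as ` * ` therefore never matches `"*".equals(paramValue)` and is stored as a literal `*` entry that no request method will equal; assign it back with `paramValue = paramValue.trim();`. The loop also adds empty tokens to `cgiMethods` (from `GET,,POST` or an empty parameter value), which `if (!trimmedMethod.isEmpty())` around the `add` would avoid. Both mistakes appear to narrow the allow-list rather than widen it, but nothing is logged, so a misconfigured servlet simply starts rejecting requests. The enclosing init method starts outside the hunk.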
@@ -497,20 +529,21 @@ public final class CGIServlet extends Ht } - /** - * Provides CGI Gateway service -- delegates to - * {@link #doGet(HttpServletRequest, HttpServletResponse)}. - * - * @param req HttpServletRequest passed in by servlet container - * @param res HttpServletResponse passed in by servlet container - * - * @exception ServletException if a servlet-specific exception occurs - * @exception IOException if a read/write exception occurs - */ @Override - protected void doPost(HttpServletRequest req, HttpServletResponse res) - throws IOException, ServletException { - doGet(req, res); + protected void service(HttpServletRequest req, HttpServletResponse res) + throws ServletException, IOException { + + String method = req.getMethod(); + if (cgiMethodsAll || cgiMethods.contains(method)) { + doGet(req, res); + } else if (DEFAULT_SUPER_METHODS.contains(method)){ + // If the CGI servlet is explicitly configured to handle one of + // these methods it will be handled in the previous condition + super.service(req, res); + } else { + // Unsupported method + res.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED); + } } Modified: tomcat/trunk/webapps/docs/cgi-howto.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/cgi-howto.xml?rev=1840812&r1=1840811&r2=1840812&view=diff ============================================================================== --- tomcat/trunk/webapps/docs/cgi-howto.xml (original) +++ tomcat/trunk/webapps/docs/cgi-howto.xml Thu Sep 13 13:26:54 2018 
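Review bot: A HEAD request still runs the CGI script when neither HEAD nor GET is listed in `cgiMethods`, because the `DEFAULT_SUPER_METHODS` branch passes it to `super.service()`, and HttpServlet's default `doHead()` calls `doGet()` with a response that discards the body. If `cgiMethods` is meant as an allow-list for script execution, HEAD should be delegated only when GET is enabled, for example `} else if (DEFAULT_SUPER_METHODS.contains(method) && (!"HEAD".equals(method) || cgiMethods.contains("GET"))) {`. The final branch sends 405 without an `Allow` header, which RFC 7231 requires for that status. The removed `doPost` Javadoc also has no replacement, so the new `service` override should get a short Javadoc describing the three-way dispatch.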
@@ -91,6 +91,12 @@ file affects all web applications. See <p>There are several servlet init parameters which can be used to configure the behaviour of the CGI servlet.</p> <ul> +<li><strong>cgiMethods</strong> - Comma separated list of HTTP methods. Requests +using one of these methods will be passed to the CGI script for the script to +generate the response. The default value is <code>GET,POST</code>. Use +<code>*</code> for the script to handle all requests regardless of method. +Unless over-ridden by the configuration of this parameter, requests using HEAD, +OPTIONS or TRACE will have handled by the superclass.</li> <li><strong>cgiPathPrefix</strong> - The CGI search path will start at the web application root directory + File.separator + this prefix. By default there is no value, which results in the web application root Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1840812&r1=1840811&r2=1840812&view=diff ============================================================================== --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Thu Sep 13 13:26:54 2018 @@ -47,6 +47,11 @@ <section name="Tomcat 9.0.13 (markt)" rtext="in development"> <subsection name="Catalina"> <changelog> + <add> + <bug>61692</bug>: Add the ability to control which HTTP methods are + handled by the CGI Servlet via a new initialization parameter + <code>cgiMethods</code>. (markt) + </add> <fix> <bug>62687</bug>: Expose content length information for resources when using a compressed war. (remm) --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org