Mark,
On 8/1/22 12:36, ma...@apache.org wrote:
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new 7c8a605bf8 Do not include sensitive headers in responses to HTTP TRACE requests
7c8a605bf8 is described below
commit 7c8a605bf86585ae7687a99ef473227007cd8f5e
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Mon Aug 1 17:36:18 2022 +0100
Do not include sensitive headers in responses to HTTP TRACE requests
This is a requirement of RFC 7231, 4.3.8
---
java/jakarta/servlet/http/HttpServlet.java | 22 ++++++++++++++++++----
test/jakarta/servlet/http/TestHttpServlet.java | 8 ++++++++
webapps/docs/changelog.xml | 4 ++++
3 files changed, 30 insertions(+), 4 deletions(-)
diff --git a/java/jakarta/servlet/http/HttpServlet.java
b/java/jakarta/servlet/http/HttpServlet.java
index ce85988633..16007586ed 100644
--- a/java/jakarta/servlet/http/HttpServlet.java
+++ b/java/jakarta/servlet/http/HttpServlet.java
@@ -25,7 +25,10 @@ import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.text.MessageFormat;
import java.util.Enumeration;
+import java.util.HashSet;
+import java.util.Locale;
import java.util.ResourceBundle;
+import java.util.Set;
import jakarta.servlet.AsyncEvent;
import jakarta.servlet.AsyncListener;
@@ -95,6 +98,8 @@ public abstract class HttpServlet extends GenericServlet {
private static final String LSTRING_FILE =
"jakarta.servlet.http.LocalStrings";
private static final ResourceBundle lStrings =
ResourceBundle.getBundle(LSTRING_FILE);
+ private static final Set<String> SENSITIVE_HTTP_HEADERS = new HashSet<>();
+
/**
* @deprecated May be removed in a future release
*
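Review bot: `SENSITIVE_HTTP_HEADERS` at `+ private static final Set<String> SENSITIVE_HTTP_HEADERS = new HashSet<>();` is a mutable `HashSet` held in a static field, while its contents are meant to be fixed once the static initializer has run; consider wrapping the populated set in `Collections.unmodifiableSet(...)` (or building it with `Set.of(...)` if the code base targets Java 9+) so that no later code path can add or remove names from the list of headers the TRACE response suppresses. A short comment on the field stating that entries are stored lower-case would also help whoever extends the list next.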
@@ -116,6 +121,12 @@ public abstract class HttpServlet extends GenericServlet {
*/
private volatile boolean cachedUseLegacyDoHead;
+ static {
+ SENSITIVE_HTTP_HEADERS.add("cookie");
+ SENSITIVE_HTTP_HEADERS.add("www-authenticate");
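Review bot: the entries at `+ SENSITIVE_HTTP_HEADERS.add("cookie");` and the following line are lower-case, so the lookup that consults this set (not visible here, the quoted hunk stops at this point) has to normalise the incoming header name the same way, e.g. `name.toLowerCase(Locale.ENGLISH)`; the new `java.util.Locale` import suggests that is the intent, but a comment next to the `add` calls saying entries must be lower-case keeps future additions consistent. Separately, `www-authenticate` is a header a server sends in a response, whereas a TRACE response echoes the request the client sent, so the request-side credential carriers (`authorization`, and `proxy-authorization` for the same reason) are the ones most likely to leak through this path; the question about `Authorization` raised below applies directly to this hunk.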
How about "Authorization"?
Is there a standard way for HTTP TRACE to reply to the client saying "oh
and btw I removed the Cookie and Authentication headers you sent, so
they aren't there but you did send them"?
-chris
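To make the filtering concrete, here is an added example of a servlet that echoes a TRACE request while dropping credential-carrying headers, matched case-insensitively. It is illustrative code written for this thread, not Tomcat's `HttpServlet` from the commit above; the class `FilteredTraceServlet` and the helpers `isSensitive` and `buildTraceBody` are hypothetical names, and the set goes beyond the two names in the quoted hunk by also listing `authorization` and `proxy-authorization`, which is an assumption following the question in the reply rather than anything the commit shows. The headers in `main` are constructed sample input so the filtering can be exercised without a container.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.function.Function;

import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

// Hypothetical servlet (not Tomcat's HttpServlet): answers TRACE with a
// message/http copy of the request, minus headers likely to hold credentials,
// which is what RFC 7231 section 4.3.8 asks the final recipient to do.
public class FilteredTraceServlet extends HttpServlet {

    // Names are stored lower-case; lookups lower-case the incoming name first.
    // "authorization" and "proxy-authorization" are added here as an assumption,
    // they are not part of the quoted commit.
    static final Set<String> SENSITIVE_HTTP_HEADERS = Set.of(
            "cookie", "authorization", "proxy-authorization", "www-authenticate");

    // Case-insensitive membership test, so "Cookie", "COOKIE" and "cookie" all match.
    static boolean isSensitive(String headerName) {
        return SENSITIVE_HTTP_HEADERS.contains(headerName.toLowerCase(Locale.ENGLISH));
    }

    // Builds the echoed request: request line, then every header that is not
    // sensitive, each value on its own line, CRLF-terminated as in HTTP/1.1.
    static String buildTraceBody(String method, String uri, String protocol,
            Enumeration<String> headerNames,
            Function<String, Enumeration<String>> valuesFor) {
        StringBuilder sb = new StringBuilder();
        sb.append(method).append(' ').append(uri).append(' ').append(protocol).append("\r\n");
        while (headerNames.hasMoreElements()) {
            String name = headerNames.nextElement();
            if (isSensitive(name)) {
                continue; // suppressed: never echoed back to the client
            }
            Enumeration<String> values = valuesFor.apply(name);
            while (values.hasMoreElements()) {
                sb.append(name).append(": ").append(values.nextElement()).append("\r\n");
            }
        }
        return sb.toString();
    }

    @Override
    protected void doTrace(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String body = buildTraceBody(req.getMethod(), req.getRequestURI(), req.getProtocol(),
                req.getHeaderNames(), req::getHeaders);
        resp.setContentType("message/http");
        // Header names and values are ISO-8859-1 on the wire, which is also the
        // servlet writer's default charset when none is set on the response.
        resp.setContentLength(body.getBytes(StandardCharsets.ISO_8859_1).length);
        PrintWriter out = resp.getWriter();
        out.print(body);
        out.flush();
    }

    // Stand-alone check with constructed headers; prints only Host and Accept.
    public static void main(String[] args) {
        Map<String, List<String>> constructed = new LinkedHashMap<>();
        constructed.put("Host", List.of("example.test"));
        constructed.put("Cookie", List.of("JSESSIONID=constructed-value"));
        constructed.put("AUTHORIZATION", List.of("Basic Y29uc3RydWN0ZWQ="));
        constructed.put("Accept", List.of("*/*"));
        String body = buildTraceBody("TRACE", "/", "HTTP/1.1",
                Collections.enumeration(constructed.keySet()),
                n -> Collections.enumeration(constructed.get(n)));
        System.out.print(body);
    }
}
```

The `main` method runs without a servlet container because the body builder only depends on an `Enumeration` of names and a value lookup, which is also what makes the filtering logic easy to unit test against mixed-case header names; the container path simply hands it `req.getHeaderNames()` and `req::getHeaders`.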