Mark,

On 8/1/22 12:36, ma...@apache.org wrote:
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
      new 7c8a605bf8 Do not include sensitive headers in responses to HTTP TRACE requests
7c8a605bf8 is described below

commit 7c8a605bf86585ae7687a99ef473227007cd8f5e
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Mon Aug 1 17:36:18 2022 +0100

     Do not include sensitive headers in responses to HTTP TRACE requests

     This is a requirement of RFC 7231, 4.3.8
---
  java/jakarta/servlet/http/HttpServlet.java     | 22 ++++++++++++++++++----
  test/jakarta/servlet/http/TestHttpServlet.java |  8 ++++++++
  webapps/docs/changelog.xml                     |  4 ++++
  3 files changed, 30 insertions(+), 4 deletions(-)

diff --git a/java/jakarta/servlet/http/HttpServlet.java 
b/java/jakarta/servlet/http/HttpServlet.java
index ce85988633..16007586ed 100644
--- a/java/jakarta/servlet/http/HttpServlet.java
+++ b/java/jakarta/servlet/http/HttpServlet.java
@@ -25,7 +25,10 @@ import java.lang.reflect.InvocationTargetException;
  import java.lang.reflect.Method;
  import java.text.MessageFormat;
  import java.util.Enumeration;
+import java.util.HashSet;
+import java.util.Locale;
  import java.util.ResourceBundle;
+import java.util.Set;
import jakarta.servlet.AsyncEvent;
  import jakarta.servlet.AsyncListener;
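Review bot: the new java.util.Locale import has no visible use in this excerpt; if it backs a toLowerCase(Locale.ENGLISH) (or Locale.ROOT) on the incoming header name before the SENSITIVE_HTTP_HEADERS lookup, that is the right choice, because the set entries are stored in lower case and a default-locale toLowerCase() can yield a form that never matches (the Turkish dotless i is the classic case). If it is unused, drop the import.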
@@ -95,6 +98,8 @@ public abstract class HttpServlet extends GenericServlet {
      private static final String LSTRING_FILE = 
"jakarta.servlet.http.LocalStrings";
      private static final ResourceBundle lStrings = 
ResourceBundle.getBundle(LSTRING_FILE);
+ private static final Set<String> SENSITIVE_HTTP_HEADERS = new HashSet<>();
+
      /**
       * @deprecated May be removed in a future release
       *
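Review bot: SENSITIVE_HTTP_HEADERS is declared as a plain mutable HashSet without Javadoc; since it is filled once in a static initializer and afterwards only read, wrap it (for example Collections.unmodifiableSet(...)) so nothing can later add to or clear it, and add a comment stating that the entries are lower-case header names, so every lookup must normalize the same way.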
@@ -116,6 +121,12 @@ public abstract class HttpServlet extends GenericServlet {
       */
      private volatile boolean cachedUseLegacyDoHead;
+ static {
+        SENSITIVE_HTTP_HEADERS.add("cookie");
+        SENSITIVE_HTTP_HEADERS.add("www-authenticate");
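Review bot: the static initializer, as quoted, contains only "cookie" and "www-authenticate"; RFC 7231 section 4.3.8, which the commit message cites, uses Authorization as its example of a request header likely to carry sensitive data, so "authorization" and "proxy-authorization" should be in the set as well. WWW-Authenticate is a response header, so it is unlikely to appear among the request headers a TRACE response echoes; it does no harm to list it, but it does not replace the request-side credential headers.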

How about "Authorization"?

Is there a standard way for HTTP TRACE to reply to the client saying "oh and btw I removed the Cookie and Authentication headers you sent, so they aren't there but you did send them"?

-chris
