This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push:
new 10fb0de3a5 Update handling of sensitive methods for TRACE
10fb0de3a5 is described below
commit 10fb0de3a5e87906574e3db9a026a534f108e193
Author: Mark Thomas <[email protected]>
AuthorDate: Wed Mar 22 14:56:46 2023 +0000
Update handling of sensitive methods for TRACE
List of headers aligns with Tomcat 11.0.x
---
java/javax/servlet/http/HttpServlet.java | 45 +++++++++++++++++++++++++-------
webapps/docs/changelog.xml | 5 ++++
2 files changed, 41 insertions(+), 9 deletions(-)
diff --git a/java/javax/servlet/http/HttpServlet.java
b/java/javax/servlet/http/HttpServlet.java
index 0cefd0ea07..84e8e1971c 100644
--- a/java/javax/servlet/http/HttpServlet.java
+++ b/java/javax/servlet/http/HttpServlet.java
@@ -24,11 +24,11 @@ import java.io.Writer;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.text.MessageFormat;
+import java.util.Arrays;
import java.util.Enumeration;
-import java.util.HashSet;
+import java.util.List;
import java.util.Locale;
import java.util.ResourceBundle;
-import java.util.Set;
import javax.servlet.AsyncEvent;
import javax.servlet.AsyncListener;
@@ -82,14 +82,10 @@ public abstract class HttpServlet extends GenericServlet {
private static final String LSTRING_FILE =
"javax.servlet.http.LocalStrings";
private static final ResourceBundle lStrings =
ResourceBundle.getBundle(LSTRING_FILE);
- private static final Set<String> SENSITIVE_HTTP_HEADERS = new HashSet<>();
+ private static final List<String> SENSITIVE_HTTP_HEADERS =
Arrays.asList("authorization", "cookie", "x-forwarded",
+ "forwarded", "proxy-authorization");
- static {
- SENSITIVE_HTTP_HEADERS.add("cookie");
- SENSITIVE_HTTP_HEADERS.add("authorization");
- }
-
/**
* Does nothing, because this is an abstract class.
@@ -456,7 +452,7 @@ public abstract class HttpServlet extends GenericServlet {
while (reqHeaderNames.hasMoreElements()) {
String headerName = reqHeaderNames.nextElement();
// RFC 7231, 4.3.8 - skip 'sensitive' headers
- if
(!SENSITIVE_HTTP_HEADERS.contains(headerName.toLowerCase(Locale.ENGLISH))) {
+ if (!isSensitiveHeader(headerName)) {
Enumeration<String> headerValues = req.getHeaders(headerName);
while (headerValues.hasMoreElements()) {
String headerValue = headerValues.nextElement();
@@ -477,6 +473,37 @@ public abstract class HttpServlet extends GenericServlet {
}
+ /**
+ * Is the provided HTTP request header considered sensitive and therefore
should be excluded from the response to a
+ * {@code TRACE} request?
+ * <p>
+ * By default, the headers that start with any of the following are
considered sensitive:
+ * <ul>
+ * <li>authorization</li>
+ * <li>cookie</li>
+ * <li>x-forwarded</li>
+ * <li>forwarded</li>
+ * <li>proxy-authorization</li>
+ * </ul>
+ * <p>
+ * Note that HTTP header names are case insensitive.
+ *
+ * @param headerName the name of the HTTP request header to test
+ *
+ * @return (@code true} if the HTTP request header is considered sensitive
and should be excluded from the response
+ * to a {@code TRACE} request, otherwise {@code false}
+ */
+ private boolean isSensitiveHeader(String headerName) {
+ String lcHeaderName = headerName.toLowerCase(Locale.ENGLISH);
+ for (String sensitiveHeaderName : SENSITIVE_HTTP_HEADERS) {
+ if (lcHeaderName.startsWith(sensitiveHeaderName)) {
+ return true;
+ }
+ }
+ return false;
+ }
+
+
/**
* Receives standard HTTP requests from the public <code>service</code>
method and dispatches them to the
* <code>do</code><i>Method</i> methods defined in this class. This method
is an HTTP-specific version of the
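Review bot: The `@return` Javadoc of the new `isSensitiveHeader` method has a malformed inline tag, `(@code true}`, which should be `{@code true}` so the tag renders instead of appearing literally in the generated docs. Because the check is `lcHeaderName.startsWith(sensitiveHeaderName)`, exclusion is a prefix match rather than an exact name match, so every `X-Forwarded-*` variant (and anything else beginning with one of the listed strings) is dropped from the TRACE echo; that is presumably intended, given the RFC 7231 4.3.8 reference at the call site, but the code itself does not say so. A one-line comment on the loop, `// Prefix match on purpose: also covers variants such as X-Forwarded-*`, would make the intent explicit and discourage a later "tidy-up" to `equals()` that would silently narrow the exclusion. The Javadoc's "start with" wording already matches this, so only the code comment and the tag fix are needed.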
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 5b5f755ed6..c7a09f13b6 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -146,6 +146,11 @@
Add support code for custom user attributes in <code>RealmBase</code>.
Based on code from <pr>473</pr> by Carsten Klein. (remm)
</update>
+ <fix>
+ Expand the set of HTTP request headers considered sensitive that should
+ be skipped when generating a response to a <code>TRACE</code> request.
+ This aligns with 11.0.x. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Coyote">