This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 11.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/11.0.x by this push:
     new 3133c38abd Add allowPostAsGet to default Servlet
3133c38abd is described below

commit 3133c38abd4abc66ad16dcb6ee1008be43dbb268
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Thu Mar 20 15:54:53 2025 +0000

    Add allowPostAsGet to default Servlet
    
    Default behaviour is unchanged but users can now disable the behaviour
    where direct requests for static resources using POST are handled as if
    GET had been used.
---
 .../apache/catalina/servlets/DefaultServlet.java   | 40 ++++++++++++++++++++--
 webapps/docs/changelog.xml                         |  9 +++++
 webapps/docs/default-servlet.xml                   |  7 ++++
 3 files changed, 54 insertions(+), 2 deletions(-)

diff --git a/java/org/apache/catalina/servlets/DefaultServlet.java 
b/java/org/apache/catalina/servlets/DefaultServlet.java
index a9875e6a73..55e6a43c48 100644
--- a/java/org/apache/catalina/servlets/DefaultServlet.java
+++ b/java/org/apache/catalina/servlets/DefaultServlet.java
@@ -271,6 +271,13 @@ public class DefaultServlet extends HttpServlet {
      */
     private boolean useStrongETags = false;
 
+    /**
+     * Will direct ({@link DispatcherType#REQUEST} or {@link 
DispatcherType#ASYNC}) requests using the POST method be
+     * processed as GET requests. If not allowed, direct requests using the 
POST method will be rejected with a 405
+     * (method not allowed).
+     */
+    private boolean allowPostAsGet = true;
+
 
     // --------------------------------------------------------- Public Methods
 
@@ -564,7 +571,11 @@ public class DefaultServlet extends HttpServlet {
         StringBuilder allow = new StringBuilder();
 
         // Start with methods that are always allowed
-        allow.append("OPTIONS, GET, HEAD, POST");
+        allow.append("OPTIONS, GET, HEAD");
+
+        if (allowPostAsGet) {
+            allow.append(", POST");
+        }
 
         // PUT and DELETE depend on readonly
         if (!isReadOnly()) {
@@ -589,7 +600,32 @@ public class DefaultServlet extends HttpServlet {
     @Override
     protected void doPost(HttpServletRequest request, HttpServletResponse 
response)
             throws IOException, ServletException {
-        doGet(request, response);
+        if (allowPostAsGet) {
+            doGet(request, response);
+        } else {
+            // Use a switch without a default to ensure all possibilities are 
explicitly handled
+            switch (request.getDispatcherType()) {
+                case ASYNC:
+                case REQUEST: {
+                    // Direct POST requests may not be processed as GET
+                    sendNotAllowed(request, response);
+                    break;
+                }
+                case ERROR:
+                case FORWARD:
+                case INCLUDE: {
+                    /*
+                     * Forward and Include are processed as GET as it is 
possible that a POST to a servlet may use a
+                     * forward or an include as part of generating the 
response.
+                     *
+                     * Error should have already been converted to GET but 
convert here anyway as that is better than
+                     * failing the request.
+                     */
+                    doGet(request, response);
+                    break;
+                }
+            }
+        }
     }
 
 
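Review bot: The statement `switch (request.getDispatcherType())` in doPost has no default, and a statement switch over an enum still compiles when a new constant is added, so a future DispatcherType value would match no case and the request would complete with an empty success response instead of being rejected; the comment above the switch reads as if the compiler enforced exhaustiveness, which it does not for this form. For a check whose purpose is to refuse direct POSTs, the unhandled path should fail closed, e.g. add `default: sendNotAllowed(request, response);` after the INCLUDE case, or otherwise reword the comment to say the cases are listed for clarity rather than enforced. The ERROR comment is sound, but it is worth stating in the Javadoc of `allowPostAsGet` (first hunk) that forward, include and error dispatches are always processed as GET regardless of the setting, since the changelog text "direct request" leaves that implicit. The whole of doPost is within this hunk.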
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 6032de95ce..5c6ba883dc 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -138,6 +138,15 @@
         and/or using reflection to dynamically add external repositories to the
         web application class loader. (markt)
       </fix>
+      <add>
+        Add a new initialisation parameter to the Default servlet -
+        <code>allowPostAsGet</code> - which controls whether a direct request
+        (i.e. not a forward or an include) for a static resource using the POST
+        method will be processed as if the GET method had been used. If not
+        allowed, the request will be rejected. The default behaviour of
+        processing the request as if the GET method had been used is unchanged.
+        (markt)
+      </add>
     </changelog>
   </subsection>
   <subsection name="Coyote">
diff --git a/webapps/docs/default-servlet.xml b/webapps/docs/default-servlet.xml
index 8616351af6..c7093d3f13 100644
--- a/webapps/docs/default-servlet.xml
+++ b/webapps/docs/default-servlet.xml
@@ -218,6 +218,13 @@ Tomcat.</p>
         When a directory redirect (trailing slash missing) is made, use this as
         the the HTTP response code. [302]
   </property>
+  <property name="allowPostAsGet">
+        Controls whether a direct request (i.e. not a forward or an include) 
for
+        a static resource using the POST method will be processed as if the GET
+        method had been used. If not allowed, the request will be rejected. The
+        default behaviour of processing the request as if the GET method had
+        been used is unchanged. [true]
+  </property>
 </properties>
 </section>
 

