Author: markt
Date: Fri Jun 28 18:53:47 2013
New Revision: 1497878

URL: http://svn.apache.org/r1497878
Log:
JSP 2.3, section JSP.11.1
Reduce supported verbs to GET, POST and HEAD

Modified:
    tomcat/trunk/java/org/apache/jasper/resources/LocalStrings.properties
    tomcat/trunk/java/org/apache/jasper/servlet/JspServlet.java

Modified: tomcat/trunk/java/org/apache/jasper/resources/LocalStrings.properties
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/jasper/resources/LocalStrings.properties?rev=1497878&r1=1497877&r2=1497878&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/jasper/resources/LocalStrings.properties 
(original)
+++ tomcat/trunk/java/org/apache/jasper/resources/LocalStrings.properties Fri 
Jun 28 18:53:47 2013
@@ -367,6 +367,9 @@ jsp.error.tag.invalid.trimdirectivewhite
 jsp.error.page.conflict.trimdirectivewhitespaces=Page directive: illegal to 
have multiple occurrences of 'trimDirectiveWhitespaces' with different values 
(old: {0}, new: {1})
 jsp.error.tag.conflict.trimdirectivewhitespaces=Tag directive: illegal to have 
multiple occurrences of 'trimDirectiveWhitespaces' with different values (old: 
{0}, new: {1})
 
+# JSP Servlet
+jsp.error.servlet.invalid.method=JSPs only permit GET POST or HEAD
+
 # JarScanner
 jsp.warning.noJarScanner=Warning: No org.apache.tomcat.JarScanner set in 
ServletContext. Falling back to default JarScanner implementation.
 

Modified: tomcat/trunk/java/org/apache/jasper/servlet/JspServlet.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/jasper/servlet/JspServlet.java?rev=1497878&r1=1497877&r2=1497878&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/jasper/servlet/JspServlet.java (original)
+++ tomcat/trunk/java/org/apache/jasper/servlet/JspServlet.java Fri Jun 28 
18:53:47 2013
@@ -280,6 +280,19 @@ public class JspServlet extends HttpServ
     public void service (HttpServletRequest request,
                              HttpServletResponse response)
                 throws ServletException, IOException {
+
+        String method = request.getMethod();
+
+        if (!"GET".equals(method) && !"POST".equals(method) &&
+                !"HEAD".equals(method)) {
+            // Specification states behaviour is undefined
+            // Jasper opts to reject any other verbs, partly as they are
+            // unlikely to make sense in a JSP context and partly to protect
+            // against verb tampering
+            response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED,
+                    Localizer.getMessage("jsp.error.servlet.invalid.method"));
+        }
+
         //jspFile may be configured as an init-param for this servlet instance
         String jspUri = jspFile;
 
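Review bot: The rejection branch does not return after `response.sendError(...)`, so a request with a disallowed verb still falls through to `String jspUri = jspFile;` and the JSP is located, compiled and executed as usual; the 405 has already committed the response, but any side effects of running the page still happen, which undercuts the verb-tampering protection the comment describes. Add `return;` directly after the sendError call. RFC 2616 §10.4.6 also requires a 405 response to carry an Allow header listing the permitted methods, which sendError does not set, so consider `response.setHeader("Allow", "GET, HEAD, POST");` before the sendError call. The body of service continues past the end of the hunk.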


