Author: markt
Date: Fri Jun 28 18:53:47 2013
New Revision: 1497878
URL: http://svn.apache.org/r1497878
Log:
JSP 2.3, section JSP.11.1
Reduce supported verbs to GET, POST and HEAD
Modified:
tomcat/trunk/java/org/apache/jasper/resources/LocalStrings.properties
tomcat/trunk/java/org/apache/jasper/servlet/JspServlet.java
Modified: tomcat/trunk/java/org/apache/jasper/resources/LocalStrings.properties
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/jasper/resources/LocalStrings.properties?rev=1497878&r1=1497877&r2=1497878&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/jasper/resources/LocalStrings.properties
(original)
+++ tomcat/trunk/java/org/apache/jasper/resources/LocalStrings.properties Fri
Jun 28 18:53:47 2013
@@ -367,6 +367,9 @@ jsp.error.tag.invalid.trimdirectivewhite
jsp.error.page.conflict.trimdirectivewhitespaces=Page directive: illegal to
have multiple occurrences of 'trimDirectiveWhitespaces' with different values
(old: {0}, new: {1})
jsp.error.tag.conflict.trimdirectivewhitespaces=Tag directive: illegal to have
multiple occurrences of 'trimDirectiveWhitespaces' with different values (old:
{0}, new: {1})
+# JSP Servlet
+jsp.error.servlet.invalid.method=JSPs only permit GET POST or HEAD
+
# JarScanner
jsp.warning.noJarScanner=Warning: No org.apache.tomcat.JarScanner set in
ServletContext. Falling back to default JarScanner implementation.
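Review bot: The new `jsp.error.servlet.invalid.method` value reads `GET POST or HEAD` with no separators between the verbs; since this text is what the client sees in the 405 error page, it should read `JSPs only permit GET, POST or HEAD`. The hunk otherwise only adds a comment and a blank line around the new key.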
Modified: tomcat/trunk/java/org/apache/jasper/servlet/JspServlet.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/jasper/servlet/JspServlet.java?rev=1497878&r1=1497877&r2=1497878&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/jasper/servlet/JspServlet.java (original)
+++ tomcat/trunk/java/org/apache/jasper/servlet/JspServlet.java Fri Jun 28
18:53:47 2013
@@ -280,6 +280,19 @@ public class JspServlet extends HttpServ
public void service (HttpServletRequest request,
HttpServletResponse response)
throws ServletException, IOException {
+
+ String method = request.getMethod();
+
+ if (!"GET".equals(method) && !"POST".equals(method) &&
+ !"HEAD".equals(method)) {
+ // Specification states behaviour is undefined
+ // Jasper opts to reject any other verbs, partly as they are
+ // unlikely to make sense in a JSP context and partly to protect
+ // against verb tampering
+ response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED,
+ Localizer.getMessage("jsp.error.servlet.invalid.method"));
+ }
+
//jspFile may be configured as an init-param for this servlet instance
String jspUri = jspFile;
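Review bot: The rejection branch ending at the `response.sendError(...)` lines does not return, so a request with a disallowed verb still falls through to `String jspUri = jspFile;` and the JSP is dispatched on a response that sendError has already committed, which defeats the point of the check. Add `return;` immediately after the sendError call. A 405 response should also tell the client which methods are accepted, so set `response.setHeader("Allow", "GET, HEAD, POST");` before calling sendError. The remainder of service() lies outside the hunk.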