Author: markt Date: Fri Jun 28 18:53:47 2013 New Revision: 1497878 URL: http://svn.apache.org/r1497878 Log: JSP 2.3, section JSP.11.1 Reduce supported verbs to GET, POST and HEAD
Modified: tomcat/trunk/java/org/apache/jasper/resources/LocalStrings.properties tomcat/trunk/java/org/apache/jasper/servlet/JspServlet.java Modified: tomcat/trunk/java/org/apache/jasper/resources/LocalStrings.properties URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/jasper/resources/LocalStrings.properties?rev=1497878&r1=1497877&r2=1497878&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/jasper/resources/LocalStrings.properties (original) +++ tomcat/trunk/java/org/apache/jasper/resources/LocalStrings.properties Fri Jun 28 18:53:47 2013 @@ -367,6 +367,9 @@ jsp.error.tag.invalid.trimdirectivewhite jsp.error.page.conflict.trimdirectivewhitespaces=Page directive: illegal to have multiple occurrences of 'trimDirectiveWhitespaces' with different values (old: {0}, new: {1}) jsp.error.tag.conflict.trimdirectivewhitespaces=Tag directive: illegal to have multiple occurrences of 'trimDirectiveWhitespaces' with different values (old: {0}, new: {1}) +# JSP Servlet +jsp.error.servlet.invalid.method=JSPs only permit GET POST or HEAD + # JarScanner jsp.warning.noJarScanner=Warning: No org.apache.tomcat.JarScanner set in ServletContext. Falling back to default JarScanner implementation. Modified: tomcat/trunk/java/org/apache/jasper/servlet/JspServlet.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/jasper/servlet/JspServlet.java?rev=1497878&r1=1497877&r2=1497878&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/jasper/servlet/JspServlet.java (original) +++ tomcat/trunk/java/org/apache/jasper/servlet/JspServlet.java Fri Jun 28 18:53:47 2013 
@@ -280,6 +280,19 @@ public class JspServlet extends HttpServ public void service (HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { + + String method = request.getMethod(); + + if (!"GET".equals(method) && !"POST".equals(method) && + !"HEAD".equals(method)) { + // Specification states behaviour is undefined + // Jasper opts to reject any other verbs, partly as they are + // unlikely to make sense in a JSP context and partly to protect + // against verb tampering + response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED, + Localizer.getMessage("jsp.error.servlet.invalid.method")); + } + //jspFile may be configured as an init-param for this servlet instance String jspUri = jspFile; --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
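Review bot: The rejection branch falls through after `response.sendError(...)`: there is no `return;` inside the new `if`, so a PUT, DELETE, OPTIONS or TRACE request still continues into the JSP lookup and execution that follows (`String jspUri = jspFile;` and the rest of `service`, which lies outside the hunk). The 405 is committed, so presumably the page's output never reaches the client, but the JSP is still compiled and run, so any side effects it has still happen — which undermines the verb-tampering protection the comment describes. Add `return;` immediately after the `sendError` call, before the closing brace of the `if`. Separately, a JSP reached through the error-page dispatcher inherits the original request's method, so an error page for a rejected verb would itself answer 405; worth confirming whether that is intended or whether the check should skip that dispatch type.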