This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit bb497d62e1405c8ba56d1910672d8c476e0b8dba
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Mon Jul 1 13:28:31 2019 +0100
Make partial PUT processing optional but still enabled by default
---
 conf/web.xml | 5 +++++
 .../apache/catalina/servlets/DefaultServlet.java | 22 ++++++++++++++++++++++
 webapps/docs/changelog.xml | 6 ++++++
 webapps/docs/default-servlet.xml | 5 +++++
 4 files changed, 38 insertions(+)
diff --git a/conf/web.xml b/conf/web.xml
index 4106441..9c0a248 100644
--- a/conf/web.xml
+++ b/conf/web.xml
@@ -104,6 +104,11 @@
 <!-- showServerInfo Should server information be presented in the -->
 <!-- response sent to clients when directory -->
 <!-- listings is enabled? [true] -->
+ <!-- -->
+ <!-- allowPartialPut Should the server treat an HTTP PUT request -->
+ <!-- with a Range header as a partial PUT? Note -->
+ <!-- that RFC 7233 clarified that Range headers are -->
+ <!-- only valid for GET requests. [true] -->
 <servlet>
 <servlet-name>default</servlet-name>
diff --git a/java/org/apache/catalina/servlets/DefaultServlet.java b/java/org/apache/catalina/servlets/DefaultServlet.java
index d5b9ab0..5ddfcb8 100644
--- a/java/org/apache/catalina/servlets/DefaultServlet.java
+++ b/java/org/apache/catalina/servlets/DefaultServlet.java
@@ -271,6 +271,12 @@ public class DefaultServlet extends HttpServlet {
 */
 protected transient SortManager sortManager;
+ /**
+ * Flag that indicates whether partial PUTs are permitted.
+ */
+ private boolean allowPartialPut = true;
+
+
 // --------------------------------------------------------- Public Methods
 /**
@@ -371,6 +377,10 @@ public class DefaultServlet extends HttpServlet {
 sortManager = new SortManager(sortDirectoriesFirst);
 }
 }
+
+ if (getServletConfig().getInitParameter("allowPartialPut") != null) {
+ allowPartialPut = Boolean.parseBoolean(getServletConfig().getInitParameter("allowPartialPut"));
+ }
 }
 private CompressionFormat[] parseCompressionFormats(String precompressed, String gzip) {
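Review bot: The Javadoc on the new `allowPartialPut` field (DefaultServlet.java hunk at -271) does not say why the flag exists or what its default means: the initialiser `= true` keeps PUT-with-Range handling active unless a deployment opts out. I would expand the comment to something like `Flag that indicates whether partial PUTs are permitted. Defaults to true for backwards compatibility; RFC 7233 only defines Range for GET.` so that anyone hardening a deployment sees the opt-out at the place where the default is set.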
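Review bot: The block added in the DefaultServlet.java hunk at -371 looks up the `allowPartialPut` init parameter twice and passes it to `Boolean.parseBoolean`, which yields false for any value other than "true" (ignoring case), so a misspelt setting silently switches partial PUT off. That fails in the restrictive direction, but it deserves a mention in the parameter documentation, and reading the value once is tidier: `String value = getServletConfig().getInitParameter("allowPartialPut");` followed by `if (value != null) { allowPartialPut = Boolean.parseBoolean(value); }`. The enclosing method starts above the hunk, so whether its other parameters use the same double lookup is not visible here.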
@@ -1444,6 +1454,18 @@ public class DefaultServlet extends HttpServlet {
 HttpServletResponse response,
 WebResource resource) throws IOException {
+ if (!"GET".equals(request.getMethod())) {
+ // RFC 7233#3.1 clarifies the intention of RFC 2616 was to only
+ // allow Range headers on GET requests. However, many people
+ // incorrectly read RFC 2616#14.35.1 as allowing partial PUT and
+ // implemented. Tomcat was one such implementation. It is optionally
+ // allowed to retain compatibility with clients that use it.
+ if (!allowPartialPut || !"PUT".equals(request.getMethod())) {
+ return FULL;
+ }
+ }
+
+
 // Checking If-Range
 String headerValue = request.getHeader("If-Range");
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 3c2105c..14ab5f8 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -59,6 +59,12 @@
 When comparing a date from a <code>If-Range</code> header, an exact match is required. Based on a pull request by zhanhb. (markt)
 </fix>
+ <fix>
+ Add an option to the default servlet to disable processing of PUT
+ requests with Range headers as partial PUTs. The default behaviour
+ (processing as partial PUT) is unchanged. Based on a pull request by
+ zhanhb. (markt)
+ </fix>
 </changelog>
 </subsection>
 <subsection name="Coyote">
diff --git a/webapps/docs/default-servlet.xml b/webapps/docs/default-servlet.xml
index a515f73..cd7d30e 100644
--- a/webapps/docs/default-servlet.xml
+++ b/webapps/docs/default-servlet.xml
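Review bot: In the DefaultServlet.java hunk at -1444, the inner test `!allowPartialPut || !"PUT".equals(request.getMethod())` returns `FULL` for every method other than GET and PUT, whatever the option is set to. If HEAD or another method reaches this code, its Range header is now ignored, which neither the comment nor the changelog entry ("default behaviour ... is unchanged") mentions. That is in line with RFC 7233, but the comment should state it, e.g. `// Range is ignored for all methods except GET and, when allowPartialPut is true, PUT.` `request.getMethod()` is also evaluated twice; a local `String method = request.getMethod();` would read better. The enclosing method's signature begins above the hunk and its body continues below it.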
@@ -201,6 +201,11 @@ Tomcat.</p>
 <property name="sortDirectoriesFirst">
 Should the server list all directories before all files. [false]
 </property>
+ <property name="allowPartialPut">
+ Should the server treat an HTTP PUT request with a Range header as a
+ partial PUT? Note that RFC 7233 clarified that Range headers are only
+ valid for GET requests. [true]
+ </property>
 </properties>
 </section>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org