You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2015/02/04 10:31:02 UTC

svn commit: r1657041 - /tomcat/trunk/java/org/apache/catalina/filters/CorsFilter.java

Author: markt
Date: Wed Feb  4 09:31:02 2015
New Revision: 1657041

URL: http://svn.apache.org/r1657041
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=57180
Additional fix. Do not attempt to enumerate valid HTTP methods.

Modified:
    tomcat/trunk/java/org/apache/catalina/filters/CorsFilter.java

Modified: tomcat/trunk/java/org/apache/catalina/filters/CorsFilter.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/filters/CorsFilter.java?rev=1657041&r1=1657040&r2=1657041&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/filters/CorsFilter.java (original)
+++ tomcat/trunk/java/org/apache/catalina/filters/CorsFilter.java Wed Feb  4 09:31:02 2015
@@ -338,8 +338,7 @@ public final class CorsFilter implements
         // Section 6.2.3
         String accessControlRequestMethod = request.getHeader(
                 CorsFilter.REQUEST_HEADER_ACCESS_CONTROL_REQUEST_METHOD);
-        if (accessControlRequestMethod == null ||
-                !HTTP_METHODS.contains(accessControlRequestMethod.trim())) {
+        if (accessControlRequestMethod == null) {
             handleInvalidCORS(request, response, filterChain);
             return;
         } else {
@@ -623,7 +622,7 @@ public final class CorsFilter implements
                 requestType = CORSRequestType.INVALID_CORS;
             } else {
                 String method = request.getMethod();
-                if (method != null && HTTP_METHODS.contains(method)) {
+                if (method != null) {
                     if ("OPTIONS".equals(method)) {
                         String accessControlRequestMethodHeader =
                                 request.getHeader(
@@ -1030,14 +1029,13 @@ public final class CorsFilter implements
 
     /**
      * {@link Collection} of HTTP methods. Case sensitive.
-     *
-     * @see  <a href="http://tools.ietf.org/html/rfc2616#section-5.1.1"
-     *       >http://tools.ietf.org/html/rfc2616#section-5.1.1</a>
-     *
+     * @deprecated Not used. Will be removed in Tomcat 9.0.x onwards.
      */
+    @Deprecated
     public static final Collection<String> HTTP_METHODS =
             new HashSet<>(Arrays.asList("OPTIONS", "GET", "HEAD", "POST", "PUT",
                     "DELETE", "TRACE", "CONNECT"));
+
     /**
      * {@link Collection} of Simple HTTP methods. Case sensitive.
      *



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org