You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2011/10/10 17:46:51 UTC

svn commit: r1181030 - in /tomcat/tc7.0.x/trunk: ./ java/org/apache/catalina/authenticator/FormAuthenticator.java java/org/apache/catalina/authenticator/LocalStrings.properties webapps/docs/changelog.xml

Author: markt
Date: Mon Oct 10 15:46:51 2011
New Revision: 1181030

URL: http://svn.apache.org/viewvc?rev=1181030&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=51940
Don't limit saving of request bodies during FORM authentication to POST requests since any HTTP method may include a body.
Based on a patch by Nicholas Sushkin

Modified:
    tomcat/tc7.0.x/trunk/   (props changed)
    tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java
    tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/LocalStrings.properties
    tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml

Propchange: tomcat/tc7.0.x/trunk/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Mon Oct 10 15:46:51 2011
@@ -1 +1 @@
-/tomcat/trunk:1156115,1156171,1156276,1156304,1156519,1156530,1156602,1157015,1157018,1157151,1157198,1157204,1157810,1157832,1157834,1157847,1157908,1157939,1158155,1158160,1158176,1158195,1158198-1158199,1158227,1158331,1158334-1158335,1158426,1160347,1160592,1160611,1160619,1160626,1160639,1160652,1160720-1160721,1160772,1160774,1160776,1161303,1161310,1161322,1161339,1161486,1161540,1161549,1161584,1162082,1162149,1162169,1162721,1162769,1162836,1162932,1163630,1164419,1164438,1164469,1164480,1164567,1165234,1165247-1165248,1165253,1165273,1165282,1165309,1165331,1165338,1165347,1165360-1165361,1165367-1165368,1165602,1165608,1165677,1165693,1165721,1165723,1165728,1165730,1165738,1165746,1165765,1165777,1165918,1165921,1166077,1166150-1166151,1166290,1166366,1166620,1166686,1166752,1166757,1167368,1167394,1169447,1170647,1171692,1172233-1172234,1172236,1172269,1172278,1172282,1172610,1172664,1172689,1172711,1173020-1173021,1173082,1173088,1173090,1173096,1173241,1173256
 ,1173288,1173333,1173342,1173461,1173614,1173630,1173659,1173722,1174061,1174239,1174322,1174325,1174329-1174330,1174337-1174339,1174343,1174353,1174799,1174882,1174884,1174983,1175155,1175158,1175167,1175182,1175190,1175201,1175272,1175275,1175283,1175582,1175589-1175590,1175594,1175602,1175613,1175633,1175690,1175713,1175889,1175896,1175907,1176584,1176590,1176799,1177050,1177060,1177125,1177152,1177160,1177245,1177850,1177862,1177978,1178209,1178228,1178233,1178449,1178542,1178681,1178721,1180261,1180907
+/tomcat/trunk:1156115,1156171,1156276,1156304,1156519,1156530,1156602,1157015,1157018,1157151,1157198,1157204,1157810,1157832,1157834,1157847,1157908,1157939,1158155,1158160,1158176,1158195,1158198-1158199,1158227,1158331,1158334-1158335,1158426,1160347,1160592,1160611,1160619,1160626,1160639,1160652,1160720-1160721,1160772,1160774,1160776,1161303,1161310,1161322,1161339,1161486,1161540,1161549,1161584,1162082,1162149,1162169,1162721,1162769,1162836,1162932,1163630,1164419,1164438,1164469,1164480,1164567,1165234,1165247-1165248,1165253,1165273,1165282,1165309,1165331,1165338,1165347,1165360-1165361,1165367-1165368,1165602,1165608,1165677,1165693,1165721,1165723,1165728,1165730,1165738,1165746,1165765,1165777,1165918,1165921,1166077,1166150-1166151,1166290,1166366,1166620,1166686,1166752,1166757,1167368,1167394,1169447,1170647,1171692,1172233-1172234,1172236,1172269,1172278,1172282,1172610,1172664,1172689,1172711,1173020-1173021,1173082,1173088,1173090,1173096,1173241,1173256
 ,1173288,1173333,1173342,1173461,1173614,1173630,1173659,1173722,1174061,1174239,1174322,1174325,1174329-1174330,1174337-1174339,1174343,1174353,1174799,1174882,1174884,1174983,1175155,1175158,1175167,1175182,1175190,1175201,1175272,1175275,1175283,1175582,1175589-1175590,1175594,1175602,1175613,1175633,1175690,1175713,1175889,1175896,1175907,1176584,1176590,1176799,1177050,1177060,1177125,1177152,1177160,1177245,1177850,1177862,1177978,1178209,1178228,1178233,1178449,1178542,1178681,1178721,1180261,1180907,1181028

Modified: tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java?rev=1181030&r1=1181029&r2=1181030&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java Mon Oct 10 15:46:51 2011
@@ -368,6 +368,16 @@ public class FormAuthenticator
             HttpServletResponse response, LoginConfig config)
             throws IOException {
         
+        if (log.isDebugEnabled()) {
+            log.debug(sm.getString("formAuthenticator.forwardLogin",
+                    request.getRequestURI(), request.getMethod(),
+                    config.getLoginPage(),
+                    context.getServletContext().getContextPath()));
+        }
+
+        // Always use GET for the login page, regardless of the method used
+        request.getCoyoteRequest().method().setString("GET");
+
         String loginPage = config.getLoginPage();
         if (loginPage == null || loginPage.length() == 0) {
             String msg = sm.getString("formAuthenticator.noLoginPage",
@@ -535,27 +545,27 @@ public class FormAuthenticator
             // Ignore request body
         }
         
-        if ("POST".equalsIgnoreCase(saved.getMethod())) {
-            ByteChunk body = saved.getBody();
-            
-            if (body != null) {
-                request.getCoyoteRequest().action
-                    (ActionCode.REQ_SET_BODY_REPLAY, body);
-    
-                // Set content type
-                MessageBytes contentType = MessageBytes.newInstance();
-                
-                //If no content type specified, use default for POST
-                String savedContentType = saved.getContentType();
-                if (savedContentType == null) {
-                    savedContentType = "application/x-www-form-urlencoded";
-                }
+        ByteChunk body = saved.getBody();
+        String method = saved.getMethod();
+        
+        if (body != null) {
+            request.getCoyoteRequest().action
+                (ActionCode.REQ_SET_BODY_REPLAY, body);
 
-                contentType.setString(savedContentType);
-                request.getCoyoteRequest().setContentType(contentType);
+            // Set content type
+            MessageBytes contentType = MessageBytes.newInstance();
+            
+            // If no content type specified, use default for POST
+            String savedContentType = saved.getContentType();
+            if (savedContentType == null && "POST".equalsIgnoreCase(method)) {
+                savedContentType = "application/x-www-form-urlencoded";
             }
+
+            contentType.setString(savedContentType);
+            request.getCoyoteRequest().setContentType(contentType);
         }
-        request.getCoyoteRequest().method().setString(saved.getMethod());
+
+        request.getCoyoteRequest().method().setString(method);
 
         request.getCoyoteRequest().queryString().setString
             (saved.getQueryString());
@@ -599,20 +609,22 @@ public class FormAuthenticator
             saved.addLocale(locale);
         }
 
-        if ("POST".equalsIgnoreCase(request.getMethod())) {
-            // May need to acknowledge a 100-continue expectation
-            request.getResponse().sendAcknowledgement();
-
-            ByteChunk body = new ByteChunk();
-            body.setLimit(request.getConnector().getMaxSavePostSize());
-
-            byte[] buffer = new byte[4096];
-            int bytesRead;
-            InputStream is = request.getInputStream();
-        
-            while ( (bytesRead = is.read(buffer) ) >= 0) {
-                body.append(buffer, 0, bytesRead);
-            }
+        // May need to acknowledge a 100-continue expectation
+        request.getResponse().sendAcknowledgement();
+
+        ByteChunk body = new ByteChunk();
+        body.setLimit(request.getConnector().getMaxSavePostSize());
+
+        byte[] buffer = new byte[4096];
+        int bytesRead;
+        InputStream is = request.getInputStream();
+    
+        while ( (bytesRead = is.read(buffer) ) >= 0) {
+            body.append(buffer, 0, bytesRead);
+        }
+
+        // Only save the request body if there is somethign to save
+        if (body.getLength() > 0) {
             saved.setContentType(request.getContentType());
             saved.setBody(body);
         }

Modified: tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/LocalStrings.properties
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/LocalStrings.properties?rev=1181030&r1=1181029&r2=1181030&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/LocalStrings.properties (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/LocalStrings.properties Mon Oct 10 15:46:51 2011
@@ -31,6 +31,7 @@ authenticator.userDataConstraint=This re
 digestAuthenticator.cacheRemove=A valid entry has been removed from client nonce cache to make room for new entries. A replay attack is now possible. To prevent the possibility of replay attacks, reduce nonceValidity or increase cnonceCacheSize. Further warnings of this type will be suppressed for 5 minutes.
  
 formAuthenticator.forwardErrorFail=Unexpected error forwarding to error page
+formAuthenticator.forwardLogin=Forwarding request for [{0}] made with method [{1}] to login page [{2}] of context [{3}] using request method GET  
 formAuthenticator.forwardLoginFail=Unexpected error forwarding to login page
 formAuthenticator.noErrorPage=No error page was defined for FORM authentication in context [{0}]
 formAuthenticator.noLoginPage=No login page was defined for FORM authentication in context [{0}]

Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1181030&r1=1181029&r2=1181030&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Mon Oct 10 15:46:51 2011
@@ -61,6 +61,11 @@
         are being used without the CometConnectionManagerValve. (markt)
       </fix>
       <fix>
+        <bug>51940</bug>: Do not limit saving of request bodies during FORM
+        authentication to POST requests since any HTTP method may include a
+        request body. Based on a patch by Nicholas Sushkin. (markt)
+      </fix>
+      <fix>
         <bug>51956</bug>: RemoteAddrFilter used getRemoteHost instead of
         getRemoteAddr when filtering Comet events. (schultz)
       </fix>



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org