Posted to dev@tomcat.apache.org by ma...@apache.org on 2022/08/01 16:38:31 UTC
[tomcat] branch 9.0.x updated: Do not include sensitive headers in responses to HTTP TRACE requests
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push:
new 2e447ae82e Do not include sensitive headers in responses to HTTP TRACE requests
2e447ae82e is described below
commit 2e447ae82eccaa8ea5a52de57e0b2be8cd0a148e
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Mon Aug 1 17:36:18 2022 +0100
Do not include sensitive headers in responses to HTTP TRACE requests
This is a requirement of RFC 7231, section 4.3.8.
---
java/javax/servlet/http/HttpServlet.java | 22 ++++++++++++++++++----
test/javax/servlet/http/TestHttpServlet.java | 8 ++++++++
webapps/docs/changelog.xml | 4 ++++
3 files changed, 30 insertions(+), 4 deletions(-)
diff --git a/java/javax/servlet/http/HttpServlet.java b/java/javax/servlet/http/HttpServlet.java
index 99906002b6..3ee5fa6abe 100644
--- a/java/javax/servlet/http/HttpServlet.java
+++ b/java/javax/servlet/http/HttpServlet.java
@@ -25,7 +25,10 @@ import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.text.MessageFormat;
import java.util.Enumeration;
+import java.util.HashSet;
+import java.util.Locale;
import java.util.ResourceBundle;
+import java.util.Set;
import javax.servlet.AsyncEvent;
import javax.servlet.AsyncListener;
@@ -93,6 +96,14 @@ public abstract class HttpServlet extends GenericServlet {
private static final String LSTRING_FILE = "javax.servlet.http.LocalStrings";
private static final ResourceBundle lStrings = ResourceBundle.getBundle(LSTRING_FILE);
+ private static final Set<String> SENSITIVE_HTTP_HEADERS = new HashSet<>();
+
+
+ static {
+ SENSITIVE_HTTP_HEADERS.add("cookie");
+ SENSITIVE_HTTP_HEADERS.add("www-authenticate");
+ }
+
/**
* Does nothing, because this is an abstract class.
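Review bot: The set populated in the static block at lines 40-43 omits the request headers that actually carry credentials, `Authorization` and `Proxy-Authorization` (RFC 7235), so a TRACE response still echoes them, while `WWW-Authenticate` is a response header that a client would not normally send. RFC 7231 4.3.8 asks the final recipient to exclude any request header field likely to contain sensitive data, with user credentials as its first example, so the block should at least add `SENSITIVE_HTTP_HEADERS.add("authorization");` and `SENSITIVE_HTTP_HEADERS.add("proxy-authorization");`. The same omission reaches the membership check in the doTrace hunk further down in this file. A static `HashSet` is also left mutable; if the extra import is acceptable, holding it behind `Collections.unmodifiableSet` would make the read-only intent explicit.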
@@ -599,10 +610,13 @@ public abstract class HttpServlet extends GenericServlet {
while (reqHeaderNames.hasMoreElements()) {
String headerName = reqHeaderNames.nextElement();
- Enumeration<String> headerValues = req.getHeaders(headerName);
- while (headerValues.hasMoreElements()) {
- String headerValue = headerValues.nextElement();
- buffer.append(CRLF).append(headerName).append(": ").append(headerValue);
+ // RFC 7231, 4.3.8 - skip 'sensitive' headers
+ if (!SENSITIVE_HTTP_HEADERS.contains(headerName.toLowerCase(Locale.ENGLISH))) {
+ Enumeration<String> headerValues = req.getHeaders(headerName);
+ while (headerValues.hasMoreElements()) {
+ String headerValue = headerValues.nextElement();
+ buffer.append(CRLF).append(headerName).append(": ").append(headerValue);
+ }
}
}
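Review bot: The new `if` at line 55 wraps the entire loop body and adds a nesting level for what is a skip condition; inverting it into a guard keeps the loop flat and matches the comment above it, e.g. `if (SENSITIVE_HTTP_HEADERS.contains(headerName.toLowerCase(Locale.ENGLISH))) { continue; }` followed by the unchanged value loop, dropping the closing brace at line 61. The comment at line 54 could also say why the name is lowercased, e.g. `// header field names are case-insensitive, so match on the lower-cased name`. The enclosing doTrace method starts and ends outside this hunk.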
diff --git a/test/javax/servlet/http/TestHttpServlet.java b/test/javax/servlet/http/TestHttpServlet.java
index 39f3707800..4e683b0a15 100644
--- a/test/javax/servlet/http/TestHttpServlet.java
+++ b/test/javax/servlet/http/TestHttpServlet.java
@@ -20,6 +20,7 @@ import java.io.IOException;
import java.io.PrintWriter;
import java.util.HashMap;
import java.util.List;
+import java.util.Locale;
import java.util.Map;
import javax.servlet.AsyncContext;
@@ -315,6 +316,8 @@ public class TestHttpServlet extends TomcatBaseTest {
"Host: localhost:" + getPort() + SimpleHttpClient.CRLF +
"X-aaa: a1, a2" + SimpleHttpClient.CRLF +
"X-aaa: a3" + SimpleHttpClient.CRLF +
+ "Cookie: c1-v1" + SimpleHttpClient.CRLF +
+ "WWW-Authenticate: not-a-real-credential" + SimpleHttpClient.CRLF +
SimpleHttpClient.CRLF});
client.setUseContentLength(true);
@@ -328,9 +331,14 @@ public class TestHttpServlet extends TomcatBaseTest {
Assert.assertTrue(client.getResponseLine(), client.isResponse200());
// Far from perfect but good enough
+ body = body.toLowerCase(Locale.ENGLISH);
Assert.assertTrue(body.contains("a1"));
Assert.assertTrue(body.contains("a2"));
Assert.assertTrue(body.contains("a3"));
+ // Sensitive headers (cookies, WWW-Authenticate) must not be reflected
+ // (since RFC 7231)
+ Assert.assertFalse(body.contains("cookie"));
+ Assert.assertFalse(body.contains("www-authenticate"));
client.disconnect();
}
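Review bot: The assertions added at lines 91-92 only check that the header names are absent from the lower-cased body; the values sent at lines 78-79 (`c1-v1`, `not-a-real-credential`) are never asserted on, so a regression that dropped the name but still reflected the value would pass. Add `Assert.assertFalse(body.contains("c1-v1"));` and `Assert.assertFalse(body.contains("not-a-real-credential"));` next to the existing checks. The enclosing test method starts outside this hunk.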
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index b4962dea2e..7e428939e8 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -111,6 +111,10 @@
Correct handling of HTTP TRACE requests where there are multiple
instances of an HTTP header with the same name. (markt)
</fix>
+ <fix>
+ Implement the requirements of RFC 7231 and do not include sensitive
+ headers in responses to HTTP TRACE requests. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Coyote">