Posted to commits@cxf.apache.org by ff...@apache.org on 2019/05/21 13:27:28 UTC

[cxf] branch master updated: [CXF-8045]Disable HTTP TRACE method on CXF http-undertow transport

This is an automated email from the ASF dual-hosted git repository.

ffang pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf.git


The following commit(s) were added to refs/heads/master by this push:
     new a4f7ddc  [CXF-8045]Disable HTTP TRACE method on CXF http-undertow transport
a4f7ddc is described below

commit a4f7ddc2b51a2cbe0eaebd74e8f56de2753133da
Author: Freeman Fang <fr...@gmail.com>
AuthorDate: Tue May 21 09:27:16 2019 -0400

    [CXF-8045]Disable HTTP TRACE method on CXF http-undertow transport
---
 .../apache/cxf/transport/http_undertow/UndertowHTTPHandler.java    | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/rt/transports/http-undertow/src/main/java/org/apache/cxf/transport/http_undertow/UndertowHTTPHandler.java b/rt/transports/http-undertow/src/main/java/org/apache/cxf/transport/http_undertow/UndertowHTTPHandler.java
index dfcc060..0443488 100644
--- a/rt/transports/http-undertow/src/main/java/org/apache/cxf/transport/http_undertow/UndertowHTTPHandler.java
+++ b/rt/transports/http-undertow/src/main/java/org/apache/cxf/transport/http_undertow/UndertowHTTPHandler.java
@@ -21,6 +21,7 @@ package org.apache.cxf.transport.http_undertow;
 
 
 import javax.servlet.ServletContext;
+import javax.servlet.http.HttpServletResponse;
 
 import org.apache.cxf.Bus;
 
@@ -40,6 +41,7 @@ public class UndertowHTTPHandler implements HttpHandler {
 
     private static final String SSL_CIPHER_SUITE_ATTRIBUTE = "javax.servlet.request.cipher_suite";
     private static final String SSL_PEER_CERT_CHAIN_ATTRIBUTE = "javax.servlet.request.X509Certificate";
+    private static final String METHOD_TRACE = "TRACE";
 
     protected UndertowHTTPDestination undertowHTTPDestination;
     protected ServletContext servletContext;
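Review bot: METHOD_TRACE is introduced without a comment saying why this handler singles out one HTTP method, so the rationale only survives in the commit title; a one-line Javadoc above the constant such as `/** TRACE is refused with 405: it echoes the request, headers included, back to the client (CXF-8045). */` would keep the reason next to the code. Undertow also ships the method as an HttpString constant (`io.undertow.util.Methods.TRACE`), so the check could compare `undertowExchange.getRequestMethod()` against it before the servlet wrappers are built, which would make this String constant unnecessary; that comparison lives in the later hunk of this file, whose end is outside this view. If the String form is kept, the constant's `private static final` declaration as written is the right visibility.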
@@ -97,7 +99,10 @@ public class UndertowHTTPHandler implements HttpHandler {
                                                                            (ServletContextImpl)servletContext);
             HttpServletRequestImpl request = new HttpServletRequestImpl(undertowExchange,
                                                                         (ServletContextImpl)servletContext);
-
+            if (request.getMethod().equals(METHOD_TRACE)) {
+                response.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
+                return;
+            }
             ServletRequestContext servletRequestContext = new ServletRequestContext(((ServletContextImpl)servletContext)
                 .getDeployment(), request, response, null);