Posted to commits@cxf.apache.org by ff...@apache.org on 2019/05/21 13:27:28 UTC
[cxf] branch master updated: [CXF-8045]Disable HTTP TRACE method on
CXF http-undertow transport
This is an automated email from the ASF dual-hosted git repository.
ffang pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf.git
The following commit(s) were added to refs/heads/master by this push:
new a4f7ddc [CXF-8045]Disable HTTP TRACE method on CXF http-undertow transport
a4f7ddc is described below
commit a4f7ddc2b51a2cbe0eaebd74e8f56de2753133da
Author: Freeman Fang <fr...@gmail.com>
AuthorDate: Tue May 21 09:27:16 2019 -0400
[CXF-8045]Disable HTTP TRACE method on CXF http-undertow transport
---
.../apache/cxf/transport/http_undertow/UndertowHTTPHandler.java | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/rt/transports/http-undertow/src/main/java/org/apache/cxf/transport/http_undertow/UndertowHTTPHandler.java b/rt/transports/http-undertow/src/main/java/org/apache/cxf/transport/http_undertow/UndertowHTTPHandler.java
index dfcc060..0443488 100644
--- a/rt/transports/http-undertow/src/main/java/org/apache/cxf/transport/http_undertow/UndertowHTTPHandler.java
+++ b/rt/transports/http-undertow/src/main/java/org/apache/cxf/transport/http_undertow/UndertowHTTPHandler.java
@@ -21,6 +21,7 @@ package org.apache.cxf.transport.http_undertow;
import javax.servlet.ServletContext;
+import javax.servlet.http.HttpServletResponse;
import org.apache.cxf.Bus;
@@ -40,6 +41,7 @@ public class UndertowHTTPHandler implements HttpHandler {
private static final String SSL_CIPHER_SUITE_ATTRIBUTE = "javax.servlet.request.cipher_suite";
private static final String SSL_PEER_CERT_CHAIN_ATTRIBUTE = "javax.servlet.request.X509Certificate";
+ private static final String METHOD_TRACE = "TRACE";
protected UndertowHTTPDestination undertowHTTPDestination;
protected ServletContext servletContext;
@@ -97,7 +99,10 @@ public class UndertowHTTPHandler implements HttpHandler {
(ServletContextImpl)servletContext);
HttpServletRequestImpl request = new HttpServletRequestImpl(undertowExchange,
(ServletContextImpl)servletContext);
-
+ if (request.getMethod().equals(METHOD_TRACE)) {
+ response.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
+ return;
+ }
ServletRequestContext servletRequestContext = new ServletRequestContext(((ServletContextImpl)servletContext)
.getDeployment(), request, response, null);
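Review bot: The 405 set in the added TRACE guard goes out without an `Allow` header, which RFC 7231 section 6.5.5 requires on a 405 response; if the handler cannot enumerate the destination's supported methods at this point, a short comment should say so. The guard also carries no explanation of why TRACE is refused, so I would add `// TRACE, where served, echoes request headers (cookies, Authorization) back to the caller; refuse it before dispatch` above the `if`. The diffstat shows only this file changed, so nothing pins the new behaviour; a transport test that sends TRACE and asserts a 405 would keep it from regressing. The enclosing method starts and ends outside the hunk, so whether the early `return` skips cleanup or response completion done later in the method should be confirmed against the full file.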