Posted to dev@tomcat.apache.org by ma...@apache.org on 2019/07/01 20:16:46 UTC

[tomcat] 01/05: Make partial PUT processing optional but still enabled by default

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit bb497d62e1405c8ba56d1910672d8c476e0b8dba
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Mon Jul 1 13:28:31 2019 +0100

    Make partial PUT processing optional but still enabled by default
---
 conf/web.xml                                       |  5 +++++
 .../apache/catalina/servlets/DefaultServlet.java   | 22 ++++++++++++++++++++++
 webapps/docs/changelog.xml                         |  6 ++++++
 webapps/docs/default-servlet.xml                   |  5 +++++
 4 files changed, 38 insertions(+)

diff --git a/conf/web.xml b/conf/web.xml
index 4106441..9c0a248 100644
--- a/conf/web.xml
+++ b/conf/web.xml
@@ -104,6 +104,11 @@
   <!--   showServerInfo      Should server information be presented in the  -->
   <!--                       response sent to clients when directory        -->
   <!--                       listings is enabled? [true]                    -->
+  <!--                                                                      -->
+  <!--   allowPartialPut     Should the server treat an HTTP PUT request    -->
+  <!--                       with a Range header as a partial PUT? Note     -->
+  <!--                       that RFC 7233 clarified that Range headers are -->
+  <!--                       only valid for GET requests. [true]            -->
 
     <servlet>
         <servlet-name>default</servlet-name>
diff --git a/java/org/apache/catalina/servlets/DefaultServlet.java b/java/org/apache/catalina/servlets/DefaultServlet.java
index d5b9ab0..5ddfcb8 100644
--- a/java/org/apache/catalina/servlets/DefaultServlet.java
+++ b/java/org/apache/catalina/servlets/DefaultServlet.java
@@ -271,6 +271,12 @@ public class DefaultServlet extends HttpServlet {
      */
     protected transient SortManager sortManager;
 
+    /**
+     * Flag that indicates whether partial PUTs are permitted.
+     */
+    private boolean allowPartialPut = true;
+
+
     // --------------------------------------------------------- Public Methods
 
     /**
@@ -371,6 +377,10 @@ public class DefaultServlet extends HttpServlet {
                 sortManager = new SortManager(sortDirectoriesFirst);
             }
         }
+
+        if (getServletConfig().getInitParameter("allowPartialPut") != null) {
+            allowPartialPut = Boolean.parseBoolean(getServletConfig().getInitParameter("allowPartialPut"));
+        }
     }
 
     private CompressionFormat[] parseCompressionFormats(String precompressed, String gzip) {
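Review bot: The `allowPartialPut` init parameter is looked up twice and parsed with `Boolean.parseBoolean`, which maps every value other than a case-insensitive "true" to false, so a misspelt value switches partial PUT off without any indication. Failing towards the restrictive setting is the safer direction, but a single lookup reads better and leaves a place to log an unrecognised value: `String value = getServletConfig().getInitParameter("allowPartialPut");` followed by `if (value != null) { allowPartialPut = Boolean.parseBoolean(value); }`. The enclosing method starts outside this hunk, so the double lookup may simply mirror how the other parameters are read there.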
@@ -1444,6 +1454,18 @@ public class DefaultServlet extends HttpServlet {
             HttpServletResponse response,
             WebResource resource) throws IOException {
 
+        if (!"GET".equals(request.getMethod())) {
+            // RFC 7233#3.1 clarifies the intention of RFC 2616 was to only
+            // allow Range headers on GET requests. However, many people
+            // incorrectly read RFC 2616#14.35.1 as allowing partial PUT and
+            // implemented. Tomcat was one such implementation. It is optionally
+            // allowed to retain compatibility with clients that use it.
+            if (!allowPartialPut || !"PUT".equals(request.getMethod())) {
+                return FULL;
+            }
+        }
+
+
         // Checking If-Range
         String headerValue = request.getHeader("If-Range");
 
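Review bot: The guard sits ahead of the If-Range/Range handling, yet a partial PUT is normally signalled by a Content-Range header on the request (RFC 7231 section 4.3.4 covers that case), so this hunk alone does not show that `allowPartialPut=false` stops a partial write. If the PUT handler reads Content-Range in a different method, that method needs the same flag check, otherwise the option has no effect on the behaviour it is named after. With the flag off the code answers `return FULL;`, which presumably means the Range header is silently ignored; a comment such as `// Range ignored: request is processed as if no Range header was sent` would make that explicit. A test with the option disabled should assert that a ranged PUT cannot modify part of an existing resource. The enclosing method begins and ends outside the hunk.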
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 3c2105c..14ab5f8 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -59,6 +59,12 @@
         When comparing a date from a <code>If-Range</code> header, an exact
         match is required. Based on a pull request by zhanhb. (markt)
       </fix>
+      <fix>
+        Add an option to the default servlet to disable processing of PUT
+        requests with Range headers as partial PUTs. The default behaviour
+        (processing as partial PUT) is unchanged. Based on a pull request by
+        zhanhb. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Coyote">
diff --git a/webapps/docs/default-servlet.xml b/webapps/docs/default-servlet.xml
index a515f73..cd7d30e 100644
--- a/webapps/docs/default-servlet.xml
+++ b/webapps/docs/default-servlet.xml
@@ -201,6 +201,11 @@ Tomcat.</p>
   <property name="sortDirectoriesFirst">
         Should the server list all directories before all files. [false]
   </property>
+  <property name="allowPartialPut">
+        Should the server treat an HTTP PUT request with a Range header as a
+        partial PUT? Note that RFC 7233 clarified that Range headers are only
+        valid for GET requests. [true]
+  </property>
 </properties>
 </section>
 

