Posted to dev@tomcat.apache.org by bu...@apache.org on 2015/02/04 15:07:25 UTC

[Bug 57534] New: CorsFilter.SIMPLE_HTTP_REQUEST_CONTENT_TYPE_VALUES check shall ignore content-type parameters

https://issues.apache.org/bugzilla/show_bug.cgi?id=57534

            Bug ID: 57534
           Summary: CorsFilter.SIMPLE_HTTP_REQUEST_CONTENT_TYPE_VALUES
                    check shall ignore content-type parameters
           Product: Tomcat 7
           Version: 7.0.59
          Hardware: PC
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: knst.kolinko@gmail.com

In CorsFilter of trunk

starting with line 1030:
[[[
    /**
     * {@link Collection} of Simple HTTP request headers. Case in-sensitive.
     *
     * @see  <a href="http://www.w3.org/TR/cors/#terminology"
     *       >http://www.w3.org/TR/cors/#terminology</a>
     */
    public static final Collection<String> SIMPLE_HTTP_REQUEST_CONTENT_TYPE_VALUES =
            new HashSet<>(Arrays.asList("application/x-www-form-urlencoded",
                    "multipart/form-data", "text/plain"));
]]]

starting with line 641:
[[[
                    } else if ("POST".equals(method)) {
                        String contentType = request.getContentType();
                        if (contentType != null) {
                            contentType = contentType.toLowerCase().trim();
                            if (SIMPLE_HTTP_REQUEST_CONTENT_TYPE_VALUES
                                    .contains(contentType)) {
                                requestType = CORSRequestType.SIMPLE;
                            } else {
                                requestType = CORSRequestType.ACTUAL;
                            }
                        }
                    } else {
]]]

According to w3.org "Terminology" link above,
1) Javadoc for SIMPLE_HTTP_REQUEST_CONTENT_TYPE_VALUES is a bit off
(copy-pasted from another field). It is actually a collection of mime-type
values for Content-Type header so that this header is treated as a "simple
header".

2) The check using SIMPLE_HTTP_REQUEST_CONTENT_TYPE_VALUES shall ignore any
parameters that may be present in Content-Type header value.

E.g. "Content-Type: application/x-www-form-urlencoded; charset=UTF-8" shall
match successfully.

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


[Bug 57534] CorsFilter.SIMPLE_HTTP_REQUEST_CONTENT_TYPE_VALUES check shall ignore content-type parameters

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=57534

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 OS|                            |All

--- Comment #1 from Mark Thomas <ma...@apache.org> ---
This has the potential to get expensive performance-wise. Parsing mime-types
from a content-type header is non-trivial but we do have
o.a.tomcat.util.http.parser.MediaType and MediaTypeCache



[Bug 57534] CorsFilter.SIMPLE_HTTP_REQUEST_CONTENT_TYPE_VALUES check shall ignore content-type parameters

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=57534

--- Comment #2 from Konstantin Kolinko <kn...@gmail.com> ---
Parsing is needed when you need the value of a parameter (e.g. charset).

In this case just trimming at the first ';' is OK.



[Bug 57534] CorsFilter.SIMPLE_HTTP_REQUEST_CONTENT_TYPE_VALUES check shall ignore content-type parameters

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=57534

--- Comment #3 from Mark Thomas <ma...@apache.org> ---
You are right.

When I first looked at this I started to look at how the request content-type
header was parsed and that has some issues that would need
o.a.tomcat.util.http.parser.MediaType to solve but that isn't required for this
specific usage.



[Bug 57534] CorsFilter.SIMPLE_HTTP_REQUEST_CONTENT_TYPE_VALUES check shall ignore content-type parameters

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=57534

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #4 from Mark Thomas <ma...@apache.org> ---
Fixed in trunk, 8.0.x (for 8.0.19 onwards) and 7.0.x (for 7.0.60 onwards)
