From: markt Date: Mon, 10 Oct 2011 15:44:14 +0000 (+0000) Subject: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=51940 X-Git-Url: https://git.internetallee.de/?a=commitdiff_plain;h=b27a00709f7bc5bb74a36632a53aee9165a70d68;p=tomcat7.0 Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=51940 Don't limit saving of request bodies during FORM authentication to POST requests since any HTTP method may include a body. Based on a patch by Nicholas Sushkin git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1181028 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/java/org/apache/catalina/authenticator/FormAuthenticator.java b/java/org/apache/catalina/authenticator/FormAuthenticator.java
index a6b874d27..751028e82 100644
--- a/java/org/apache/catalina/authenticator/FormAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/FormAuthenticator.java
@@ -368,6 +368,16 @@ public class FormAuthenticator
 HttpServletResponse response, LoginConfig config)
 throws IOException {
+ if (log.isDebugEnabled()) {
+ log.debug(sm.getString("formAuthenticator.forwardLogin",
+ request.getRequestURI(), request.getMethod(),
+ config.getLoginPage(),
+ context.getServletContext().getContextPath()));
+ }
+
+ // Always use GET for the login page, regardless of the method used
+ request.getCoyoteRequest().method().setString("GET");
+
 String loginPage = config.getLoginPage();
 if (loginPage == null || loginPage.length() == 0) {
 String msg = sm.getString("formAuthenticator.noLoginPage",
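Review bot: `request.getCoyoteRequest().method().setString("GET");` runs before the login page is validated on the lines that follow it, so a context whose `loginPage` is null or empty has its request method rewritten and then fails with `formAuthenticator.noLoginPage`; moving the override below that check keeps the error path free of side effects. The comment above the override should also say where the original method goes, e.g. `// The original method is kept in the SavedRequest and put back when the saved request is restored`, since a reader of this method alone cannot see that. The new debug line echoes the client-supplied request URI and method, so anything that aggregates these logs should treat those fields as untrusted. The enclosing method's signature begins above this hunk and its body continues past it.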
@@ -535,27 +545,27 @@ public class FormAuthenticator
 // Ignore request body
 }
- if ("POST".equalsIgnoreCase(saved.getMethod())) {
- ByteChunk body = saved.getBody();
-
- if (body != null) {
- request.getCoyoteRequest().action
- (ActionCode.REQ_SET_BODY_REPLAY, body);
-
- // Set content type
- MessageBytes contentType = MessageBytes.newInstance();
-
- //If no content type specified, use default for POST
- String savedContentType = saved.getContentType();
- if (savedContentType == null) {
- savedContentType = "application/x-www-form-urlencoded";
- }
+ ByteChunk body = saved.getBody();
+ String method = saved.getMethod();
+
+ if (body != null) {
+ request.getCoyoteRequest().action
+ (ActionCode.REQ_SET_BODY_REPLAY, body);
- contentType.setString(savedContentType);
- request.getCoyoteRequest().setContentType(contentType);
+ // Set content type
+ MessageBytes contentType = MessageBytes.newInstance();
+
+ // If no content type specified, use default for POST
+ String savedContentType = saved.getContentType();
+ if (savedContentType == null && "POST".equalsIgnoreCase(method)) {
+ savedContentType = "application/x-www-form-urlencoded";
 }
+
+ contentType.setString(savedContentType);
+ request.getCoyoteRequest().setContentType(contentType);
 }
- request.getCoyoteRequest().method().setString(saved.getMethod());
+
+ request.getCoyoteRequest().method().setString(method);
 request.getCoyoteRequest().queryString().setString
 (saved.getQueryString());
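Review bot: For a non-POST saved body with no saved content type, `savedContentType` stays null and `contentType.setString(savedContentType)` is still handed to `setContentType`, a case the old POST-only code never reached because it always filled in a default; whether the coyote request tolerates a null-typed MessageBytes cannot be confirmed from this hunk, so guard it: `if (savedContentType != null) { contentType.setString(savedContentType); request.getCoyoteRequest().setContentType(contentType); }`. Since method, body, content type and query string of the first post-login request are now all taken from the session-held SavedRequest for any method, the enclosing method's Javadoc should state that the saved request is the authoritative source for the replayed request, and that the form-urlencoded default applies to POST only. The enclosing method begins before this hunk and ends after it.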
@@ -599,20 +609,22 @@ public class FormAuthenticator
 saved.addLocale(locale);
 }
- if ("POST".equalsIgnoreCase(request.getMethod())) {
- // May need to acknowledge a 100-continue expectation
- request.getResponse().sendAcknowledgement();
+ // May need to acknowledge a 100-continue expectation
+ request.getResponse().sendAcknowledgement();
- ByteChunk body = new ByteChunk();
- body.setLimit(request.getConnector().getMaxSavePostSize());
+ ByteChunk body = new ByteChunk();
+ body.setLimit(request.getConnector().getMaxSavePostSize());
- byte[] buffer = new byte[4096];
- int bytesRead;
- InputStream is = request.getInputStream();
-
- while ( (bytesRead = is.read(buffer) ) >= 0) {
- body.append(buffer, 0, bytesRead);
- }
+ byte[] buffer = new byte[4096];
+ int bytesRead;
+ InputStream is = request.getInputStream();
+
+ while ( (bytesRead = is.read(buffer) ) >= 0) {
+ body.append(buffer, 0, bytesRead);
+ }
+
+ // Only save the request body if there is somethign to save
+ if (body.getLength() > 0) {
 saved.setContentType(request.getContentType());
 saved.setBody(body);
 }
diff --git a/java/org/apache/catalina/authenticator/LocalStrings.properties b/java/org/apache/catalina/authenticator/LocalStrings.properties
index 98d68b6fa..e0f5ae8a5 100644
--- a/java/org/apache/catalina/authenticator/LocalStrings.properties
+++ b/java/org/apache/catalina/authenticator/LocalStrings.properties
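Review bot: The comment introduced above the new guard, `// Only save the request body if there is somethign to save`, misspells its key word and should read `// Only save the request body if there is something to save`. `request.getResponse().sendAcknowledgement()` is now called for every saved request rather than only for POSTs; that is only safe if the response layer itself checks for an `Expect: 100-continue` header before writing anything, which cannot be confirmed from this hunk and deserves a short comment once verified. The read loop is bounded by `body.setLimit(request.getConnector().getMaxSavePostSize())` for every method now, so the memory held per session in the SavedRequest is governed by that connector setting regardless of method; that is worth a sentence in the enclosing method's Javadoc, which sits outside the hunk, as does the rest of the method.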
@@ -31,6 +31,7 @@ authenticator.userDataConstraint=This request violates a User Data constraint fo
 digestAuthenticator.cacheRemove=A valid entry has been removed from client nonce cache to make room for new entries. A replay attack is now possible. To prevent the possibility of replay attacks, reduce nonceValidity or increase cnonceCacheSize. Further warnings of this type will be suppressed for 5 minutes.
 formAuthenticator.forwardErrorFail=Unexpected error forwarding to error page
+formAuthenticator.forwardLogin=Forwarding request for [{0}] made with method [{1}] to login page [{2}] of context [{3}] using request method GET
 formAuthenticator.forwardLoginFail=Unexpected error forwarding to login page
 formAuthenticator.noErrorPage=No error page was defined for FORM authentication in context [{0}]
 formAuthenticator.noLoginPage=No login page was defined for FORM authentication in context [{0}]