Author: remy.maucherat(a)jboss.com
Date: 2013-07-04 10:27:16 -0400 (Thu, 04 Jul 2013)
New Revision: 2228
Modified:
branches/8.0.x/src/main/java/org/apache/jasper/servlet/JspServlet.java
branches/8.0.x/src/main/java/org/jboss/web/JasperMessages.java
Log:
Port JSP 2.3 restriction to GET, POST and HEAD.
Modified: branches/8.0.x/src/main/java/org/apache/jasper/servlet/JspServlet.java
===================================================================
--- branches/8.0.x/src/main/java/org/apache/jasper/servlet/JspServlet.java 2013-07-04
09:55:49 UTC (rev 2227)
+++ branches/8.0.x/src/main/java/org/apache/jasper/servlet/JspServlet.java 2013-07-04
14:27:16 UTC (rev 2228)
@@ -200,6 +200,18 @@
HttpServletResponse response)
throws ServletException, IOException {
+ String method = request.getMethod();
+
+ if (!"GET".equals(method) && !"POST".equals(method)
&&
+ !"HEAD".equals(method)) {
+ // Specification states behaviour is undefined
+ // Jasper opts to reject any other verbs, partly as they are
+ // unlikely to make sense in a JSP context and partly to protect
+ // against verb tampering
+ response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED,
+ MESSAGES.forbiddenHttpMethod());
+ }
+
String jspUri = null;
String jspFile = (String) request.getAttribute(Constants.JSP_FILE);
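Review bot: The new guard calls `response.sendError(...)` for a rejected verb but has no `return;` after it, so execution falls through to `String jspUri = null;` and the rest of the method, which starts and ends outside this hunk. If that remainder dispatches the JSP as it appears to, page code with side effects would still run for the verbs this check is meant to reject, which defeats the stated verb-tampering protection. Later writes to the already-committed response may also fail with an IllegalStateException. Add `return;` immediately after the `sendError` call, inside the `if` block. A 405 response should also name the permitted methods, for example `response.setHeader("Allow", "GET, HEAD, POST");` before `sendError`.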
Modified: branches/8.0.x/src/main/java/org/jboss/web/JasperMessages.java
===================================================================
--- branches/8.0.x/src/main/java/org/jboss/web/JasperMessages.java 2013-07-04 09:55:49 UTC
(rev 2227)
+++ branches/8.0.x/src/main/java/org/jboss/web/JasperMessages.java 2013-07-04 14:27:16 UTC
(rev 2228)
@@ -781,4 +781,7 @@
@Message(id = 4247, value = "Unexpected internal error during
<import>: Target servlet called getOutputStream(), then getWriter()")
IllegalStateException usedWriterAfterOutputStream();
+ @Message(id = 4248, value = "JSPs only permit GET POST or HEAD")
+ String forbiddenHttpMethod();
+
}