[jbossweb-commits] JBossWeb SVN: r2228 - in branches/8.0.x/src/main/java/org: jboss/web and 1 other directory.

Thu Jul 4 10:27:16 EDT 2013


Author: remy.maucherat at jboss.com
Date: 2013-07-04 10:27:16 -0400 (Thu, 04 Jul 2013)
New Revision: 2228

Modified:
   branches/8.0.x/src/main/java/org/apache/jasper/servlet/JspServlet.java
   branches/8.0.x/src/main/java/org/jboss/web/JasperMessages.java
Log:
Port JSP 2.3 restriction to GET, POST and HEAD.

Modified: branches/8.0.x/src/main/java/org/apache/jasper/servlet/JspServlet.java
===================================================================
--- branches/8.0.x/src/main/java/org/apache/jasper/servlet/JspServlet.java	2013-07-04 09:55:49 UTC (rev 2227)
+++ branches/8.0.x/src/main/java/org/apache/jasper/servlet/JspServlet.java	2013-07-04 14:27:16 UTC (rev 2228)
@@ -200,6 +200,18 @@
     			 HttpServletResponse response)
                 throws ServletException, IOException {
 
+        String method = request.getMethod();
+
+        if (!"GET".equals(method) && !"POST".equals(method) &&
+                !"HEAD".equals(method)) {
+            // Specification states behaviour is undefined
+            // Jasper opts to reject any other verbs, partly as they are
+            // unlikely to make sense in a JSP context and partly to protect
+            // against verb tampering
+            response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED,
+                    MESSAGES.forbiddenHttpMethod());
+        }
+
         String jspUri = null;
 
         String jspFile = (String) request.getAttribute(Constants.JSP_FILE);
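Review bot: The new verb check rejects the request but does not stop it: after `response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED, ...)` control falls through to the `jspUri`/`jspFile` lookup and, presumably, to the JSP compile-and-execute path that continues below the hunk, so a PUT or DELETE still runs the page's code with only the status line changed. The verb-tampering protection the comment describes is therefore not in place until a `return;` is added as the last statement inside the `if` block, directly after the `sendError(...)` call; as far as I recall the upstream Tomcat version of this check returns at that point. The comparison against the literal `"GET"`/`"POST"`/`"HEAD"` is correct as written, since HTTP method names are case-sensitive and a lowercase variant should indeed be rejected. The enclosing method's signature begins before this hunk and its body continues past it.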

Modified: branches/8.0.x/src/main/java/org/jboss/web/JasperMessages.java
===================================================================
--- branches/8.0.x/src/main/java/org/jboss/web/JasperMessages.java	2013-07-04 09:55:49 UTC (rev 2227)
+++ branches/8.0.x/src/main/java/org/jboss/web/JasperMessages.java	2013-07-04 14:27:16 UTC (rev 2228)
@@ -781,4 +781,7 @@
     @Message(id = 4247, value = "Unexpected internal error during <import&gt: Target servlet called getOutputStream(), then getWriter()")
     IllegalStateException usedWriterAfterOutputStream();
 
+    @Message(id = 4248, value = "JSPs only permit GET POST or HEAD")
+    String forbiddenHttpMethod();
+
 }


