
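--- a/java/org/apache/catalina/servlets/CGIServlet.java
+++ b/java/org/apache/catalina/servlets/CGIServlet.java
@@ -276,6 +276,15 @@
     private Pattern envHttpHeadersPattern = Pattern.compile(
             "ACCEPT[-0-9A-Z]*|CACHE-CONTROL|COOKIE|HOST|IF-[-0-9A-Z]*|REFERER|USER-AGENT");
 
+    /** Additional methods (other than GET and PUT) to handle by the servlet. */
+    private Pattern additionalMethodsPattern = null;
+    
+    /** Methods that may require request body data (a. k. a. "POST data") */
+    private Pattern requestBodyMethodsPattern = Pattern.compile("POST");
+    
+    /** Additional methods for OPTIONS method */
+    private String additionalMethodsForOptions = "";
+
     /** object used to ensure multiple threads don't try to expand same file */
     private static final Object expandFileLock = new Object();
 
@@ -360,6 +369,28 @@
                     Pattern.compile(getServletConfig().getInitParameter("envHttpHeaders"));
         }
 
+        if (getServletConfig().getInitParameter("additionalMethods") != null) {
+            String methodsConf = getServletConfig().getInitParameter("additionalMethods") + ",";
+            if (!methodsConf.matches("([\\-\\+][A-Z]+,)+")) {
+                throw new ServletException(sm.getString("cgiServlet.badAdditionalMethodsConfig"));
+            }
+            String withAndWithoutRequestBody = methodsConf.replaceAll(".([A-Z]+),", "|$1");
+            String withRequestBody
+                    = methodsConf.replaceAll("(?:-[A-Z]+,)*\\+([A-Z]+),(?:-[A-Z]+,)*", "|$1");
+
+            additionalMethodsPattern = withAndWithoutRequestBody.isEmpty() ? null
+                    : Pattern.compile(withAndWithoutRequestBody.substring(1));
+
+            if (!withRequestBody.isEmpty()) {
+                requestBodyMethodsPattern = Pattern.compile("POST|" + withRequestBody.substring(1));
+            }
+
+            additionalMethodsForOptions = methodsConf.replaceAll(
+                    "(?:.GET,|.HEAD,|.POST,|.TRACE,|.OPTIONS,)*" +
+                    ".(?!GET,|HEAD,|POST,|TRACE,|OPTIONS,)([A-Z]+)," +
+                    "(?:.GET,|.HEAD,|.POST,|.TRACE,|.OPTIONS,)*", ", $1");
+        }
+        
         if (getServletConfig().getInitParameter("enableCmdLineArguments") != null) {
             enableCmdLineArguments =
                     Boolean.parseBoolean(config.getInitParameter("enableCmdLineArguments"));
@@ -496,6 +527,30 @@
         }
     }
 
+    /**
+    * Handle special WebDAV and other methods.
+    */
+    @Override
+    protected void service(HttpServletRequest req, HttpServletResponse resp)
+            throws ServletException, IOException {
+        if (additionalMethodsPattern != null
+                    && additionalMethodsPattern.matcher(req.getMethod()).matches()) {
+            doGet(req, resp);
+        }
+        else {
+            super.service(req, resp); // DefaultServlet processing
+        }
+    }
+    
+    /**
+     * Return header with allowed HTTP methods.
+     */
+    @Override
+    protected void doOptions(HttpServletRequest req, HttpServletResponse resp)
+            throws ServletException, IOException {
+        super.doOptions(req, resp);
+        resp.setHeader("Allow", resp.getHeader("Allow") + additionalMethodsForOptions);
+    }
 
     /**
      * Provides CGI Gateway service -- delegates to
@@ -535,7 +590,7 @@
                                           cgiEnv.getWorkingDirectory(),
                                           cgiEnv.getParameters());
 
-            if ("POST".equals(req.getMethod())) {
+            if (requestBodyMethodsPattern.matcher(req.getMethod()).matches()) {
                 cgi.setInput(req.getInputStream());
             }
             cgi.setResponse(res);
@@ -1524,9 +1579,7 @@
                         cmdAndArgs.toArray(new String[cmdAndArgs.size()]),
                         hashToStringArray(env), wd);
 
-                String sContentLength = env.get("CONTENT_LENGTH");
-
-                if(!"".equals(sContentLength)) {
+                if(stdin != null) {
                     commandsStdIn = new BufferedOutputStream(proc.getOutputStream());
                     IOTools.flow(stdin, commandsStdIn);
                     commandsStdIn.flush();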
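Review bot: In the new `service` override (hunk at new lines 527-556) a method configured with the `-` prefix is dispatched to `doGet` without any check that the request actually carries no body, so the documented "forbid request body data" is really "don't pipe the body": `doGet` skips `cgi.setInput`, the body stays unread on the connection, and CONTENT_LENGTH, which the CGI environment presumably still derives from the request elsewhere in this file, is handed to a script that may then block reading an empty stdin. If forbidding is the intent, reject such requests before dispatching, as below (note `getContentLength()` is -1 for chunked bodies, so this only catches declared lengths); if not, the howto text and the field comment should say the body is simply not forwarded. As a point of style, the `}` and `else` split across two lines and the Javadoc `*` lines missing their leading space in `service` stand out against the `doOptions` Javadoc directly below it.
```java
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (additionalMethodsPattern != null
                && additionalMethodsPattern.matcher(req.getMethod()).matches()) {
            // "-" methods: refuse a declared body instead of leaving it unread
            if (!requestBodyMethodsPattern.matcher(req.getMethod()).matches()
                    && req.getContentLength() > 0) {
                resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
                return;
            }
            doGet(req, resp);
        } else {
            super.service(req, resp); // DefaultServlet processing
        }
    }
```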
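--- a/java/org/apache/catalina/servlets/LocalStrings.properties
+++ b/java/org/apache/catalina/servlets/LocalStrings.properties
@@ -13,6 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+cgiServlet.badAdditionalMethodsConfig=Additional method names must be upper case, separated by comma (,), no white space allowed [additionalMethods]
 cgiServlet.emptyEnvVarName=Empty environment variable name in initialisation parameter [environment-variable-]
 cgiServlet.expandCloseFail=Failed to close input stream for script at path [{0}]
 cgiServlet.expandCreateDirFail=Failed to create destination directory [{0}] for script expansion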
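--- a/webapps/docs/cgi-howto.xml
+++ b/webapps/docs/cgi-howto.xml
@@ -117,6 +117,18 @@
 name must match the pattern. Default is
 <code>ACCEPT[-0-9A-Z]*|CACHE-CONTROL|COOKIE|HOST|IF-[-0-9A-Z]*|REFERER|USER-AGENT</code>
 </li>
+<li><strong>additionalMethods</strong> - A list of additionally allowed HTTP
+methods. Default handles:
+<ul>
+  <li>GET, POST and OPTIONS</li>
+  <li>HEAD and TRACE - handled by parent class javax.servlet.http.HttpServlet</li>
+</ul>
+List items are separarated by comma (,) and must be prefixed by + or -,
++ meaning "handle request body data", - meaning "forbid request body data". If
+the list contains HEAD, TRACE or OPTIONS, the request is forwarded to the CGI
+script and not handled by HttpServlet. Example (for Nextcloud version 12):
+<code>-DELETE,+MKCALENDAR,+MKCOL,+PROPFIND,+PROPPATCH,+PUT,+REPORT</code>
+</li>
 <li><strong>parameterEncoding</strong> - Name of the parameter encoding
 to be used with the CGI servlet. Default is
 <code>System.getProperty("file.encoding","UTF-8")</code>. That is the system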
