Bug 57534 - CorsFilter.SIMPLE_HTTP_REQUEST_CONTENT_TYPE_VALUES check shall ignore content-type parameters
Summary: CorsFilter.SIMPLE_HTTP_REQUEST_CONTENT_TYPE_VALUES check shall ignore content...
Alias: None
Product: Tomcat 7
Classification: Unclassified
Component: Catalina (show other bugs)
Version: 7.0.59
Hardware: PC All
: P2 normal (vote)
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2015-02-04 14:07 UTC by Konstantin Kolinko
Modified: 2015-02-11 19:24 UTC (History)
0 users


Note You need to log in before you can comment on or make changes to this bug.
Description Konstantin Kolinko 2015-02-04 14:07:25 UTC
In CorsFilter of trunk

starting with line 1030:
     * {@link Collection} of Simple HTTP request headers. Case in-sensitive.
     * @see  <a href="http://www.w3.org/TR/cors/#terminology"
     *       >http://www.w3.org/TR/cors/#terminology</a>
    public static final Collection<String> SIMPLE_HTTP_REQUEST_CONTENT_TYPE_VALUES =
            new HashSet<>(Arrays.asList("application/x-www-form-urlencoded",
                    "multipart/form-data", "text/plain"));

starting with line 641:
                    } else if ("POST".equals(method)) {
                        String contentType = request.getContentType();
                        if (contentType != null) {
                            contentType = contentType.toLowerCase().trim();
                            if (SIMPLE_HTTP_REQUEST_CONTENT_TYPE_VALUES
                                    .contains(contentType)) {
                                requestType = CORSRequestType.SIMPLE;
                            } else {
                                requestType = CORSRequestType.ACTUAL;
                    } else {

According to w3.org "Terminology" link above,
1) Javadoc for SIMPLE_HTTP_REQUEST_CONTENT_TYPE_VALUES is a bit off (copy-pasted from another field). It is actually a collection of mime-type values for Content-Type header so that this header is treated as a "simple header"

2) The check using SIMPLE_HTTP_REQUEST_CONTENT_TYPE_VALUES shall ignore any parameters that may be present in Content-Type header value.

E.g. "Content-Type: application/x-www-form-urlencoded; charset=UTF-8"  shall match successfully.
Comment 1 Mark Thomas 2015-02-10 23:38:05 UTC
This has the potential to get expensive performance-wise. Parsing mime-types from a content-type header is non-trivial but we do have o.a.tomcat.util.http.parser.MediaType and MediaTypeCache
Comment 2 Konstantin Kolinko 2015-02-10 23:41:59 UTC
Parsing is needed when you need the value of a parameter (e.g. charset).

In this case just trimming at the first ';' is OK.
Comment 3 Mark Thomas 2015-02-11 14:42:00 UTC
You are right.

When I first looked at this I started to look at how the request content-type header was parsed and that has some issues that would need o.a.tomcat.util.http.parser.MediaType to solve but that isn't required for this specific usage.
Comment 4 Mark Thomas 2015-02-11 19:24:40 UTC
Fixed in trunk, 8.0.x (for 8.0.19 onwards( and 7.0.x (for 7.0.60 onwards)