Restrict HTTP methods on Servlet HiddenHttpMethodFilter
This commit restricts the allowed HTTP methods on HiddenHttpMethodFilter (Servlet variant) to the following: PUT, DELETE, PATCH. This filter is meant to be used to simulate those methods from HTML forms sent by browsers, so no other methods are allowed. Issue: SPR-16836
This commit is contained in:
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2017 the original author or authors.
|
||||
* Copyright 2002-2018 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -17,6 +17,9 @@
|
||||
package org.springframework.web.filter;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.util.Arrays;
|
||||
import java.util.Collections;
|
||||
import java.util.List;
|
||||
import java.util.Locale;
|
||||
import javax.servlet.FilterChain;
|
||||
import javax.servlet.ServletException;
|
||||
@@ -24,6 +27,7 @@ import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletRequestWrapper;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
|
||||
import org.springframework.http.HttpMethod;
|
||||
import org.springframework.util.Assert;
|
||||
import org.springframework.util.StringUtils;
|
||||
import org.springframework.web.util.WebUtils;
|
||||
@@ -35,6 +39,7 @@ import org.springframework.web.util.WebUtils;
|
||||
* is to use a normal POST with an additional hidden form field ({@code _method})
|
||||
* to pass the "real" HTTP method along. This filter reads that parameter and changes
|
||||
* the {@link HttpServletRequestWrapper#getMethod()} return value accordingly.
|
||||
* Only {@code "PUT"}, {@code "DELETE"} and {@code "PATCH"} HTTP methods are allowed.
|
||||
*
|
||||
* <p>The name of the request parameter defaults to {@code _method}, but can be
|
||||
* adapted via the {@link #setMethodParam(String) methodParam} property.
|
||||
@@ -50,6 +55,10 @@ import org.springframework.web.util.WebUtils;
|
||||
*/
|
||||
public class HiddenHttpMethodFilter extends OncePerRequestFilter {
|
||||
|
||||
private static final List<String> ALLOWED_METHODS =
|
||||
Collections.unmodifiableList(Arrays.asList(HttpMethod.PUT.name(),
|
||||
HttpMethod.DELETE.name(), HttpMethod.PATCH.name()));
|
||||
|
||||
/** Default method parameter: {@code _method} */
|
||||
public static final String DEFAULT_METHOD_PARAM = "_method";
|
||||
|
||||
@@ -74,7 +83,10 @@ public class HiddenHttpMethodFilter extends OncePerRequestFilter {
|
||||
if ("POST".equals(request.getMethod()) && request.getAttribute(WebUtils.ERROR_EXCEPTION_ATTRIBUTE) == null) {
|
||||
String paramValue = request.getParameter(this.methodParam);
|
||||
if (StringUtils.hasLength(paramValue)) {
|
||||
requestToUse = new HttpMethodRequestWrapper(request, paramValue);
|
||||
String method = paramValue.toUpperCase(Locale.ENGLISH);
|
||||
if (ALLOWED_METHODS.contains(method)) {
|
||||
requestToUse = new HttpMethodRequestWrapper(request, method);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -92,7 +104,7 @@ public class HiddenHttpMethodFilter extends OncePerRequestFilter {
|
||||
|
||||
public HttpMethodRequestWrapper(HttpServletRequest request, String method) {
|
||||
super(request);
|
||||
this.method = method.toUpperCase(Locale.ENGLISH);
|
||||
this.method = method;
|
||||
}
|
||||
|
||||
@Override
|
||||
|
||||
Reference in New Issue
Block a user