
List:       httpcomponents-commits
Subject:    svn commit: r1686590 - in /httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http:
From:       olegk () apache ! org
Date:       2015-06-20 12:12:18
Message-ID: 20150620121218.A18BDAC048D () hades ! apache ! org

Author: olegk
Date: Sat Jun 20 12:12:18 2015
New Revision: 1686590

URL: http://svn.apache.org/r1686590
Log:
RFC 7231: do not generate header fields in TRACE requests containing sensitive data \
such as cookie and user credentials

Modified:
    httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/client/protocol/RequestAddCookies.java
  httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/impl/execchain/MainClientExec.java


Modified: httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/client/protocol/RequestAddCookies.java
                
URL: http://svn.apache.org/viewvc/httpcomponents/httpclient/trunk/httpclient/src/main/ \
java/org/apache/http/client/protocol/RequestAddCookies.java?rev=1686590&r1=1686589&r2=1686590&view=diff
 ==============================================================================
--- httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/client/protocol/RequestAddCookies.java \
                (original)
+++ httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/client/protocol/RequestAddCookies.java \
Sat Jun 20 12:12:18 2015
@@ -79,7 +79,7 @@ public class RequestAddCookies implement
         Args.notNull(context, "HTTP context");
 
         final String method = request.getRequestLine().getMethod();
-        if (method.equalsIgnoreCase("CONNECT")) {
+        if (method.equalsIgnoreCase("CONNECT") || method.equalsIgnoreCase("TRACE")) \
{  return;
         }
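Review bot: The added `TRACE` test only stops this interceptor from attaching cookies of its own; the early `return` leaves the request untouched, so a `Cookie` header the caller has already set on a TRACE request still goes out. As far as this hunk shows, the RFC 7231 rule quoted in the log message is therefore enforced only for cookies this interceptor would have generated. The condition would also read better with a why-comment, for example `// CONNECT opens a tunnel and TRACE echoes the request back (RFC 7231 section 4.3.8), so neither may carry cookies`. The method body starts and continues outside the hunk, so any later handling is not visible here.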
 

Modified: httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/impl/execchain/MainClientExec.java
                
URL: http://svn.apache.org/viewvc/httpcomponents/httpclient/trunk/httpclient/src/main/ \
java/org/apache/http/impl/execchain/MainClientExec.java?rev=1686590&r1=1686589&r2=1686590&view=diff
 ==============================================================================
--- httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/impl/execchain/MainClientExec.java \
                (original)
+++ httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/impl/execchain/MainClientExec.java \
Sat Jun 20 12:12:18 2015
@@ -277,6 +277,11 @@ public class MainClientExec implements \
C  connHolder.markNonReusable();
                 }
 
+                if (request.getMethod().equalsIgnoreCase("TRACE")) {
+                    // Do not perform authentication for TRACE request
+                    break;
+                }
+
                 if (needAuthentication(
                         targetAuthState, proxyAuthState, route, response, context)) \
                {
                     // Make sure the response body is fully consumed, if present
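Review bot: The `TRACE` check sits after the response has been received, just before `needAuthentication(...)`, so it only stops the client from answering an authentication challenge. Credentials attached before the request is sent (for instance from an already-populated auth state) are not covered by anything visible in this hunk and may need the same test. The `break` also skips the proxy side (`proxyAuthState`), which the comment does not say; I would widen it to `// RFC 7231 section 4.3.8: do not answer target or proxy auth challenges for TRACE`. The commit touches only the two main source files, so a unit test asserting that a challenged TRACE request is not retried with credentials would pin the behaviour down. The enclosing loop starts and ends outside the hunk.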

