
Commit 80a94a6

author
Alexandre Chatiron
committed
[#1300] feat: Define allowed methods used in 'X-HTTP-Method-Override'
1 parent 6c4729f commit 80a94a6

3 files changed

+40
-5
lines changed


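--- a/documentation/manual/configuration.textile
+++ b/documentation/manual/configuration.textile
@@ -602,6 +602,15 @@ bc. http.cacheControl=0
 Default: @3600@ - set cache expiry to one hour.
 
 
+h3(#http.allowed.method.override). http.allowed.method.override
+
+Define allowed methods that will be handled when defined in X-HTTP-Method-Override
+
+bc. http.allowed.method.override=POST
+
+Default: none
+
+
 h3(#http.exposePlayServer). http.exposePlayServer
 
 Disable the HTTP response header that identifies the HTTP server as Play. For example: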

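--- a/framework/src/play/server/PlayHandler.java
+++ b/framework/src/play/server/PlayHandler.java
@@ -26,6 +26,7 @@
 import java.security.NoSuchAlgorithmException;
 import java.text.ParseException;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.Date;
 import java.util.HashMap;
@@ -104,6 +105,10 @@
 
 public class PlayHandler extends SimpleChannelUpstreamHandler {
 
+
+
+    private static final String X_HTTP_METHOD_OVERRIDE = "X-HTTP-Method-Override";
+
     /**
      * If true (the default), Play will send the HTTP header
      * "Server: Play! Framework; ....". This could be a security problem (old
@@ -124,6 +129,15 @@ public class PlayHandler extends SimpleChannelUpstreamHandler {
 
     private WebSocketServerHandshaker handshaker;
 
+
+    /**
+     * Define allowed methods that will be handled when defined in X-HTTP-Method-Override
+     * You can define allowed method in
+     * application.conf: <code>http.allowed.method.override=POST,PUT</code>
+     */
+    private static final List<String> allowedHttpMethodOverride = Arrays.asList(Play.configuration.getProperty("http.allowed.method.override", "").split(","));
+
+
     static {
         try {
             SHA_1 = MessageDigest.getInstance("SHA1");
@@ -598,8 +612,9 @@ public Request parseRequest(ChannelHandlerContext ctx, HttpRequest nettyRequest,
         String remoteAddress = getRemoteIPAddress(messageEvent);
         String method = nettyRequest.getMethod().getName();
 
-        if (nettyRequest.headers().get("X-HTTP-Method-Override") != null) {
-            method = nettyRequest.headers().get("X-HTTP-Method-Override").intern();
+        if (nettyRequest.headers().get(X_HTTP_METHOD_OVERRIDE) != null
+                && allowedHttpMethodOverride.contains(nettyRequest.headers().get(X_HTTP_METHOD_OVERRIDE).intern())) {
+            method = nettyRequest.headers().get(X_HTTP_METHOD_OVERRIDE).intern();
         }
 
         InputStream body = null;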
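Review bot: The allow-list built at `allowedHttpMethodOverride` from `getProperty("http.allowed.method.override", "").split(",")` is `[""]` when the property is unset, because `"".split(",")` returns a one-element array holding the empty string; the documented default of "none" therefore still lets a request carrying an `X-HTTP-Method-Override` header with an empty value pass `contains("")` and set `method` to `""` in `parseRequest`. Entries are also not trimmed, so a setting written as `POST, PUT` never matches `PUT`. Parsing the setting through a small helper that trims entries and drops empty ones, as below, fixes both; `ServletWrapper.allowedHttpMethodOverride` is built from the same expression and needs the same treatment. In `parseRequest` the header is read three times; reading it once into a local (`String override = nettyRequest.headers().get(X_HTTP_METHOD_OVERRIDE);`) would make the condition easier to follow. `parseRequest` begins and ends outside the hunk.
```java
    private static final List<String> allowedHttpMethodOverride = parseAllowedMethodOverride(
            Play.configuration.getProperty("http.allowed.method.override", ""));

    /**
     * Splits the comma-separated setting, trimming each entry and dropping empty
     * ones, so that the default "" allows no override at all.
     */
    private static List<String> parseAllowedMethodOverride(String setting) {
        List<String> allowed = new ArrayList<String>();
        for (String entry : setting.split(",")) {
            String trimmed = entry.trim();
            if (!trimmed.isEmpty()) {
                allowed.add(trimmed);
            }
        }
        return Collections.unmodifiableList(allowed);
    }
    // … unchanged: static initializer, parseRequest …
```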

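--- a/framework/src/play/server/ServletWrapper.java
+++ b/framework/src/play/server/ServletWrapper.java
@@ -64,7 +64,17 @@ public class ServletWrapper extends HttpServlet implements ServletContextListene
     public static final String SERVLET_RES = "__SERVLET_RES";
 
     private static boolean routerInitializedWithContext = false;
-
+
+
+    private static final String X_HTTP_METHOD_OVERRIDE = "X-HTTP-Method-Override";
+
+    /**
+     * Define allowed methods that will be handled when defined in X-HTTP-Method-Override
+     * You can define allowed method in
+     * application.conf: <code>http.allowed.method.override=POST,PUT</code>
+     */
+    private static List<String> allowedHttpMethodOverride = Arrays.asList(Play.configuration.getProperty("http.allowed.method.override", "").split(","));
+
     @Override
     public void contextInitialized(ServletContextEvent e) {
         Play.standalonePlayServer = false;
@@ -265,8 +275,9 @@ public static Request parseRequest(HttpServletRequest httpServletRequest) throws
             contentType = "text/html".intern();
         }
 
-        if (httpServletRequest.getHeader("X-HTTP-Method-Override") != null) {
-            method = httpServletRequest.getHeader("X-HTTP-Method-Override").intern();
+        if (httpServletRequest.getHeader(X_HTTP_METHOD_OVERRIDE) != null && allowedHttpMethodOverride
+                .contains(httpServletRequest.getHeader(X_HTTP_METHOD_OVERRIDE).intern())) {
+            method = httpServletRequest.getHeader(X_HTTP_METHOD_OVERRIDE).intern();
         }
 
         InputStream body = httpServletRequest.getInputStream();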
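Review bot: `allowedHttpMethodOverride` is declared `private static List<String>` without `final`, unlike the identically named field added to `PlayHandler` in the same commit; nothing in the hunk reassigns it, so `private static final List<String> allowedHttpMethodOverride = ...;` keeps the allow-list from being replaced at runtime and matches the sibling class. In `parseRequest` the header is fetched three times and the `&&` operand is split before `.contains`, which reads awkwardly; `String override = httpServletRequest.getHeader(X_HTTP_METHOD_OVERRIDE);` followed by `if (override != null && allowedHttpMethodOverride.contains(override.intern()))` says the same thing once. `parseRequest` begins and ends outside the hunk.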
