RFC 7231: do not generate header fields in TRACE requests containing sensitive data such as cookie and user credentials

git-svn-id: https://svn.apache.org/repos/asf/httpcomponents/httpclient/trunk@1686590 13f79535-47bb-0310-9956-ffa450edef68
2015-06-20 12:12:18 +00:00 · 2015-06-20 12:12:18 +00:00 · 12a8eaabab
parent 6d72c0e326
commit 12a8eaabab
2 changed files with 6 additions and 1 deletions
--- a/httpclient/src/main/java/org/apache/http/client/protocol/RequestAddCookies.java
+++ b/httpclient/src/main/java/org/apache/http/client/protocol/RequestAddCookies.java
@ -79,7 +79,7 @@ public class RequestAddCookies implements HttpRequestInterceptor {
        Args.notNull(context, "HTTP context");

        final String method = request.getRequestLine().getMethod();
-        if (method.equalsIgnoreCase("CONNECT")) {
+        if (method.equalsIgnoreCase("CONNECT") || method.equalsIgnoreCase("TRACE")) {
            return;
        }

--- a/httpclient/src/main/java/org/apache/http/impl/execchain/MainClientExec.java
+++ b/httpclient/src/main/java/org/apache/http/impl/execchain/MainClientExec.java
@ -277,6 +277,11 @@ public class MainClientExec implements ClientExecChain {
                    connHolder.markNonReusable();
                }

+                if (request.getMethod().equalsIgnoreCase("TRACE")) {
+                    // Do not perform authentication for TRACE request
+                    break;
+                }
+
                if (needAuthentication(
                        targetAuthState, proxyAuthState, route, response, context)) {
                    // Make sure the response body is fully consumed, if present