HTTPCLIENT-1981: disallow TRACE requests with an enclosed entity

httpclient5/src/main/java/org/apache/hc/client5/http/async/methods/AsyncRequestBuilder.java

@@ -430,6 +430,11 @@ public class AsyncRequestBuilder {
                 }
             }
         }
+
+        if (entityProducerCopy != null && StandardMethods.TRACE.name().equalsIgnoreCase(method)) {
+            throw new IllegalStateException(StandardMethods.TRACE.name() + " requests may not include an entity.");
+        }
+
         final ConfigurableHttpRequest request = host != null ?
                 new ConfigurableHttpRequest(method, host, !TextUtils.isBlank(path) ? path : "/") :
                 new ConfigurableHttpRequest(method, uri != null ? uri : URI.create("/"));

httpclient5/src/main/java/org/apache/hc/client5/http/classic/methods/HttpTrace.java

@@ -29,6 +29,8 @@ package org.apache.hc.client5.http.classic.methods;
 
 import java.net.URI;
 
+import org.apache.hc.core5.http.HttpEntity;
+
 /**
  * HTTP TRACE method.
  *
@@ -60,4 +62,9 @@ public class HttpTrace extends HttpUriRequestBase {
         this(URI.create(uri));
     }
 
+    @Override
+    public void setEntity(final HttpEntity entity) {
+        throw new IllegalStateException(METHOD_NAME + " requests may not include an entity.");
+    }
+
 }

httpclient5/src/main/java/org/apache/hc/client5/http/classic/methods/RequestBuilder.java

@@ -482,6 +482,11 @@ public class RequestBuilder {
                 }
             }
         }
+
+        if (entityCopy != null && StandardMethods.TRACE.name().equalsIgnoreCase(method)) {
+            throw new IllegalStateException(StandardMethods.TRACE.name() + " requests may not include an entity.");
+        }
+
         final HttpUriRequestBase result = new HttpUriRequestBase(method, uriNotNull);
         result.setVersion(this.version != null ? this.version : HttpVersion.HTTP_1_1);
         if (this.headerGroup != null) {

httpclient5/src/test/java/org/apache/hc/client5/http/async/methods/TestAsyncRequestBuilder.java

@@ -0,0 +1,42 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.hc.client5.http.async.methods;
+
+import org.apache.hc.core5.http.nio.entity.BasicAsyncEntityProducer;
+import org.junit.Test;
+
+public class TestAsyncRequestBuilder {
+
+    @Test(expected = IllegalStateException.class)
+    public void testBuildTraceWithEntity() {
+        final AsyncRequestBuilder builder = AsyncRequestBuilder.create("TRACE").setUri("/path");
+        builder.setEntity(new BasicAsyncEntityProducer("stuff"));
+        builder.build();
+    }
+
+}

httpclient5/src/test/java/org/apache/hc/client5/http/classic/methods/TestHttpTrace.java

@@ -0,0 +1,40 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.hc.client5.http.classic.methods;
+
+import org.junit.Test;
+
+public class TestHttpTrace {
+
+    @Test(expected = IllegalStateException.class)
+    public void testHttpTraceSetEntity() {
+        final HttpTrace httpTrace = new HttpTrace("/path");
+        httpTrace.setEntity(null);
+    }
+
+}

httpclient5/src/test/java/org/apache/hc/client5/http/classic/methods/TestRequestBuilder.java

@@ -264,6 +264,13 @@ public class TestRequestBuilder {
         assertBuild(StandardCharsets.ISO_8859_1);
     }
 
+    @Test(expected = IllegalStateException.class)
+    public void testBuildTraceWithEntity() {
+        final RequestBuilder requestBuilder = RequestBuilder.create("TRACE").setUri("/path");
+        requestBuilder.setEntity(new StringEntity("foo"));
+        requestBuilder.build();
+    }
+
     private void assertBuild(final Charset charset) throws Exception {
         final RequestBuilder requestBuilder = RequestBuilder.create("GET").setCharset(charset);
         requestBuilder.setUri("https://somehost.com/stuff");