diff --git a/spring-web/src/main/java/org/springframework/web/filter/reactive/HiddenHttpMethodFilter.java b/spring-web/src/main/java/org/springframework/web/filter/reactive/HiddenHttpMethodFilter.java index bd0021b310..72723aa4e1 100644 --- a/spring-web/src/main/java/org/springframework/web/filter/reactive/HiddenHttpMethodFilter.java +++ b/spring-web/src/main/java/org/springframework/web/filter/reactive/HiddenHttpMethodFilter.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2017 the original author or authors. + * Copyright 2002-2018 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -16,6 +16,9 @@ package org.springframework.web.filter.reactive; +import java.util.Arrays; +import java.util.Collections; +import java.util.List; import java.util.Locale; import reactor.core.publisher.Mono; @@ -45,6 +48,10 @@ import org.springframework.web.server.WebFilterChain; */ public class HiddenHttpMethodFilter implements WebFilter { + private static final List ALLOWED_METHODS = + Collections.unmodifiableList(Arrays.asList(HttpMethod.PUT, + HttpMethod.DELETE, HttpMethod.PATCH)); + /** Default name of the form parameter with the HTTP method to use */ public static final String DEFAULT_METHOD_PARAMETER_NAME = "_method"; @@ -87,7 +94,12 @@ public class HiddenHttpMethodFilter implements WebFilter { private ServerWebExchange mapExchange(ServerWebExchange exchange, String methodParamValue) { HttpMethod httpMethod = HttpMethod.resolve(methodParamValue.toUpperCase(Locale.ENGLISH)); Assert.notNull(httpMethod, () -> "HttpMethod '" + methodParamValue + "' not supported"); - return exchange.mutate().request(builder -> builder.method(httpMethod)).build(); + if (ALLOWED_METHODS.contains(httpMethod)) { + return exchange.mutate().request(builder -> builder.method(httpMethod)).build(); + } + else { + return exchange; + } } } diff --git a/spring-web/src/test/java/org/springframework/web/filter/reactive/HiddenHttpMethodFilterTests.java b/spring-web/src/test/java/org/springframework/web/filter/reactive/HiddenHttpMethodFilterTests.java index eba7491b50..f962728da4 100644 --- a/spring-web/src/test/java/org/springframework/web/filter/reactive/HiddenHttpMethodFilterTests.java +++ b/spring-web/src/test/java/org/springframework/web/filter/reactive/HiddenHttpMethodFilterTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2017 the original author or authors. + * Copyright 2002-2018 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -52,6 +52,12 @@ public class HiddenHttpMethodFilterTests { assertEquals(HttpMethod.DELETE, this.filterChain.getHttpMethod()); } + @Test + public void filterWithParameterMethodNotAllowed() { + postForm("_method=TRACE").block(Duration.ZERO); + assertEquals(HttpMethod.POST, this.filterChain.getHttpMethod()); + } + @Test public void filterWithNoParameter() { postForm("").block(Duration.ZERO);