Restrict HTTP methods on Reactive HiddenHttpMethodFilter

This commit restricts the allowed HTTP methods on HiddenHttpMethodFilter (Reactive variant) to the following: PUT, DELETE, PATCH. This filter is meant to be used to simulate those methods from HTML forms sent by browsers, so no other methods are allowed. Issue: SPR-16836 (Cherry-picked from a5cd01a4c8)
7 years ago · dac97f1b7d
2 changed files with 21 additions and 3 deletions
--- a/spring-web/src/main/java/org/springframework/web/filter/reactive/HiddenHttpMethodFilter.java
+++ b/spring-web/src/main/java/org/springframework/web/filter/reactive/HiddenHttpMethodFilter.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2017 the original author or authors.
+ * Copyright 2002-2018 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -16,6 +16,9 @@
 package org.springframework.web.filter.reactive;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
 import java.util.Locale;
 import reactor.core.publisher.Mono;
@ -45,6 +48,10 @@ import org.springframework.web.server.WebFilterChain;
 */
 public class HiddenHttpMethodFilter implements WebFilter {
 	private static final List<HttpMethod> ALLOWED_METHODS =
 			Collections.unmodifiableList(Arrays.asList(HttpMethod.PUT,
 					HttpMethod.DELETE, HttpMethod.PATCH));
 	/** Default name of the form parameter with the HTTP method to use */
 	public static final String DEFAULT_METHOD_PARAMETER_NAME = "_method";
@ -87,7 +94,12 @@ public class HiddenHttpMethodFilter implements WebFilter {
 	private ServerWebExchange mapExchange(ServerWebExchange exchange, String methodParamValue) {
 		HttpMethod httpMethod = HttpMethod.resolve(methodParamValue.toUpperCase(Locale.ENGLISH));
 		Assert.notNull(httpMethod, () -> "HttpMethod '" + methodParamValue + "' not supported");
-		return exchange.mutate().request(builder -> builder.method(httpMethod)).build();
+		if (ALLOWED_METHODS.contains(httpMethod)) {
 			return exchange.mutate().request(builder -> builder.method(httpMethod)).build();
 		}
 		else {
 			return exchange;
 		}
 	}
 }
--- a/spring-web/src/test/java/org/springframework/web/filter/reactive/HiddenHttpMethodFilterTests.java
+++ b/spring-web/src/test/java/org/springframework/web/filter/reactive/HiddenHttpMethodFilterTests.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2017 the original author or authors.
+ * Copyright 2002-2018 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -52,6 +52,12 @@ public class HiddenHttpMethodFilterTests {
 		assertEquals(HttpMethod.DELETE, this.filterChain.getHttpMethod());
 	}
 	@Test
 	public void filterWithParameterMethodNotAllowed() {
 		postForm("_method=TRACE").block(Duration.ZERO);
 		assertEquals(HttpMethod.POST, this.filterChain.getHttpMethod());
 	}
 	@Test
 	public void filterWithNoParameter() {
 		postForm("").block(Duration.ZERO);