[playframework#1300] feat: Define allowed methods used in 'X-HTTP-Met…

…hod-Override'

documentation/manual/configuration.textile

@@ -602,6 +602,15 @@ bc. http.cacheControl=0
 Default: @3600@ - set cache expiry to one hour.
 
 
+h3(#http.allowed.method.override). http.allowed.method.override
+
+Define allowed methods that will be handled when defined in X-HTTP-Method-Override
+
+bc. http.allowed.method.override=POST
+
+Default: none
+
+
 h3(#http.exposePlayServer). http.exposePlayServer
 
 Disable the HTTP response header that identifies the HTTP server as Play. For example:

framework/src/play/server/PlayHandler.java

@@ -104,6 +104,10 @@
 
 public class PlayHandler extends SimpleChannelUpstreamHandler {
 
+
+
+    private static final String X_HTTP_METHOD_OVERRIDE = "X-HTTP-Method-Override";
+
     /**
      * If true (the default), Play will send the HTTP header
      * "Server: Play! Framework; ....". This could be a security problem (old
@@ -124,6 +128,14 @@ public class PlayHandler extends SimpleChannelUpstreamHandler {
 
     private WebSocketServerHandshaker handshaker;
 
+
+    /**
+     * Define allowed methods that will be handled when defined in X-HTTP-Method-Override
+     * You can define allowed method in
+     * application.conf: <code>http.allowed.method.override=POST,PUT</code>
+     */
+    private static final Set<String> allowedHttpMethodOverride;
+
     static {
         try {
             SHA_1 = MessageDigest.getInstance("SHA1");
@@ -598,8 +610,9 @@ public Request parseRequest(ChannelHandlerContext ctx, HttpRequest nettyRequest,
         String remoteAddress = getRemoteIPAddress(messageEvent);
         String method = nettyRequest.getMethod().getName();
 
-        if (nettyRequest.headers().get("X-HTTP-Method-Override") != null) {
-            method = nettyRequest.headers().get("X-HTTP-Method-Override").intern();
+        if (nettyRequest.headers().get(X_HTTP_METHOD_OVERRIDE) != null
+                && allowedHttpMethodOverride.contains(nettyRequest.headers().get(X_HTTP_METHOD_OVERRIDE).intern())) {
+            method = nettyRequest.headers().get(X_HTTP_METHOD_OVERRIDE).intern();
         }
 
         InputStream body = null;

framework/src/play/server/ServletWrapper.java

@@ -36,6 +36,8 @@
 import java.net.URISyntaxException;
 import java.text.ParseException;
 import java.util.*;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
 
 import static org.apache.commons.io.IOUtils.closeQuietly;
 
@@ -64,6 +66,19 @@ public class ServletWrapper extends HttpServlet implements ServletContextListene
     public static final String SERVLET_RES = "__SERVLET_RES";
 
     private static boolean routerInitializedWithContext = false;
+
+
+    private static final String X_HTTP_METHOD_OVERRIDE = "X-HTTP-Method-Override";
+
+    /**
+     * Define allowed methods that will be handled when defined in X-HTTP-Method-Override
+     * You can define allowed method in
+     * application.conf: <code>http.allowed.method.override=POST,PUT</code>
+     */
+    private static final Set<String> allowedHttpMethodOverride;
+    static {
+        allowedHttpMethodOverride = Stream.of(Play.configuration.getProperty("http.allowed.method.override", "").split(",")).collect(Collectors.toSet());
+    }
 
     @Override
     public void contextInitialized(ServletContextEvent e) {
@@ -265,8 +280,9 @@ public static Request parseRequest(HttpServletRequest httpServletRequest) throws
             contentType = "text/html".intern();
         }
 
-        if (httpServletRequest.getHeader("X-HTTP-Method-Override") != null) {
-            method = httpServletRequest.getHeader("X-HTTP-Method-Override").intern();
+        if (httpServletRequest.getHeader(X_HTTP_METHOD_OVERRIDE) != null && allowedHttpMethodOverride
+                .contains(httpServletRequest.getHeader(X_HTTP_METHOD_OVERRIDE).intern())) {
+            method = httpServletRequest.getHeader(X_HTTP_METHOD_OVERRIDE).intern();
         }
 
         InputStream body = httpServletRequest.getInputStream();