From b224feacced410cf7074b9198d4bd0a702dc3e15 Mon Sep 17 00:00:00 2001
From: Vladimir Perfilev
Date: Sun, 5 Jan 2025 01:01:51 +0100
Subject: [PATCH] Exclude CONNECT from allowed HTTP methods

Updated initAllowedHttpMethods in WebContentGenerator and RequestMappingInfoHandlerMapping to explicitly exclude the CONNECT method.
---
 .../servlet/mvc/method/RequestMappingInfoHandlerMapping.java | 2 +-
 .../web/servlet/support/WebContentGenerator.java | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/method/RequestMappingInfoHandlerMapping.java b/spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/method/RequestMappingInfoHandlerMapping.java
index 5923e9ead263..3589ffb9ab61 100644
--- a/spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/method/RequestMappingInfoHandlerMapping.java
+++ b/spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/method/RequestMappingInfoHandlerMapping.java
@@ -517,7 +517,7 @@ private static Set initAllowedHttpMethods(Set declaredMethod
 Set result = CollectionUtils.newLinkedHashSet(declaredMethods.size());
 if (declaredMethods.isEmpty()) {
 for (HttpMethod method : HttpMethod.values()) {
- if (method != HttpMethod.TRACE) {
+ if (method != HttpMethod.TRACE && method != HttpMethod.CONNECT) {
 result.add(method);
 }
 }
diff --git a/spring-webmvc/src/main/java/org/springframework/web/servlet/support/WebContentGenerator.java b/spring-webmvc/src/main/java/org/springframework/web/servlet/support/WebContentGenerator.java
index 4f5a3f7907e2..70484898241a 100644
--- a/spring-webmvc/src/main/java/org/springframework/web/servlet/support/WebContentGenerator.java
+++ b/spring-webmvc/src/main/java/org/springframework/web/servlet/support/WebContentGenerator.java
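Review bot: The `TRACE`/`CONNECT` exclusion in `initAllowedHttpMethods` has no comment saying why these two methods are withheld from the default allowed set, and the same condition is repeated in `WebContentGenerator.initAllowHeader` in the second hunk. Since this set presumably feeds the `Allow` header that clients and scanners read, I would state the intent above the condition, e.g. `// TRACE and CONNECT are never part of the default allowed set`, and use the same comment in the other file. The diffstat lists only the two source files, so a test asserting that the default allowed set omits `CONNECT` would also be worth adding. The body of `initAllowedHttpMethods` starts and ends outside the hunk.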
@@ -146,7 +146,7 @@ private void initAllowHeader() {
 if (this.supportedMethods == null) {
 allowedMethods = new ArrayList<>(HttpMethod.values().length - 1);
 for (HttpMethod method : HttpMethod.values()) {
- if (method != HttpMethod.TRACE) {
+ if (method != HttpMethod.TRACE && method != HttpMethod.CONNECT) {
 allowedMethods.add(method.name());
 }
 }
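Review bot: The capacity hint `new ArrayList<>(HttpMethod.values().length - 1)` two lines above the changed condition still assumes a single excluded method. With `CONNECT` now skipped as well it should read `allowedMethods = new ArrayList<>(HttpMethod.values().length - 2);`, which keeps the size tied to the exclusion list. Behaviour is unaffected, since the list only ends up one slot larger than needed. `initAllowHeader` continues outside the hunk.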