usr.sbin/httpd: disable TRACE, comments?


usr.sbin/httpd: disable TRACE, comments?

Chad Loder-2
Are there people who really *need* the TRACE method to work in
httpd?  It's a security risk for some web applications (using
JavaScript to sniff headers, particularly cookies, from other
domains).  http://www.kb.cert.org/vuls/id/867593

RFC 2616 section 5.1.1 states that TRACE is optional.  This
diff disables it, and httpd will return a 501 Method Not Implemented
as a result.

Index: src/main/http_protocol.c
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/src/main/http_protocol.c,v
retrieving revision 1.28
diff -u -r1.28 http_protocol.c
--- src/main/http_protocol.c 9 Feb 2005 12:13:09 -0000 1.28
+++ src/main/http_protocol.c 10 Nov 2005 20:30:49 -0000
@@ -824,10 +824,6 @@
            if (strcmp(method, "OPTIONS") == 0)
                return M_OPTIONS;
            break;
-        case 'T':
-           if (strcmp(method, "TRACE") == 0)
-               return M_TRACE;
-           break;
         case 'L':
            if (strcmp(method, "LOCK") == 0)
                return M_LOCK;
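Review bot: removing the 'T' case makes TRACE fall through the method lookup, but the M_TRACE constant and whatever handles it elsewhere in httpd are left in place as unreachable code; either drop them in the same diff or say in the commit message that they are now dead. It is also worth confirming that the unknown-method path really produces the 501 the post describes and that the OPTIONS reply (the M_OPTIONS case just above) no longer advertises TRACE, otherwise the server lists a method it refuses.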


Re: usr.sbin/httpd: disable TRACE, comments?

Sam Hart-2
Chad wrote:

> Are there people who really *need* the TRACE method to work in
> httpd?  It's a security risk for some web applications (using
> JavaScript to sniff headers, particularly cookies, from other
> domains).  http://www.kb.cert.org/vuls/id/867593
>
> RFC 2616 section 5.1.1 states that TRACE is optional.  This
> diff disables it, and httpd will return a 501 Method Not Implemented
> as a result.

TRACE can be useful for debugging, and I have used it in the past.

I am not keen to see it go, but am all for disabling it by default.

Is there some kind of half-way house on this?


S a m
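As an added example, not code from either post or from httpd: a small Python check that tells a reflected TRACE reply (the cross-site tracing risk Chad links to, where the echoed request exposes the Cookie header) from the 501 refusal his diff produces. Both responses below are constructed samples, not captures from a real server.

```python
# Constructed sample: a server that still implements TRACE echoes the
# request back as a message/http body, Cookie header included.
REFLECTED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Thu, 10 Nov 2005 20:30:49 GMT\r\n"
    b"Content-Type: message/http\r\n"
    b"Content-Length: 67\r\n"
    b"\r\n"
    b"TRACE / HTTP/1.1\r\n"
    b"Host: www.example.org\r\n"
    b"Cookie: session=abc123\r\n"
    b"\r\n"
)

# Constructed sample: the reply after TRACE is removed from the method
# lookup, so httpd answers 501 Method Not Implemented.
REFUSED = (
    b"HTTP/1.1 501 Method Not Implemented\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def trace_verdict(raw: bytes) -> str:
    """'reflected' when the server echoes the TRACE request (method enabled),
    'refused' on 501/405, 'unexpected' for anything else."""
    status, headers, body = parse_response(raw)
    if status in (501, 405):
        return "refused"
    ctype = headers.get("content-type", "")
    if status == 200 and ctype.startswith("message/http") and body.startswith(b"TRACE "):
        return "reflected"
    return "unexpected"

def reflected_header_names(raw: bytes) -> list:
    """Lower-cased names of request headers the server echoed back.
    A 'cookie' entry is exactly what cross-site tracing can read."""
    if trace_verdict(raw) != "reflected":
        return []
    _, _, body = parse_response(raw)
    echoed = body.decode("latin-1").split("\r\n")[1:]  # skip the request line
    return [line.split(":", 1)[0].strip().lower() for line in echoed if ":" in line]
```

Feed it the bytes of a real TRACE reply (for example from a raw socket) to verify that a server is refusing the method rather than reflecting cookies.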