
usr.sbin/httpd: disable TRACE, comments?



Are there people who really *need* the TRACE method to work in
httpd?  It's a security risk for some web applications (using
JavaScript to sniff headers, particularly cookies, from other
domains).  http://www.kb.cert.org/vuls/id/867593

RFC 2616 section 5.1.1 states that TRACE is optional.  This
diff disables it, and httpd will return a 501 Method Not Implemented
as a result.
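To verify the effect of this change on a server you administer, here is a small checker (added example, not part of the original post or of httpd). It sends one TRACE request and classifies the reply: an httpd that still implements TRACE echoes the request back with `Content-Type: message/http`, while a patched httpd answers 501 (or 405 on servers that refuse the method explicitly). The sample replies below are constructed, not captured from any real host.

```python
"""Check whether an httpd still honours the TRACE method."""
import http.client
import sys

# Status codes that mean the server refuses or does not implement TRACE.
DISABLED_STATUSES = {405, 501}  # 405 Method Not Allowed, 501 Not Implemented

# Constructed sample replies (not captured from any real server):
# (status, Content-Type header, first bytes of body).
SAMPLE_REPLIES = {
    "unpatched": (200, "message/http",
                  b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    "patched": (501, "text/html; charset=iso-8859-1",
                b"<html><title>501 Method Not Implemented</title></html>"),
}


def classify_trace_response(status, content_type, body):
    """Return 'enabled', 'disabled' or 'unknown' for one TRACE reply."""
    if status in DISABLED_STATUSES:
        return "disabled"
    if status == 200 and content_type.lower().startswith("message/http"):
        return "enabled"  # request echoed back, as RFC 2616 9.8 describes
    if status == 200 and body.lstrip().startswith(b"TRACE "):
        return "enabled"  # echoed request without the proper media type
    return "unknown"      # redirects, auth challenges, proxies, etc.


def check_trace(host, port=80, path="/", timeout=5.0):
    """Send a single TRACE request to host:port and classify the answer."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", path, headers={"X-Trace-Probe": "1"})
        resp = conn.getresponse()
        body = resp.read(4096)
        return classify_trace_response(
            resp.status, resp.getheader("Content-Type", ""), body)
    except (OSError, http.client.HTTPException):
        return "unknown"  # connection refused, timeout, malformed reply
    finally:
        conn.close()


def classify_samples():
    """Classify the constructed sample replies (offline self-check)."""
    return {name: classify_trace_response(*reply)
            for name, reply in SAMPLE_REPLIES.items()}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print(target, "TRACE", check_trace(target))
```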

Index: src/main/http_protocol.c
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/src/main/http_protocol.c,v
retrieving revision 1.28
diff -u -r1.28 http_protocol.c
--- src/main/http_protocol.c	9 Feb 2005 12:13:09 -0000	1.28
+++ src/main/http_protocol.c	10 Nov 2005 20:30:49 -0000
@@ -824,10 +824,6 @@
            if (strcmp(method, "OPTIONS") == 0)
                return M_OPTIONS;
            break;
-        case 'T':
-           if (strcmp(method, "TRACE") == 0)
-               return M_TRACE;
-           break;
         case 'L':
            if (strcmp(method, "LOCK") == 0)
                return M_LOCK;