cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Joe Luo (JIRA)" <>
Subject [jira] [Commented] (CXF-7114) Disable HTTP TRACE method on CXF http-jetty transport
Date Thu, 03 Nov 2016 14:46:59 GMT


Joe Luo commented on CXF-7114:

And should it be 405 status instead of 500 ?
Yeah, you were right, It should return 405 instead of 500. please find a new patch.txt attached.
It sets Jetty Server Request "handled" status to true and HttpServletResponse to status 405
instead of simply throwing back a ServletException.

Should it be optionally disabled (you mentioned Pax Web disabling it by default) ?
Yeah, Pax Web disabled it by default. But it was just simply throwing back a ServletException
so it was status of 500 returned back to client. 

I do not mind to have it optionally disabled. But I doubt that the TRACE method is still used
by anyone now. Particularly, it is only for standalone CXF endpoints using http-jetty transport.

> Disable HTTP TRACE method on CXF http-jetty transport
> -----------------------------------------------------
>                 Key: CXF-7114
>                 URL:
>             Project: CXF
>          Issue Type: Bug
>          Components: Transports
>    Affects Versions: 3.0.4
>            Reporter: Joe Luo
>            Priority: Minor
>         Attachments: patch.txt
> We had a security scan and found that standalone CXF endpoint using http-jetty transport
still had HTTP TRACE method enabled. It is considered as a security risk. 
> It's not a problem if the CXF http-jetty transport is used with Pax Web as Pax Web had
already had it's embedded Jetty engine's HTTP TRACE method disabled by default. 
> So we should disable HTTP TRACE method in JettyHTTPHandler. Please find attached patch.txt
for more detail.

This message was sent by Atlassian JIRA

View raw message