cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sergey Beryozkin (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (CXF-7114) Disable HTTP TRACE method on CXF http-jetty transport
Date Thu, 03 Nov 2016 16:34:59 GMT

     [ https://issues.apache.org/jira/browse/CXF-7114?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Sergey Beryozkin resolved CXF-7114.
-----------------------------------
       Resolution: Fixed
         Assignee: Sergey Beryozkin
    Fix Version/s: 3.0.12
                   3.1.9
                   3.2.0

Thanks for the patch. I guess a property to optionally support it can be introduced in the
future if it will be ever needed

> Disable HTTP TRACE method on CXF http-jetty transport
> -----------------------------------------------------
>
>                 Key: CXF-7114
>                 URL: https://issues.apache.org/jira/browse/CXF-7114
>             Project: CXF
>          Issue Type: Bug
>          Components: Transports
>    Affects Versions: 3.0.4
>            Reporter: Joe Luo
>            Assignee: Sergey Beryozkin
>            Priority: Minor
>             Fix For: 3.2.0, 3.1.9, 3.0.12
>
>         Attachments: patch.txt
>
>
> We had a security scan and found that standalone CXF endpoint using http-jetty transport
still had HTTP TRACE method enabled. It is considered as a security risk. 
> It's not a problem if the CXF http-jetty transport is used with Pax Web as Pax Web had
already had it's embedded Jetty engine's HTTP TRACE method disabled by default. 
> So we should disable HTTP TRACE method in JettyHTTPHandler. Please find attached patch.txt
for more detail.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message