httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 50328] TraceEnable off : Directive: In apache 2.2.x does not work
Date Wed, 24 Nov 2010 16:51:48 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=50328

mishra <mishra@nrl.navy.mil> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|INVALID                     |

--- Comment #2 from mishra <mishra@nrl.navy.mil> 2010-11-24 11:51:46 EST ---
(In reply to comment #1)
> You send a request that is syntactically malformed HTTP, you get a 400
> response.
> 
> If you need clarification of that, please use a user support forum.


Our security scans are showing that TRACE is enabled on our apache server.
I have read documentation that this method was a way to manually test it.

Are you saying that TraceEnable off  is working correctly?

Is it or is it not suppose to return METHOD NOT ALLOWED?

How do you propose testing the TraceEnable feature if the following is not
the way to do it:

TRACE / HTTP/1.0
Host: foo
Any text entered here will be echoed back in the response

Why was I able to get the text echoed back if the TraceEnable off is working?
Where was the METHOD NOT ALLOWED response.

I looked at the http_filters.c and it showed that with TraceEnable off, I
should
get return information as such:
                      "TRACE denied by server configuration");
        return HTTP_METHOD_NOT_ALLOWED;


But I am not getting that, either are our security scans.
It does not seem like TraceEnable off directive is working correctly.

Please test this and advise?



Thanks,

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


Mime
View raw message