httpd-dev mailing list archives

From "Roy T. Fielding" <field...@apache.org>
Subject Re: HTTP TRACE issues (text-only)
Date Mon, 24 Feb 2003 23:50:39 GMT
There is no reason to discuss this on the security or pmc lists.

> Which brings us back to the start... How should we address this, umm...
> concern. Seems to me the 3 options are:
>
>     1. (continue to) Ignore it.

As far as the XSS concern, I'd ignore it.  However, it is perfectly
reasonable for server owners to want to allow or disallow this thing,
provided that the default is allow.

>     2. Address it via documentation (and relay our
>        POV regarding the risks associated)

I would include a link to the response that other person made to
the original bugtraq posting, but I don't have it.

>     3. Add AllowTrace enable|disable

AllowTRACE yes|no     (not available in .htaccess)

The "right" way to implement it would be to have the input filter
retain the original message as a read-only brigade and have the
parsed headers be a data structure that simply pointed to
places in that buffer, but that is obviously not feasible for 1.3
and won't even work efficiently with 2.0.  That would allow TRACE
to be implemented in a module.

In any case, disabling TRACE will not make a site more secure.

....Roy
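The input-filter design sketched in the message above (the raw request kept as a read-only buffer, parsed headers as mere pointers into it, TRACE echoing that buffer unchanged) as an added Python illustration; this is not Apache code, `ParsedRequest`, `parse_request` and `trace_response` are hypothetical names, and the sample request is constructed.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

@dataclass(frozen=True)
class ParsedRequest:
    """Parsed request whose header fields are only (start, end) views into `raw`."""
    raw: bytes                           # the read-only "brigade": the message as received
    request_line: Tuple[int, int]        # offsets of the request line (no CRLF)
    headers: Dict[str, Tuple[int, int]]  # lowercased name -> offsets of the whole header line

    def header(self, name: str) -> bytes:
        """Return a header line exactly as the client sent it (casing and spacing intact)."""
        start, end = self.headers[name.lower()]
        return self.raw[start:end]

def parse_request(raw: bytes) -> ParsedRequest:
    """Index an HTTP/1.x request head without copying or normalizing any of it."""
    head_end = raw.find(b"\r\n\r\n")
    if head_end < 0:
        raise ValueError("incomplete request head")
    pos = raw.find(b"\r\n")
    request_line = (0, pos)
    headers: Dict[str, Tuple[int, int]] = {}
    pos += 2
    while pos < head_end:
        line_end = raw.find(b"\r\n", pos)
        colon = raw.find(b":", pos, line_end)
        if colon < 0:
            raise ValueError("malformed header line")
        name = raw[pos:colon].strip().lower().decode("ascii")
        headers[name] = (pos, line_end)  # view only; the bytes stay in `raw`
        pos = line_end + 2
    return ParsedRequest(bytes(raw), request_line, headers)

def trace_response(req: ParsedRequest) -> bytes:
    """TRACE reply (RFC 2616 9.8): the request head echoed byte-for-byte as message/http."""
    method = req.raw[req.request_line[0]:req.request_line[1]].split(b" ", 1)[0]
    if method != b"TRACE":
        raise ValueError("not a TRACE request")
    body = req.raw[:req.raw.find(b"\r\n\r\n") + 4]
    return (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n"
            b"Content-Length: " + str(len(body)).encode("ascii") + b"\r\n\r\n" + body)

# Constructed sample: odd casing and spacing that a parse-then-reserialize server would alter.
SAMPLE = (b"TRACE /x HTTP/1.1\r\nHost: example.test\r\n"
          b"x-Odd:   spaced  \r\nVia: 1.1 proxy.example\r\n\r\n")

if __name__ == "__main__":
    print(trace_response(parse_request(SAMPLE)).decode("ascii", "replace"))
```

Because the header table holds offsets rather than copies, the echoed body is the client's bytes verbatim, which is the property that lets TRACE live outside the core parser.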

