httpd-dev mailing list archives

From: "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject: Rev 2: [PATCH] 1.3 TraceEnable [on|off|extended]
Date: Thu, 23 Jun 2005 13:53:13 GMT
The patch, in final form, tested and works for T-E with C-L > body, 
T-E with C-L < body, C-L only, T-E only and no body.  It correctly
denies proxy TRACE with a body by default, and will deny all TRACE
requests for 'TraceEnable off'.

Votes please, before I invest in patching 2.x?

A related message r.e. 2.x to follow.

Bill

At 01:30 AM 6/23/2005, William A. Rowe, Jr. wrote:

>The attached patch resolved the issue I noted below,
>10.4.6 405 Method Not Allowed requires an Allow header 
>(I would presume, even if empty, based on #() grammar),
>while 10.5.2 501 Not Implemented states:
>
>   This is the appropriate response when the server does not
>   recognize the request method and is not capable of supporting 
>   it for any resource.
>
>If 'ProxyEnable off' is set for a given host, the setting is
>url-impotent, and does not vary.
>
>Because the patch does append a new member to the core_server_config
>structure, it seems a minor bump is in order.
>
>
>At 12:52 PM 6/22/2005, William A. Rowe, Jr. wrote:
>
>>FYI there is one small issue still.  The resulting Allow: <null>
>>response to a denied TRACE request.  TRACE doesn't go through the
>>normal processing, so methods aren't added.  And since TRACE is
>>denied, it's removed too.
>
>At 08:56 AM 6/22/2005, William A. Rowe, Jr. wrote:
>>I've spent a large number of cycles investigating the Watchfire report 
>>(http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf) and
>>come up with a genuine reason to adopt the attached patch.
>>...
>>So the attached patch introduces the per-host directive
>>
>>TraceEnable on|off|extended
>>
>>where extended permits a message body, up to 64kb at the target server,
>>and of an unlimited size through a proxy server.  The default remains
>>'on', of course, denying a TRACE body request even via proxy.
>>
>>Following the semantics of TRACE, the request body is returned to the
>>host verbatim as part of the response, following the headers, exactly
>>as sent.
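As an added illustration, not the patch from this thread (which is not reproduced on the page) and not httpd code, the Python below models the TraceEnable decision the message describes: 'off' denies every TRACE request on the host, 'on' (the default) accepts TRACE only when no body is declared, proxy or not, and 'extended' accepts a body capped at 64 KB at the target server and uncapped through a proxy. A body is taken to be declared when a Transfer-Encoding header is present or Content-Length is non-zero, covering the T-E/C-L combinations the patch was tested against. The function names, the constructed sample requests and the treatment of `Content-Length: 0` and of a malformed Content-Length value are assumptions of this example, not statements about the patch.

```python
"""Model of the TraceEnable on|off|extended policy described in the thread.
Added example; not the httpd patch itself."""

from typing import Dict, Optional, Tuple

# Cap on the TRACE body a target (origin) server accepts under 'extended',
# 64 KB as stated in the message. Through a proxy no cap applies.
EXTENDED_ORIGIN_BODY_LIMIT = 64 * 1024


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x request into (METHOD, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    method = request_line.split(" ", 1)[0].upper()
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, headers, body


def declared_body_length(headers: Dict[str, str]) -> Optional[int]:
    """Body length announced by the headers: None for no body, -1 when the
    size is unknown up front (Transfer-Encoding present, or unparsable
    Content-Length), otherwise the Content-Length value."""
    if "transfer-encoding" in headers:
        # Assumption: T-E always signals a body, whatever Content-Length says,
        # matching the T-E-with-C-L cases the patch was tested against.
        return -1
    if "content-length" in headers:
        try:
            length = int(headers["content-length"])
        except ValueError:
            return -1  # assumption: malformed C-L is treated as a body of unknown size
        return None if length == 0 else length  # assumption: C-L 0 means no body
    return None


def trace_decision(mode: str, headers: Dict[str, str],
                   via_proxy: bool = False) -> Tuple[bool, str]:
    """Accept or deny a TRACE request under a TraceEnable mode.

    mode: 'on' (default), 'off' or 'extended'.
    via_proxy: True when this server forwards the request instead of
    answering it as the target server."""
    mode = mode.lower()
    if mode == "off":
        return False, "TraceEnable off: all TRACE requests on this host are denied"
    body = declared_body_length(headers)
    if body is None:
        return True, "TRACE without a request body is accepted"
    if mode == "on":
        return False, "TraceEnable on: TRACE with a request body is denied, proxy included"
    if mode == "extended":
        if via_proxy:
            return True, "TraceEnable extended: body forwarded through the proxy, no size cap"
        # A chunked body (-1) can only be sized while it is read; the cap is
        # then enforced at read time, so only a declared Content-Length is
        # checked here.
        if body > EXTENDED_ORIGIN_BODY_LIMIT:
            return False, "TraceEnable extended: body exceeds the 64 KB cap at the target server"
        return True, "TraceEnable extended: body accepted and echoed back after the headers"
    raise ValueError(f"unknown TraceEnable mode: {mode!r}")


def decide_raw(mode: str, raw: bytes, via_proxy: bool = False) -> Tuple[bool, str]:
    """Parse a raw request and apply the policy; non-TRACE methods are untouched."""
    method, headers, _ = parse_request(raw)
    if method != "TRACE":
        return True, "not a TRACE request; TraceEnable does not apply"
    return trace_decision(mode, headers, via_proxy)


# Constructed sample requests (not taken from the thread). The second declares
# a body with both Transfer-Encoding and Content-Length, one of the
# combinations the message says the patch was tested against.
SAMPLE_PLAIN = b"TRACE / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
SAMPLE_BODY = (b"TRACE / HTTP/1.1\r\nHost: example.invalid\r\n"
               b"Transfer-Encoding: chunked\r\nContent-Length: 5\r\n\r\n"
               b"5\r\nhello\r\n0\r\n\r\n")

if __name__ == "__main__":
    for mode in ("on", "off", "extended"):
        for label, raw in (("no body", SAMPLE_PLAIN), ("with body", SAMPLE_BODY)):
            for proxy in (False, True):
                ok, why = decide_raw(mode, raw, proxy)
                print(f"{mode:8} {label:9} proxy={proxy!s:5} -> {'allow' if ok else 'deny '}  {why}")
```

Running the block prints the decision matrix for all three modes with and without a body, at the target server and through a proxy; the default mode denies any TRACE that carries a body in both positions, which is the behaviour the message says the patch enforces.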
