httpd-users mailing list archives

From Erich Oliphant <eri...@vantixweb.com>
Subject Re: [users@httpd] Limiting HTTP Methods
Date Wed, 19 Nov 2003 22:17:28 GMT
Thanks.   Hmm, is there any other way to disable the TRACE method?

Erich

On Wednesday, November 19, 2003, at 04:46  PM, Aaron Morris wrote:

>
>
> Erich Oliphant wrote:
>> I am trying to prevent nastiness such as TRACE based attacks.  The 
>> following short Perl script:
>> #!/usr/local/bin/perl -w
>> use LWP::UserAgent;
>> my $ua = new LWP::UserAgent;
>> $ua->agent("AgentName/0.1" . $ua->agent);
>> my $req = new HTTP::Request TRACE => "https://<my url...>/";
>> my $res = $ua->request($req);
>> if ($res->is_success)
>> {
>>         print $res->content;
>> }
>> else
>> {
>>         print "failed";
>>         print $res->error_as_HTML;
>> }
>> Prints the following:
>> -- 
>> TRACE / HTTP/1.1
>> TE: deflate,gzip;q=0.3
>> Connection: TE, close
>> Host: <my url ...>
>> User-Agent: AgentName/0.1libwww-perl/5.75
>> -- 
>> as opposed to "failed" and a "Method Not Allowed" error as I would 
>> expect.  I thought maybe it was an issue with the resolving of my 
>> various Directory, Location, etc directives but I've tried both 
>> making this the first and last directive and received the same 
>> results.
>> I will try it on a fresh Apache setup as well to verify that some of 
>> the preexisting directives are not confusing it.
>> On Wednesday, November 19, 2003, at 03:36  PM, Joshua Slive wrote:
>>>
>>> On Wed, 19 Nov 2003, Erich Oliphant wrote:
>>>
>>>> Hello,
>>>> I am trying to limit the methods sent by any client.   For example,
>>>> I've tried the following to prevent anything other than POSTs or 
>>>> GETs:
>>>>
>>>> <Location />
>>>>          <LimitExcept GET POST>
>>>>                  Order deny,allow
>>>>                  Deny from all
>>>>          </LimitExcept>
>>>> </Location>
>>>>
>>>> This is not working (hence this email :)).  Any suggestions would be
>>>> greatly appreciated.
>>>
>>>
>>> That technique is basically correct.  What is your evidence that it is
>>> not working?
>>>
>>> Joshua.
>>>
>>>
>>>
>> Sum Cogito Ergo
>> I Am Therefore I Think
>
> The TRACE method cannot be limited with the <Limit> or <LimitExcept> 
> directives.
>
> -- 
> Aaron W Morris <aaronmorris@mindspring.com> (decep)
>
>
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server 
> Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
Sum Cogito Ergo
I Am Therefore I Think
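
Added example, not part of the original thread: Apache configuration that rejects TRACE, which the reply above says <Limit>/<LimitExcept> cannot do. It assumes mod_rewrite is loaded for option 1; TraceEnable (option 2) exists only in httpd 1.3.34, 2.0.55 and later, releases that postdate this thread.

```apache
# Block from the thread: restricts every method except GET and POST,
# but per the reply above it has no effect on TRACE.
<Location />
    <LimitExcept GET POST>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Location>

# Option 1: mod_rewrite. TRACE requests get 403 Forbidden.
# Rewrite rules in the main server config are not inherited by
# <VirtualHost> sections by default, so repeat these three lines in
# each virtual host (or set "RewriteOptions inherit" there).
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE$
RewriteRule .* - [F]

# Option 2: core directive, valid in server config or <VirtualHost>
# context. TRACE requests get 405 Method Not Allowed.
TraceEnable off
```

After a reload, the Perl script quoted in the thread should print "failed" followed by the error page instead of the echoed request.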

