tomcat-dev mailing list archives

From "Bill Barker" <wbar...@wilshire.com>
Subject Re: SECURITY BUG: No place to disable HTTP TRACE vulnerability
Date Sun, 11 Jan 2004 23:54:26 GMT

----- Original Message ----- 
From: "Remy Maucherat" <remm@apache.org>
To: "Tomcat Developers List" <tomcat-dev@jakarta.apache.org>
Sent: Sunday, January 11, 2004 1:18 AM
Subject: Re: SECURITY BUG: No place to disable HTTP TRACE vulnerability


> Bill Barker wrote:
> > Ok, this isn't right.  Tomcat defaults to NonLoginAuthenticator if there
> > is no login-config.  This one just approves everybody for everything.
>
> Ok. This isn't absolutely critical, but needs to be fixed.
>

I just tested this with a fresh build of everything, and it seems that
Tomcat is working fine.  I set allowTrace="true" on the connector, and put
in a security-constraint to forbid TRACE in ROOT/WEB-INF/web.xml but no
login-config.  The result is a perfectly good 403 response to 'TRACE /
HTTP/1.0', and a perfectly good TRACE response to 'TRACE /jsp-examples/
HTTP/1.0'.

I'm afraid that you will have to provide a test case if you want to re-open
this issue ;-).  I'm resolving it as WORKSFORME.

> Rémy
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
>
>
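The web.xml security-constraint described in the reply above, written out as an added example (it is not part of the original thread or of Tomcat's own files); the resource name, the /* pattern and the servlet 2.4 header are assumptions:

```xml
<!-- ROOT/WEB-INF/web.xml: deny the TRACE method for every URL in this context.
     Constructed example; only the context that declares it is covered, which is
     why TRACE /jsp-examples/ still succeeded in the test reported above. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Deny HTTP TRACE</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>TRACE</http-method>
    </web-resource-collection>
    <!-- An empty auth-constraint grants access to no role at all, so the
         container answers 403 for TRACE without needing a login-config. -->
    <auth-constraint/>
  </security-constraint>

  <!-- Deliberately no login-config: the 403 above does not depend on one. -->
</web-app>
```

The constraint only matters on a Connector where allowTrace="true" has been set explicitly, as in the test above; with the attribute left at its default of false, Tomcat refuses TRACE for every context without any web.xml change.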
