From: Greg W. <gr...@mo...> - 2003-11-16 15:04:59
Thanks, but I think Trace is currently disabled by default in Jetty. There is an option on HttpServer called setTrace. Unless that is true, then trace will not echo the request in the response and cross site scripting should not be a concern. It is probably worthwhile to make this configurable for servlets in webdefaults.xml, so I'll have a look to see if I can implement something like your patch as well.

cheers

Nash wrote:
> I know this is fairly small nit to be picking, but we
> got knocked about for it in a recent security review
> of one of our applications....
>
> The TRACE method can't be disabled through the
> webdefault.xml configuration file. TRACE can,
> potentially, expose a web application to cross-site
> scripting, even when other countermeasures
> have been employed. There's a decent write-up on
> how this works here:
>
> http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf
>
> Attached is a patch to the 4.2.14 version of
> org.mortbay.jetty.servlet.Default that uses the
> webdefault.xml to set a traceAllowed flag similarly
> to dirAllowed.
>
> The 5.0 version of Default.java appears to be pretty
> similar and the patch applies and appears to compile
> into 5.0 cleanly. YMMV.
>
> -nash
>
> P.S. submitted a bug to sourceforge, and attached the patch:
> http://sourceforge.net/tracker/index.php?func=detail&aid=842795&group_id=7322&atid=107322
>
> P.P.S. patch can also be gotten here:
> http://www.solace.net/nash/Jetty-org.mortbay.jetty.servlet.Default-TRACE.patch
>
> _______________________________________________
> jetty-discuss mailing list
> jet...@li...
> https://lists.sourceforge.net/lists/listinfo/jetty-discuss
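The thread describes two things a reviewer would want to see side by side: a server whose TRACE handling is governed by a flag (the `traceAllowed` idea in Nash's patch, or `setTrace` on Jetty's HttpServer), and a way to confirm that the deployed server really does not reflect request headers. The following is an added example, not Jetty's code or Nash's patch: a minimal Python HTTP handler with a hypothetical `trace_allowed` switch (refuses TRACE with 405 when off, echoes the request as RFC 2616 specifies when on) plus a `check_trace` function that sends a TRACE carrying a constructed marker header and reports whether the marker comes back in the body.

```python
"""Added example (not Jetty's code): a toy HTTP server with a
trace_allowed switch modelled on the thread's traceAllowed flag,
and a verification routine for a security review."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class TraceHandler(BaseHTTPRequestHandler):
    # Hypothetical equivalent of a traceAllowed init-param; off by default.
    trace_allowed = False

    def log_message(self, format, *args):
        pass  # keep the example quiet; stdlib logs every request otherwise

    def do_GET(self):
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_TRACE(self):
        if not self.trace_allowed:
            # Hardened default: the method is simply not allowed.
            self.send_response(405)
            self.send_header("Allow", "GET")
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        # RFC 2616 TRACE semantics: reflect request line and headers,
        # which is exactly what makes cookies readable via the response.
        body = (self.requestline + "\r\n" + str(self.headers)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_server(trace_allowed):
    """Start a server on an ephemeral loopback port; returns the HTTPServer."""
    handler = type("Handler", (TraceHandler,), {"trace_allowed": trace_allowed})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def check_trace(host, port):
    """Send a TRACE with a constructed marker in the Cookie header.

    Returns (status, reflected): reflected is True if the marker appears in
    the response body, i.e. the server echoes request headers.
    """
    marker = "trace-check-marker"  # constructed value, not a real cookie
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("TRACE", "/", headers={"Cookie": marker})
    resp = conn.getresponse()
    body = resp.read().decode(errors="replace")
    conn.close()
    return resp.status, marker in body


if __name__ == "__main__":
    for allowed in (False, True):
        srv = start_server(allowed)
        status, reflected = check_trace("127.0.0.1", srv.server_address[1])
        print(f"trace_allowed={allowed}: status={status} reflected={reflected}")
        srv.shutdown()
        srv.server_close()
```

Run against a real deployment, `check_trace` is the one-line verification a review finding like Nash's would be closed with: a 405 (or 501) with no reflected marker is the expected result once TRACE is disabled; a 200 that echoes the marker means the flag is not taking effect.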