
List:       helix-server-cvs
Subject:    [Server-cvs] protocol/http httpprot.cpp,1.80.2.29,1.80.2.30
From:       dcollins () helixcommunity ! org
Date:       2010-11-16 22:12:05
Message-ID: 201011162212.oAGMC4f8030129 () mailer ! progressive-comp ! com

Update of /cvsroot/server/protocol/http
In directory cvs01.internal.helixcommunity.org:/tmp/cvs-serv32699

Modified Files:
      Tag: SERVER_14_0
	httpprot.cpp 
Log Message:
Synopsis
========
Fixes PR 268849: Security: Server can reveal admin credentials via HTTP TRACE

Branches: SERVER_14_0_RN, SERVER_CURRENT_RN (HEAD)
Suggested Reviewer: Chytanya


Description
===========

This makes support of the HTTP/1.1 TRACE request configurable,
with the default disabled.

To re-enable for debugging, add <Var EnableHTTPTrace="1"> to your
server's config file.

If disabled, it will return a 405 Method Not Allowed response.



Files Affected
==============

server/protocol/http/httpprot.cpp


Testing Performed
=================

Unit Tests:
- N/A

Integration Tests:
- Used telnet to send HTTP/1.1 TRACE requests with this disabled
  to verify the error response.
- Verified that with the config setting in the config file the
  TRACE responds with what was sent to the server.

Leak Tests:
- N/A

Performance Tests:
- N/A

Platforms Tested: linux-rhel5-i686
Builds Verified: linux-rhel5-i686


QA Hints
========
- N/A


Index: httpprot.cpp
===================================================================
RCS file: /cvsroot/server/protocol/http/httpprot.cpp,v
retrieving revision 1.80.2.29
retrieving revision 1.80.2.30
diff -u -d -r1.80.2.29 -r1.80.2.30
--- httpprot.cpp	2 Sep 2010 18:31:04 -0000	1.80.2.29
+++ httpprot.cpp	16 Nov 2010 22:12:02 -0000	1.80.2.30
@@ -113,6 +113,7 @@
 #define MPEG2TS_TIMEOUT_DEF      120 //seconds
 #define MPEG2TS_CONSOLIDATED_LOGGING_CFG "config.MPEG2_Transport_Stream.ConsolidatedLogging"
 #define MPEG2TS_CONSOLIDATED_LOGGING_DEF FALSE
+#define HTTP_TRACE_CFG           "config.EnableHTTPTrace"
 
 // static defines
 const int HTTPProtocol::MAX_TIME_STRING_LEN = 80;
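Review bot: the new HTTP_TRACE_CFG key has no companion default macro, unlike the neighbouring settings in this block (MPEG2TS_CONSOLIDATED_LOGGING_CFG is paired with MPEG2TS_CONSOLIDATED_LOGGING_DEF FALSE), so the "disabled by default" policy the log message describes lives only in a local initialised to 0 inside the handler. Suggest adding `#define HTTP_TRACE_DEF FALSE` next to the key and using it as the initial value of the lookup, so the default is documented in one place and follows the file's own convention.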
@@ -2520,13 +2521,31 @@
 HTTPProtocol::handleMsg(HTTPTraceMessage* pMsg)
 {
     DPRINTF(D_INFO, ("HTTP: TRACE msg handler, url: %s\n", pMsg->url()));
-    
+
     int res = 0;
     if ((res = init_request(pMsg)) != 0 || !m_pDemux)
     {
         return -1;
     }
 
+    //Is HTTP Trace allowed?  Default to *DISABLED* for security.
+    Client* pClient = m_pDemux->GetClient();
+    INT32 lTraceAllowed=0;
+    pClient->m_pProc->pc->registry->GetInt(HTTP_TRACE_CFG, &lTraceAllowed, pClient->m_pProc);
+    if (!lTraceAllowed)
+    {
+        HTTPResponseMessage* pResp = makeResponseMessage("405");
+        pResp->addHeader("Allow", HTTP11_REQUESTS_SUPPORTED);
+        DPRINTF(D_INFO, ("HTTP: 405 Method Not Allowed: %s\n", pMsg->tagStr()));
+        if (SUCCEEDED(sendResponse(pResp)))
+        {
+           SetStatus(405);
+       }
+        HX_DELETE(pResp);
+        LogRequest();
+        return -1;
+    }
+
     HTTPResponseMessage* pResp = new ServerHTTPResponseMessage;
     pResp->setErrorCode("200");
     pResp->setVersion(m_major_version, m_minor_version);
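Review bot: `pClient` returned by `m_pDemux->GetClient()` is dereferenced through `pClient->m_pProc->pc->registry` with no null check, while the guard just above only covers `m_pDemux`; extend that guard to `pClient` (and, on the new 405 path, check the pointer returned by `makeResponseMessage("405")` before calling `addHeader`). The return value of `GetInt` is ignored, so the fail-closed behaviour when the key is absent rests entirely on `lTraceAllowed` being initialised to 0; either check the result explicitly or say so in the comment so a later edit does not break it. Also confirm that `HTTP11_REQUESTS_SUPPORTED` does not list TRACE, since a 405 whose `Allow` header advertises TRACE would contradict itself, and fix the indentation of `SetStatus(405);` and its closing brace, which are off the surrounding four-space style.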


_______________________________________________
Server-cvs mailing list
Server-cvs@helixcommunity.org
http://lists.helixcommunity.org/mailman/listinfo/server-cvs
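The integration check described under Testing Performed (send a TRACE, expect a 405 when the feature is disabled and an echo of the request when it is enabled), written out as a runnable probe. This is an added example and is not part of the commit or of the Helix code base. It also shows why the synopsis calls this a credential disclosure: a TRACE echo returns the request headers, including Authorization, to the client. The mock server, the canary credential, the host/port and the verdict strings are all constructed for the example.

```python
"""Probe an HTTP server for TRACE support and flag request echo.

Added example, not Helix code. Sends an HTTP/1.1 TRACE carrying a canary
Authorization header and classifies the reply. A constructed mock server
with both behaviours (405 when disabled, message/http echo when enabled)
lets the probe run offline.
"""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed canary: a fake Basic credential, base64("admin:canary").
# If it comes back in the TRACE body, the server reflects Authorization.
CANARY_AUTH = "Basic YWRtaW46Y2FuYXJ5"


def probe_trace(host, port, timeout=3.0):
    """Send TRACE / and return one of:
    'disabled'   -> 405 (or 501) with no echo of the request
    'echo'       -> 2xx reply whose body reflects the request line
    'leaks-auth' -> echo that also reflects the Authorization header
    'other:<n>'  -> anything else, with the status code
    """
    req = (
        "TRACE / HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        f"Authorization: {CANARY_AUTH}\r\n"
        "Connection: close\r\n\r\n"
    ).encode()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        chunks = []
        while True:  # Connection: close, so read until EOF
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    raw = b"".join(chunks)
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split()
    code = int(parts[1]) if len(parts) >= 2 and parts[1].isdigit() else 0
    if code in (405, 501):
        return "disabled"
    if 200 <= code < 300 and b"TRACE / HTTP/1.1" in body:
        return "leaks-auth" if CANARY_AUTH.encode() in body else "echo"
    return f"other:{code}"


class _TraceHandler(BaseHTTPRequestHandler):
    """Constructed mock: echoes TRACE when enabled, 405 when disabled."""
    protocol_version = "HTTP/1.1"
    trace_enabled = False

    def do_TRACE(self):
        if not self.trace_enabled:
            self.send_response(405)
            self.send_header("Allow", "GET, HEAD, POST, OPTIONS")
            self.send_header("Content-Length", "0")
            self.send_header("Connection", "close")
            self.end_headers()
            return
        # Echo the request as received: request line plus every header.
        lines = [self.raw_requestline.decode("iso-8859-1").rstrip("\r\n")]
        lines += [f"{k}: {v}" for k, v in self.headers.items()]
        echoed = ("\r\n".join(lines) + "\r\n").encode("iso-8859-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(echoed)))
        self.send_header("Connection", "close")
        self.end_headers()
        self.wfile.write(echoed)

    def log_message(self, *args):  # keep the mock quiet
        pass


def start_mock(trace_enabled):
    """Start the mock on 127.0.0.1 with an ephemeral port; return (server, port)."""
    handler = type("Handler", (_TraceHandler,), {"trace_enabled": trace_enabled})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    for enabled in (False, True):
        srv, port = start_mock(enabled)
        print(f"trace_enabled={enabled}: {probe_trace('127.0.0.1', port)}")
        srv.shutdown()
        srv.server_close()
```

Against a real server the call is just `probe_trace(host, port)`; a result of `leaks-auth` is the pre-fix behaviour the synopsis describes, and `disabled` is what the patched handler returns when EnableHTTPTrace is unset.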
