List: helix-server-cvs
Subject: [Server-cvs] protocol/http httpprot.cpp,1.80.2.29,1.80.2.30
From: dcollins () helixcommunity ! org
Date: 2010-11-16 22:12:05
Message-ID: 201011162212.oAGMC4f8030129 () mailer ! progressive-comp ! com
Update of /cvsroot/server/protocol/http
In directory cvs01.internal.helixcommunity.org:/tmp/cvs-serv32699
Modified Files:
Tag: SERVER_14_0
httpprot.cpp
Log Message:
Synopsis
========
Fixes PR 268849: Security: Server can reveal admin credentials via HTTP TRACE
Branches: SERVER_14_0_RN, SERVER_CURRENT_RN (HEAD)
Suggested Reviewer: Chytanya
Description
===========
This makes support of the HTTP/1.1 TRACE request configurable,
with the default disabled.
To re-enable for debugging, add <Var EnableHTTPTrace="1"> to your
server's config file.
If disabled, it will return a 405 Method Not Allowed response.
Files Affected
==============
server/protocol/http/httpprot.cpp
Testing Performed
=================
Unit Tests:
- N/A
Integration Tests:
- Used telnet to send HTTP/1.1 TRACE requests with this disabled to verify the error response.
- Verified that with the config setting in the config file the TRACE responds with what was sent to the server.
Leak Tests:
- N/A
Performance Tests:
- N/A
Platforms Tested: linux-rhel5-i686
Builds Verified: linux-rhel5-i686
QA Hints
========
- N/A
Index: httpprot.cpp
===================================================================
RCS file: /cvsroot/server/protocol/http/httpprot.cpp,v
retrieving revision 1.80.2.29
retrieving revision 1.80.2.30
diff -u -d -r1.80.2.29 -r1.80.2.30
--- httpprot.cpp 2 Sep 2010 18:31:04 -0000 1.80.2.29
+++ httpprot.cpp 16 Nov 2010 22:12:02 -0000 1.80.2.30
@@ -113,6 +113,7 @@
#define MPEG2TS_TIMEOUT_DEF 120 //seconds
#define MPEG2TS_CONSOLIDATED_LOGGING_CFG "config.MPEG2_Transport_Stream.ConsolidatedLogging"
#define MPEG2TS_CONSOLIDATED_LOGGING_DEF FALSE
+#define HTTP_TRACE_CFG "config.EnableHTTPTrace"
// static defines
const int HTTPProtocol::MAX_TIME_STRING_LEN = 80;
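Review bot: the new `+#define HTTP_TRACE_CFG` line has no companion default define, unlike the neighbouring MPEG2TS_* settings, which pair each `_CFG` key with a `_DEF` value; add `#define HTTP_TRACE_DEF 0` beside it and use that as the initial value at the lookup site, so the documented default (disabled) is stated once in the defines block rather than implied by an initialiser in the handler. A blank line between the MPEG2TS group and this HTTP setting would also keep the grouping readable.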
@@ -2520,13 +2521,31 @@
HTTPProtocol::handleMsg(HTTPTraceMessage* pMsg)
{
DPRINTF(D_INFO, ("HTTP: TRACE msg handler, url: %s\n", pMsg->url()));
-
+
int res = 0;
if ((res = init_request(pMsg)) != 0 || !m_pDemux)
{
return -1;
}
+ //Is HTTP Trace allowed? Default to *DISABLED* for security.
+ Client* pClient = m_pDemux->GetClient();
+ INT32 lTraceAllowed=0;
+ pClient->m_pProc->pc->registry->GetInt(HTTP_TRACE_CFG, &lTraceAllowed, pClient->m_pProc);
+ if (!lTraceAllowed)
+ {
+ HTTPResponseMessage* pResp = makeResponseMessage("405");
+ pResp->addHeader("Allow", HTTP11_REQUESTS_SUPPORTED);
+ DPRINTF(D_INFO, ("HTTP: 405 Method Not Allowed: %s\n", pMsg->tagStr()));
+ if (SUCCEEDED(sendResponse(pResp)))
+ {
+ SetStatus(405);
+ }
+ HX_DELETE(pResp);
+ LogRequest();
+ return -1;
+ }
+
HTTPResponseMessage* pResp = new ServerHTTPResponseMessage;
pResp->setErrorCode("200");
pResp->setVersion(m_major_version, m_minor_version);
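Review bot: `m_pDemux->GetClient()` and the `pClient->m_pProc->pc->registry` chain are dereferenced without a NULL check before the registry lookup, while the existing code only guards `m_pDemux` itself; guard `pClient` and `m_pProc` the same way and, on failure, fall into the 405 branch so that a failed lookup can never leave TRACE enabled. Two smaller points: the `Allow` header is built from `HTTP11_REQUESTS_SUPPORTED`, so confirm that list does not itself name TRACE, otherwise the 405 advertises the method it just refused; and the return value of `GetInt` is ignored, which is only safe because `lTraceAllowed` is initialised to 0 (a comment saying so would help, and `INT32 lTraceAllowed=0;` wants spaces around `=` to match the rest of the file). The leading `-`/`+` pair at the top of the hunk is a whitespace-only change that adds noise to the diff.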
_______________________________________________
Server-cvs mailing list
Server-cvs@helixcommunity.org
http://lists.helixcommunity.org/mailman/listinfo/server-cvs
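As an added illustration for this archive page (not Helix Server code, and not part of the commit above), the following Python model reproduces the policy the patch introduces: TRACE is refused with 405 and an Allow header unless a config value is set to 1, and when it is enabled the server echoes the request back as message/http, which is exactly how a credential-bearing Authorization header ends up in the response. It also includes the kind of check the Testing section describes, done as a function rather than by telnet. Assumptions: the allowed-method list stands in for the HTTP11_REQUESTS_SUPPORTED macro, whose contents the page does not show; the sample request, its Authorization value, and the sensitive-header list are constructed for the example.

```python
"""Model of a configurable HTTP TRACE handler (added example, not Helix code)."""
from dataclasses import dataclass

# Stand-in for HTTP11_REQUESTS_SUPPORTED; the real macro's contents are not
# shown on the page, so this list is an assumption for the example.
ALLOWED_METHODS = ("GET", "POST", "OPTIONS")

# Header names whose values a TRACE echo would reflect to the client.
# Constructed list used only by the verification helper below.
SENSITIVE_HEADERS = ("authorization", "proxy-authorization", "cookie")


@dataclass
class ServerConfig:
    # Mirrors config.EnableHTTPTrace from the patch: 0 unless the operator
    # sets <Var EnableHTTPTrace="1">, so the lookup default is "disabled".
    enable_http_trace: int = 0


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into method, target, version, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, target, version, headers, body


def handle_request(raw: bytes, cfg: ServerConfig) -> bytes:
    """Return the raw response bytes the modelled server would send."""
    method, _target, _version, _headers, _body = parse_request(raw)
    if method != "TRACE":
        # Other methods are out of scope here; answer with an empty 200.
        return b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
    if not cfg.enable_http_trace:
        # Disabled (the default): refuse, and advertise what is allowed,
        # the same shape as the 405 path added in the patch.
        allow = ", ".join(ALLOWED_METHODS).encode()
        return (b"HTTP/1.1 405 Method Not Allowed\r\n"
                b"Allow: " + allow + b"\r\n"
                b"Content-Length: 0\r\n\r\n")
    # Enabled for debugging: TRACE echoes the request as message/http,
    # including every request header the client sent.
    return (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: message/http\r\n"
            b"Content-Length: " + str(len(raw)).encode() + b"\r\n\r\n" + raw)


def reflected_sensitive_headers(response: bytes) -> list:
    """Names of sensitive request headers that a TRACE response echoed back.

    A 405 (or any non-200) response reflects nothing and yields [].
    """
    head, _, body = response.partition(b"\r\n\r\n")
    if not head.startswith(b"HTTP/1.1 200"):
        return []
    found = []
    for line in body.split(b"\r\n")[1:]:  # skip the echoed request line
        name = line.split(b":", 1)[0].strip().lower().decode("iso-8859-1")
        if name in SENSITIVE_HEADERS:
            found.append(name)
    return found


# Constructed sample request; the Authorization value is a placeholder.
SAMPLE_TRACE = (b"TRACE /admin HTTP/1.1\r\n"
                b"Host: server.example\r\n"
                b"Authorization: Basic PLACEHOLDER-NOT-A-REAL-CREDENTIAL\r\n"
                b"\r\n")


def check_trace_policy(cfg: ServerConfig) -> dict:
    """The verification the commit's Testing section did by hand with telnet."""
    response = handle_request(SAMPLE_TRACE, cfg)
    status_line = response.split(b"\r\n", 1)[0].decode("iso-8859-1")
    return {"status": status_line,
            "reflected": reflected_sensitive_headers(response)}


if __name__ == "__main__":
    print("default config:", check_trace_policy(ServerConfig()))
    print("trace enabled: ", check_trace_policy(ServerConfig(enable_http_trace=1)))
```

Running the block prints the status line and the reflected sensitive headers for both configurations; the default yields a 405 with nothing reflected, while the enabled configuration returns 200 and reflects the Authorization header, which is the behaviour the patch turns off by default.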