Posted to dev@tomcat.apache.org by GitBox <gi...@apache.org> on 2020/01/10 10:04:47 UTC

[GitHub] [tomcat] panchenko opened a new pull request #233: if TRACE is not allowed skip error page for such requests

panchenko opened a new pull request #233: if TRACE is not allowed skip error page for such requests
URL: https://github.com/apache/tomcat/pull/233
 
 
   I have a Spring Boot application, and Spring Boot by default configures an error page.
   The TRACE method is not allowed (default configuration).
   
   When a TRACE request happens, it tries to return 405, which is then sent to the error page, which is not expecting to handle it, and finally the request is served by `HttpServlet.doTrace()`: the response status is 405, but the headers are returned back.
   
   I think it should be fixed in Tomcat - if TRACE is not allowed, then the application should never receive such requests.
   
   Please see the suggested change and tests.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


[GitHub] [tomcat] panchenko commented on issue #233: if TRACE is not allowed skip error page for such requests

Posted by GitBox <gi...@apache.org>.
panchenko commented on issue #233: if TRACE is not allowed skip error page for such requests
URL: https://github.com/apache/tomcat/pull/233#issuecomment-573042875
 
 
   Surely I understand what you mean, but the Servlet specification says nothing about `Connector.getAllowTrace()`, which is checked in `CoyoteAdapter`. 
   
   ```java
           // Filter trace method
           if (!connector.getAllowTrace()
                   && req.method().equalsIgnoreCase("TRACE")) {
   ...
               response.sendError(405, "TRACE method is not allowed");
               // Safe to skip the remainder of this method.
               return true;
           }
   ```
   
   I would say this happens **before** entering the area covered by the Servlet specification.
   If TRACE is not allowed, then the most obvious behaviour would be not leaking it into an error page.
   IMHO, if an application is interested in handling TRACE requests, it should configure the Connector accordingly.
   
   Some people consider the enabled TRACE method a security vulnerability. Currently in Tomcat it becomes unexpectedly exposed via an error page path.
   
   I agree that the check I added to skip the error page lookup does not directly reference this condition from CoyoteAdapter, and that causes confusion. I guess it can be improved.



[GitHub] [tomcat] markt-asf closed pull request #233: if TRACE is not allowed skip error page for such requests

Posted by GitBox <gi...@apache.org>.
markt-asf closed pull request #233: if TRACE is not allowed skip error page for such requests
URL: https://github.com/apache/tomcat/pull/233
 
 
   



[GitHub] [tomcat] markt-asf commented on issue #233: if TRACE is not allowed skip error page for such requests

Posted by GitBox <gi...@apache.org>.
markt-asf commented on issue #233: if TRACE is not allowed skip error page for such requests
URL: https://github.com/apache/tomcat/pull/233#issuecomment-573001161
 
 
   The Servlet specification requires that applications are given the opportunity to handle errors. There are no exceptions to this. Further, the Servlet specification requires that the original request and response are forwarded to the error page.
   It is the responsibility of any application error handler to ensure that it correctly handles a forwarded request with a method other than GET.
   This is an application version of CVE-2017-5664 and needs to be handled in the application.
