Posted to issues@trafficserver.apache.org by "ASF subversion and git services (JIRA)" <ji...@apache.org> on 2014/06/19 01:53:26 UTC

[jira] [Commented] (TS-1981) Url remap method filtering is broken with invalid method

    [ https://issues.apache.org/jira/browse/TS-1981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14036673#comment-14036673 ] 

ASF subversion and git services commented on TS-1981:
-----------------------------------------------------

Commit ee8a4b18ea78e9bb9c2da3d1d7f92860dc7c8b28 in trafficserver's branch refs/heads/4.2.x from [~briang]
[ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=ee8a4b1 ]

[TS-1981] Adding arbitrary methods to url remap, and fix the same problem in IpAllow (not cherrypicked, applied via patch built for 4.2.x)


> Url remap method filtering is broken with invalid method
> --------------------------------------------------------
>
>                 Key: TS-1981
>                 URL: https://issues.apache.org/jira/browse/TS-1981
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: Configuration, Security
>            Reporter: Thach Tran
>            Assignee: Brian Geffon
>              Labels: review
>             Fix For: 5.0.0
>
>         Attachments: 0001-TS-1981-Fix-method-filtering-to-deny-invalid-methods.patch, updated-TS-1981.patch
>
>
> ACL filtering based on the HTTP method is ignored if the method received from the client is invalid.
> To reproduce, with the default 8080 {{server_ports}}, configure {{remap.conf}} as follows.
> {noformat}
> map http://localhost:8080/ http://www.google.com/ @method=GET
> {noformat}
> Then run the following curl command.
> {noformat}
> $ curl -v -X AAAAAA http://localhost:8080/
> {noformat}
> Notice that a 200 OK response is received by the client with some (empty) HTML from google.com.
> If the following curl command is issued instead,
> {noformat}
> $ curl -v -X PUT http://localhost:8080/
> {noformat}
> one will see that TS sends back a 403 Access Denied as expected.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
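
The behaviour reported above, next to the fail-closed decision the reporter expected, as an added example (a simplified model, not Traffic Server code and not part of the original message). The function names, the `KNOWN_METHODS` set, the lowercase probe, and the use of 200 to mean "request forwarded" are assumptions made for illustration.

```python
# Simplified model of a remap method ACL. Illustration only, not Traffic Server code.

# Constructed input: the rule from the report.
RULE = "map http://localhost:8080/ http://www.google.com/ @method=GET"

# Assumption: the set of methods this model treats as "recognized".
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}

# Probes: the three methods from the report plus a lowercase variant (constructed).
PROBES = ["GET", "PUT", "AAAAAA", "get"]


def allowed_methods(remap_line):
    """Collect the @method= values from one remap.conf map rule."""
    return {tok.split("=", 1)[1] for tok in remap_line.split()
            if tok.startswith("@method=")}


def decide_fail_open(method, allowed):
    """Reported behaviour: the ACL only rejects methods it recognizes."""
    if method in KNOWN_METHODS and method not in allowed:
        return 403
    return 200  # unrecognized methods skip the filter entirely


def decide_fail_closed(method, allowed):
    """Expected behaviour: exact, case-sensitive match or deny."""
    return 200 if method in allowed else 403


def audit(decide, allowed, probes):
    """Return the probes that were let through without being on the allowlist."""
    return [m for m in probes if m not in allowed and decide(m, allowed) != 403]


if __name__ == "__main__":
    allowed = allowed_methods(RULE)
    for name, fn in (("fail-open", decide_fail_open), ("fail-closed", decide_fail_closed)):
        print(name, "bypasses:", audit(fn, allowed, PROBES))
```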