svn commit: r905485 - in /sling/trunk/bundles/engine/src/main:
java/org/apache/sling/engine/impl/SlingMainServlet.java
resources/OSGI-INF/metatype/metatype.properties
Author: ieb
Date: Tue Feb 2 01:02:30 2010
New Revision: 905485
URL: http://svn.apache.org/viewvc?rev=905485&view=rev
Log:
SLING-1340 Fixed, reject the TRACE method by default with a status of 405 and the appropriate headers.
Added configuration setting, and documentation, TRACE disabled by default.
Modified:
sling/trunk/bundles/engine/src/main/java/org/apache/sling/engine/impl/SlingMainServlet.java
sling/trunk/bundles/engine/src/main/resources/OSGI-INF/metatype/metatype.properties
Modified: sling/trunk/bundles/engine/src/main/java/org/apache/sling/engine/impl/SlingMainServlet.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/engine/src/main/java/org/apache/sling/engine/impl/SlingMainServlet.java?rev=905485&r1=905484&r2=905485&view=diff
==============================================================================
--- sling/trunk/bundles/engine/src/main/java/org/apache/sling/engine/impl/SlingMainServlet.java (original)
+++ sling/trunk/bundles/engine/src/main/java/org/apache/sling/engine/impl/SlingMainServlet.java Tue Feb 2 01:02:30 2010
@@ -104,6 +104,11 @@
/** @scr.property valueRef="RequestData.DEFAULT_MAX_INCLUSION_COUNTER" */
public static final String PROP_MAX_INCLUSION_COUNTER = "sling.max.inclusions";
+ /** @scr.property valueRef="DEFAULT_ALLOW_TRACE" */
+ public static final String PROP_ALLOW_TRACE = "sling.trace.allow";
+
+ public static final boolean DEFAULT_ALLOW_TRACE = false;
+
/** default log */
private static final Logger log = LoggerFactory.getLogger(SlingMainServlet.class);
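Review bot: `DEFAULT_ALLOW_TRACE` is added without any comment and `PROP_ALLOW_TRACE` carries only the SCR tag, so the security intent behind the default is not visible where the constants are declared. A Javadoc such as `/** Whether HTTP TRACE is served; {@code false} means TRACE requests are refused with 405 unless {@link #PROP_ALLOW_TRACE} enables them. */` on `DEFAULT_ALLOW_TRACE`, and `/** Name of the configuration property that controls whether HTTP TRACE is allowed. */` on `PROP_ALLOW_TRACE`, would make the default-closed choice explicit to the next maintainer. The enclosing class continues outside the hunk.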
@@ -175,6 +180,8 @@
private SlingFilterChainHelper innerFilterChain = new SlingFilterChainHelper();
+ private boolean allowTrace = DEFAULT_ALLOW_TRACE;
+
// ---------- Servlet API -------------------------------------------------
public void service(ServletRequest req, ServletResponse res)
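Review bot: `allowTrace` is declared as a plain field but is written from the configuration path (the assignment under `// configure method filter` in the last hunk of this file) and read inside `service` on request threads. If that configuration method can run again while the servlet is already serving requests, the updated value is not guaranteed to become visible to the request threads; `private volatile boolean allowTrace = DEFAULT_ALLOW_TRACE;` removes that doubt at negligible cost. If configuration always completes before the servlet is registered with the container, the initial publication is fine and this is only a robustness point; that ordering cannot be confirmed from the hunk.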
@@ -189,6 +196,12 @@
String threadName = setThreadName(request);
try {
+ if (!allowTrace && "TRACE".equals(request.getMethod())) {
+ HttpServletResponse response = (HttpServletResponse) res;
+ response.sendError(405);
+ response.setHeader("Allow", "GET, HEAD, POST, PUT, DELETE, OPTIONS");
+ return;
+ }
// real request handling for HTTP requests
service(request, (HttpServletResponse) res);
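Review bot: The `Allow` header is set after `response.sendError(405)`, and `sendError` commits the response, so the header set on the following line is discarded and the 405 goes out without the `Allow` header that the commit message promises and that HTTP requires for this status. Swap the two calls and use the named constant: `response.setHeader("Allow", "GET, HEAD, POST, PUT, DELETE, OPTIONS");` followed by `response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);`. The hard-coded method list may not match what this servlet actually dispatches; if other methods are served they belong in the list, otherwise the header misinforms clients. The enclosing `service(ServletRequest, ServletResponse)` method continues outside the hunk, so the early `return` presumably relies on a `finally` that restores the thread name, which should be confirmed.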
@@ -584,6 +597,10 @@
configuration.put("servlet-name", PRODUCT_NAME + " "
+ productVersion);
}
+
+ // configure method filter
+ allowTrace = OsgiUtil.toBoolean(componentConfig.get(PROP_ALLOW_TRACE),
+ DEFAULT_ALLOW_TRACE);
// configure the request limits
RequestData.setMaxIncludeCounter(OsgiUtil.toInteger(
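Review bot: The comment `// configure method filter` names neither the method being filtered nor the meaning of the default, which is the security-relevant part of this setting; `// HTTP TRACE is refused with 405 unless the configuration explicitly enables it` says both. Reading the value through `OsgiUtil.toBoolean` with `DEFAULT_ALLOW_TRACE` as the fallback keeps TRACE disabled when the property is absent from `componentConfig`, which is the safe direction and worth stating in that comment. The enclosing configuration method starts outside the hunk.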
Modified: sling/trunk/bundles/engine/src/main/resources/OSGI-INF/metatype/metatype.properties
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/engine/src/main/resources/OSGI-INF/metatype/metatype.properties?rev=905485&r1=905484&r2=905485&view=diff
==============================================================================
--- sling/trunk/bundles/engine/src/main/resources/OSGI-INF/metatype/metatype.properties (original)
+++ sling/trunk/bundles/engine/src/main/resources/OSGI-INF/metatype/metatype.properties Tue Feb 2 01:02:30 2010
@@ -40,8 +40,12 @@
sling.max.inclusions.description = The maximum number of recursive Servlet and \
Script calls while processing a single client request. This number should not \
be too high, otherwise StackOverflowErrors may occurr in case of erroneous \
- scripts and servlets. The default value is 50.
-
+ scripts and servlets. The default value is 50.
+sling.trace.allow.name = Allow the HTTP TRACE method
+sling.trace.allow.description = If set to true, the HTTP TRACE method will be \
+ enabled. By default the HTTP TRACE methods is disabled as it can be used in \
+ Cross Site Scripting attacks on HTTP servers.
+
#
# Request Loggger Filter
request.log.name = Apache Sling Request Logger
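Review bot: The added description has a grammar slip, `the HTTP TRACE methods is disabled` should read `the HTTP TRACE method is disabled`. The rationale could also be stated more precisely than "Cross Site Scripting attacks": TRACE reflects the received request back to the client, which is why it is normally kept off, so `By default the HTTP TRACE method is disabled because its response echoes the request and can be abused in cross-site tracing (XST) attacks.` would describe the actual concern. Both are text-only changes to the new `sling.trace.allow.description` lines.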