You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@cxf.apache.org by "Sergey Beryozkin (JIRA)" <ji...@apache.org> on 2016/11/03 16:34:59 UTC
[jira] [Resolved] (CXF-7114) Disable HTTP TRACE method on CXF
http-jetty transport
[ https://issues.apache.org/jira/browse/CXF-7114?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sergey Beryozkin resolved CXF-7114.
-----------------------------------
Resolution: Fixed
Assignee: Sergey Beryozkin
Fix Version/s: 3.0.12
3.1.9
3.2.0
Thanks for the patch. I guess a property to optionally support it can be introduced in the future if it will be ever needed
> Disable HTTP TRACE method on CXF http-jetty transport
> -----------------------------------------------------
>
> Key: CXF-7114
> URL: https://issues.apache.org/jira/browse/CXF-7114
> Project: CXF
> Issue Type: Bug
> Components: Transports
> Affects Versions: 3.0.4
> Reporter: Joe Luo
> Assignee: Sergey Beryozkin
> Priority: Minor
> Fix For: 3.2.0, 3.1.9, 3.0.12
>
> Attachments: patch.txt
>
>
> We had a security scan and found that standalone CXF endpoint using http-jetty transport still had HTTP TRACE method enabled. It is considered as a security risk.
> It's not a problem if the CXF http-jetty transport is used with Pax Web as Pax Web had already had it's embedded Jetty engine's HTTP TRACE method disabled by default.
> So we should disable HTTP TRACE method in JettyHTTPHandler. Please find attached patch.txt for more detail.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)