Posted to dev@tomcat.apache.org by GitBox <gi...@apache.org> on 2020/01/10 13:50:24 UTC

[GitHub] [tomcat] panchenko commented on issue #233: if TRACE is not allowed skip error page for such requests

URL: https://github.com/apache/tomcat/pull/233#issuecomment-573042875
 
 
   Surely I understand what you mean, but the Servlet specification says nothing about `Connector.getAllowTrace()`, which is checked in `CoyoteAdapter`. 
   
   ```java
           // Filter trace method
           if (!connector.getAllowTrace()
                   && req.method().equalsIgnoreCase("TRACE")) {
   ...
               response.sendError(405, "TRACE method is not allowed");
               // Safe to skip the remainder of this method.
               return true;
           }
   ```
   
   I would say this happens **before** entering into the area covered by the Servlet specification.
   If TRACE is not allowed, then the most obvious behaviour would be not leaking it into an error page.
   IMHO, if an application is interested in handling TRACE requests, it should configure the Connector accordingly.
   
   Some people consider the enabled TRACE method a security vulnerability. Currently in Tomcat it becomes unexpectedly exposed via an error page path.
   
   I agree that the check I added to skip the error page lookup does not directly reference this condition from CoyoteAdapter and that causes confusion. I guess it can be improved.
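As an added example (not code from the pull request or from Tomcat itself), a Python check that inspects the body of a TRACE response rather than only its status code, so that a 405 rendered through an application error page which echoes the request is still flagged; the `X-Trace-Probe` header name and the sample responses are constructed for this example.

```python
"""Classify how a server answered a TRACE request (added example, not Tomcat code)."""
import http.client
import secrets

MARKER_HEADER = "X-Trace-Probe"  # hypothetical header name chosen for this example


def split_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status_code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify(raw: bytes, marker: str) -> str:
    """'trace-enabled' (200 echoing the request), 'reflected-via-error-page'
    (error status, but the error page body still echoes request data, the case
    discussed in the comment above) or 'blocked' (nothing reflected)."""
    status, _, body = split_response(raw)
    reflected = marker.encode() in body
    if status == 200 and reflected:
        return "trace-enabled"
    if reflected:
        return "reflected-via-error-page"
    return "blocked"


def probe(host: str, port: int = 8080, path: str = "/") -> str:
    """Send one TRACE request carrying a random marker header and classify the reply."""
    marker = secrets.token_hex(8)
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("TRACE", path, headers={MARKER_HEADER: marker})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    if resp.status == 200 and marker.encode() in body:
        return "trace-enabled"
    return "reflected-via-error-page" if marker.encode() in body else "blocked"


# Constructed sample responses (not captured from a real server).
SAFE_405 = (b"HTTP/1.1 405 Method Not Allowed\r\nContent-Type: text/plain\r\n"
            b"Content-Length: 27\r\n\r\nTRACE method is not allowed")
LEAKY_405 = (b"HTTP/1.1 405 Method Not Allowed\r\nContent-Type: text/html\r\n\r\n"
             b"<html><body><h1>Error 405</h1><pre>TRACE / HTTP/1.1\r\n"
             b"Host: example.test\r\nX-Trace-Probe: deadbeefcafef00d</pre></body></html>")
```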
