Posted to dev@httpd.apache.org by "William A. Rowe, Jr." <wr...@rowe-clan.net> on 2005/06/23 08:20:06 UTC

Rev 1: [PATCH] 1.3 TraceEnable [on|off|extended]

The attached patch resolved the issue I noted below,

10.4.6 405 Method Not Allowed requires an Allow header (I would
presume, even if empty), while 10.5.2 501 Not Implemented states

   This is the appropriate response when the server does not
   recognize the request method and is not capable of supporting 
   it for any resource.

If 'ProxyEnable off' is set for a given host, the setting is
url-impotent, and does not vary.




At 12:52 PM 6/22/2005, William A. Rowe, Jr. wrote:

>FYI there is one small issue still.  The resulting Allow: <null>
>response to denied TRACE request.  TRACE doesn't go through the
>normal processing, so methods aren't added.  And since TRACE is
>denied, it's removed too.

At 08:56 AM 6/22/2005, William A. Rowe, Jr. wrote:
>I've spent a large number of cycles investigating the Watchfire report 
>(http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf) and
>come up with a genuine reason to adopt the attached patch.
>...
>So the attached patch introduces the per-host directive
>
>TraceEnable on|off|extended
>
>where extended permits a message body, up to 64kb at the target server,
>and of an unlimited size through a proxy server.  The default remains
>'on', of course, denying a TRACE body request even via proxy.
>
>Following the semantics of TRACE, the request body is returned to the
>host verbatim as part of the response, following the headers, exactly
>as sent.
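
An added example (not part of the original post or the attached patch): a small audit that reports the effective TraceEnable setting for each host in a configuration file, so hosts still answering TRACE can be reviewed. It assumes a virtual host without its own directive inherits the main server's value; the sample configuration and host names are constructed.

```python
DEFAULT = "on"   # the post states the default remains 'on'
VALID = {"on", "off", "extended"}

# Constructed sample configuration; host names are placeholders.
SAMPLE_CONF = """\
TraceEnable off
<VirtualHost *:80>
    ServerName www.example.test
</VirtualHost>
<VirtualHost *:80>
    ServerName proxy.example.test
    TraceEnable extended
</VirtualHost>
<VirtualHost *:80>
    ServerName legacy.example.test
    TraceEnable on
</VirtualHost>
"""

def effective_trace_settings(conf_text):
    """Map each host ('_main_' = main server) to its effective setting."""
    main, vhosts, current = None, [], None
    for raw in conf_text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        if key.startswith("<virtualhost"):
            current = [raw.strip(), None]      # renamed if ServerName follows
            vhosts.append(current)
        elif key.startswith("</virtualhost"):
            current = None
        elif key == "servername" and current is not None and len(parts) > 1:
            current[0] = parts[1]
        elif key == "traceenable":
            value = parts[1].lower() if len(parts) > 1 else ""
            if value not in VALID:
                raise ValueError(f"bad TraceEnable value: {raw.strip()!r}")
            if current is None:
                main = value
            else:
                current[1] = value
    # Assumption: a host without its own directive inherits the main server's.
    base = main or DEFAULT
    return {"_main_": base, **{name: s or base for name, s in vhosts}}

def hosts_allowing_trace(conf_text):
    """Hosts whose effective setting still answers TRACE ('on' or 'extended')."""
    settings = effective_trace_settings(conf_text)
    return sorted(h for h, s in settings.items() if s != "off")
```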