You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@httpd.apache.org by "William A. Rowe, Jr." <wr...@rowe-clan.net> on 2005/09/09 20:25:32 UTC

One more 2.0.55 patch, needing some votes

Folks,

   http://people.apache.org/~wrowe/httpd-2.0-trace.patch

needs some more votes.  This patch adds the directive

   TraceEnable [ on | off | extended ]

-and- fixes an RFC 2616 violation, which is that TRACE does not accept a
request body.  The behavior with the patch defaults to TraceEnable on,
which varies from today's behavior by rejecting any proxy TRACE request
that includes a body (today, that body would be passed to the origin
server in violation of RFC 2616.)

TraceEnable extended is for testing purposes only, and allows a TRACE
body so that the results can be observed including the request body
echoed to the client.  It's not for production purposes.

TraceEnable off is a valid option according to the RFC2616, and although
it's for all the wrong reasons, it's one of the most common questions to
both security@ and users@, and we should stop wasting our time aruging
the point to our users.  When they have trouble tracing their http proxy
routing problems and can't determine why, we can just smuggly ignore
them, instead :)

Bill