Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[DSIP-37] Disable HTTP TRACE requests in jetty via configuration #15943

Open
2 tasks done
Tracked by #14102
jfifth opened this issue Apr 30, 2024 · 1 comment
Open
2 tasks done
Tracked by #14102

[DSIP-37] Disable HTTP TRACE requests in jetty via configuration #15943

jfifth opened this issue Apr 30, 2024 · 1 comment
Labels
DSIP help wanted Extra attention is needed

Comments

@jfifth
Copy link

jfifth commented Apr 30, 2024

Search before asking

  • I had searched in the DSIP and found no similar DSIP.

Motivation

DS was scanned for TRACE vulnerability。An attacker exploiting a TRACE request, in combination with other browser-side vulnerabilities, could potentially conduct a cross-site scripting attack to obtain sensitive information, such as authentication information in a cookie, which would be used in other types of attacks.

Design Detail

jetty TRACE requests can be disabled via a configuration option

Compatibility, Deprecation, and Migration Plan

No response

Test Plan

No response

Code of Conduct
@jfifth jfifth added DSIP Waiting for reply Waiting for reply labels Apr 30, 2024
@ruanwenjun ruanwenjun changed the title [DSIP-]How to disallow or disable HTTP TRACE requests in jetty via configuration [DSIP-37]How to disallow or disable HTTP TRACE requests in jetty via configuration May 8, 2024
@ruanwenjun ruanwenjun added 3.2.2 and removed Waiting for reply Waiting for reply labels May 8, 2024
@ruanwenjun ruanwenjun mentioned this issue May 8, 2024
Open
77 tasks
@ruanwenjun
Copy link
Member

ruanwenjun commented May 8, 2024
edited
Loading

+1, directly disable trace LGTM, we don't need to add a config to control this, are you willing to submit PR?

@ruanwenjun ruanwenjun changed the title [DSIP-37]How to disallow or disable HTTP TRACE requests in jetty via configuration [DSIP-37] Disable HTTP TRACE requests in jetty via configuration May 15, 2024
@SbloodyS SbloodyS added help wanted Extra attention is needed and removed 3.2.2 labels Sep 23, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
DSIP help wanted Extra attention is needed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jfifth @SbloodyS @ruanwenjun