
Make disabling TRACE method usable in a .htaccess file #169

Merged: 3 commits, Aug 7, 2019

Conversation

Malvoz (Contributor) commented Nov 25, 2018

For consistency, similarly to ServerTokens Prod, which is only available from the main server config file, the TraceEnable directive shouldn't be enabled by default.

This PR adds an alternative method for disallowing TRACE from .htaccess instead, which is enabled by default.

XhmikosR (Member) commented

I can't comment on this, since I have no experience with this specific case.

Malvoz (Contributor, Author) commented Nov 30, 2018

This is merely a PR to remain consistent (hence the reference to the ServerTokens Prod implementation) in not assuming the developer has access to the main server config file. The TraceEnable directive is not available in the context of .htaccess.

LeoColomb (Member) commented

Thanks for your PR, @Malvoz!

> the reference to the ServerTokens Prod

Well, that's not exactly the same, since ServerTokens Prod and ServerSignature Off don't do the exact same thing.
Here, the two parts do the same thing, right?

> alternative method for disallowing TRACE from .htaccess

Did you actually test it?

Malvoz (Contributor, Author) commented Dec 19, 2018

A bit confusing to me is that TraceEnable is disabled (commented out) in the /dist version but not in /src whereas ServerTokens Prod is disabled in both places. So in the dist version both TraceEnable and ServerTokens Prod are disabled which makes sense (now that I realized it).

Malvoz (Contributor, Author) commented Dec 19, 2018

> Did you actually test it?

I thought these things were also tested before being implemented on your side. No, I did not test the TRACE method; however, I did test the same snippet with TRACE replaced by GET, and it successfully returned a 405 Method Not Allowed status for the GET request.
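The test Malvoz describes (swap the method, look at the status code) can be made repeatable without touching the rewrite rule. What follows is an added example and is not code from this PR or from the h5bp project: a Python probe that sends a raw `TRACE` request over a socket (so no client library can silently change or refuse the method) and decides whether TRACE is enabled by checking whether the server echoed the request back. The security point is that an enabled TRACE reflects request headers, cookies included, which is why the `Cookie` header below is used as a constructed canary. The two `BaseHTTPRequestHandler` classes are stand-ins for Apache so the script runs offline: one reflects like `TraceEnable On`, the other answers 405 the way Malvoz reports the .htaccess snippet doing. Everything else (host, port, the canary value) is an assumption of the example.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed request header. If the server reflects it back, TRACE is enabled
# and a cross-site-tracing style leak of cookies/auth headers is possible.
CANARY = "Cookie: session=secret-value"


def probe_trace(host, port, path="/", timeout=5.0):
    """Send a raw TRACE request over a socket and return (status_code, body).

    A raw request is used so the client library cannot rewrite or refuse the
    method; everything after the first blank line is the response body.
    """
    request = (
        f"TRACE {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"{CANARY}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    raw = b"".join(chunks).decode("latin-1")
    head, _, body = raw.partition("\r\n\r\n")
    status = int(head.split(" ", 2)[1])
    return status, body


def trace_enabled(status, body):
    """TRACE counts as enabled only when the server echoed our request back."""
    return status == 200 and CANARY in body


class ReflectingHandler(BaseHTTPRequestHandler):
    """Simulated server with TRACE enabled: echoes request line and headers."""

    def do_TRACE(self):
        echoed = (self.requestline + "\r\n" + str(self.headers)).encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(echoed)))
        self.end_headers()
        self.wfile.write(echoed)

    def log_message(self, *args):  # keep the demo quiet
        pass


class RejectingHandler(BaseHTTPRequestHandler):
    """Simulated server behaving like the .htaccess rule: TRACE gets 405."""

    def do_TRACE(self):
        self.send_error(405, "Method Not Allowed")

    def log_message(self, *args):
        pass


def probe_simulated(handler):
    """Start a throwaway local server using `handler`, probe it, tear it down.

    Returns (status_code, trace_enabled) for that server.
    """
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        status, body = probe_trace("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()
    return status, trace_enabled(status, body)


if __name__ == "__main__":
    for name, handler in (("reflecting", ReflectingHandler), ("rejecting", RejectingHandler)):
        status, enabled = probe_simulated(handler)
        print(f"{name:10s} -> HTTP {status}, TRACE enabled: {enabled}")
    # Against a real host: status, body = probe_trace("example.org", 80)
    # and then trace_enabled(status, body).
```

Against a real Apache host the only question the probe cannot answer is *why* TRACE is blocked. Keep in mind that `TraceEnable` is valid only in server config and virtual host context, and that `RewriteEngine`, `RewriteCond` and `RewriteRule` in a `.htaccess` file need mod_rewrite loaded and `AllowOverride FileInfo` granted by the server config, so a 405 from the rewrite approach depends on both of those being in place on the host you test.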

LeoColomb (Member) commented

@Malvoz Oops, sorry for the late reply, I didn't see your reply.

> A bit confusing to me is that TraceEnable is disabled

This is because the build configuration has:

`disable "src/security/trace_method.conf"`

> I thought these things were also tested before implemented on your side.

Yes, it is partly tested manually. But in this case I wonder if a request with the TRACE method will even make Apache read the .htaccess. It seems to, but that's what led to my question. 🙂

@LeoColomb LeoColomb added this to the v4.0.0 milestone May 6, 2019
LeoColomb (Member) commented

Thanks, @Malvoz.
I'm moving the "conf" part into #188, making your suggestion the preference for .htaccess files.

@LeoColomb LeoColomb merged commit 9ae931c into h5bp:master Aug 7, 2019
@LeoColomb LeoColomb changed the title Update trace_method.conf Make disabling TRACE method usable in a .htaccess file Aug 7, 2019
LeoColomb added two commits that referenced this pull request on Aug 7, 2019, and two more on Jan 3, 2020.