You'll have to trap TRACE in 4D's On Web Connection method; it isn't supported 
by Active4D.

> On Aug 8, 2017, at 2:41 PM, Michael Larue <m_la...@gmx.net> wrote:
> 
> Tuesday, August 8, 2017 at 10:05:24 PM
> 
> Hi John,
> 
> Thank you very much for your reply!
> 
> Just the answer I was looking for!
> 
> Until... I just realized that the R releases are NOT available in the dot 
> releases, but are "rolled up" into the next version (16).
> 
> And, looking at the docs for 15.4 for this command, in fact it is not 
> supported:
> 
> http://livedoc.4d.com/4D-Language-Reference-15.4/Web-Server/WEB-SET-OPTION.301-3275012.en.html
> 
> Bummer! 
> 
> Anyway, I'm looking for a way to do this without upgrading (if possible); 
> looks like I'm going to have to somehow intercept this in 4D, as I'm guessing 
> it will be executed by the 4D Web Server prior to getting to Active4D.
> 
> It may be, however, that 4D executes this before any code is executed 
> anywhere, in which case upgrading is the only option. Just checking, however, 
> to see if anybody has run into this and knows a simple way to disable it.
> 
> (I'm looking through On Web Connection, but it's not clear that the TRACE 
> command triggers anything there; does anybody know?)
> 
> I did check the following on the 4D v15.4 web server:
> 
>> curl -v -X OPTIONS http://www.4Dwebsite.com
>> * About to connect() to www.4Dwebsite.com port 80 (#0)
>> *   Trying XXX.XXX.XXX.XXX...
>> * connected
>> * Connected to www.4Dwebsite.com (XXX.XXX.XXX.XXX) port 80 (#0)
>>> OPTIONS / HTTP/1.1
>>> User-Agent: curl/7.28.0
>>> Host: www.p5events.com
>>> Accept: */*
>>> 
>> < HTTP/1.1 200 OK
>> < Accept-Ranges: bytes
>> < Allow: GET, POST, OPTIONS, HEAD
>> < Connection: keep-alive
>> < Content-Length: 0
>> < Content-Type: text/html; charset=utf-8
>> < Date: Tue, 08 Aug 2017 19:48:07 GMT
>> < Expires: Tue, 08 Aug 2017 19:48:07 GMT
>> < Server: 4D/15.0.4
>> < 
>> * Connection #0 to host www.4Dwebsite.com left intact
>> * Closing connection #0
> 
> and from the above (the ALLOW line), supposedly TRACE isn't allowed. However, 
> when running the following:
> 
>> curl -v -X TRACE http://www.4Dwebsite.com
>> * About to connect() to www.4Dwebsite.com port 80 (#0)
>> *   Trying XXX.XXX.XXX.XXX...
>> * connected
>> * Connected to www.4Dwebsite.com (XXX.XXX.XXX.XXX) port 80 (#0)
>>> TRACE / HTTP/1.1
>>> User-Agent: curl/7.28.0
>>> Host: www.p5events.com
>>> Accept: */*
>>> 
>> < HTTP/1.1 200 OK
>> < Accept-Ranges: bytes
>> < Connection: keep-alive
>> < Content-Length: 82
>> < Content-Type: message/http
>> < Date: Tue, 08 Aug 2017 19:47:28 GMT
>> < Expires: Tue, 08 Aug 2017 19:47:28 GMT
>> < Pragma: no-cache
>> < Server: 4D/15.0.4
>> < 
>> TRACE / HTTP/1.1
>> Accept: */*
>> Host: www.4Dwebsite.com
>> User-Agent: curl/7.28.0
>> 
>> * Connection #0 to host www.4Dwebsite.com left intact
>> * Closing connection #0
> 
> sadly, it's not giving a 403 Forbidden error, but happily responding with a 
> 200 code... :-(
> 
> (not sure if this is the way it's supposed to work, but you'd think OPTIONS 
> would reflect the options available...)
> 
> Anyway, again, if anybody has any advice on how to solve this issue (disable 
> the HTTP TRACE command in 4D v15.4), would be greatly appreciated! 
> 
> Cheers!
> 
> --Mike--
> 
> ---------------------
> 
> On Aug 8, 2017, at 9:31 PM, Bellos, John <john-bel...@idexx.com> wrote:
> 
>> Hi Michael,
>> 
>> This is likely controlled through 4D in your application, not Active4D. Take 
>> a look at this KB Document. If you're on v15.4 it can be disabled:
>> http://kb.4d.com/assetid=77374
>> 
>> 
>> -
>> John Bellos
>> 
>> ________________________________________
>> From: Active4D-dev [active4d-dev-boun...@aparajitaworld.com] on behalf of 
>> Michael Larue [m_la...@gmx.net]
>> Sent: Tuesday, August 08, 2017 3:28 PM
>> To: Active4D Developer Discussion List
>> Subject: [Active4d-dev] Disable HTTP Trace
>> 
>> Tuesday, August 8, 2017 at 9:25:46 PM
>> 
>> Hi!
>> 
>> Is there a way to capture and disable (or send a 403 Forbidden) command in 
>> response to an HTTP TRACE request in Active4D?
>> 
>> Or is this something handled by the 4D Web Server (before it gets to 
>> Active4D)?
>> 
>> And if it's handled by 4D, is there a way to do it there? I think 4D v16 has 
>> this disabled now, but am using 4D v15.4 at this time.
>> 
>> Trying to come up with a quick solution for a security scan issue...
>> 
>> Many thanks!
>> 
>> Michael Larue
>> Dimension IV Consulting
>> 
>> _______________________________________________
>> Active4D-dev mailing list
>> Active4D-dev@aparajitaworld.com
>> https://urldefense.proofpoint.com/v2/url?u=http-3A__list.aparajitaworld.com_listinfo_active4d-2Ddev&d=DwIGaQ&c=2do6VJGs3LvEOe4OFFM1bA&r=wwtjVRq8UQmO8P5M3-rwSBmptOUUgRJNGBQlLDclI30&m=sY9dODeRQseqMPkMYKDP5w3k3WMKopkmKQjNuE0nMoE&s=ywVjDtRpeJPiKmF4vX2VA-jPaUH9TSKDkjyFey9o2nA&e=
>> Archives: 
>> https://urldefense.proofpoint.com/v2/url?u=http-3A__active4d-2Dnabble.aparajitaworld.com_&d=DwIGaQ&c=2do6VJGs3LvEOe4OFFM1bA&r=wwtjVRq8UQmO8P5M3-rwSBmptOUUgRJNGBQlLDclI30&m=sY9dODeRQseqMPkMYKDP5w3k3WMKopkmKQjNuE0nMoE&s=qTs5tUTenPFukRUO3Mx1rHb-jVRDwCPbzsw8MwtsCl8&e=
> 

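Added example (not part of the original messages, and not 4D or Active4D code): a small shell check over `curl -v` transcripts like the two quoted above, reporting whether the server actually echoes TRACE and whether that agrees with the Allow header returned for OPTIONS. The sample transcripts, the host-free request lines and all function names are constructed for illustration.

```shell
# Constructed sample transcripts in the shape of `curl -v` output
# (response header lines start with "< "); values are made up.
OPTIONS_SAMPLE='> OPTIONS / HTTP/1.1
< HTTP/1.1 200 OK
< Allow: GET, POST, OPTIONS, HEAD
< Server: 4D/15.0.4'
TRACE_SAMPLE='> TRACE / HTTP/1.1
< HTTP/1.1 200 OK
< Content-Type: message/http
< Server: 4D/15.0.4
TRACE / HTTP/1.1'
TRACE_BLOCKED_SAMPLE='> TRACE / HTTP/1.1
< HTTP/1.1 403 Forbidden
< Content-Length: 0'

# Status code of the response in a transcript.
resp_status() {
  printf '%s\n' "$1" | tr -d '\r' | awk '/^< HTTP\// { print $3; exit }'
}

# Value of a response header; the name is matched case-insensitively.
resp_header() {
  printf '%s\n' "$1" | tr -d '\r' | awk -v want="$2" '
    /^< / { line = substr($0, 3); i = index(line, ":")
            if (i && tolower(substr(line, 1, i - 1)) == tolower(want)) {
              v = substr(line, i + 1); sub(/^[ \t]+/, "", v); print v; exit } }'
}

# True when TRACE was answered by echoing the request back:
# a 2xx status together with Content-Type message/http.
trace_echoed() {
  case "$(resp_status "$1")" in 2??) ;; *) return 1 ;; esac
  case "$(resp_header "$1" Content-Type | tr 'A-Z' 'a-z')" in
    message/http*) return 0 ;; esac
  return 1
}

# True when the Allow header of an OPTIONS response lists the method.
allow_lists() {
  resp_header "$1" Allow | tr ',' '\n' | tr -d ' \t' | grep -qix "$2"
}

# Verdict from an OPTIONS transcript ($1) and a TRACE transcript ($2).
audit_trace() {
  if ! trace_echoed "$2"; then echo "TRACE rejected (status $(resp_status "$2"))"
  elif allow_lists "$1" TRACE; then echo "TRACE enabled and advertised"
  else echo "TRACE enabled but not advertised in Allow"
  fi
}

audit_trace "$OPTIONS_SAMPLE" "$TRACE_SAMPLE"
audit_trace "$OPTIONS_SAMPLE" "$TRACE_BLOCKED_SAMPLE"
```

When capturing real transcripts, redirect stderr as well (`2>&1`), because curl writes the `>` and `<` lines of `-v` output to stderr.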