https://bz.apache.org/bugzilla/show_bug.cgi?id=65357

            Bug ID: 65357
           Summary: TraceEnable Off Returns Empty Allow to TRACE request
           Product: Apache httpd-2
           Version: 2.5-HEAD
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Core
          Assignee: bugs@httpd.apache.org
          Reporter: seth.kooi...@hpe.com
  Target Milestone: ---

Context:
Currently, when setting TraceEnable Off, the server returns a 405 with various
headers. One such header is the Allow header. This is required by RFC 2616
and correctly implemented under that standard, but not under newer standards.

Issue:
RFC 7231 obsoletes RFC 2616 and clarifies that the Allow header must contain all
valid/allowed methods:

    https://datatracker.ietf.org/doc/html/rfc7231#section-6.5.5
    6.5.5.  405 Method Not Allowed

      The 405 (Method Not Allowed) status code indicates that the method
      received in the request-line is known by the origin server but not
      supported by the target resource.  The origin server MUST generate an
      Allow header field in a 405 response containing a list of the target
      resource's currently supported methods.

This is not the case currently. When using the TraceEnable Off option, the
server returns a 405, but the response does not match the RFC requirements.

Possible Solution:
Respond with {Allow: "Everything except TRACE" or "TRACE disabled"},
increasing discoverability where the user would run another request (i.e. GET to
the same URI) and see a correct list for that URI,
or
When TraceEnable Off, respond to TRACE with 501, with the same rationale as the
previous.
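As an added example (not code from the bug report or from httpd), the check below parses a raw TRACE response and applies the RFC 7231 section 6.5.5 rule the report cites: a 405 must carry a populated Allow header, while a 501 needs none. The sample responses are constructed to mirror the behaviour described above, not captured from a real server.

```python
from dataclasses import dataclass


@dataclass
class TraceCheck:
    status: int
    allow: list[str]       # methods parsed from the Allow header, if any
    conformant: bool       # does the response satisfy RFC 7231 6.5.5?
    note: str


def parse_response(raw: bytes) -> tuple[int, dict[str, str]]:
    """Split a raw HTTP/1.1 response head into (status code, header map).
    Header names are lower-cased; repeated fields are comma-joined, which
    RFC 7230 3.2.2 permits for list-valued fields such as Allow."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return status, headers


def check_trace_response(raw: bytes) -> TraceCheck:
    """Classify a TRACE response the way a conformance audit would."""
    status, headers = parse_response(raw)
    allow = [m.strip() for m in headers.get("allow", "").split(",") if m.strip()]
    if status == 405:
        if not allow:   # the case this bug report describes: empty Allow
            return TraceCheck(status, allow, False,
                              "405 without populated Allow (RFC 7231 6.5.5 MUST)")
        if "TRACE" in allow:
            return TraceCheck(status, allow, False, "405 but Allow lists TRACE")
        return TraceCheck(status, allow, True, "405 with Allow listing supported methods")
    if status == 501:   # the reporter's alternative: Allow is not required here
        return TraceCheck(status, allow, True, "501 Not Implemented")
    if status == 200:
        return TraceCheck(status, allow, False, "TRACE answered with 200: method enabled")
    return TraceCheck(status, allow, False, f"unexpected status {status}")


# Constructed sample responses (not real server captures).
SAMPLE_EMPTY_ALLOW = b"HTTP/1.1 405 Method Not Allowed\r\nAllow: \r\nContent-Length: 0\r\n\r\n"
SAMPLE_CONFORMANT = (b"HTTP/1.1 405 Method Not Allowed\r\n"
                     b"Allow: GET, HEAD, POST, OPTIONS\r\nContent-Length: 0\r\n\r\n")
SAMPLE_501 = b"HTTP/1.1 501 Not Implemented\r\nContent-Length: 0\r\n\r\n"
```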
