This is an automated email from the ASF dual-hosted git repository.

bcall pushed a commit to branch 9.2.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/9.2.x by this push:
     new c371b7b21a Deny the TRACE method by default (#9788)
c371b7b21a is described below

commit c371b7b21a7e774f852af86b85c87d5d877a14bd
Author: Bryan Call <[email protected]>
AuthorDate: Tue Jun 6 15:23:04 2023 -0700

    Deny the TRACE method by default (#9788)
    
    (cherry picked from commit 105af3ca30e59fbb89013e83a484a04559b4cf25)
---
 configs/ip_allow.yaml.default                      | 4 +++-
 doc/admin-guide/files/ip_allow.yaml.en.rst         | 9 ++++++---
 tests/gold_tests/autest-site/min_cfg/ip_allow.yaml | 4 +++-
 3 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/configs/ip_allow.yaml.default b/configs/ip_allow.yaml.default
index ff3627d23e..16db1d2845 100644
--- a/configs/ip_allow.yaml.default
+++ b/configs/ip_allow.yaml.default
@@ -24,7 +24,7 @@
 # Rules are applied in the order listed starting from the top.
 # That means you generally want to append your rules after the ones listed 
here.
 #
-# Allow anything on localhost, limit destructive methods elsewhere.
+# Allow anything on localhost, limit destructive and debug methods elsewhere.
 ip_allow:
   - apply: in
     ip_addrs: 127.0.0.1
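Review bot: the reworded comment says "debug methods" in the plural, but the only debug method added to the deny lists below is TRACE; consider naming it ("limit destructive methods and TRACE elsewhere") so the comment matches the rule set, or keep the plural only if further methods are planned.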
@@ -41,6 +41,7 @@ ip_allow:
       - PURGE
       - PUSH
       - DELETE
+      - TRACE
   - apply: in
     ip_addrs: ::/0
     action: deny
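Review bot: because rules are matched in order and the 127.0.0.1 allow-all rule above this one is hit first, TRACE stays permitted from the loopback while this rule denies it from every other IPv4 source; that is the intended outcome (local diagnostics still work), but it is worth stating in the header comment, since the current wording "limit ... elsewhere" leaves the localhost exception implicit.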
@@ -48,3 +49,4 @@ ip_allow:
       - PURGE
       - PUSH
       - DELETE
+      - TRACE
diff --git a/doc/admin-guide/files/ip_allow.yaml.en.rst 
b/doc/admin-guide/files/ip_allow.yaml.en.rst
index 1f1843e21a..db2e58dfa4 100644
--- a/doc/admin-guide/files/ip_allow.yaml.en.rst
+++ b/doc/admin-guide/files/ip_allow.yaml.en.rst
@@ -60,6 +60,7 @@ Format
          - PURGE
          - PUSH
          - DELETE
+         - TRACE
      - apply: in
        ip_addrs: ::/0
        action: deny
@@ -67,6 +68,7 @@ Format
          - PURGE
          - PUSH
          - DELETE
+         - TRACE
 
 Each rule is a mapping. The YAML data must have a top level key of "ip_allow" 
and its value must
 be a mapping or a sequence of mappings, each of those being one rule.
@@ -106,7 +108,8 @@ the specified methods are denied and all other methods are 
allowed.
 For example, from the default configuration, the rule for ``127.0.0.1`` is 
``allow`` with all
 methods. Therefore an inbound connection from the loopback address (127.0.0.1) 
is allowed to use any
 method. The general IPv4 rule, covering all IPv4 address, is a ``deny`` rule 
and therefore when it
-matches the methods "PURGE", "PUSH", and "DELETE", these methods are denied 
and any other method is allowed.
+matches the methods "PURGE", "PUSH", "DELETE", and "TRACE", these methods are 
denied and any other method
+is allowed.
 
 The rules are matched in order, by IP address, therefore the general IPv4 rule 
does not apply to the
 loopback address because the latter is matched first.
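Review bot: the prose now lists TRACE next to PURGE, PUSH and DELETE but gives no reason for grouping a read-only method with destructive ones; a single sentence noting that TRACE echoes the received request, headers included, back to the client, which is why it is denied from non-loopback sources by default, would help an administrator decide whether to re-enable it for a given network.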
@@ -224,8 +227,8 @@ As a final example, here is the default configuration in 
compact form::
    ip_allow: [
      { apply: in, ip_addrs: 127.0.0.1, action: allow },
      { apply: in, ip_addrs: "::1", action: allow },
-     { apply: in, ip_addrs: 0/0, action: deny, methods: [ PURGE, PUSH, DELETE 
] },
-     { apply: in, ip_addrs: "::/0", action: deny, methods: [ PURGE, PUSH, 
DELETE ] }
+     { apply: in, ip_addrs: 0/0, action: deny, methods: [ PURGE, PUSH, DELETE, 
TRACE ] },
+     { apply: in, ip_addrs: "::/0", action: deny, methods: [ PURGE, PUSH, 
DELETE, TRACE ] }
      ]
 
 .. note::
diff --git a/tests/gold_tests/autest-site/min_cfg/ip_allow.yaml 
b/tests/gold_tests/autest-site/min_cfg/ip_allow.yaml
index d13c27516a..841286477c 100644
--- a/tests/gold_tests/autest-site/min_cfg/ip_allow.yaml
+++ b/tests/gold_tests/autest-site/min_cfg/ip_allow.yaml
@@ -13,7 +13,7 @@
 #  or implied. See the License for the specific language governing permissions 
and limitations under
 #  the License.
 
-# Allow anything on localhost, limit destructive methods elsewhere.
+# Allow anything on localhost, limit destructive and debug methods elsewhere.
 ip_allow:
   - apply: in
     ip_addrs: 127.0.0.1
@@ -34,6 +34,7 @@ ip_allow:
       - PURGE
       - PUSH
       - DELETE
+      - TRACE
   - apply: in
     ip_addrs: ::/0
     action: deny
@@ -41,3 +42,4 @@ ip_allow:
       - PURGE
       - PUSH
       - DELETE
+      - TRACE
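Review bot: the only test-tree change is keeping the shared min_cfg ip_allow.yaml in step with the default file; none of the three files changed exercises the new rule. Consider adding a gold test that sends a TRACE request from a non-loopback client address and asserts the deny response, plus one from 127.0.0.1 asserting it is still allowed, so a later edit to the method list cannot silently drop TRACE.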
