On 28 Jan 2010, at 15:58, Alexander Klimetschek wrote:

> On Thu, Jan 28, 2010 at 16:49, Ian Boston <i...@tfd.co.uk> wrote:
>> One of our QA people is reporting that Sling servlets support the TRACE
>> method, which can be used for XSS attacks.
>> I had thought that this was a Jetty misconfiguration issue, but I notice
>> that SlingSafeMethodsServlet explicitly supports doTrace.
>
> Interesting, I didn't know of either TRACE or that attack ;-). But a
> quick Google found this plain description:
> http://www.kb.cert.org/vuls/id/867593
>
> I think, just to be in line with Apache httpd, we should offer a
> simple config option for support of TRACE, being disabled by default.
>
> Regards,
> Alex

For the Sling main servlet I think this is relatively easy to achieve. Should anything be done for other servlets that might be registered directly with the OSGi Http Service? IIUC, that bypasses all the normal Jetty config, which is why TRACE gets through in the first instance.

Ian

> --
> Alexander Klimetschek
> alexander.klimetsc...@day.com
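One way to implement the "disabled by default" config option that Alex proposes, as an added example that is not part of the original thread and not Sling's own code: a servlet base class that answers TRACE with 405 unless an init parameter turns it on. The parameter name `trace.enabled` and the class name are assumptions for illustration, not real Sling or Jetty settings.

```java
// Added example, not Sling's code: a servlet base class that refuses HTTP TRACE
// unless a hypothetical "trace.enabled" init parameter is explicitly set to true.
import java.io.IOException;

import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public abstract class TraceDisabledServlet extends HttpServlet {

    /** Hypothetical init parameter name; not a real Sling or Jetty setting. */
    static final String TRACE_ENABLED_PARAM = "trace.enabled";

    private volatile boolean traceEnabled;

    @Override
    public void init(ServletConfig config) throws ServletException {
        super.init(config);
        // Disabled by default: the parameter must be present and exactly "true".
        traceEnabled = "true".equals(config.getInitParameter(TRACE_ENABLED_PARAM));
    }

    boolean isTraceEnabled() {
        return traceEnabled;
    }

    /**
     * The inherited HttpServlet.doTrace() echoes the request line and every
     * request header, including Cookie and Authorization, back in the response
     * body; that echo is what a cross-site tracing attack reads. Refuse with
     * 405 unless TRACE was explicitly enabled in configuration.
     */
    @Override
    protected void doTrace(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!traceEnabled) {
            // A 405 response should carry an Allow header listing what is permitted.
            resp.setHeader("Allow", "GET, HEAD, OPTIONS");
            resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED,
                    "TRACE is disabled on this server");
            return;
        }
        super.doTrace(req, resp);
    }
}
```

Two things to keep in mind when using a class like this: the check lives in the servlet rather than in Jetty's configuration, so a servlet registered directly with the OSGi Http Service gets the same behaviour by extending it; and the default `HttpServlet.doOptions()` discovers supported methods by reflection, so it will still list TRACE in `Allow` because `doTrace` is overridden. A subclass that exposes OPTIONS should override `doOptions` as well so the advertised methods match what the servlet actually accepts.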