Hi,

On Tue, Feb 2, 2010 at 9:47 AM, Ian Boston <i...@tfd.co.uk> wrote:
> ...The report was from a QA team running through a battery of known
> "vulnerabilities"
>
> I am sure you're right. Should I revert the patch, which, IIUC, copies the
> behaviour in Apache Httpd and allows configuration?...
I haven't followed the details of this conversation but I'm fine with TRACE
being disabled by default.

> ...btw, SlingSafeMethodsServlet.doTrace looks like it might be vulnerable to
> response splitting; it echoes headers
> back to the response stream without making them safe....

This would warrant a fix and an integration test...but if we agree to disable
TRACE by default that wouldn't be urgent ;-)

-Bertrand
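The hazard Ian describes, reduced to its essentials, as an added illustration that is not part of the thread and not Sling's own servlet code (it is written in Python rather than Sling's Java so the behaviour can be exercised stand-alone): a TRACE handler that copies request headers verbatim into its message/http reply, beside a hardened one that refuses any header value carrying CR, LF or NUL. The request line, header names and values below are constructed for the example; `handle_trace`, `echo_trace_unsafe` and the other function names are this example's, not Sling API. Note that many servlet containers already reject bare CR/LF inside a header value when they parse the request, so check what your container actually lets through before deciding how much of this belongs in the servlet.

```python
"""TRACE echo: reflecting request headers verbatim versus neutralising them.

Added example (not Sling code).  Shows why copying header values unchanged
into the TRACE reply lets an attacker-chosen value inject a line or message
boundary, and two ways a fix can handle it: strip the offending bytes, or
reject the request with a 400.
"""
from typing import Dict, Tuple

CRLF = "\r\n"

# Constructed sample request.  The X-Evil value smuggles CRLF CRLF, the
# HTTP header/body separator, followed by markup.
SAMPLE_REQUEST_LINE = "TRACE /content/index.html HTTP/1.1"
SAMPLE_HEADERS: Dict[str, str] = {
    "Host": "sling.example",
    "X-Evil": "harmless" + CRLF + CRLF + "<script>alert(1)</script>",
}


def echo_trace_unsafe(request_line: str, headers: Dict[str, str]) -> str:
    """The classic doTrace pattern: request line, then each header as
    'Name: value', copied into the message/http body exactly as received."""
    lines = [request_line] + [f"{name}: {value}" for name, value in headers.items()]
    return CRLF.join(lines) + CRLF


def count_injected_boundaries(body: str) -> int:
    """Number of CRLF CRLF sequences inside the echoed text.  A clean echo
    has none; each one present is a spot where a downstream parser may
    believe the header block has ended."""
    return body.count(CRLF + CRLF)


def header_value_is_clean(value: str) -> bool:
    """True unless the value carries CR, LF or NUL, the bytes that let a
    reflected value be read as a new line, header or message boundary."""
    return not any(ch in value for ch in "\r\n\0")


def sanitize_header_value(value: str) -> str:
    """Strip CR/LF/NUL so a reflected value stays on its own line.
    Stripping keeps the rest of the value (including any markup), which
    is why rejecting, below, is the preferable policy."""
    return "".join(ch for ch in value if ch not in "\r\n\0")


def echo_trace_sanitized(request_line: str, headers: Dict[str, str]) -> str:
    """Permissive fix: echo, but with every value passed through the filter."""
    cleaned = {name: sanitize_header_value(value) for name, value in headers.items()}
    return echo_trace_unsafe(request_line, cleaned)


def handle_trace(request_line: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Strict fix: refuse the whole request when any value is unclean,
    otherwise echo.  Returns (status code, body)."""
    if not all(header_value_is_clean(value) for value in headers.values()):
        return 400, ""
    return 200, echo_trace_unsafe(request_line, headers)


if __name__ == "__main__":
    unsafe = echo_trace_unsafe(SAMPLE_REQUEST_LINE, SAMPLE_HEADERS)
    print("unsafe echo injects", count_injected_boundaries(unsafe), "boundary")
    print("strict handler returns", handle_trace(SAMPLE_REQUEST_LINE, SAMPLE_HEADERS)[0])
```

Run as a script it reports one injected boundary for the verbatim echo and a 400 from the strict handler; the sanitising variant produces zero boundaries but still reflects the `<script>` text, so an integration test for a fix should cover both the boundary and the reflected payload.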