Hi,

On 02.02.2010 09:47, Ian Boston wrote:
>
> On 2 Feb 2010, at 02:59, Roy T. Fielding wrote:
>
>> On Jan 28, 2010, at 7:49 AM, Ian Boston wrote:
>>
>>> One of our QA people is reporting that Sling servlets support the TRACE
>>> method, which can be used for XSS attacks.
>>
>> No, it can't, or at least it doesn't make any difference whether
>> TRACE is supported or not because the security leak is allowing
>> javascript to send cookies and credentials with TRACE. The original
>> report that TRACE was at fault is ridiculous, and just keeps getting
>> repeated because "security" reports never die.
>>
>> The only reason to disable TRACE is to satisfy MIS managers who don't
>> actually understand security but want to disable it anyway.
>
> The report was from a QA team running through a battery of known
> "vulnerabilities"
>
> I am sure you're right. Should I revert the patch, which, IIUC, copies the
> behaviour in Apache Httpd and allows configuration?
> I would keep it (as Roy said "to satisfy MIS managers who don't ...")
>
> btw, SlingSafeMethodsServlet.doTrace looks like it might be vulnerable to
> Response splitting, it echoes headers back to the response stream without
> making them safe.

Agreed with Bertrand, let's create an issue and fix this in the
SlingSafeMethodsServlet.doTrace method (probably just omitting any known
security relevant headers like Set-Cookie and Authorization).

Regards
Felix
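For illustration of the fix discussed above, here is an added example of a TRACE handler that echoes request headers but drops credential-bearing ones and neutralises CR/LF in what it echoes. It is not Sling's code or the actual SlingSafeMethodsServlet.doTrace; the class name SafeTraceServlet and the SENSITIVE header set are assumptions for this example.

```java
// Added example, not Sling's own code: a TRACE handler that echoes the
// request line and headers back (as a TRACE response does), but omits
// credential-bearing headers and strips CR/LF so an echoed value cannot
// terminate a line early or inject a further response.
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Enumeration;
import java.util.Locale;
import java.util.Set;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SafeTraceServlet extends HttpServlet {

    // Headers that carry credentials and are never echoed (set chosen here,
    // not taken from Sling; extend to suit the deployment).
    private static final Set<String> SENSITIVE = Set.of(
        "cookie", "set-cookie", "authorization", "proxy-authorization");

    @Override
    protected void doTrace(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        resp.setContentType("message/http");
        PrintWriter out = resp.getWriter();
        out.print(clean(req.getMethod()) + " " + clean(req.getRequestURI())
                + " " + clean(req.getProtocol()) + "\r\n");
        Enumeration<String> names = req.getHeaderNames();
        while (names != null && names.hasMoreElements()) {
            String name = names.nextElement();
            if (SENSITIVE.contains(name.toLowerCase(Locale.ROOT))) {
                continue; // credential headers are dropped from the echo
            }
            Enumeration<String> values = req.getHeaders(name);
            while (values.hasMoreElements()) {
                out.print(clean(name) + ": " + clean(values.nextElement())
                        + "\r\n");
            }
        }
        out.print("\r\n");
    }

    // Remove CR and LF so an echoed header cannot split lines or messages.
    static String clean(String s) {
        return s == null ? "" : s.replaceAll("[\\r\\n]", "");
    }
}
```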