On 2 Feb 2010, at 08:51, Bertrand Delacretaz wrote:

> Hi,
>
> On Tue, Feb 2, 2010 at 9:47 AM, Ian Boston <i...@tfd.co.uk> wrote:
>> ...The report was from a QA team running through a battery of known
>> "vulnerabilities"
>>
>> I am sure you're right. Should I revert the patch, which, IIUC, copies the
>> behaviour in Apache Httpd and allows configuration?...
>
> I haven't followed the details of this conversation but I'm fine with
> TRACE being disabled by default.
>
>> ...btw, SlingSafeMethodsServlet.doTrace looks like it might be vulnerable to
>> response splitting; it echoes headers
>> back to the response stream without making them safe....
>
> This would warrant a fix and an integration test...but if we agree to
> disable TRACE by default that wouldn't be urgent ;-)

https://issues.apache.org/jira/browse/SLING-1344

Question: URI encoding for the name and the value, or just the value? If just the value, remove \n & \r from the name just in case someone manages to get that through?

Ian

> -Bertrand
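One way to build a TRACE echo body that cannot split the response, following the second option raised above (strip CR/LF from header names, URI-encode header values). This is an added, self-contained example and not Sling's SlingSafeMethodsServlet code; the class, method names and the sample request are constructed for illustration and it deliberately avoids the servlet API so it runs on its own.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.LinkedHashMap;
import java.util.Map;

public class SafeTraceEcho {

    // Header names and request-line tokens never legitimately contain CR, LF
    // or other control characters, so strip them outright.
    static String stripControl(String s) {
        return s.replaceAll("[\\x00-\\x1F\\x7F]", "");
    }

    // Percent-encode a header value: a CRLF inside it becomes "%0D%0A" in the
    // echoed body instead of starting a new line.
    static String encodeValue(String s) {
        try {
            return URLEncoder.encode(s, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("UTF-8 is always available", e);
        }
    }

    // Build the message/http body a TRACE handler would write back:
    // the request line followed by one sanitized header per line.
    static String buildEchoBody(String method, String uri, String protocol,
                                Map<String, String> headers) {
        StringBuilder sb = new StringBuilder();
        sb.append(stripControl(method)).append(' ')
          .append(stripControl(uri)).append(' ')
          .append(stripControl(protocol)).append("\r\n");
        for (Map.Entry<String, String> h : headers.entrySet()) {
            sb.append(stripControl(h.getKey())).append(": ")
              .append(encodeValue(h.getValue())).append("\r\n");
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample request: one header value carries an embedded CRLF.
        Map<String, String> headers = new LinkedHashMap<String, String>();
        headers.put("Host", "example.invalid");
        headers.put("X-Test", "a\r\nSet-Cookie: injected=1");
        String body = buildEchoBody("TRACE", "/content/page.html", "HTTP/1.1", headers);
        // Request line plus one line per header: the embedded CRLF added no line.
        int lines = body.split("\r\n").length;
        System.out.print(body);
        System.out.println("lines=" + lines + " (expected 3)");
    }
}
```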