#26146: django responds to obscure non-standard HTTP verb TRACK?
-------------------------------------+-------------------------------------
     Reporter:  finetype             |      Owner:  nobody
         Type:                       |     Status:  new
  Cleanup/optimization               |
    Component:  HTTP handling        |    Version:  1.8
     Severity:  Normal               |   Keywords:  trace, track, csrf,
                                     |  error, page
 Triage Stage:  Unreviewed           |  Has patch:  0
Easy pickings:  0                    |      UI/UX:  0
-------------------------------------+-------------------------------------
 Not sure if this is desired behavior or not, but we had a security audit
 on our website. They found that when a TRACK request was made, they hit a
 Django error page. TRACK seems to be an obscure variant of TRACE unique to
 some Microsoft systems. In our case, they were hitting a CSRF failure
 page. We don't want people to see anything about us using CSRF tokens, or
 about the fact that we're using Django (or anything else about our
 security measures or server environment), so we've just overridden our
 CSRF_FAILURE_VIEW to be a simple plain text 401 in our settings when DEBUG
 is False.

 I can't help but wonder, though... Why does Django respond to this verb in
 the first place? It's a non-standard verb. TRACE is all that is needed to
 comply with HTTP standards. It really is more of a minor nuisance that it
 introduces a (tiny) security issue, with dubious gain. Most developers
 have never heard of TRACK and wouldn't know to do something about it.

 Thoughts?

--
Ticket URL: <https://code.djangoproject.com/ticket/26146>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
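The reporter's mitigation is a quieter CSRF failure page; a stricter alternative is to refuse the verb before the framework ever routes it. The following is an added example, not code from the ticket or from Django: a stdlib-only WSGI middleware (the MethodAllowlist class, the inner_app stand-in and the call helper are all constructed here) that answers TRACK, TRACE and any other unlisted method with a bare 405 and the Allow header RFC 7231 requires, so the response carries no framework or CSRF details. In a Django project it would wrap the object returned by get_wsgi_application() in wsgi.py.

```python
"""Added example: reject unwanted HTTP methods at the WSGI layer, ahead of
any framework middleware (CSRF included), with a disclosure-free reply."""

# Methods the application is willing to route. TRACE is deliberately left
# out; TRACK (the non-standard variant from the ticket) is not a registered
# method at all and falls through to the same 405 path.
ALLOWED_METHODS = frozenset(
    {"GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"}
)


class MethodAllowlist:
    """Wrap a WSGI application and answer disallowed methods with 405."""

    def __init__(self, app, allowed=ALLOWED_METHODS):
        self.app = app
        self.allowed = frozenset(allowed)

    def __call__(self, environ, start_response):
        # HTTP method tokens are case-sensitive (RFC 7231 4.1), so an exact
        # match is intended: "get" is not a valid method either.
        method = environ.get("REQUEST_METHOD", "")
        if method not in self.allowed:
            body = b"Method Not Allowed\n"  # generic text, no stack details
            headers = [
                ("Content-Type", "text/plain; charset=utf-8"),
                ("Content-Length", str(len(body))),
                ("Allow", ", ".join(sorted(self.allowed))),  # required on 405
            ]
            start_response("405 Method Not Allowed", headers)
            return [body]
        return self.app(environ, start_response)


def inner_app(environ, start_response):
    """Constructed stand-in for the Django WSGI application."""
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8")])
    return [b"hello\n"]


def call(app, method, path="/"):
    """Constructed helper: run one request offline, return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    environ = {"REQUEST_METHOD": method, "PATH_INFO": path,
               "SERVER_PROTOCOL": "HTTP/1.1"}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


guarded = MethodAllowlist(inner_app)
```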
