[
https://issues.apache.org/jira/browse/TS-1981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13715496#comment-13715496
]
Thach Tran commented on TS-1981:
--------------------------------
Thank you for the review and I am terribly sorry for the carelessness. What I
meant in that condition is
{noformat}
if (!(i >= 0 && i < ACL_FILTER_MAX_METHODS) || method_idx[i] != method)
{noformat}
> Url remap method filtering is broken with invalid method
> --------------------------------------------------------
>
> Key: TS-1981
> URL: https://issues.apache.org/jira/browse/TS-1981
> Project: Traffic Server
> Issue Type: Bug
> Components: Configuration, Security
> Reporter: Thach Tran
> Assignee: Alan M. Carroll
> Fix For: 3.5.0
>
> Attachments:
> 0001-TS-1981-Fix-method-filtering-to-deny-invalid-methods.patch
>
>
> ACL filtering based on the HTTP method is ignored if the method received from
> the client is invalid.
> To reproduce, with the default 8080 {{server_ports}}, configure the
> {{remap.conf}} as follows.
> {noformat}
> map http://localhost:8080/ http://www.google.com/ @method=GET
> {noformat}
> Then run the following curl command.
> {noformat}
> $ curl -v -X AAAAAA http://localhost:8080/
> {noformat}
> Notice that a 200 OK response is received by the client with some (empty)
> HTML from google.com.
> If the following curl command is issued instead
> {noformat}
> $ curl -v -X PUT http://localhost:8080/
> {noformat}
> one will see that TS sends back a 403 Access Denied as expected.
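The behaviour reported above (an unrecognised method passes a filter that denies PUT) is what a fail-open method check produces. The following is an added example, not Traffic Server code and not the attached patch: it contrasts a fail-open check with a fail-closed one that tests the index range first, as the condition in the comment does. The method table, `method_index`, `MethodFilter`, the `permits_*` functions and the value of `ACL_FILTER_MAX_METHODS` are assumptions made for illustration.

```cpp
#include <array>
#include <cstdio>
#include <string>

// Hypothetical model of a remap method filter; not Traffic Server source.
constexpr int ACL_FILTER_MAX_METHODS = 4; // assumed value for this sketch
static const char *const KNOWN_METHODS[ACL_FILTER_MAX_METHODS] = {"GET", "POST", "PUT", "DELETE"};

// Index of a recognised method, or -1 for anything else (e.g. "AAAAAA").
int method_index(const std::string &method) {
  for (int i = 0; i < ACL_FILTER_MAX_METHODS; ++i)
    if (method == KNOWN_METHODS[i]) return i;
  return -1;
}

struct MethodFilter {
  std::array<bool, ACL_FILTER_MAX_METHODS> allowed{}; // all false: nothing allowed yet
  void allow(const std::string &method) {
    int i = method_index(method);
    if (i >= 0) allowed[i] = true;
  }
};

// Fail-open: the rule is only consulted for recognised methods, so an
// unrecognised one falls through to "permit".
bool permits_fail_open(const MethodFilter &f, const std::string &method) {
  int i = method_index(method);
  if (i >= 0 && i < ACL_FILTER_MAX_METHODS && !f.allowed[i]) return false;
  return true;
}

// Fail-closed: an out-of-range index is itself a reason to deny, and the
// short-circuit keeps allowed[i] from being read with a bad index.
bool permits_fail_closed(const MethodFilter &f, const std::string &method) {
  int i = method_index(method);
  if (!(i >= 0 && i < ACL_FILTER_MAX_METHODS) || !f.allowed[i]) return false;
  return true;
}

int main() {
  MethodFilter f;
  f.allow("GET"); // models @method=GET from the remap.conf line in the report
  for (const char *m : {"GET", "PUT", "AAAAAA"})
    std::printf("%-6s fail_open=%d fail_closed=%d\n", m, permits_fail_open(f, m), permits_fail_closed(f, m));
  return 0;
}
```

A regression test for a filter like this should include at least one method token outside the known set, since tests that only use valid methods cannot distinguish the two checks.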