Re: [Active4d-dev] Disable HTTP Trace

2017-08-08 Thread Aparajita Fishman
You'll have to trap TRACE in 4D's On Web Connection method, it isn't supported 
by Active4D.

> On Aug 8, 2017, at 2:41 PM, Michael Larue <m_la...@gmx.net> wrote:
> 
> Tuesday, August 8, 2017 at 10:05:24 PM
> 
> Hi John,
> 
> Thank you very much for your reply!
> 
> Just the answer I was looking for!
> 
> Until... I just realized that the R releases are NOT available in the dot 
> releases, but are "rolled up" into the next version (16).
> 
> And, looking at the docs for 15.4 for this command, in fact it is not 
> supported:
> 
> http://livedoc.4d.com/4D-Language-Reference-15.4/Web-Server/WEB-SET-OPTION.301-3275012.en.html
> 
> Bummer! 
> 
> Anyway, I'm looking for a way to do this without upgrading (if possible); 
> looks like I'm going to have to somehow intercept this in 4D, as I'm guessing 
> it will be executed by the 4D Web Server prior to getting to Active4D.
> 
> It may be, however, that 4D executes this before any code is executed 
> anywhere, in which case upgrading is the only option. Just checking, however, 
> to see if anybody has run into this and knows a simple way to disable it.
> 
> (I'm looking through On Web Connection, but it's not clear that the TRACE 
> command triggers anything there; does anybody know?)
> 
> I did check the following on the 4D v15.4 web server:
> 
>> curl -v -X OPTIONS http://www.4Dwebsite.com
>> * About to connect() to www.4Dwebsite.com port 80 (#0)
>> *   Trying XXX.XXX.XXX.XXX...
>> * connected
>> * Connected to www.4Dwebsite.com (XXX.XXX.XXX.XXX) port 80 (#0)
>>> OPTIONS / HTTP/1.1
>>> User-Agent: curl/7.28.0
>>> Host: www.p5events.com
>>> Accept: */*
>>> 
>> < HTTP/1.1 200 OK
>> < Accept-Ranges: bytes
>> < Allow: GET, POST, OPTIONS, HEAD
>> < Connection: keep-alive
>> < Content-Length: 0
>> < Content-Type: text/html; charset=utf-8
>> < Date: Tue, 08 Aug 2017 19:48:07 GMT
>> < Expires: Tue, 08 Aug 2017 19:48:07 GMT
>> < Server: 4D/15.0.4
>> < 
>> * Connection #0 to host www.4Dwebsite.com left intact
>> * Closing connection #0
> 
> and from the above (the ALLOW line), supposedly TRACE isn't allowed. However, 
> when running the following:
> 
>> curl -v -X TRACE http://www.4Dwebsite.com
>> * About to connect() to www.4Dwebsite.com port 80 (#0)
>> *   Trying XXX.XXX.XXX.XXX...
>> * connected
>> * Connected to www.4Dwebsite.com (XXX.XXX.XXX.XXX) port 80 (#0)
>>> TRACE / HTTP/1.1
>>> User-Agent: curl/7.28.0
>>> Host: www.p5events.com
>>> Accept: */*
>>> 
>> < HTTP/1.1 200 OK
>> < Accept-Ranges: bytes
>> < Connection: keep-alive
>> < Content-Length: 82
>> < Content-Type: message/http
>> < Date: Tue, 08 Aug 2017 19:47:28 GMT
>> < Expires: Tue, 08 Aug 2017 19:47:28 GMT
>> < Pragma: no-cache
>> < Server: 4D/15.0.4
>> < 
>> TRACE / HTTP/1.1
>> Accept: */*
>> Host: www.4Dwebsite.com
>> User-Agent: curl/7.28.0
>> 
>> * Connection #0 to host www.4Dwebsite.com left intact
>> * Closing connection #0
> 
> sadly, it's not giving a 403 Forbidden error, but happily responding with a 
> 200 code... :-(
> 
> (not sure if this is the way it's supposed to work, but you'd think OPTIONS 
> would reflect the options available...)
> 
> Anyway, again, if anybody has any advice on how to solve this issue (disable 
> the HTTP TRACE command in 4D v15.4), would be greatly appreciated! 
> 
> Cheers!
> 
> --Mike--
> 
> -
> 
> On Aug 8, 2017, at 9:31 PM, Bellos, John <john-bel...@idexx.com> wrote:
> 
>> Hi Michael,
>> 
>> This is likely controlled through 4D in your application, not Active4D. Take 
>> a look at this KB Document. If you're on v15.4 it can be disabled:
>> http://kb.4d.com/assetid=77374
>> 
>> 
>> -
>> John Bellos
>> 
>> 
>> From: Active4D-dev [active4d-dev-boun...@aparajitaworld.com] on behalf of 
>> Michael Larue [m_la...@gmx.net]
>> Sent: Tuesday, August 08, 2017 3:28 PM
>> To: Active4D Developer Discussion List
>> Subject: [Active4d-dev] Disable HTTP Trace
>> 
>> Tuesday, August 8, 2017 at 9:25:46 PM
>> 
>> Hi!
>> 
>> Is there a way to capture and disable (or send a 403 Forbidden) command in 
>> response to a HTTP TRACE request in Active4D?
>> 
>> Or is this something handled by the 4D Web Server (before it gets to 
>> Active4D)?
>> 
>> And if it's handled by 4D, is there a w

Re: [Active4d-dev] Disable HTTP Trace

2017-08-08 Thread Michael Larue
Tuesday, August 8, 2017 at 10:05:24 PM

Hi John,

Thank you very much for your reply!

Just the answer I was looking for!

Until... I just realized that the R releases are NOT available in the dot 
releases, but are "rolled up" into the next version (16).

And, looking at the docs for 15.4 for this command, in fact it is not supported:

http://livedoc.4d.com/4D-Language-Reference-15.4/Web-Server/WEB-SET-OPTION.301-3275012.en.html

Bummer! 

Anyway, I'm looking for a way to do this without upgrading (if possible); looks 
like I'm going to have to somehow intercept this in 4D, as I'm guessing it will 
be executed by the 4D Web Server prior to getting to Active4D.

It may be, however, that 4D executes this before any code is executed anywhere, 
in which case upgrading is the only option. Just checking, however, to see if 
anybody has run into this and knows a simple way to disable it.

(I'm looking through On Web Connection, but it's not clear that the TRACE 
command triggers anything there; does anybody know?)

I did check the following on the 4D v15.4 web server:

> curl -v -X OPTIONS http://www.4Dwebsite.com
> * About to connect() to www.4Dwebsite.com port 80 (#0)
> *   Trying XXX.XXX.XXX.XXX...
> * connected
> * Connected to www.4Dwebsite.com (XXX.XXX.XXX.XXX) port 80 (#0)
> > OPTIONS / HTTP/1.1
> > User-Agent: curl/7.28.0
> > Host: www.p5events.com
> > Accept: */*
> > 
> < HTTP/1.1 200 OK
> < Accept-Ranges: bytes
> < Allow: GET, POST, OPTIONS, HEAD
> < Connection: keep-alive
> < Content-Length: 0
> < Content-Type: text/html; charset=utf-8
> < Date: Tue, 08 Aug 2017 19:48:07 GMT
> < Expires: Tue, 08 Aug 2017 19:48:07 GMT
> < Server: 4D/15.0.4
> < 
> * Connection #0 to host www.4Dwebsite.com left intact
> * Closing connection #0

and from the above (the ALLOW line), supposedly TRACE isn't allowed. However, 
when running the following:

> curl -v -X TRACE http://www.4Dwebsite.com
> * About to connect() to www.4Dwebsite.com port 80 (#0)
> *   Trying XXX.XXX.XXX.XXX...
> * connected
> * Connected to www.4Dwebsite.com (XXX.XXX.XXX.XXX) port 80 (#0)
> > TRACE / HTTP/1.1
> > User-Agent: curl/7.28.0
> > Host: www.p5events.com
> > Accept: */*
> > 
> < HTTP/1.1 200 OK
> < Accept-Ranges: bytes
> < Connection: keep-alive
> < Content-Length: 82
> < Content-Type: message/http
> < Date: Tue, 08 Aug 2017 19:47:28 GMT
> < Expires: Tue, 08 Aug 2017 19:47:28 GMT
> < Pragma: no-cache
> < Server: 4D/15.0.4
> < 
> TRACE / HTTP/1.1
> Accept: */*
> Host: www.4Dwebsite.com
> User-Agent: curl/7.28.0
> 
> * Connection #0 to host www.4Dwebsite.com left intact
> * Closing connection #0

sadly, it's not giving a 403 Forbidden error, but happily responding with a 
200 code... :-(

(not sure if this is the way it's supposed to work, but you'd think OPTIONS 
would reflect the options available...)

Anyway, again, if anybody has any advice on how to solve this issue (disable 
the HTTP TRACE command in 4D v15.4), would be greatly appreciated! 

Cheers!

--Mike--

-

On Aug 8, 2017, at 9:31 PM, Bellos, John <john-bel...@idexx.com> wrote:

> Hi Michael,
> 
> This is likely controlled through 4D in your application, not Active4D. Take 
> a look at this KB Document. If you're on v15.4 it can be disabled:
> http://kb.4d.com/assetid=77374
> 
> 
> -
> John Bellos
> 
> 
> From: Active4D-dev [active4d-dev-boun...@aparajitaworld.com] on behalf of 
> Michael Larue [m_la...@gmx.net]
> Sent: Tuesday, August 08, 2017 3:28 PM
> To: Active4D Developer Discussion List
> Subject: [Active4d-dev] Disable HTTP Trace
> 
> Tuesday, August 8, 2017 at 9:25:46 PM
> 
> Hi!
> 
> Is there a way to capture and disable (or send a 403 Forbidden) command in 
> response to a HTTP TRACE request in Active4D?
> 
> Or is this something handled by the 4D Web Server (before it gets to 
> Active4D)?
> 
> And if it's handled by 4D, is there a way to do it there? I think 4D v16 has 
> this disabled now, but am using 4D v15.4 at this time.
> 
> Trying to come up with a quick solution for a security scan issue...
> 
> Many thanks!
> 
> Michael Larue
> Dimension IV Consulting
> 
> ___
> Active4D-dev mailing list
> Active4D-dev@aparajitaworld.com
> https://urldefense.proofpoint.com/v2/url?u=http-3A__list.aparajitaworld.com_listinfo_active4d-2Ddev=DwIGaQ=2do6VJGs3LvEOe4OFFM1bA=wwtjVRq8UQmO8P5M3-rwSBmptOUUgRJNGBQlLDclI30=sY9dODeRQseqMPkMYKDP5w3k3WMKopkmKQjNuE0nMoE=ywVjDtRpeJPiKmF4vX2VA-jPaUH9TSKDkjyFey9o2nA=
> Archives: 
> https://urldefense.proofpoint.com/v2/url?u=http-3A__active4d-2Dna
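
An added example (not part of the original thread, and not 4D or Active4D code): a Python check that confirms whether a server really answers TRACE and whether that disagrees with the `Allow` header it returns for OPTIONS, which is the discrepancy shown in the curl output above. The sample responses are constructed from that transcript with headers trimmed; `parse_raw`, `probe` and `audit_trace` are hypothetical helper names.

```python
import http.client

def parse_raw(raw):
    """Parse a raw HTTP/1.x response string into (status, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def probe(host, method, port=80, timeout=5):
    """Send one request to a server you administer; same return shape as parse_raw."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, "/")
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        return resp.status, headers, resp.read().decode("latin-1")
    finally:
        conn.close()

def audit_trace(options_resp, trace_resp):
    """Compare what OPTIONS advertises with how the server answers TRACE."""
    _, opt_headers, _ = options_resp
    status, headers, body = trace_resp
    allowed = {m.strip().upper() for m in opt_headers.get("allow", "").split(",") if m.strip()}
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    # A working TRACE echoes the request back as a message/http body.
    echoed = status == 200 and ctype == "message/http" and body.startswith("TRACE ")
    return {
        "advertised": "TRACE" in allowed,
        "trace_enabled": echoed,
        "allow_mismatch": echoed and "TRACE" not in allowed,
        "rejected": status in (403, 405, 501),
    }

# Constructed samples, trimmed from the curl transcript in the message above.
OPTIONS_SAMPLE = "HTTP/1.1 200 OK\r\nAllow: GET, POST, OPTIONS, HEAD\r\nContent-Length: 0\r\n\r\n"
TRACE_SAMPLE = ("HTTP/1.1 200 OK\r\nContent-Type: message/http\r\nServer: 4D/15.0.4\r\n\r\n"
                "TRACE / HTTP/1.1\r\nAccept: */*\r\nHost: www.4Dwebsite.com\r\n\r\n")
# Constructed: the response the poster wants to see once TRACE is trapped.
REJECTED_SAMPLE = "HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    print(audit_trace(parse_raw(OPTIONS_SAMPLE), parse_raw(TRACE_SAMPLE)))
    print(audit_trace(parse_raw(OPTIONS_SAMPLE), parse_raw(REJECTED_SAMPLE)))
```

Against a live host you administer, pass `probe(host, "OPTIONS")` and `probe(host, "TRACE")` in place of the parsed samples.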

Re: [Active4d-dev] Disable HTTP Trace

2017-08-08 Thread Bellos, John
Hi Michael,

This is likely controlled through 4D in your application, not Active4D. Take a 
look at this KB Document. If you're on v15.4 it can be disabled:
http://kb.4d.com/assetid=77374


-
John Bellos


From: Active4D-dev [active4d-dev-boun...@aparajitaworld.com] on behalf of 
Michael Larue [m_la...@gmx.net]
Sent: Tuesday, August 08, 2017 3:28 PM
To: Active4D Developer Discussion List
Subject: [Active4d-dev] Disable HTTP Trace

Tuesday, August 8, 2017 at 9:25:46 PM

Hi!

Is there a way to capture and disable (or send a 403 Forbidden) command in 
response to a HTTP TRACE request in Active4D?

Or is this something handled by the 4D Web Server (before it gets to Active4D)?

And if it's handled by 4D, is there a way to do it there? I think 4D v16 has 
this disabled now, but am using 4D v15.4 at this time.

Trying to come up with a quick solution for a security scan issue...

Many thanks!

Michael Larue
Dimension IV Consulting

___
Active4D-dev mailing list
Active4D-dev@aparajitaworld.com
http://list.aparajitaworld.com/listinfo/active4d-dev
Archives: http://active4d-nabble.aparajitaworld.com/

[Active4d-dev] Disable HTTP Trace

2017-08-08 Thread Michael Larue
Tuesday, August 8, 2017 at 9:25:46 PM

Hi!

Is there a way to capture and disable (or send a 403 Forbidden) command in 
response to a HTTP TRACE request in Active4D?

Or is this something handled by the 4D Web Server (before it gets to Active4D)?

And if it's handled by 4D, is there a way to do it there? I think 4D v16 has 
this disabled now, but am using 4D v15.4 at this time.

Trying to come up with a quick solution for a security scan issue...

Many thanks!

Michael Larue
Dimension IV Consulting
