On 14/01/2010 11:16, iainmac wrote:
> Sorry, not sure what you want an example of, and not sure what you mean when
> you ask what connectors I am using (not really an expert)

The Connectors are defined in the server.xml file. Either HTTP or AJP,
it should be clear which.

> Using Tomcat 5.0.16.

Tomcat 5.0 is now unsupported; you should upgrade to (at least) the
latest 5.5 at the first opportunity.

Version .16 is old; there have been many bug fixes since it was released
and probably a couple of security issues fixed too.

> My workaround did pass the security scan. Strangely I had the same version
> of Tomcat on a different box where the allowTrace="false" did what it was
> supposed to. I was flummoxed when it didn't work on the new box.
>
> Iain
>
> Christopher Schultz-2 wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Ian,
>>
>> On 1/13/2010 12:37 PM, iainmac wrote:
>>> I need to disable TRACE to pass a security scan, so I added
>>> allowTrace="false" to all my connectors, but it's still allowing TRACE!
>>
>> Can you give us an example?
>>
>> Recently, someone complained that the JSPServlet will allow /any/ HTTP
>> method, even methods that are not defined like:
>>
>> FOO /path/to/my.jsp HTTP/1.1
>>
>> Teh FOO method ist allowed!!111!!!ELEVEN!!
>>
>> For whatever reason, the JSPServlet specifically allows any method,
>> including TRACE.
>>
>> I've never used allowTrace="false", though it /is/ the default.
>>
>>> I had to work around with urlrewrite and a jsp with 1 line which was
>>> response.sendError(response.SC_NOT_IMPLEMENTED, "NOT IMPLEMENTED");
>>
>> And does this pass your security audit?
>>
>>> However I would prefer the allowTrace="false" to work properly!
>>
>> Agreed, though the documentation doesn't state what happens when
>> allowTrace="true" versus allowTrace="false": it just says "enables or
>> disables the TRACE method" without describing the expected behavior.
>>
>>> Any ideas as to why it's not working?
>>
>> Not without looking at the code. You are welcome to check it out. Which
>> connector(s) are you using? What version of Tomcat are you running?
>>
>> - -chris
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.10 (MingW32)
>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>>
>> iEYEARECAAYFAktOK8AACgkQ9CaO5/Lv0PAYowCeIjb1OC3GuXl2FkrYUknvOPBP
>> aV0AmwdVlFQSfuSONNlgu0ga04/Qq82Z
>> =8Ku1
>> -----END PGP SIGNATURE-----
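The thread leaves two loose ends: the connector's allowTrace setting did not take effect on one box, and the JSPServlet passes any method through, so a single misconfigured connector leaves TRACE (and made-up methods like FOO) reachable on .jsp URLs. The following is an added example, not code from this thread or from Tomcat itself: a servlet Filter that enforces an explicit method allowlist for a whole webapp, so the outcome no longer depends on which connector answered or which servlet handled the request. The class name, the init-param name "allowedMethods" and the default list are this example's own choices; the only Tomcat/Servlet API used is the standard javax.servlet Filter interface and HttpServletResponse constants.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Rejects every HTTP method that is not on an explicit allowlist.
 *
 * Mapped at /* this runs before Tomcat's DefaultServlet and JSPServlet, so
 * TRACE and undefined methods are refused even where the JSPServlet itself
 * would accept them. Example web.xml fragment (names are this example's own):
 *
 *   <filter>
 *     <filter-name>MethodAllowlist</filter-name>
 *     <filter-class>MethodAllowlistFilter</filter-class>
 *     <init-param>
 *       <param-name>allowedMethods</param-name>
 *       <param-value>GET,HEAD,POST</param-value>
 *     </init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>MethodAllowlist</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class MethodAllowlistFilter implements Filter {

    // Used when the init-param is absent; extend it (e.g. PUT, DELETE) only
    // for webapps that genuinely serve those methods.
    private static final String DEFAULT_ALLOWED = "GET,HEAD,POST";

    private Set<String> allowed;

    public void init(FilterConfig config) {
        String param = config.getInitParameter("allowedMethods");
        allowed = parseAllowed(param != null ? param : DEFAULT_ALLOWED);
    }

    // Comma-separated, case-insensitive, surrounding whitespace ignored.
    static Set<String> parseAllowed(String csv) {
        Set<String> set = new HashSet<String>();
        for (String m : csv.split(",")) {
            String token = m.trim().toUpperCase();
            if (token.length() > 0) {
                set.add(token);
            }
        }
        return set;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String method = request.getMethod().toUpperCase();
        if (!allowed.contains(method)) {
            // 405 is what HTTP defines for "resource exists, method not accepted";
            // the Allow header tells a well-behaved client what does work.
            response.setHeader("Allow", join(allowed));
            response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return;
        }
        chain.doFilter(req, res);
    }

    private static String join(Set<String> methods) {
        StringBuilder sb = new StringBuilder();
        for (String m : methods) {
            if (sb.length() > 0) {
                sb.append(", ");
            }
            sb.append(m);
        }
        return sb.toString();
    }

    public void destroy() {
        allowed = null;
    }
}
```

Compile the class against the servlet API jar shipped in Tomcat's common/lib (5.5) or lib (6.0 and later), place it under WEB-INF/classes of each webapp, and add the filter and mapping shown in the comment to that webapp's web.xml; filters are per-webapp, so the ROOT context and every other deployed application need their own entry. After restarting, the check a scanner performs is simply a TRACE request against a JSP URL, e.g. `curl -i -X TRACE http://localhost:8080/path/to/my.jsp`, which should now return 405 with an Allow header rather than echo the request back. Unlike the one-line JSP workaround in the thread, this returns 405 instead of 501 and covers methods other than TRACE, but it is a belt-and-braces measure: the connector-level allowTrace="false" on every connector in server.xml remains the first line of defence.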
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org