You'll have to trap TRACE in 4D's On Web Connection method, it isn't supported by Active4D.

> On Aug 8, 2017, at 2:41 PM, Michael Larue <[email protected]> wrote:
>
> Tuesday, August 8, 2017 at 10:05:24 PM
>
> Hi John,
>
> Thank you very much for your reply!
>
> Just the answer I was looking for!
>
> Until... I just realized that the R releases are NOT available in the dot
> releases, but are "rolled up" into the next version (16).
>
> And, looking at the docs for 15.4 for this command, in fact it is not
> supported:
>
> http://livedoc.4d.com/4D-Language-Reference-15.4/Web-Server/WEB-SET-OPTION.301-3275012.en.html
>
> Bummer!
>
> Anyway, I'm looking for a way to do this without upgrading (if possible);
> looks like I'm going to have to somehow intercept this in 4D, as I'm guessing
> it will be executed by the 4D Web Server prior to getting to Active4D.
>
> It may be, however, that 4D executes this before any code is executed
> anywhere, in which case upgrading is the only option. Just checking, however,
> to see if anybody has run into this and knows a simple way to disable it.
>
> (I'm looking through On Web Connection, but it's not clear that the TRACE
> command triggers anything there; does anybody know?)
>
> I did check the following on the 4D v15.4 web server:
>
>> curl -v -X OPTIONS http://www.4Dwebsite.com
>> * About to connect() to www.4Dwebsite.com port 80 (#0)
>> * Trying XXX.XXX.XXX.XXX...
>> * connected
>> * Connected to www.4Dwebsite.com (XXX.XXX.XXX.XXX) port 80 (#0)
>>> OPTIONS / HTTP/1.1
>>> User-Agent: curl/7.28.0
>>> Host: www.p5events.com
>>> Accept: */*
>>>
>> < HTTP/1.1 200 OK
>> < Accept-Ranges: bytes
>> < Allow: GET, POST, OPTIONS, HEAD
>> < Connection: keep-alive
>> < Content-Length: 0
>> < Content-Type: text/html; charset=utf-8
>> < Date: Tue, 08 Aug 2017 19:48:07 GMT
>> < Expires: Tue, 08 Aug 2017 19:48:07 GMT
>> < Server: 4D/15.0.4
>> <
>> * Connection #0 to host www.4Dwebsite.com left intact
>> * Closing connection #0
>
> and from the above (the ALLOW line), supposedly TRACE isn't allowed. However,
> when running the following:
>
>> curl -v -X TRACE http://www.4Dwebsite.com
>> * About to connect() to www.4Dwebsite.com port 80 (#0)
>> * Trying XXX.XXX.XXX.XXX...
>> * connected
>> * Connected to www.4Dwebsite.com (XXX.XXX.XXX.XXX) port 80 (#0)
>>> TRACE / HTTP/1.1
>>> User-Agent: curl/7.28.0
>>> Host: www.p5events.com
>>> Accept: */*
>>>
>> < HTTP/1.1 200 OK
>> < Accept-Ranges: bytes
>> < Connection: keep-alive
>> < Content-Length: 82
>> < Content-Type: message/http
>> < Date: Tue, 08 Aug 2017 19:47:28 GMT
>> < Expires: Tue, 08 Aug 2017 19:47:28 GMT
>> < Pragma: no-cache
>> < Server: 4D/15.0.4
>> <
>> TRACE / HTTP/1.1
>> Accept: */*
>> Host: www.4Dwebsite.com
>> User-Agent: curl/7.28.0
>>
>> * Connection #0 to host www.4Dwebsite.com left intact
>> * Closing connection #0
>
> sadly, it's not giving a 403 Forbidden error, but happily responding with a
> 200 code... :-(
>
> (not sure if this is the way it's supposed to work, but you'd think OPTIONS
> would reflect the options available...)
>
> Anyway, again, if anybody has any advice on how to solve this issue (disable
> the HTTP TRACE command in 4D v15.4), would be greatly appreciated!
>
> Cheers!
>
> --Mike--
>
> ---------------------
>
> On Aug 8, 2017, at 9:31 PM, Bellos, John <[email protected]> wrote:
>
>> Hi Michael,
>>
>> This is likely controlled through 4D in your application, not Active4D. Take
>> a look at this KB Document. If you're on v15.4 it can be disabled:
>> http://kb.4d.com/assetid=77374
>>
>>
>> -
>> John Bellos
>>
>> ________________________________________
>> From: Active4D-dev [[email protected]] on behalf of
>> Michael Larue [[email protected]]
>> Sent: Tuesday, August 08, 2017 3:28 PM
>> To: Active4D Developer Discussion List
>> Subject: [Active4d-dev] Disable HTTP Trace
>>
>> Tuesday, August 8, 2017 at 9:25:46 PM
>>
>> Hi!
>>
>> Is there a way to capture and disable (or send a 403 Forbidden) command in
>> response to an HTTP TRACE request in Active4D?
>>
>> Or is this something handled by the 4D Web Server (before it gets to
>> Active4D)?
>>
>> And if it's handled by 4D, is there a way to do it there? I think 4D v16 has
>> this disabled now, but am using 4D v15.4 at this time.
>>
>> Trying to come up with a quick solution for a security scan issue...
>>
>> Many thanks!
>>
>> Michael Larue
>> Dimension IV Consulting

_______________________________________________
Active4D-dev mailing list
[email protected]
http://list.aparajitaworld.com/listinfo/active4d-dev
Archives: http://active4d-nabble.aparajitaworld.com/
