[jira] [Resolved] (SLING-4800) If SlingMainServlet has allowTrace = false, default Allow header shouldn't contain TRACE method

2023-04-11 Thread Carsten Ziegeler (Jira)
der shouldn't contain TRACE method --- Key: SLING-4800 URL: https://issues.apache.org/jira/browse/SLING-4800 Project: Sling

[jira] [Commented] (SLING-4800) If SlingMainServlet has allowTrace = false, default Allow header shouldn't contain TRACE method

2015-06-11 Thread Justin Edelson (JIRA)
://codereview.appspot.com/247970043 If SlingMainServlet has allowTrace = false, default Allow header shouldn't contain TRACE method --- Key: SLING-4800 URL: https://issues.apache.org/jira

Re: TRACE method

2010-02-02 Thread Ian Boston
On 2 Feb 2010, at 02:59, Roy T. Fielding wrote: On Jan 28, 2010, at 7:49 AM, Ian Boston wrote: One of our QA people is reporting that Sling servlets support the TRACE method, which can be used for XSS attacks. No, it can't, or at least it doesn't make any difference whether TRACE

Re: TRACE method

2010-02-02 Thread Ian Boston
On 2 Feb 2010, at 09:11, Felix Meschberger wrote: btw, SlingSafeMethodsServlet.doTrace looks like it might be vulnerable to response splitting; it echoes headers back to the response stream without making them safe. Agreed with Bertrand, let's create an issue and fix this in the

Re: TRACE method

2010-02-02 Thread Ian Boston
On 2 Feb 2010, at 08:51, Bertrand Delacretaz wrote: Hi, On Tue, Feb 2, 2010 at 9:47 AM, Ian Boston i...@tfd.co.uk wrote: ...The report was from a QA team running through a battery of known vulnerabilities. I am sure you're right. Should I revert the patch, which, IIUC, copies the

Re: TRACE method

2010-02-01 Thread Roy T. Fielding
On Jan 28, 2010, at 7:49 AM, Ian Boston wrote: One of our QA people is reporting that Sling servlets support the TRACE method, which can be used for XSS attacks. No, it can't, or at least it doesn't make any difference whether TRACE is supported or not because the security leak is allowing

TRACE method

2010-01-28 Thread Ian Boston
Hi, One of our QA people is reporting that Sling servlets support the TRACE method, which can be used for XSS attacks. I had thought that this was a Jetty misconfiguration issue, but I notice that SlingSafeMethodsServlet explicitly supports doTrace. Not knowing anything about this sort

Re: TRACE method

2010-01-28 Thread Alexander Klimetschek
On Thu, Jan 28, 2010 at 16:49, Ian Boston i...@tfd.co.uk wrote: One of our QA people is reporting that Sling servlets support the TRACE method, which can be used for XSS attacks. I had thought that this was a Jetty misconfiguration issue, but I notice that SlingSafeMethodsServlet explicitly

Re: TRACE method

2010-01-28 Thread Ian Boston
On 28 Jan 2010, at 15:58, Alexander Klimetschek wrote: On Thu, Jan 28, 2010 at 16:49, Ian Boston i...@tfd.co.uk wrote: One of our QA people is reporting that Sling servlets support the TRACE method, which can be used for XSS attacks. I had thought that this was a Jetty misconfiguration

Re: TRACE method

2010-01-28 Thread Alexander Klimetschek
On Thu, Jan 28, 2010 at 17:19, Ian Boston i...@tfd.co.uk wrote: For the Sling main servlet I think this is relatively easy to achieve. Yes. Should anything be done for other servlets that might be registered directly with the OSGi Http Service? No, because that is outside the scope of

Re: TRACE method

2010-01-28 Thread Ian Boston
On 28 Jan 2010, at 17:36, Alexander Klimetschek wrote: On Thu, Jan 28, 2010 at 17:19, Ian Boston i...@tfd.co.uk wrote: For the Sling main servlet I think this is relatively easy to achieve. Yes. Should anything be done for other servlets that might be registered directly with the OSGi

Re: TRACE method

2010-01-28 Thread Felix Meschberger
Hi, The TRACE method is not actually handled by Sling or any of the default servlets. By default it gets through to the SimplerWebDavServlet which we have installed to do WebDAV on root. If TRACE is really a problem, I think it is probably a good idea to add a configuration switch