* Jetty: Disable TRACE and OPTIONS in console and eepsite

2010-06-29 02:29:42 +00:00
parent 2025fe7c20
commit 22ea79a4ff
4 changed files with 61 additions and 0 deletions
--- a/apps/routerconsole/java/src/net/i2p/router/web/RouterConsoleRunner.java
+++ b/apps/routerconsole/java/src/net/i2p/router/web/RouterConsoleRunner.java
@@ -213,6 +213,22 @@ public class RouterConsoleRunner {
            constraint.setAuthenticate(true);
            context.addSecurityConstraint("/", constraint);
        }
+
+        // This forces a '403 Forbidden' response for TRACE and OPTIONS unless the
+        // WAC handler handles it.
+        // (LocaleWebAppHandler returns a '405 Method Not Allowed')
+        // TRACE and OPTIONS aren't really security issues...
+        // TRACE doesn't echo stuff unless you call setTrace(true)
+        // But it might bug some people
+        // The other strange methods - PUT, DELETE, MOVE - are disabled by default
+        // See also:
+        // http://old.nabble.com/Disable-HTTP-TRACE-in-Jetty-5.x-td12412607.html
+        SecurityConstraint sc = new SecurityConstraint();
+        sc.setName("No trace or options");
+        sc.addMethod("TRACE");
+        sc.addMethod("OPTIONS");
+        sc.setAuthenticate(true);
+        context.addSecurityConstraint("/*", sc) ;
    }
    
    static String getPassword() {