From 22ea79a4ff3b3a090bc9d9cb485a05410552eae0 Mon Sep 17 00:00:00 2001
From: zzz <zzz@mail.i2p>
Date: Tue, 29 Jun 2010 02:29:42 +0000
Subject: [PATCH]     * Jetty: Disable TRACE and OPTIONS in console and eepsite

---
 .../org/klomp/snark/web/I2PSnarkServlet.java  |  6 ++++
 .../i2p/router/web/LocaleWebAppHandler.java   | 31 +++++++++++++++++++
 .../i2p/router/web/RouterConsoleRunner.java   | 16 ++++++++++
 installer/resources/jetty.xml                 |  8 +++++
 4 files changed, 61 insertions(+)

diff --git a/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java b/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java
index 48dd4ffc0c..ea1325e188 100644
--- a/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java
+++ b/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java
@@ -117,6 +117,12 @@ public class I2PSnarkServlet extends Default {
      */
     @Override
     public void service(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+        // since we are not overriding handle*(), do this here
+        String method = req.getMethod();
+        if (!(method.equals("GET") || method.equals("HEAD") || method.equals("POST"))) {
+            resp.sendError(HttpResponse.__405_Method_Not_Allowed);
+            return;
+        }
         // this is the part after /i2psnark
         String path = req.getServletPath();
         boolean isConfigure = "/configure".equals(path);
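Review bot: The 405 sent on the `sendError` line goes out without an `Allow` header, which RFC 2616 §10.4.6 requires for that status so clients learn which methods the resource does accept; add `resp.setHeader("Allow", "GET, HEAD, POST");` before the `sendError` call. The servlet API already defines `HttpServletResponse.SC_METHOD_NOT_ALLOWED`, so the container-specific `HttpResponse.__405_Method_Not_Allowed` constant is not needed here and only couples the servlet to the Jetty class. The method list is duplicated between this check and the `Allow` value, so a `private static final` array or string would keep the two from drifting. The rest of `service()` continues past the hunk.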
diff --git a/apps/routerconsole/java/src/net/i2p/router/web/LocaleWebAppHandler.java b/apps/routerconsole/java/src/net/i2p/router/web/LocaleWebAppHandler.java
index b7ac2b8f8f..a075fb62f2 100644
--- a/apps/routerconsole/java/src/net/i2p/router/web/LocaleWebAppHandler.java
+++ b/apps/routerconsole/java/src/net/i2p/router/web/LocaleWebAppHandler.java
@@ -32,12 +32,20 @@ public class LocaleWebAppHandler extends WebApplicationHandler
      *  or as specified in the routerconsole.lang property.
      *  Unless language==="en".
      */
+    @Override
     public void handle(String pathInContext,
                        String pathParams,
                        HttpRequest httpRequest,
                        HttpResponse httpResponse)
          throws IOException
     {
+        // Handle OPTIONS (nothing to override)
+        if (HttpRequest.__OPTIONS.equals(httpRequest.getMethod()))
+        {
+            handleOptions(httpRequest, httpResponse);
+            return;
+        }
+
         //System.err.println("Path: " + pathInContext);
         String newPath = pathInContext;
         if (pathInContext.endsWith(".jsp")) {
@@ -66,4 +74,27 @@ public class LocaleWebAppHandler extends WebApplicationHandler
         super.handle(newPath, pathParams, httpRequest, httpResponse);
         //System.err.println("Was handled? " + httpRequest.isHandled());
     }
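Review bot: The OPTIONS short-circuit runs before `super.handle`, so no servlet in this webapp can ever answer OPTIONS itself; that is presumably intended for the console, but it is worth a comment saying so, e.g. `// OPTIONS is rejected for the whole console; servlets never see it`. Whether `handleOptions` needs to mark the request handled (`httpRequest.setHandled(true)`) so a later handler in the context does not try to serve it again is not visible from this hunk — confirm that `sendError` does this on its own, or set it explicitly. TRACE is not checked here, so it presumably reaches `handleTrace` through the superclass dispatch; a one-line comment noting that asymmetry would save the next reader the lookup.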
+
+    /**
+     *  Overrides method in ServletHandler
+     *  @since 0.8
+     */
+    @Override
+    public void handleTrace(HttpRequest request,
+                            HttpResponse response)
+        throws IOException
+    {
+        response.sendError(HttpResponse.__405_Method_Not_Allowed);
+    }
+
+    /**
+     *  Not an override
+     *  @since 0.8
+     */
+    public void handleOptions(HttpRequest request,
+                              HttpResponse response)
+        throws IOException
+    {
+        response.sendError(HttpResponse.__405_Method_Not_Allowed);
+    }
 }
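Review bot: Both `handleTrace` and `handleOptions` answer 405 without an `Allow` header, which is the one header a 405 is required to carry; assuming `HttpResponse` exposes the `setField(String, String)` used elsewhere in Jetty 5 handlers, add `response.setField("Allow", "GET, HEAD, POST");` before each `sendError`. The two bodies are identical, so a single private `sendMethodNotAllowed(HttpResponse)` helper called from both would avoid the duplication. The Javadoc "Not an override" on `handleOptions` should also say how it is reached, e.g. `Called only from handle() above; ServletHandler has no OPTIONS hook to override.`, otherwise a reader may assume it is dead code.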
diff --git a/apps/routerconsole/java/src/net/i2p/router/web/RouterConsoleRunner.java b/apps/routerconsole/java/src/net/i2p/router/web/RouterConsoleRunner.java
index 58a6d5c964..05bedee374 100644
--- a/apps/routerconsole/java/src/net/i2p/router/web/RouterConsoleRunner.java
+++ b/apps/routerconsole/java/src/net/i2p/router/web/RouterConsoleRunner.java
@@ -213,6 +213,22 @@ public class RouterConsoleRunner {
             constraint.setAuthenticate(true);
             context.addSecurityConstraint("/", constraint);
         }
+
+        // This forces a '403 Forbidden' response for TRACE and OPTIONS unless the
+        // WAC handler handles it.
+        // (LocaleWebAppHandler returns a '405 Method Not Allowed')
+        // TRACE and OPTIONS aren't really security issues...
+        // TRACE doesn't echo stuff unless you call setTrace(true)
+        // But it might bug some people
+        // The other strange methods - PUT, DELETE, MOVE - are disabled by default
+        // See also:
+        // http://old.nabble.com/Disable-HTTP-TRACE-in-Jetty-5.x-td12412607.html
+        SecurityConstraint sc = new SecurityConstraint();
+        sc.setName("No trace or options");
+        sc.addMethod("TRACE");
+        sc.addMethod("OPTIONS");
+        sc.setAuthenticate(true);
+        context.addSecurityConstraint("/*", sc) ;
     }
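Review bot: The constraint-level rejection yields a 403 while `LocaleWebAppHandler` yields a 405 for the same methods, so which status a client sees depends on handler order; the comment acknowledges this, but a single, consistent 405 (with `Allow`) is what RFC 2616 expects and what a scanner will look for. The rationale comment "TRACE and OPTIONS aren't really security issues" undersells TRACE: an echoing TRACE is the cross-site-tracing vector for reading cookies and auth headers from script, so the comment should say the risk is mitigated only because Jetty's trace echo is off unless `setTrace(true)` is called, rather than that it is not an issue. The claim that PUT, DELETE and MOVE "are disabled by default" is not checked here; adding them to `sc.addMethod(...)` would make the intent explicit and not depend on a container default. Minor style: `context.addSecurityConstraint("/*", sc) ;` has a stray space before the semicolon. The enclosing method starts outside the hunk.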
     
     static String getPassword() {
diff --git a/installer/resources/jetty.xml b/installer/resources/jetty.xml
index 69909ef6bb..d82cf5580f 100644
--- a/installer/resources/jetty.xml
+++ b/installer/resources/jetty.xml
@@ -176,6 +176,14 @@
           <Arg>
             <New class="org.mortbay.http.handler.ResourceHandler">
               <Set name="redirectWelcome">FALSE</Set>
+              <!-- disable TRACE and OPTIONS ref: http://osdir.com/ml/java.jetty.support/2003-11/msg00014.html -->
+              <Set name="AllowedMethods">
+                <Array type="String">
+                  <Item>GET</Item>
+                  <Item>HEAD</Item>
+                  <Item>POST</Item>
+                </Array>
+              </Set>
 	    </New>
           </Arg>
         </Call>
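Review bot: The `AllowedMethods` list restricts only this `ResourceHandler`; whether a rejected method produces a 405 or merely falls through to the next handler in the context (and so a 404) is not visible here and should be confirmed with a TRACE and an OPTIONS request against the eepsite after the change. The inline comment cites an external mailing-list thread that will rot; replace it with the actual semantics, e.g. `<!-- Only these methods are served by the resource handler; anything else (TRACE, OPTIONS, PUT, ...) is refused -->`. If the same context has other handlers (servlets, CGI) they are not covered by this setting and need their own method restriction.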
-- 
GitLab