* Jetty: Disable TRACE and OPTIONS in console and eepsite

2010-06-29 02:29:42 +00:00
parent 2025fe7c20
commit 22ea79a4ff
4 changed files with 61 additions and 0 deletions
--- a/apps/routerconsole/java/src/net/i2p/router/web/LocaleWebAppHandler.java
+++ b/apps/routerconsole/java/src/net/i2p/router/web/LocaleWebAppHandler.java
@ -32,12 +32,20 @@ public class LocaleWebAppHandler extends WebApplicationHandler
     *  or as specified in the routerconsole.lang property.
     *  Unless language==="en".
     */
+    @Override
    public void handle(String pathInContext,
                       String pathParams,
                       HttpRequest httpRequest,
                       HttpResponse httpResponse)
         throws IOException
    {
+        // Handle OPTIONS (nothing to override)
+        if (HttpRequest.__OPTIONS.equals(httpRequest.getMethod()))
+        {
+            handleOptions(httpRequest, httpResponse);
+            return;
+        }
+
        //System.err.println("Path: " + pathInContext);
        String newPath = pathInContext;
        if (pathInContext.endsWith(".jsp")) {
@ -66,4 +74,27 @@ public class LocaleWebAppHandler extends WebApplicationHandler
        super.handle(newPath, pathParams, httpRequest, httpResponse);
        //System.err.println("Was handled? " + httpRequest.isHandled());
    }
+
+    /**
+     *  Overrides method in ServletHandler
+     *  @since 0.8
+     */
+    @Override
+    public void handleTrace(HttpRequest request,
+                            HttpResponse response)
+        throws IOException
+    {
+        response.sendError(HttpResponse.__405_Method_Not_Allowed);
+    }
+
+    /**
+     *  Not an override
+     *  @since 0.8
+     */
+    public void handleOptions(HttpRequest request,
+                              HttpResponse response)
+        throws IOException
+    {
+        response.sendError(HttpResponse.__405_Method_Not_Allowed);
+    }
 }
--- a/apps/routerconsole/java/src/net/i2p/router/web/RouterConsoleRunner.java
+++ b/apps/routerconsole/java/src/net/i2p/router/web/RouterConsoleRunner.java
@ -213,6 +213,22 @@ public class RouterConsoleRunner {
            constraint.setAuthenticate(true);
            context.addSecurityConstraint("/", constraint);
        }
+
+        // This forces a '403 Forbidden' response for TRACE and OPTIONS unless the
+        // WAC handler handles it.
+        // (LocaleWebAppHandler returns a '405 Method Not Allowed')
+        // TRACE and OPTIONS aren't really security issues...
+        // TRACE doesn't echo stuff unless you call setTrace(true)
+        // But it might bug some people
+        // The other strange methods - PUT, DELETE, MOVE - are disabled by default
+        // See also:
+        // http://old.nabble.com/Disable-HTTP-TRACE-in-Jetty-5.x-td12412607.html
+        SecurityConstraint sc = new SecurityConstraint();
+        sc.setName("No trace or options");
+        sc.addMethod("TRACE");
+        sc.addMethod("OPTIONS");
+        sc.setAuthenticate(true);
+        context.addSecurityConstraint("/*", sc) ;
    }
    
    static String getPassword() {