* Jetty: Disable TRACE and OPTIONS in console and eepsite
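--- a/I2PSnarkServlet.java
+++ b/I2PSnarkServlet.java
@@ -117,6 +117,12 @@ public class I2PSnarkServlet extends Default
 */
 @Override
 public void service(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+// since we are not overriding handle*(), do this here
+String method = req.getMethod();
+if (!(method.equals("GET") || method.equals("HEAD") || method.equals("POST"))) {
+resp.sendError(HttpResponse.__405_Method_Not_Allowed);
+return;
+}
 // this is the part after /i2psnark
 String path = req.getServletPath();
 boolean isConfigure = "/configure".equals(path);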
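Review bot: The 405 sent via `resp.sendError(HttpResponse.__405_Method_Not_Allowed)` carries no `Allow` header, which HTTP requires on a 405 so that clients learn which methods the resource does support; add `resp.setHeader("Allow", "GET, HEAD, POST");` immediately before the `sendError` call. The same omission applies to `handleTrace` and `handleOptions` in the LocaleWebAppHandler hunks below. The allow-list shape (GET/HEAD/POST named explicitly, everything else rejected) is the right default-deny posture; keeping the three names in one `static final` set would let the check and the `Allow` value share a single source of truth. The body of `service` continues beyond the hunk.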
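--- a/LocaleWebAppHandler.java
+++ b/LocaleWebAppHandler.java
@@ -32,12 +32,20 @@ public class LocaleWebAppHandler extends WebApplicationHandler
 * or as specified in the routerconsole.lang property.
 * Unless language==="en".
 */
+@Override
 public void handle(String pathInContext,
 String pathParams,
 HttpRequest httpRequest,
 HttpResponse httpResponse)
 throws IOException
 {
+// Handle OPTIONS (nothing to override)
+if (HttpRequest.__OPTIONS.equals(httpRequest.getMethod()))
+{
+handleOptions(httpRequest, httpResponse);
+return;
+}
+
 //System.err.println("Path: " + pathInContext);
 String newPath = pathInContext;
 if (pathInContext.endsWith(".jsp")) {
@@ -66,4 +74,27 @@ public class LocaleWebAppHandler extends WebApplicationHandler
 super.handle(newPath, pathParams, httpRequest, httpResponse);
 //System.err.println("Was handled? " + httpRequest.isHandled());
 }
+
+/**
+* Overrides method in ServletHandler
+* @since 0.8
+*/
+@Override
+public void handleTrace(HttpRequest request,
+HttpResponse response)
+throws IOException
+{
+response.sendError(HttpResponse.__405_Method_Not_Allowed);
+}
+
+/**
+* Not an override
+* @since 0.8
+*/
+public void handleOptions(HttpRequest request,
+HttpResponse response)
+throws IOException
+{
+response.sendError(HttpResponse.__405_Method_Not_Allowed);
+}
 }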
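Review bot: The early return after `handleOptions(httpRequest, httpResponse);` in `handle` never marks the request as handled; the surviving debug line `httpRequest.isHandled()` shows the handler chain tracks that flag, so if `sendError` does not set it in this Jetty version a later handler in the chain could still be offered the request. If that is the case, `httpRequest.setHandled(true);` after the `handleOptions` call (and in `handleTrace`) closes the gap — worth confirming against the Jetty source. Separately, `handleTrace` and `handleOptions` have identical bodies; a private helper such as `sendMethodNotAllowed(HttpResponse response)` would keep the two rejection paths in step, and the Javadoc on `handleOptions` should state that it is only reached through the explicit `__OPTIONS` check in `handle`, since nothing else dispatches to it.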
@ -213,6 +213,22 @@ public class RouterConsoleRunner {
|
|||||||
constraint.setAuthenticate(true);
|
constraint.setAuthenticate(true);
|
||||||
context.addSecurityConstraint("/", constraint);
|
context.addSecurityConstraint("/", constraint);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// This forces a '403 Forbidden' response for TRACE and OPTIONS unless the
|
||||||
|
// WAC handler handles it.
|
||||||
|
// (LocaleWebAppHandler returns a '405 Method Not Allowed')
|
||||||
|
// TRACE and OPTIONS aren't really security issues...
|
||||||
|
// TRACE doesn't echo stuff unless you call setTrace(true)
|
||||||
|
// But it might bug some people
|
||||||
|
// The other strange methods - PUT, DELETE, MOVE - are disabled by default
|
||||||
|
// See also:
|
||||||
|
// http://old.nabble.com/Disable-HTTP-TRACE-in-Jetty-5.x-td12412607.html
|
||||||
|
SecurityConstraint sc = new SecurityConstraint();
|
||||||
|
sc.setName("No trace or options");
|
||||||
|
sc.addMethod("TRACE");
|
||||||
|
sc.addMethod("OPTIONS");
|
||||||
|
sc.setAuthenticate(true);
|
||||||
|
context.addSecurityConstraint("/*", sc) ;
|
||||||
}
|
}
|
||||||
|
|
||||||
static String getPassword() {
|
static String getPassword() {
|
||||||
|
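Review bot: The new constraint depends on `sc.setAuthenticate(true)` with no role added to produce the rejection, but the nine-line comment explains the motivation without naming that mechanism; a one-line comment beside it, `// authenticate=true with no roles: Jetty rejects TRACE/OPTIONS with 403 rather than challenging`, tells the next maintainer why no role is set, assuming that is indeed how this Jetty version treats a role-less authenticated constraint. The method literals in `sc.addMethod("TRACE")` and `sc.addMethod("OPTIONS")` could reuse the `HttpRequest.__OPTIONS` constant that LocaleWebAppHandler already uses (and its TRACE counterpart, if the class defines one) so the two files cannot drift. `context.addSecurityConstraint("/*", sc) ;` has a stray space before the semicolon. The enclosing method begins outside the hunk.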
@ -176,6 +176,14 @@
|
|||||||
<Arg>
|
<Arg>
|
||||||
<New class="org.mortbay.http.handler.ResourceHandler">
|
<New class="org.mortbay.http.handler.ResourceHandler">
|
||||||
<Set name="redirectWelcome">FALSE</Set>
|
<Set name="redirectWelcome">FALSE</Set>
|
||||||
|
<!-- disable TRACE and OPTIONS ref: http://osdir.com/ml/java.jetty.support/2003-11/msg00014.html -->
|
||||||
|
<Set name="AllowedMethods">
|
||||||
|
<Array type="String">
|
||||||
|
<Item>GET</Item>
|
||||||
|
<Item>HEAD</Item>
|
||||||
|
<Item>POST</Item>
|
||||||
|
</Array>
|
||||||
|
</Set>
|
||||||
</New>
|
</New>
|
||||||
</Arg>
|
</Arg>
|
||||||
</Call>
|
</Call>
|
||||||
|
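Review bot: The `<Set name="AllowedMethods">` list restricts only this `ResourceHandler`; as far as the hunk shows, any other handler registered on the same context is not covered and would still receive TRACE and OPTIONS unless it is restricted separately, which is worth confirming against the rest of the file. Extending the existing comment to state the scope, e.g. `<!-- disable TRACE and OPTIONS on this ResourceHandler only (unlisted methods get 405) -->`, would keep that limitation visible to whoever adds another handler later; the "405" part should be adjusted if this Jetty version responds differently.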