* Jetty: Disable TRACE and OPTIONS in console and eepsite
This commit is contained in:
@ -117,6 +117,12 @@ public class I2PSnarkServlet extends Default {
|
||||
*/
|
||||
@Override
|
||||
public void service(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
|
||||
// since we are not overriding handle*(), do this here
|
||||
String method = req.getMethod();
|
||||
if (!(method.equals("GET") || method.equals("HEAD") || method.equals("POST"))) {
|
||||
resp.sendError(HttpResponse.__405_Method_Not_Allowed);
|
||||
return;
|
||||
}
|
||||
// this is the part after /i2psnark
|
||||
String path = req.getServletPath();
|
||||
boolean isConfigure = "/configure".equals(path);
|
||||
|
||||
@ -32,12 +32,20 @@ public class LocaleWebAppHandler extends WebApplicationHandler
|
||||
* or as specified in the routerconsole.lang property.
|
||||
* Unless language==="en".
|
||||
*/
|
||||
@Override
|
||||
public void handle(String pathInContext,
|
||||
String pathParams,
|
||||
HttpRequest httpRequest,
|
||||
HttpResponse httpResponse)
|
||||
throws IOException
|
||||
{
|
||||
// Handle OPTIONS (nothing to override)
|
||||
if (HttpRequest.__OPTIONS.equals(httpRequest.getMethod()))
|
||||
{
|
||||
handleOptions(httpRequest, httpResponse);
|
||||
return;
|
||||
}
|
||||
|
||||
//System.err.println("Path: " + pathInContext);
|
||||
String newPath = pathInContext;
|
||||
if (pathInContext.endsWith(".jsp")) {
|
||||
@ -66,4 +74,27 @@ public class LocaleWebAppHandler extends WebApplicationHandler
|
||||
super.handle(newPath, pathParams, httpRequest, httpResponse);
|
||||
//System.err.println("Was handled? " + httpRequest.isHandled());
|
||||
}
|
||||
|
||||
/**
|
||||
* Overrides method in ServletHandler
|
||||
* @since 0.8
|
||||
*/
|
||||
@Override
|
||||
public void handleTrace(HttpRequest request,
|
||||
HttpResponse response)
|
||||
throws IOException
|
||||
{
|
||||
response.sendError(HttpResponse.__405_Method_Not_Allowed);
|
||||
}
|
||||
|
||||
/**
|
||||
* Not an override
|
||||
* @since 0.8
|
||||
*/
|
||||
public void handleOptions(HttpRequest request,
|
||||
HttpResponse response)
|
||||
throws IOException
|
||||
{
|
||||
response.sendError(HttpResponse.__405_Method_Not_Allowed);
|
||||
}
|
||||
}
|
||||
|
||||
@ -213,6 +213,22 @@ public class RouterConsoleRunner {
|
||||
constraint.setAuthenticate(true);
|
||||
context.addSecurityConstraint("/", constraint);
|
||||
}
|
||||
|
||||
// This forces a '403 Forbidden' response for TRACE and OPTIONS unless the
|
||||
// WAC handler handles it.
|
||||
// (LocaleWebAppHandler returns a '405 Method Not Allowed')
|
||||
// TRACE and OPTIONS aren't really security issues...
|
||||
// TRACE doesn't echo stuff unless you call setTrace(true)
|
||||
// But it might bug some people
|
||||
// The other strange methods - PUT, DELETE, MOVE - are disabled by default
|
||||
// See also:
|
||||
// http://old.nabble.com/Disable-HTTP-TRACE-in-Jetty-5.x-td12412607.html
|
||||
SecurityConstraint sc = new SecurityConstraint();
|
||||
sc.setName("No trace or options");
|
||||
sc.addMethod("TRACE");
|
||||
sc.addMethod("OPTIONS");
|
||||
sc.setAuthenticate(true);
|
||||
context.addSecurityConstraint("/*", sc) ;
|
||||
}
|
||||
|
||||
static String getPassword() {
|
||||
|
||||
@ -176,6 +176,14 @@
|
||||
<Arg>
|
||||
<New class="org.mortbay.http.handler.ResourceHandler">
|
||||
<Set name="redirectWelcome">FALSE</Set>
|
||||
<!-- disable TRACE and OPTIONS ref: http://osdir.com/ml/java.jetty.support/2003-11/msg00014.html -->
|
||||
<Set name="AllowedMethods">
|
||||
<Array type="String">
|
||||
<Item>GET</Item>
|
||||
<Item>HEAD</Item>
|
||||
<Item>POST</Item>
|
||||
</Array>
|
||||
</Set>
|
||||
</New>
|
||||
</Arg>
|
||||
</Call>
|
||||
|
||||
Reference in New Issue
Block a user