Mark,
On 9/9/21 03:05, Mark Thomas wrote:
On 08/09/2021 20:50, Christopher Schultz wrote:
Mark,
On 9/8/21 11:28, Mark Thomas wrote:
On 08/09/2021 16:15, Gilles Robert wrote:
My issue is that even though TRACE is disabled, we see the "malicious"
header in the response.
You need to talk to t
On 08/09/2021 20:50, Christopher Schultz wrote:
Mark,
On 9/8/21 11:28, Mark Thomas wrote:
On 08/09/2021 16:15, Gilles Robert wrote:
My issue is that even though TRACE is disabled, we see the "malicious"
header in the response.
You need to talk to the Spring folks then. Default Tomcat behavio
Mark,
On 9/8/21 11:28, Mark Thomas wrote:
On 08/09/2021 16:15, Gilles Robert wrote:
My issue is that even though TRACE is disabled, we see the "malicious"
header in the response.
You need to talk to the Spring folks then. Default Tomcat behaviour is
to return a 405 with an error message in t
On 08/09/2021 16:15, Gilles Robert wrote:
My issue is that even though TRACE is disabled, we see the "malicious"
header in the response.
You need to talk to the Spring folks then. Default Tomcat behaviour is
to return a 405 with an error message in the response. I've just double
checked this
On Wed, 8 Sept 2021 at 17:01, Mark Thomas wrote:
>
> On 08/09/2021 14:14, Gilles Robert wrote:
> > Hi,
> >
> > Using Spring Boot (2.5.4) with Tomcat (9.0.52), the HTTP TRACE method
> > is disabled by de
On 08/09/2021 14:14, Gilles Robert wrote:
Hi,
Using Spring Boot (2.5.4) with Tomcat (9.0.52), the HTTP TRACE method
is disabled by default and returns a 405 method not allowed, which is
what I expect security-wise. My issue is that if one gives a malicious
header:
header: malicious: alert('mali
Hi,
Using Spring Boot (2.5.4) with Tomcat (9.0.52), the HTTP TRACE method
is disabled by default and returns a 405 method not allowed, which is
what I expect security-wise. My issue is that if one gives a malicious
header:
header: malicious: alert('malicious call');
it's given back in the respon