-
Bug
-
Resolution: Won't Do
-
Major
-
None
-
fuse-6.3-R18-GA
-
None
-
False
-
False
-
Low
Todo
-
The pax-web-jetty library disabled HTTP TRACE, but did so incorrectly, by throwing back an exception:
javax.servlet.ServletException: HTTP TRACE method is disabled
Therefore, the client side would get:
$ curl -verbose -X TRACE http://localhost:8181/cxf/greeter
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8181 (#0)
> TRACE /cxf/greeter HTTP/1.1
> Host: localhost:8181
> User-Agent: curl/7.64.1
> Accept: */*
> Referer: rbose
>
< HTTP/1.1 500 javax.servlet.ServletException: HTTP TRACE method is disabled
< Cache-Control: must-revalidate,no-cache,no-store
< Content-Type: text/html; charset=ISO-8859-1
< Content-Length: 341
< Connection: close
The "javax.servlet.ServletException" exposes the Java platform on the server side, which shouldn't happen through the HTTP TRACE method.
The correct response should be:
< HTTP/1.1 405 Method Not Allowed
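A regression check for the behaviour described above, as an added example that is not part of the original report or of pax-web-jetty: it parses the response head returned for a TRACE request and flags a non-405 status or a Java class name in the reason phrase. The Allow header checks go beyond the report (RFC 7231 requires Allow on a 405); the function names and the second sample response are constructed for illustration.

```python
import re

# Fully qualified Java exception/error class names, e.g. javax.servlet.ServletException
JAVA_CLASS = re.compile(r"\b(?:[a-z_][a-z0-9_]*\.)+\w*(?:Exception|Error)\b")

def parse_head(raw):
    """Split a raw HTTP response head into (status, reason, headers)."""
    lines = raw.strip().splitlines()
    _version, status, *reason = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status), (reason[0] if reason else ""), headers

def audit_trace_response(raw):
    """Return findings for a server's response to a TRACE request."""
    status, reason, headers = parse_head(raw)
    findings = []
    if status != 405:
        findings.append(f"status {status}, expected 405 Method Not Allowed")
    leak = JAVA_CLASS.search(reason)
    if leak:
        findings.append(f"reason phrase exposes Java class {leak.group(0)}")
    allow = headers.get("allow")
    if status == 405 and allow is None:
        findings.append("405 response lacks the Allow header")
    elif allow and "TRACE" in [m.strip().upper() for m in allow.split(",")]:
        findings.append("Allow header still advertises TRACE")
    return findings

# Response head quoted in the report above
LEAKY = """HTTP/1.1 500 javax.servlet.ServletException: HTTP TRACE method is disabled
Cache-Control: must-revalidate,no-cache,no-store
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 341
Connection: close
"""

# Constructed sample of the expected behaviour (the Allow value is an assumption)
FIXED = """HTTP/1.1 405 Method Not Allowed
Allow: GET, POST
Content-Length: 0
"""

if __name__ == "__main__":
    for name, raw in (("LEAKY", LEAKY), ("FIXED", FIXED)):
        print(name, audit_trace_response(raw) or "ok")
```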
- is cloned by
-
ENTESB-17914 [7.x] The pax-web-jetty library disabled HTTP TRACE method by incorrectly exposing "javax.servlet.ServletException"
- Done