Deny the TRACE method by default (#9788)
bryancall committed Jun 6, 2023
1 parent 8d1ad1d commit 105af3c
Showing 3 changed files with 12 additions and 5 deletions.
4 changes: 3 additions & 1 deletion configs/ip_allow.yaml.default
@@ -24,7 +24,7 @@
# Rules are applied in the order listed starting from the top.
# That means you generally want to append your rules after the ones listed here.
#
# Allow anything on localhost, limit destructive methods elsewhere.
# Allow anything on localhost, limit destructive and debug methods elsewhere.
ip_allow:
- apply: in
ip_addrs: 127.0.0.1
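Review bot: the new header comment says "debug methods" in the plural, but the only method added in this change is TRACE; either say "the TRACE debug method" or, better, state the rationale in the comment (TRACE reflects the received request, including its headers, back to the client) so operators reading the shipped default understand why it is denied alongside the destructive methods.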
@@ -41,10 +41,12 @@ ip_allow:
- PURGE
- PUSH
- DELETE
- TRACE
- apply: in
ip_addrs: ::/0
action: deny
methods:
- PURGE
- PUSH
- DELETE
- TRACE
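Review bot: the two deny rules extended here only reach non-loopback clients, because the 127.0.0.1 and ::1 rules earlier in this file are unrestricted allow rules and rules are matched in order; TRACE therefore remains permitted for loopback, and in a deployment where a local front proxy delivers every client request to ATS from 127.0.0.1 this default restricts TRACE for nobody. A sentence in the header comment telling operators in that topology to add a methods list to the loopback rules would make the limit of the new default explicit.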
9 changes: 6 additions & 3 deletions doc/admin-guide/files/ip_allow.yaml.en.rst
@@ -60,13 +60,15 @@ Format
- PURGE
- PUSH
- DELETE
- TRACE
- apply: in
ip_addrs: ::/0
action: deny
methods:
- PURGE
- PUSH
- DELETE
- TRACE

Each rule is a mapping. The YAML data must have a top level key of "ip_allow" and its value must
be a mapping or a sequence of mappings, each of those being one rule.
@@ -106,7 +108,8 @@ the specified methods are denied and all other methods are allowed.
For example, from the default configuration, the rule for ``127.0.0.1`` is ``allow`` with all
methods. Therefore an inbound connection from the loopback address (127.0.0.1) is allowed to use any
method. The general IPv4 rule, covering all IPv4 address, is a ``deny`` rule and therefore when it
matches the methods "PURGE", "PUSH", and "DELETE", these methods are denied and any other method is allowed.
matches the methods "PURGE", "PUSH", "DELETE", and "TRACE", these methods are denied and any other method
is allowed.

The rules are matched in order, by IP address, therefore the general IPv4 rule does not apply to the
loopback address because the latter is matched first.
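Review bot: the unchanged context line `method. The general IPv4 rule, covering all IPv4 address, is a ``deny`` rule and therefore when it` carries a pre-existing typo, "address" for "addresses"; since the paragraph is being rewrapped in this hunk anyway, fixing it here costs nothing.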
@@ -224,8 +227,8 @@ As a final example, here is the default configuration in compact form::
ip_allow: [
{ apply: in, ip_addrs: 127.0.0.1, action: allow },
{ apply: in, ip_addrs: "::1", action: allow },
{ apply: in, ip_addrs: 0/0, action: deny, methods: [ PURGE, PUSH, DELETE ] },
{ apply: in, ip_addrs: "::/0", action: deny, methods: [ PURGE, PUSH, DELETE ] }
{ apply: in, ip_addrs: 0/0, action: deny, methods: [ PURGE, PUSH, DELETE, TRACE ] },
{ apply: in, ip_addrs: "::/0", action: deny, methods: [ PURGE, PUSH, DELETE, TRACE ] }
]

.. note::
4 changes: 3 additions & 1 deletion tests/gold_tests/autest-site/min_cfg/ip_allow.yaml
@@ -13,7 +13,7 @@
# or implied. See the License for the specific language governing permissions and limitations under
# the License.

# Allow anything on localhost, limit destructive methods elsewhere.
# Allow anything on localhost, limit destructive and debug methods elsewhere.
ip_allow:
- apply: in
ip_addrs: 127.0.0.1
@@ -34,10 +34,12 @@ ip_allow:
- PURGE
- PUSH
- DELETE
- TRACE
- apply: in
ip_addrs: ::/0
action: deny
methods:
- PURGE
- PUSH
- DELETE
- TRACE
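Review bot: the same four-method deny list now has to be kept identical in three places (configs/ip_allow.yaml.default, the example in doc/admin-guide/files/ip_allow.yaml.en.rst, and this autest min_cfg copy) with nothing tying them together; a small check that compares the method lists in this autest file against the shipped default, or at least a comment at the top of each file pointing at the others, would keep the next method addition from landing in only some of them.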
