From c371b7b21a7e774f852af86b85c87d5d877a14bd Mon Sep 17 00:00:00 2001
From: Bryan Call
Date: Tue, 6 Jun 2023 15:23:04 -0700
Subject: [PATCH] Deny the TRACE method by default (#9788)
(cherry picked from commit 105af3ca30e59fbb89013e83a484a04559b4cf25)
---
 configs/ip_allow.yaml.default | 4 +++-
 doc/admin-guide/files/ip_allow.yaml.en.rst | 9 ++++++---
 tests/gold_tests/autest-site/min_cfg/ip_allow.yaml | 4 +++-
 3 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/configs/ip_allow.yaml.default b/configs/ip_allow.yaml.default
index ff3627d23e8..16db1d2845a 100644
--- a/configs/ip_allow.yaml.default
+++ b/configs/ip_allow.yaml.default
@@ -24,7 +24,7 @@
 # Rules are applied in the order listed starting from the top.
 # That means you generally want to append your rules after the ones listed here.
 #
-# Allow anything on localhost, limit destructive methods elsewhere.
+# Allow anything on localhost, limit destructive and debug methods elsewhere.
 ip_allow:
 - apply: in
 ip_addrs: 127.0.0.1
@@ -41,6 +41,7 @@ ip_allow:
 - PURGE
 - PUSH
 - DELETE
+ - TRACE
 - apply: in
 ip_addrs: ::/0
 action: deny
@@ -48,3 +49,4 @@ ip_allow:
 - PURGE
 - PUSH
 - DELETE
+ - TRACE
diff --git a/doc/admin-guide/files/ip_allow.yaml.en.rst b/doc/admin-guide/files/ip_allow.yaml.en.rst
index 1f1843e21ac..db2e58dfa46 100644
--- a/doc/admin-guide/files/ip_allow.yaml.en.rst
+++ b/doc/admin-guide/files/ip_allow.yaml.en.rst
@@ -60,6 +60,7 @@ Format
 - PURGE
 - PUSH
 - DELETE
+ - TRACE
 - apply: in
 ip_addrs: ::/0
 action: deny
@@ -67,6 +68,7 @@ Format
 - PURGE
 - PUSH
 - DELETE
+ - TRACE
 Each rule is a mapping. The YAML data must have a top level key of "ip_allow" and its value must be a mapping or a sequence of mappings, each of those being one rule.
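Review bot: The `- TRACE` entries added to the two `action: deny` rules (hunks at lines 41 and 48) still sit behind the loopback rule at the top of the file, which allows every method, so TRACE, like PURGE, PUSH and DELETE, remains usable by any client whose connection reaches the server from 127.0.0.1, which is what happens when a local load balancer or sidecar proxy fronts Traffic Server. The comment changed in the first hunk is the natural place to say so, and also to name the rule semantics, since `action: deny` with a `methods` list is a blocklist and any method not listed stays allowed; I would follow `# Allow anything on localhost, limit destructive and debug methods elsewhere.` with `# NOTE: the deny rules below are a blocklist -- only the listed methods are refused, and connections that arrive via loopback (e.g. through a local proxy) match the allow-all rule above and may still use TRACE.` Whether the `::1` rule has the same allow-all shape is not visible in this hunk; the compact form in the documentation further down the page suggests it does.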
@@ -106,7 +108,8 @@ the specified methods are denied and all other methods are allowed. For example, from the default configuration, the rule for ``127.0.0.1`` is ``allow`` with all methods. Therefore an inbound connection from the loopback address (127.0.0.1) is allowed to use any method. The general IPv4 rule, covering all IPv4 address, is a ``deny`` rule and therefore when it
-matches the methods "PURGE", "PUSH", and "DELETE", these methods are denied and any other method is allowed.
+matches the methods "PURGE", "PUSH", "DELETE", and "TRACE", these methods are denied and any other method
+is allowed.
 The rules are matched in order, by IP address, therefore the general IPv4 rule does not apply to the loopback address because the latter is matched first.
@@ -224,8 +227,8 @@ As a final example, here is the default configuration in compact form::
 ip_allow: [
 { apply: in, ip_addrs: 127.0.0.1, action: allow },
 { apply: in, ip_addrs: "::1", action: allow },
- { apply: in, ip_addrs: 0/0, action: deny, methods: [ PURGE, PUSH, DELETE ] },
- { apply: in, ip_addrs: "::/0", action: deny, methods: [ PURGE, PUSH, DELETE ] }
+ { apply: in, ip_addrs: 0/0, action: deny, methods: [ PURGE, PUSH, DELETE, TRACE ] },
+ { apply: in, ip_addrs: "::/0", action: deny, methods: [ PURGE, PUSH, DELETE, TRACE ] }
 ]
 .. note::
diff --git a/tests/gold_tests/autest-site/min_cfg/ip_allow.yaml b/tests/gold_tests/autest-site/min_cfg/ip_allow.yaml
index d13c27516ac..841286477cb 100644
--- a/tests/gold_tests/autest-site/min_cfg/ip_allow.yaml
+++ b/tests/gold_tests/autest-site/min_cfg/ip_allow.yaml
@@ -13,7 +13,7 @@
 # or implied. See the License for the specific language governing permissions and limitations under
 # the License.
-# Allow anything on localhost, limit destructive methods elsewhere.
+# Allow anything on localhost, limit destructive and debug methods elsewhere.
 ip_allow:
 - apply: in
 ip_addrs: 127.0.0.1
@@ -34,6 +34,7 @@ ip_allow:
 - PURGE
 - PUSH
 - DELETE
+ - TRACE
 - apply: in
 ip_addrs: ::/0
 action: deny
@@ -41,3 +42,4 @@ ip_allow:
 - PURGE
 - PUSH
 - DELETE
+ - TRACE
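Review bot: The `- TRACE` entries added to the two deny rules in the autest min_cfg fixture change the configuration every gold test runs under, but the diffstat lists only this fixture, the default config and the documentation, so nothing in the patch sends a TRACE request and checks that it is refused for a non-loopback client while still succeeding from 127.0.0.1. A small gold test issuing `TRACE / HTTP/1.1` from a non-loopback client address and asserting the denial would pin the new default and catch a future regression of this file. Whether any existing autest depends on TRACE being accepted from a non-loopback address is not visible here; if one does, it would now fail with this fixture and should be checked before merging.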