umgeher/cowboy
0
Fork 0
mirror of https://github.com/ninenines/cowboy.git synced 2025-07-14 20:30:23 +00:00
Code Issues Wiki Activity

Also disable the TRACE method entirely

Browse source
This commit is contained in:
Loïc Hoguin 2017-12-06 10:54:23 +01:00
parent dd002b8141
commit 2eb3e3f994
No known key found for this signature in database
GPG key ID: 8A9DF795F6FED764
3 changed files with 15 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

3
src/cowboy_http.erl
View file

@ -350,6 +350,9 @@ parse_request(Buffer, State=#state{opts=Opts, in_streamid=InStreamID}, EmptyLine
<<"CONNECT ", _/bits>> ->
error_terminate(501, State, {connection_error, no_error,
'The CONNECT method is currently not implemented. (RFC7231 4.3.6)'});
<<"TRACE ", _/bits>> ->
error_terminate(501, State, {connection_error, no_error,
'The TRACE method is currently not implemented. (RFC7231 4.3.8)'});
%% Accept direct HTTP/2 only at the beginning of the connection.
<< "PRI * HTTP/2.0\r\n", _/bits >> when InStreamID =:= 1 ->
%% @todo Might be worth throwing to get a clean stacktrace.

6
src/cowboy_http2.erl
View file

@ -842,10 +842,12 @@ stream_decode_init(State=#state{decode_state=DecodeState0}, StreamID, IsFin, Hea
stream_pseudo_headers_init(State, StreamID, IsFin, Headers0) ->
case pseudo_headers(Headers0, #{}) of
%% @todo Add clause for CONNECT requests (no scheme/path).
{ok, PseudoHeaders=#{method := Method}, _}
when Method =:= <<"CONNECT">> ->
{ok, PseudoHeaders=#{method := <<"CONNECT">>}, _} ->
stream_early_error(State, StreamID, 501, PseudoHeaders,
'The CONNECT method is currently not implemented. (RFC7231 4.3.6)');
{ok, PseudoHeaders=#{method := <<"TRACE">>}, _} ->
stream_early_error(State, StreamID, 501, PseudoHeaders,
'The TRACE method is currently not implemented. (RFC7231 4.3.8)');
{ok, PseudoHeaders=#{method := _, scheme := _, authority := _, path := _}, Headers} ->
stream_regular_headers_init(State, StreamID, IsFin, Headers, PseudoHeaders);
{ok, _, _} ->

10
test/rfc7231_SUITE.erl
View file

@ -151,8 +151,14 @@ method_options(Config) ->
%method_options_asterisk(Config) ->
%method_options_content_length_0(Config) ->
%% @todo Should probably disable TRACE entirely until they're implemented.
%method_trace(Config) ->
method_trace(Config) ->
doc("The TRACE method is currently not implemented. (RFC7231 4.3.8)"),
ConnPid = gun_open(Config),
Ref = gun:request(ConnPid, <<"TRACE">>, "/", [
{<<"accept-encoding">>, <<"gzip">>}
]),
{response, fin, 501, _} = gun:await(ConnPid, Ref),
ok.
%% Request headers.