trafficserver/CVE-2022-47184.patch
starlet-dx b06b827864 Fix CVE-2022-47184 and CVE-2023-33933
(cherry picked from commit 83bd21b8a6b6c119e1164c87d0e9c94f59ffdd82)
2023-12-19 16:07:10 +08:00


From c371b7b21a7e774f852af86b85c87d5d877a14bd Mon Sep 17 00:00:00 2001
From: Bryan Call <bcall@apache.org>
Date: Tue, 6 Jun 2023 15:23:04 -0700
Subject: [PATCH] Deny the TRACE method by default (#9788)
(cherry picked from commit 105af3ca30e59fbb89013e83a484a04559b4cf25)
---
configs/ip_allow.yaml.default | 4 +++-
doc/admin-guide/files/ip_allow.yaml.en.rst | 9 ++++++---
tests/gold_tests/autest-site/min_cfg/ip_allow.yaml | 4 +++-
3 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/configs/ip_allow.yaml.default b/configs/ip_allow.yaml.default
index ff3627d23e8..16db1d2845a 100644
--- a/configs/ip_allow.yaml.default
+++ b/configs/ip_allow.yaml.default
@@ -24,7 +24,7 @@
# Rules are applied in the order listed starting from the top.
# That means you generally want to append your rules after the ones listed here.
#
-# Allow anything on localhost, limit destructive methods elsewhere.
+# Allow anything on localhost, limit destructive and debug methods elsewhere.
ip_allow:
- apply: in
ip_addrs: 127.0.0.1
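Review bot: the new comment says "debug methods", but neither this file nor the documentation hunk states why TRACE joins the deny list, so an operator trimming the list has nothing to go on; add a short rationale comment next to the rule (one line above the `- TRACE` entry is enough) so the reason survives in the shipped default.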
@@ -41,6 +41,7 @@ ip_allow:
- PURGE
- PUSH
- DELETE
+ - TRACE
- apply: in
ip_addrs: ::/0
action: deny
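Review bot: because this file is only the shipped default (`configs/ip_allow.yaml.default`), any deployment that has already copied or customised its own `ip_allow.yaml` keeps allowing TRACE from every non-loopback address after upgrading; the change needs an upgrade or release note telling operators to append `- TRACE` to their own IPv4 and IPv6 deny rules, and the comment on line 26 ("append your rules after the ones listed here") makes that manual step the expected path.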
@@ -48,3 +49,4 @@ ip_allow:
- PURGE
- PUSH
- DELETE
+ - TRACE
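Review bot: the diffstat touches only the default config, the reStructuredText docs and the minimal test config; no gold test asserts that a TRACE request arriving from a non-loopback address is now refused under the shipped default, so a later edit that drops `- TRACE` from either deny rule would pass unnoticed. Add an autest that issues TRACE through the proxy with this default and checks for the deny outcome for both the `0/0` and `::/0` rules.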
diff --git a/doc/admin-guide/files/ip_allow.yaml.en.rst b/doc/admin-guide/files/ip_allow.yaml.en.rst
index 1f1843e21ac..db2e58dfa46 100644
--- a/doc/admin-guide/files/ip_allow.yaml.en.rst
+++ b/doc/admin-guide/files/ip_allow.yaml.en.rst
@@ -60,6 +60,7 @@ Format
- PURGE
- PUSH
- DELETE
+ - TRACE
- apply: in
ip_addrs: ::/0
action: deny
@@ -67,6 +68,7 @@ Format
- PURGE
- PUSH
- DELETE
+ - TRACE
Each rule is a mapping. The YAML data must have a top level key of "ip_allow" and its value must
be a mapping or a sequence of mappings, each of those being one rule.
@@ -106,7 +108,8 @@ the specified methods are denied and all other methods are allowed.
For example, from the default configuration, the rule for ``127.0.0.1`` is ``allow`` with all
methods. Therefore an inbound connection from the loopback address (127.0.0.1) is allowed to use any
method. The general IPv4 rule, covering all IPv4 address, is a ``deny`` rule and therefore when it
-matches the methods "PURGE", "PUSH", and "DELETE", these methods are denied and any other method is allowed.
+matches the methods "PURGE", "PUSH", "DELETE", and "TRACE", these methods are denied and any other method
+is allowed.
The rules are matched in order, by IP address, therefore the general IPv4 rule does not apply to the
loopback address because the latter is matched first.
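Review bot: the unchanged context line "The general IPv4 rule, covering all IPv4 address, is a ``deny`` rule" has a number agreement error (`address` should read `addresses`); since this paragraph is being rewrapped in the same hunk, fix it here rather than leaving it for a separate docs commit.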
@@ -224,8 +227,8 @@ As a final example, here is the default configuration in compact form::
ip_allow: [
{ apply: in, ip_addrs: 127.0.0.1, action: allow },
{ apply: in, ip_addrs: "::1", action: allow },
- { apply: in, ip_addrs: 0/0, action: deny, methods: [ PURGE, PUSH, DELETE ] },
- { apply: in, ip_addrs: "::/0", action: deny, methods: [ PURGE, PUSH, DELETE ] }
+ { apply: in, ip_addrs: 0/0, action: deny, methods: [ PURGE, PUSH, DELETE, TRACE ] },
+ { apply: in, ip_addrs: "::/0", action: deny, methods: [ PURGE, PUSH, DELETE, TRACE ] }
]
.. note::
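Review bot: the method list is now maintained by hand in four places (this compact example, the two expanded rule listings earlier in this file, and `configs/ip_allow.yaml.default`), and this change had to edit every copy; consider pulling the default into the docs with a `literalinclude` of the config file so the documentation cannot drift from what ships.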
diff --git a/tests/gold_tests/autest-site/min_cfg/ip_allow.yaml b/tests/gold_tests/autest-site/min_cfg/ip_allow.yaml
index d13c27516ac..841286477cb 100644
--- a/tests/gold_tests/autest-site/min_cfg/ip_allow.yaml
+++ b/tests/gold_tests/autest-site/min_cfg/ip_allow.yaml
@@ -13,7 +13,7 @@
# or implied. See the License for the specific language governing permissions and limitations under
# the License.
-# Allow anything on localhost, limit destructive methods elsewhere.
+# Allow anything on localhost, limit destructive and debug methods elsewhere.
ip_allow:
- apply: in
ip_addrs: 127.0.0.1
@@ -34,6 +34,7 @@ ip_allow:
- PURGE
- PUSH
- DELETE
+ - TRACE
- apply: in
ip_addrs: ::/0
action: deny
@@ -41,3 +42,4 @@ ip_allow:
- PURGE
- PUSH
- DELETE
+ - TRACE