Bug 65357 - TraceEnable Off Returns Empty Allow to TRACE request
Summary: TraceEnable Off Returns Empty Allow to TRACE request
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: Core
Version: 2.5-HEAD
Hardware: All All
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Depends on:
Reported: 2021-06-04 16:22 UTC by Seth Kooiker
Modified: 2021-06-04 16:22 UTC


Description Seth Kooiker 2021-06-04 16:22:54 UTC
Currently, when setting TraceEnable Off, the server returns a 405 with various headers. One such header is the Allow header. This is required by RFC 2616 and correctly implemented under that standard, but not under newer standards.

RFC 7231 obsoletes RFC 2616 and clarifies that the Allow header must contain all valid/allowed methods:

    6.5.5.  405 Method Not Allowed
      The 405 (Method Not Allowed) status code indicates that the method
      received in the request-line is known by the origin server but not
      supported by the target resource.  The origin server MUST generate an
      Allow header field in a 405 response containing a list of the target
      resource's currently supported methods.

This is not the case currently. When using the TraceEnable Off option, the server returns a 405, but the response does not match the RFC requirements.

Possible solutions:
1. Respond with {Allow: "Everything except TRACE" or "TRACE disabled"}, increasing discoverability, where the user would run another request (i.e. GET to the same URI) and see a correct list for that URI.
2. When TraceEnable is Off, respond to TRACE with 501, with the same rationale as the previous.
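The following is an added example, not part of the bug report or of httpd's own code. It parses raw HTTP responses (constructed samples, no live server) and reports the RFC 7231 section 6.5.5 problems the report describes: a missing or empty Allow header on a 405, or an Allow that still lists the method the server just refused. The function names and the sample responses are this example's own.

```python
"""Check whether a 405 response satisfies RFC 7231 section 6.5.5.

Added example (not part of the bug report or of httpd): parses raw HTTP
responses and reports Allow-header problems such as the empty Allow
described in the report. All responses below are constructed samples.
"""


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, headers, body).

    Header names are lower-cased; repeated headers are kept as a list so
    that list-valued fields like Allow can be merged later.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    _version, status, *_reason = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(status), headers, body


def allow_methods(headers) -> list:
    """Merge every Allow field into one upper-cased method list (Allow is a
    comma-separated list field, so several occurrences are combined)."""
    methods = []
    for value in headers.get("allow", []):
        for token in value.split(","):
            token = token.strip()
            if token:
                methods.append(token.upper())
    return methods


def check_405_allow(raw: bytes, refused_method: str = "TRACE") -> list:
    """Return a list of findings; an empty list means the response is compliant.

    refused_method is the method the request used and the server rejected,
    so it must not appear in Allow.
    """
    status, headers, _body = parse_response(raw)
    if status != 405:
        return [f"status {status} is not 405; Allow check does not apply"]
    findings = []
    if "allow" not in headers:
        findings.append("Allow header missing (RFC 7231 6.5.5: MUST be present)")
        return findings
    methods = allow_methods(headers)
    if not methods:
        findings.append("Allow header present but empty")
    if refused_method.upper() in methods:
        findings.append(f"Allow lists {refused_method}, which the server just refused")
    return findings


def build_allow(supported_methods, disabled=("TRACE",)) -> str:
    """Build the Allow value a compliant 405 should carry: the resource's
    supported methods minus anything disabled server-wide (TraceEnable Off)."""
    disabled_set = {m.upper() for m in disabled}
    return ", ".join(m.upper() for m in supported_methods if m.upper() not in disabled_set)


# Constructed sample responses (no real server involved).
EMPTY_ALLOW_405 = (
    b"HTTP/1.1 405 Method Not Allowed\r\n"
    b"Server: constructed-sample\r\n"
    b"Allow: \r\n"
    b"Content-Length: 0\r\n\r\n"
)
MISSING_ALLOW_405 = (
    b"HTTP/1.1 405 Method Not Allowed\r\n"
    b"Content-Length: 0\r\n\r\n"
)
COMPLIANT_405 = (
    b"HTTP/1.1 405 Method Not Allowed\r\n"
    b"Allow: GET, HEAD, POST, OPTIONS\r\n"
    b"Content-Length: 0\r\n\r\n"
)
CONTRADICTORY_405 = (
    b"HTTP/1.1 405 Method Not Allowed\r\n"
    b"Allow: GET, HEAD\r\n"
    b"Allow: TRACE\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    samples = [("empty", EMPTY_ALLOW_405), ("missing", MISSING_ALLOW_405),
               ("compliant", COMPLIANT_405), ("contradictory", CONTRADICTORY_405)]
    for name, raw in samples:
        print(name, check_405_allow(raw) or "OK")
    print("expected Allow:", build_allow(["GET", "HEAD", "POST", "OPTIONS", "TRACE"]))
```

The check deliberately treats a present-but-empty Allow as distinct from a missing one, since the report's complaint is the former; `build_allow` shows the value a fixed server would emit for a resource supporting GET, HEAD, POST and OPTIONS with TRACE disabled.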