Bug 65357 - TraceEnable Off Returns Empty Allow to TRACE request
Summary: TraceEnable Off Returns Empty Allow to TRACE request
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: Core
Version: 2.5-HEAD
Hardware: All All
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-06-04 16:22 UTC by Seth Kooiker
Modified: 2021-06-04 16:22 UTC
CC List: 0 users
Description Seth Kooiker 2021-06-04 16:22:54 UTC
Context: 
Currently, when TraceEnable Off is set, the server returns a 405 with various headers. One such header is the Allow header. This is required by RFC 2616 and correctly implemented under that standard, but not under newer standards.

Issue:
RFC 7231 obsoletes RFC 2616 and clarifies that the Allow header must contain all valid/allowed methods:

    https://datatracker.ietf.org/doc/html/rfc7231#section-6.5.5
    6.5.5.  405 Method Not Allowed
 
      The 405 (Method Not Allowed) status code indicates that the method
      received in the request-line is known by the origin server but not
      supported by the target resource.  The origin server MUST generate an
      Allow header field in a 405 response containing a list of the target
      resource's currently supported methods.

This is not the case currently. When using the TraceEnable Off option, the server returns a 405, but the response does not match the RFC requirements.

Possible Solution:
Respond with {Allow: "Everything except TRACE" or "TRACE disabled"}, increasing discoverability, where the user would run another request (i.e. a GET to the same URI) and see a correct list for that URI,
or
when TraceEnable is Off, respond to TRACE with a 501, with the same rationale as the previous option.
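As an added illustration (not part of the bug report or of httpd), the check below parses a raw 405 response and tests it against the RFC 7231 section 6.5.5 requirement quoted above: an Allow header must be present, and its list should name the methods the resource actually supports (an empty list, per RFC 7231, would claim the resource supports no methods at all) and must not contain the rejected method. The two responses are constructed samples, not captures from a real server.

```python
"""Validate the Allow header of a 405 response against RFC 7231 section 6.5.5."""
from dataclasses import dataclass, field

# Constructed sample responses (not captured from a real httpd instance).
# The first mirrors the behaviour described in the report: 405 with an empty Allow.
EMPTY_ALLOW_405 = (
    b"HTTP/1.1 405 Method Not Allowed\r\n"
    b"Date: Fri, 04 Jun 2021 16:22:54 GMT\r\n"
    b"Allow: \r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
# The second lists the methods the resource really supports, minus TRACE.
GOOD_ALLOW_405 = (
    b"HTTP/1.1 405 Method Not Allowed\r\n"
    b"Date: Fri, 04 Jun 2021 16:22:54 GMT\r\n"
    b"Allow: GET, HEAD, POST, OPTIONS\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


@dataclass
class AllowCheck:
    ok: bool
    problems: list = field(default_factory=list)
    allowed: tuple = ()


def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status code, {lower-cased name: [values]})."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    _version, status, *_reason = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(status), headers


def check_405_allow(raw: bytes, requested_method: str = "TRACE") -> AllowCheck:
    """Return an AllowCheck describing how the 405 response's Allow header deviates, if at all."""
    status, headers = parse_response(raw)
    if status != 405:
        return AllowCheck(False, [f"status {status}, not 405"])
    values = headers.get("allow")
    if values is None:
        return AllowCheck(False, ["Allow header missing (MUST be present in a 405)"])
    # Allow is a comma-separated list; repeated Allow fields are combined (RFC 7230 3.2.2).
    methods = tuple(m.strip().upper() for v in values for m in v.split(",") if m.strip())
    problems = []
    if not methods:
        problems.append("Allow is empty: this claims the resource supports no methods at all")
    if requested_method.upper() in methods:
        problems.append(f"Allow lists {requested_method}, contradicting the 405")
    return AllowCheck(not problems, problems, methods)
```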