
Erik Romijn committed 0b949ac

improving TRACE check

  • Parent commits bb677e2


Files changed (3)

File .idea/workspace.xml

           </provider>
         </entry>
       </file>
-      <file leaf-file-name="checker.py" pinned="false" current="true" current-in-tab="true">
+      <file leaf-file-name="checker.py" pinned="false" current="false" current-in-tab="false">
         <entry file="file://$PROJECT_DIR$/ponycheckup/check/checker.py">
           <provider selected="true" editor-type-id="text-editor">
-            <state line="89" column="0" selection-start="3266" selection-end="3266" vertical-scroll-proportion="0.73836607">
+            <state line="24" column="0" selection-start="926" selection-end="926" vertical-scroll-proportion="0.0">
+              <folding />
+            </state>
+          </provider>
+        </entry>
+      </file>
+      <file leaf-file-name="models.py" pinned="false" current="true" current-in-tab="true">
+        <entry file="file://$PROJECT_DIR$/ponycheckup/check/models.py">
+          <provider selected="true" editor-type-id="text-editor">
+            <state line="22" column="0" selection-start="710" selection-end="710" vertical-scroll-proportion="0.34746638">
               <folding />
             </state>
           </provider>
         </state>
       </provider>
     </entry>
-    <entry file="file://$PROJECT_DIR$/ponycheckup/check/models.py">
-      <provider selected="true" editor-type-id="text-editor">
-        <state line="52" column="105" selection-start="2255" selection-end="2255" vertical-scroll-proportion="0.843847">
-          <folding />
-        </state>
-      </provider>
-    </entry>
     <entry file="file://$PROJECT_DIR$/ponycheckup/check/templates/check/result.html">
       <provider selected="true" editor-type-id="text-editor">
         <state line="56" column="14" selection-start="3576" selection-end="3576" vertical-scroll-proportion="-17.28">
     </entry>
     <entry file="file://$PROJECT_DIR$/ponycheckup/check/checker.py">
       <provider selected="true" editor-type-id="text-editor">
-        <state line="89" column="0" selection-start="3266" selection-end="3266" vertical-scroll-proportion="0.73836607">
+        <state line="24" column="0" selection-start="926" selection-end="926" vertical-scroll-proportion="0.0">
+          <folding />
+        </state>
+      </provider>
+    </entry>
+    <entry file="file://$PROJECT_DIR$/ponycheckup/check/models.py">
+      <provider selected="true" editor-type-id="text-editor">
+        <state line="22" column="0" selection-start="710" selection-end="710" vertical-scroll-proportion="0.34746638">
           <folding />
         </state>
       </provider>

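--- a/ponycheckup/check/checker.py
+++ b/ponycheckup/check/checker.py
         request = urllib2.Request(url)
         request.get_method = lambda: 'TRACE'
         try:
-            opener.open(request, None, 7)
+            data = opener.open(request, None, 7)
         except urllib2.HTTPError:
             return False
-        return True
+        return data.info().get('Content-Type') == "message/http"
 
 
     def check_admin(self, url):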
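Review bot: The new return line compares Content-Type for exact equality with `message/http`, so a server that answers `message/http; charset=...` or with different casing is reported as not allowing TRACE, which trades the old false positive for a false negative. A tolerant check would be `ctype = (data.info().get('Content-Type') or '').lower()` followed by `return ctype.split(';')[0].strip() == 'message/http'`. Stronger evidence still would be to send a marker request header and confirm it is echoed back in the response body, since an echoed request is the behaviour this check is really trying to detect; reading the body would also mean closing the response. Only urllib2.HTTPError is caught, so a timeout or connection failure (urllib2.URLError) still propagates out of the check as before the change. The signature of the enclosing check method lies above the hunk.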

File ponycheckup/check/templates/check/result.html

                 <div class="alert alert-error">
                     <h4 class="alert-heading"><i class="icon-remove"></i> Web server allows TRACE</h4>
                     Your web server allows the TRACE method. This is not good, as it rarely serves a purpose,
-                    and can be used in cross-site scripting attacks. We are currently aware of a potential false
-                    positive where some web servers pretend to allow TRACE, but actually treat it as a GET request.
-                    This violates the HTTP specification, but does not cause a security risk.
+                    and can be used in cross-site scripting attacks. 
                 </div>
             {% endif %}
             <p>The TRACE method is a rarely used HTTP request method. Basically, it asks the webserver
         </div>
 
     {% endif %}
-{% endblock %}
+{% endblock %}
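Review bot: The rewritten sentence ending `cross-site scripting attacks. ` leaves a trailing space after the full stop; drop it. The risk the warning describes is more precisely cross-site tracing (XST), where a TRACE response echoes cookies and Authorization headers back to script running with an XSS foothold, so `and can be used in cross-site tracing (XST) attacks to read cookies and authentication headers.` would tell the user what the actual exposure is; note that current browsers refuse TRACE from script, which is worth a hedge in the text. The enclosing template block continues outside the hunk.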