From 4dff2e9974c2e934c2f4a6fd380e37b5404f7c6b Mon Sep 17 00:00:00 2001
From: Michael McMahon <michaelm@openjdk.org>
Date: Thu, 16 Sep 2010 08:08:06 -0700
Subject: [PATCH] 6981426: limit use of TRACE method in HttpURLConnection

Reviewed-by: chegar
---
 .../classes/java/net/HttpURLConnection.java   |   8 ++
 .../share/classes/java/net/NetPermission.java | 130 +++++++++---------
 2 files changed, 76 insertions(+), 62 deletions(-)

diff --git a/jdk/src/share/classes/java/net/HttpURLConnection.java b/jdk/src/share/classes/java/net/HttpURLConnection.java
index c6b1ffab6c9..0b3e578022c 100644
--- a/jdk/src/share/classes/java/net/HttpURLConnection.java
+++ b/jdk/src/share/classes/java/net/HttpURLConnection.java
@@ -399,6 +399,8 @@ abstract public class HttpURLConnection extends URLConnection {
      * @param method the HTTP method
      * @exception ProtocolException if the method cannot be reset or if
      *              the requested method isn't valid for HTTP.
+     * @exception SecurityException if a security manager is set and the
+     *              "allowHttpTrace" NetPermission is not granted.
      * @see #getRequestMethod()
      */
     public void setRequestMethod(String method) throws ProtocolException {
@@ -412,6 +414,12 @@ abstract public class HttpURLConnection extends URLConnection {
 
         for (int i = 0; i < methods.length; i++) {
             if (methods[i].equals(method)) {
+                if (method.equals("TRACE")) {
+                    SecurityManager s = System.getSecurityManager();
+                    if (s != null) {
+                        s.checkPermission(new NetPermission("allowHttpTrace"));
+                    }
+                }
                 this.method = method;
                 return;
             }
diff --git a/jdk/src/share/classes/java/net/NetPermission.java b/jdk/src/share/classes/java/net/NetPermission.java
index 5083a40fb34..1cff4a87676 100644
--- a/jdk/src/share/classes/java/net/NetPermission.java
+++ b/jdk/src/share/classes/java/net/NetPermission.java
@@ -54,62 +54,12 @@ import java.util.StringTokenizer;
  * <th>What the Permission Allows</th>
  * <th>Risks of Allowing this Permission</th>
  * </tr>
- *
  * <tr>
- *   <td>setDefaultAuthenticator</td>
- *   <td>The ability to set the
- * way authentication information is retrieved when
- * a proxy or HTTP server asks for authentication</td>
- *   <td>Malicious
- * code can set an authenticator that monitors and steals user
- * authentication input as it retrieves the input from the user.</td>
- * </tr>
- *
- * <tr>
- *   <td>requestPasswordAuthentication</td>
- *   <td>The ability
- * to ask the authenticator registered with the system for
- * a password</td>
- *   <td>Malicious code may steal this password.</td>
- * </tr>
- *
- * <tr>
- *   <td>specifyStreamHandler</td>
- *   <td>The ability
- * to specify a stream handler when constructing a URL</td>
- *   <td>Malicious code may create a URL with resources that it would
-normally not have access to (like file:/foo/fum/), specifying a
-stream handler that gets the actual bytes from someplace it does
-have access to. Thus it might be able to trick the system into
-creating a ProtectionDomain/CodeSource for a class even though
-that class really didn't come from that location.</td>
- * </tr>
- *
- * <tr>
- *   <td>setProxySelector</td>
- *   <td>The ability to set the proxy selector used to make decisions
- *   on which proxies to use when making network connections.</td>
- *   <td>Malicious code can set a ProxySelector that directs network
- *   traffic to an arbitrary network host.</td>
- * </tr>
- *
- * <tr>
- *   <td>getProxySelector</td>
- *   <td>The ability to get the proxy selector used to make decisions
- *   on which proxies to use when making network connections.</td>
- *   <td>Malicious code can get a ProxySelector to discover proxy
- *   hosts and ports on internal networks, which could then become
- *   targets for attack.</td>
- * </tr>
- *
- * <tr>
- *   <td>setCookieHandler</td>
- *   <td>The ability to set the cookie handler that processes highly
- *   security sensitive cookie information for an Http session.</td>
- *   <td>Malicious code can set a cookie handler to obtain access to
- *   highly security sensitive cookie information. Some web servers
- *   use cookies to save user private information such as access
- *   control information, or to track user browsing habit.</td>
+ *   <td>allowHttpTrace</td>
+ *   <td>The ability to use the HTTP TRACE method in HttpURLConnection.</td>
+ *   <td>Malicious code using HTTP TRACE could get access to security sensitive
+ *   information in the HTTP headers (such as cookies) that it might not
+ *   otherwise have access to.</td>
  *   </tr>
  *
  * <tr>
@@ -123,13 +73,13 @@ that class really didn't come from that location.</td>
  *   </tr>
  *
  * <tr>
- *   <td>setResponseCache</td>
- *   <td>The ability to set the response cache that provides access to
- *   a local response cache.</td>
- *   <td>Malicious code getting access to the local response cache
- *   could access security sensitive information, or create false
- *   entries in the response cache.</td>
- *   </tr>
+ *   <td>getProxySelector</td>
+ *   <td>The ability to get the proxy selector used to make decisions
+ *   on which proxies to use when making network connections.</td>
+ *   <td>Malicious code can get a ProxySelector to discover proxy
+ *   hosts and ports on internal networks, which could then become
+ *   targets for attack.</td>
+ * </tr>
  *
  * <tr>
  *   <td>getResponseCache</td>
@@ -139,6 +89,62 @@ that class really didn't come from that location.</td>
  *   could access security sensitive information.</td>
  *   </tr>
  *
+ * <tr>
+ *   <td>requestPasswordAuthentication</td>
+ *   <td>The ability
+ * to ask the authenticator registered with the system for
+ * a password</td>
+ *   <td>Malicious code may steal this password.</td>
+ * </tr>
+ *
+ * <tr>
+ *   <td>setCookieHandler</td>
+ *   <td>The ability to set the cookie handler that processes highly
+ *   security sensitive cookie information for an Http session.</td>
+ *   <td>Malicious code can set a cookie handler to obtain access to
+ *   highly security sensitive cookie information. Some web servers
+ *   use cookies to save user private information such as access
+ *   control information, or to track user browsing habit.</td>
+ *   </tr>
+ *
+ * <tr>
+ *   <td>setDefaultAuthenticator</td>
+ *   <td>The ability to set the
+ * way authentication information is retrieved when
+ * a proxy or HTTP server asks for authentication</td>
+ *   <td>Malicious
+ * code can set an authenticator that monitors and steals user
+ * authentication input as it retrieves the input from the user.</td>
+ * </tr>
+ *
+ * <tr>
+ *   <td>setProxySelector</td>
+ *   <td>The ability to set the proxy selector used to make decisions
+ *   on which proxies to use when making network connections.</td>
+ *   <td>Malicious code can set a ProxySelector that directs network
+ *   traffic to an arbitrary network host.</td>
+ * </tr>
+ *
+ * <tr>
+ *   <td>setResponseCache</td>
+ *   <td>The ability to set the response cache that provides access to
+ *   a local response cache.</td>
+ *   <td>Malicious code getting access to the local response cache
+ *   could access security sensitive information, or create false
+ *   entries in the response cache.</td>
+ *   </tr>
+ *
+ * <tr>
+ *   <td>specifyStreamHandler</td>
+ *   <td>The ability
+ * to specify a stream handler when constructing a URL</td>
+ *   <td>Malicious code may create a URL with resources that it would
+normally not have access to (like file:/foo/fum/), specifying a
+stream handler that gets the actual bytes from someplace it does
+have access to. Thus it might be able to trick the system into
+creating a ProtectionDomain/CodeSource for a class even though
+that class really didn't come from that location.</td>
+ * </tr>
  * </table>
  *
  * @see java.security.BasicPermission