From abf72017b5e41ab9bd9929169567e7469a760e52 Mon Sep 17 00:00:00 2001
From: Vidar Langseid
Date: Wed, 13 Jul 2022 16:45:22 +0200
Subject: [PATCH 1/2] IBX-2921: Disabled TRACE/TRACK in Apache/Nginx
---
 doc/apache2/vhost.template | 4 ++++
 doc/nginx/vhost.template | 4 ++++
 2 files changed, 8 insertions(+)
diff --git a/doc/apache2/vhost.template b/doc/apache2/vhost.template
index 25348bde41..44c6bfa28a 100644
--- a/doc/apache2/vhost.template
+++ b/doc/apache2/vhost.template
@@ -73,6 +73,10 @@ RewriteEngine On
+    # Make sure TRACE and TRACK methods are denied
+    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
+    RewriteRule .* - [F]
+
     # For FastCGI mode or when using PHP-FPM, to get basic auth working.
     RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
diff --git a/doc/nginx/vhost.template b/doc/nginx/vhost.template
index a1d47665d6..df1e50fdbe 100644
--- a/doc/nginx/vhost.template
+++ b/doc/nginx/vhost.template
@@ -6,6 +6,10 @@ server {
     root %BASEDIR%/web;
+    if ($request_method ~ ^(TRACE|TRACK)$) {
+        return 405;
+    }
+
     # Additional Assetic rules
     ## Don't forget to run php bin/console assetic:dump --env=prod
     ## and make sure to comment these out in DEV environment.
From a43195d3312758a5b88ba07287bab29f080616cf Mon Sep 17 00:00:00 2001
From: Gunnstein Lye <289744+glye@users.noreply.github.com>
Date: Wed, 13 Jul 2022 17:05:29 +0200
Subject: [PATCH 2/2] Case insensitive matching. Added doc for Nginx.
---
 doc/apache2/vhost.template | 2 +-
 doc/nginx/vhost.template | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/doc/apache2/vhost.template b/doc/apache2/vhost.template
index 44c6bfa28a..be6777a0f3 100644
--- a/doc/apache2/vhost.template
+++ b/doc/apache2/vhost.template
@@ -74,7 +74,7 @@ RewriteEngine On
     # Make sure TRACE and TRACK methods are denied
-    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
+    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) [NC]
     RewriteRule .* - [F]
     # For FastCGI mode or when using PHP-FPM, to get basic auth working.
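Review bot: `RewriteRule .* - [F]` answers a TRACE request with 403, while the nginx template in the same commit answers 405, so the two front ends now disagree on the status returned for the same denied method. Apache has a dedicated core directive for exactly this, `TraceEnable off` (available since 2.0.55, valid in server and virtual-host context), which rejects TRACE with 405 and keeps working even if mod_rewrite is not loaded or `RewriteEngine` is later switched off; consider adding it alongside the rewrite pair, or using it instead. The rewrite pair remains reasonable as belt-and-braces for TRACK, which Apache does not implement anyway (to my knowledge an unknown method is already rejected with 501).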
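Review bot: nginx does not implement TRACE and, to my knowledge, already rejects it with 405 while processing the request header, so the added `if` block is only load-bearing for TRACK; that is worth recording so that nobody later removes the block as redundant or, conversely, treats it as the sole control. Using `if` in `server` context is safe here (the well-known caveats concern `if` inside `location`), and `return 405` matches what nginx does natively, so the block itself is fine as written.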
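Review bot: The new condition `RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) [NC]` is anchored only at the start, while the nginx counterpart uses `^(TRACE|TRACK)$`; writing it as `RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)$ [NC]` makes the two templates deny the same set of methods. HTTP method names are case-sensitive (RFC 7231 §4.1) and Apache appears to look methods up case-sensitively, so a lowercase `trace` would not have reached the TRACE handler in the first place; `[NC]` is therefore a harmless widening rather than a bypass fix, which the commit message could state so that readers do not infer an earlier vulnerability.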
diff --git a/doc/nginx/vhost.template b/doc/nginx/vhost.template
index df1e50fdbe..e73073ab1c 100644
--- a/doc/nginx/vhost.template
+++ b/doc/nginx/vhost.template
@@ -6,7 +6,8 @@ server {
     root %BASEDIR%/web;
-    if ($request_method ~ ^(TRACE|TRACK)$) {
+    # Make sure TRACE and TRACK methods are denied
+    if ($request_method ~* ^(TRACE|TRACK)$) {
         return 405;
     }