TRACE Method still allowed in Jetty

[nunofernandes]

Description:

jitsi/jitsi-meet#3712 was reverted

Steps to reproduce:

1. nmap -sV -Pn --script http-trace -p 9090 <IP_OF_JVB>

Expected behavior:

Don't have trace available

Actual behavior:

$ nmap -sV -Pn --script http-trace  -p 9090 172.17.0.4
Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-27 09:38 WEST
Nmap scan report for 172.17.0.4
Host is up (0.00047s latency).

PORT     STATE SERVICE VERSION
9090/tcp open  http    Jetty 9.4.40.v20210413
|_http-server-header: Jetty(9.4.40.v20210413)
|_http-trace: TRACE is enabled

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.32 seconds

Server information:

• Jitsi Meet version: jitsi/jvb:stable-5963
• Operating System: Docker version

Client information:

• Browser / app version: n/a
• Operating System: n/a

Additional information:

This issue was already fixed by @damencho at a1eda28 but got lost at some point later.

[bgrozev]

I don't understand it fully, but:

1. TRACE is not allowed on port 8080 (or jicofo's 8888 for that matter)
2. Any GET or POST request on 9090 returns 404/405, we only use 9090 for websockets.
3. TRACE requests on 9090 are accepted

[nunofernandes]

Yep.. The issue here is the 3. At some point jitsi wasn't allowing TRACE (patch done by @damencho in the ticket description). But at some point later, that was removed and TRACE was back and allowed.

[tizianosartori]

The issue still exsist in Jetty(11.0.10)