#include "nsapi.h"	/* NSAPI definitions */

/*
	PW-strip-trace.so

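   NSAPI SAF that strips the Authorization and Cookie headers from
   TRACE requests so that the server's TRACE response cannot echo them
   back to the HTTP client. This guards against session hijacking and
   other cross-site tracing (XST) information theft; see
    http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf 
   Only these two headers are removed; any other request header is
   left in place.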

   Usage:
   At the beginning of obj.conf:
      Init fn=load-modules shlib=PW_strip_trace.so funcs=PW-strip-trace
   Inside an object in obj.conf (before other NameTrans calls, preferably
   at the top of the Default object stanza)
      NameTrans fn=PW-strip-trace
 */
 
/*
 * PW_strip_trace - NameTrans SAF that scrubs credential-bearing headers
 * from TRACE requests before later stages of request processing run.
 *
 * pb  SAF parameter block (not read by this function)
 * sn  current session (not read by this function)
 * rq  current request; rq->reqpb supplies the "method" value and
 *     rq->headers is modified in place for TRACE requests
 *
 * Always returns REQ_NOACTION, so this SAF never ends the NameTrans
 * stage itself; it only has the side effect of removing headers.
 *
 * NOTE(review): only "cookie" and "authorization" are removed. Any other
 * header that carries a secret (for example a proxy credential or a
 * site-specific token header) is untouched here. Where TRACE is not
 * needed at all, rejecting the method outright is the broader mitigation.
 */
NSAPI_PUBLIC int PW_strip_trace(pblock *pb, Session *sn, Request *rq)
{
    const char *method = pblock_findval("method", rq->reqpb);

    /* The comparison is case-sensitive: only the exact token "TRACE"
     * triggers the scrub. A request with no method value is left alone. */
    if (method != NULL && strcmp(method, "TRACE") == 0) {
        /* pblock_remove detaches the entry and param_free releases it.
         * NOTE(review): this relies on param_free tolerating the result
         * of pblock_remove when the header is absent - confirm against
         * the NSAPI version in use.
         * NOTE(review): each call removes one entry by name; presumably
         * repeated headers are already folded into one entry - verify. */
        param_free(pblock_remove("cookie", rq->headers));
        param_free(pblock_remove("authorization", rq->headers));
    }

    return REQ_NOACTION;
}




