JFinal project vulnerability: HTTP TRACE / TRACK Methods All
wooofooo
2020-09-15 14:18
The project uses JFinal and has already been upgraded to the latest version. Scanning it with Nessus reports the vulnerability "HTTP TRACE / TRACK Methods All".
Below is the backend log from the scan:
Project: JFinal
Comments
zhangtianxiao
2020-09-15 17:51
........
zeroabc
2020-09-16 11:24
Bro, I am getting a similar vulnerability report here as well. Is there a fix?
zeroabc
2020-09-18 16:36
@JFinal
How can this HTTP TRACE method be turned off?
zeroabc
2020-09-18 17:10
Looking at this post, it seems to offer an approach: https://blog.csdn.net/nklinsirui/article/details/108540403
zeroabc
2020-09-18 19:05
@JFinal
It worked!! Boss Zhan is awesome! Add the following code before undertow.start();

    import io.undertow.server.HandlerWrapper;
    import io.undertow.server.HttpHandler;
    import io.undertow.server.handlers.DisallowedMethodsHandler;
    import io.undertow.util.HttpString;

    // Wrap the deployment's handler chain so TRACE and TRACK are answered
    // with 405 Method Not Allowed before the request ever reaches JFinal
    undertow.onDeploy((classLoader, deploymentInfo) -> {
        deploymentInfo.addInitialHandlerChainWrapper(new HandlerWrapper() {
            @Override
            public HttpHandler wrap(HttpHandler handler) {
                HttpString[] disallowedHttpMethods = { HttpString.tryFromString("TRACE"),
                        HttpString.tryFromString("TRACK") };
                return new DisallowedMethodsHandler(handler, disallowedHttpMethods);
            }
        });
    });
zeroabc
2020-09-18 19:05
C:\WINDOWS\system32>curl -v -X TRACE http://localhost/check/captcha
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 80 (#0)
> TRACE /check/captcha HTTP/1.1
> Host: localhost
> User-Agent: curl/7.55.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Cache-Control: no-cache
< Set-Cookie: JSESSIONID=4-YBgJ5YFXMSSVkquALBZ1m3lMO9L-ynaPGJ601D; path=/
< Server: JFinal
< Pragma: no-cache
< Date: Fri, 18 Sep 2020 08:45:44 GMT
< Connection: keep-alive
< Transfer-Encoding: chunked
< Content-Type: image/jpeg
<
Warning: Binary output can mess up your terminal. Use "--output -" to tell
Warning: curl to output it to your terminal anyway, or consider "--output
Warning: " to save to a file.
* Failed writing body (0 != 1365)
* Failed writing data
* Closing connection 0
↓ after the change ↓
C:\WINDOWS\system32>curl -v -X TRACE http://localhost/check/captcha
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 80 (#0)
> TRACE /check/captcha HTTP/1.1
> Host: localhost
> User-Agent: curl/7.55.1
> Accept: */*
>
< HTTP/1.1 405 Method Not Allowed
< Connection: keep-alive
< Server: JFinal
< Content-Length: 0
< Date: Fri, 18 Sep 2020 09:05:24 GMT
<
* Connection #0 to host localhost left intact
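A verification check for the two curl transcripts above, added here as an example and not code posted in this thread: it classifies a server's answer to a TRACE/TRACK probe so the fix can be re-checked across many endpoints. The probe() helper, its host/port/path parameters and the sample responses are assumptions constructed for the example.

```python
# Added example (not from the thread): classify a server's answer to an
# HTTP TRACE / TRACK probe. Assumes plain HTTP and that the raw response
# head (status line + headers) is available, e.g. from curl -v.
import http.client
from typing import Dict, Tuple


def parse_response_head(raw: str) -> Tuple[int, Dict[str, str]]:
    """Split a raw HTTP/1.1 response into (status_code, lower-cased headers)."""
    sep = "\r\n\r\n" if "\r\n\r\n" in raw else "\n\n"
    head = raw.split(sep, 1)[0]
    lines = [ln for ln in head.splitlines() if ln.strip()]
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return status, headers


def assess_trace(raw: str) -> str:
    """
    "blocked" - 405/501: the method is rejected (what the scanner wants to see)
    "echoed"  - 200 with Content-Type message/http: a genuine TRACE echo
    "served"  - other 2xx/3xx: TRACE was routed like a normal request, as in
                the first transcript (200 + image/jpeg); still flagged as enabled
    """
    status, headers = parse_response_head(raw)
    if status in (405, 501):
        return "blocked"
    if status == 200 and headers.get("content-type", "").startswith("message/http"):
        return "echoed"
    if 200 <= status < 400:
        return "served"
    return "other"


def probe(host: str, port: int = 80, path: str = "/", method: str = "TRACE") -> str:
    """Send one probe over the network and classify the answer (hypothetical helper)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request(method, path, headers={"Host": host})
    resp = conn.getresponse()
    raw = "HTTP/1.1 %d %s\r\n" % (resp.status, resp.reason)
    raw += "".join("%s: %s\r\n" % kv for kv in resp.getheaders()) + "\r\n"
    conn.close()
    return assess_trace(raw)


# Constructed samples mirroring the two curl transcripts in this thread.
BEFORE_FIX = "HTTP/1.1 200 OK\r\nServer: JFinal\r\nContent-Type: image/jpeg\r\n\r\n"
AFTER_FIX = "HTTP/1.1 405 Method Not Allowed\r\nServer: JFinal\r\nContent-Length: 0\r\n\r\n"
```

Run probe() against each route for both "TRACE" and "TRACK" after deploying the handler; every result should be "blocked".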
zuotiehua
2020-12-03 11:47
@zeroabc
I still cannot fix it with the code above. How exactly should this vulnerability be resolved?
轩恒
2022-07-24 16:36
@zeroabc
Could you elaborate on how exactly "add the following code before undertow.start();" is implemented?