You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@qpid.apache.org by "ASF subversion and git services (JIRA)" <ji...@apache.org> on 2014/11/06 23:24:34 UTC

[jira] [Commented] (QPID-6217) Java broker should not accept HTTP TRACE requests

    [ https://issues.apache.org/jira/browse/QPID-6217?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14201064#comment-14201064 ] 

ASF subversion and git services commented on QPID-6217:
-------------------------------------------------------

Commit 1637246 from [~godfrer] in branch 'qpid/trunk'
[ https://svn.apache.org/r1637246 ]

QPID-6217 : [Java Broker] disable HTTP TRACE requests, also hide server implementation details and stack traces from output

> Java broker should not accept HTTP TRACE requests 
> --------------------------------------------------
>
>                 Key: QPID-6217
>                 URL: https://issues.apache.org/jira/browse/QPID-6217
>             Project: Qpid
>          Issue Type: Bug
>          Components: Java Broker
>    Affects Versions: 0.30
>            Reporter: David Lovely
>            Assignee: Rob Godfrey
>         Attachments: TRACE.patch
>
>
> The QPID Java broker responds to HTTP TRACE requests with a response code of 200.  A common practice for better security is to return a 403 or 405 code for TRACE requests.  By default Jetty version 6.1 and greater disable this but the embedded Jetty server in the QPID broker is allowing TRACE requests to be processed. Attached is a patch that returns 403 when TRACE is used.  For example,
> Current reponse from a TRACE command: 
> curl -v -X TRACE localhost:8080
> > TRACE / HTTP/1.1
> > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.13.6.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> > Host: localhost:8080
> > Accept: */*
> >
> < HTTP/1.1 200 OK
> < Set-Cookie: JSESSIONID_8080=1uynrboshethkwzejaau1wq52;Path=/
> < Expires: Thu, 01 Jan 1970 00:00:00 GMT
> < Content-Type: message/http
> < Content-Length: 169
> < Server: Jetty(8.1.14.v20131031)
> After the attached patch was applied:
> curl -v -X TRACE localhost:8080
> > TRACE / HTTP/1.1
> > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.13.6.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> > Host: localhost:8080
> > Accept: */*
> >
> < HTTP/1.1 403 Forbidden
> < Cache-Control: must-revalidate,no-cache,no-store
> < Content-Type: text/html;charset=ISO-8859-1
> < Content-Length: 1267
> < Server: Jetty(8.1.14.v20131031)



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org