Posted to dev@qpid.apache.org by "David Lovely (JIRA)" <ji...@apache.org> on 2014/11/06 22:42:33 UTC
[jira] [Created] (QPID-6217) Java broker should not accept HTTP TRACE requests
David Lovely created QPID-6217:
----------------------------------
Summary: Java broker should not accept HTTP TRACE requests
Key: QPID-6217
URL: https://issues.apache.org/jira/browse/QPID-6217
Project: Qpid
Issue Type: Bug
Components: Java Broker
Affects Versions: 0.30
Reporter: David Lovely
Attachments: TRACE.patch
The QPID Java broker responds to HTTP TRACE requests with a response code of 200. A common practice for better security is to return a 403 or 405 code for TRACE requests. By default Jetty version 6.1 and greater disable this, but the embedded Jetty server in the QPID broker is allowing TRACE requests to be processed. Attached is a patch that returns 403 when TRACE is used. For example,
Current response from a TRACE command:
curl -v -X TRACE localhost:8080
> TRACE / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.13.6.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: localhost:8080
> Accept: */*
>
< HTTP/1.1 200 OK
< Set-Cookie: JSESSIONID_8080=1uynrboshethkwzejaau1wq52;Path=/
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Content-Type: message/http
< Content-Length: 169
< Server: Jetty(8.1.14.v20131031)
After the attached patch was applied:
curl -v -X TRACE localhost:8080
> TRACE / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.13.6.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: localhost:8080
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< Cache-Control: must-revalidate,no-cache,no-store
< Content-Type: text/html;charset=ISO-8859-1
< Content-Length: 1267
< Server: Jetty(8.1.14.v20131031)
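As an added example (not part of this issue or its attached TRACE.patch), the following Python script classifies a TRACE response the way the two curl transcripts above are read: a 200 with Content-Type message/http is the server echoing the request back, while 403 or 405 means TRACE is refused. The probe_trace function sends the same TRACE / request to a live host and port of your choosing; the constructed BEFORE_PATCH and AFTER_PATCH responses reproduce the headers shown above.

```python
import http.client
from typing import Optional, Tuple

ACCEPTED, REJECTED, UNEXPECTED = "accepted", "rejected", "unexpected"


def classify_trace_response(status: int, content_type: Optional[str]) -> str:
    """Map a TRACE response to a verdict.

    200 with message/http is the TRACE echo: the server reflected the request
    headers back to the caller, which is the behaviour the report objects to.
    403 and 405 are the codes the report recommends instead.
    """
    if status == 200 and (content_type or "").lower().startswith("message/http"):
        return ACCEPTED
    if status in (403, 405):
        return REJECTED
    return UNEXPECTED


def parse_raw_response(raw: bytes) -> Tuple[int, Optional[str]]:
    """Extract the status code and Content-Type from a raw HTTP/1.1 response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    content_type = None
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-type":
            content_type = value.strip()
    return status, content_type


def probe_trace(host: str, port: int, timeout: float = 5.0) -> str:
    """Send TRACE / to a live HTTP listener (e.g. the broker's management port)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/")
        resp = conn.getresponse()
        return classify_trace_response(resp.status, resp.getheader("Content-Type"))
    finally:
        conn.close()


# Constructed responses mirroring the two curl transcripts in the report.
BEFORE_PATCH = (b"HTTP/1.1 200 OK\r\n"
                b"Set-Cookie: JSESSIONID_8080=1uynrboshethkwzejaau1wq52;Path=/\r\n"
                b"Content-Type: message/http\r\nContent-Length: 169\r\n"
                b"Server: Jetty(8.1.14.v20131031)\r\n\r\n")
AFTER_PATCH = (b"HTTP/1.1 403 Forbidden\r\n"
               b"Content-Type: text/html;charset=ISO-8859-1\r\n"
               b"Content-Length: 1267\r\nServer: Jetty(8.1.14.v20131031)\r\n\r\n")
```

Running the classifier on the two constructed responses yields "accepted" for the pre-patch transcript and "rejected" for the post-patch one.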
--
This message was sent by Atlassian JIRA (v6.3.4#6332)