Posted to dev@activemq.apache.org by "James Casey (JIRA)" <ji...@apache.org> on 2010/07/08 17:30:52 UTC

[jira] Created: (AMQ-2817) STOMP headers need sanitization

STOMP headers need sanitization
-------------------------------

                 Key: AMQ-2817
                 URL: https://issues.apache.org/activemq/browse/AMQ-2817
             Project: ActiveMQ
          Issue Type: Bug
          Components: Transport
    Affects Versions: 5.3.2
            Reporter: James Casey


Currently STOMP on a SEND extracts out the JMS headers and puts the rest of the headers into the message properties.  If a STOMP consumer starts to consume the messages, the JMS fields are put into the header and the properties are put in.  This can lead to a situation where if the client has provided a header that it shouldn't have (e.g. message-id) it overwrites the one provided by the broker.

This can lead to problems with e.g. ACKs where the wrong message-id is sent back.

This patch sanitizes all headers for a MESSAGE frame when they come into the broker so they never get set in the properties.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
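
The header flow described in the report above, as an added model that is not ActiveMQ code and not the attached headers.patch: it shows a client-supplied message-id surviving into the MESSAGE frame, and the same SEND with the reserved headers dropped on arrival. The header sets, function names and sample values are assumptions made for illustration.

```python
# Added model of the SEND -> MESSAGE header flow from AMQ-2817 (not ActiveMQ code).
# Both header sets are assumptions; the report itself only names message-id.
SEND_JMS_HEADERS = {"destination", "correlation-id", "reply-to", "priority", "expires"}
BROKER_OWNED = {"message-id", "subscription", "timestamp", "redelivered"}


def on_send(headers, broker_id, sanitize):
    """Broker side of SEND: split client headers into JMS fields and properties."""
    jms = {k: v for k, v in headers.items() if k in SEND_JMS_HEADERS}
    jms["message-id"] = broker_id  # identifier assigned by the broker
    props = {k: v for k, v in headers.items() if k not in SEND_JMS_HEADERS}
    dropped = []
    if sanitize:
        # Reserved MESSAGE headers never reach the properties; keep the names
        # so the broker can log which ones the client tried to set.
        dropped = sorted(k for k in props if k in BROKER_OWNED)
        for k in dropped:
            del props[k]
    return {"jms": jms, "props": props, "dropped": dropped}


def to_message_frame(stored):
    """Broker side of MESSAGE: JMS fields go in first, then the properties."""
    frame = dict(stored["jms"])
    frame.update(stored["props"])  # a colliding property overwrites the JMS field
    return frame


def ack_matches(frame, broker_id):
    """True when the id a consumer would ACK is the one the broker assigned."""
    return frame["message-id"] == broker_id


# Constructed sample input: a SEND carrying a header the client should not set.
CLIENT_SEND = {
    "destination": "/queue/orders",
    "message-id": "client-chosen-1",
    "app-key": "value",
}
BROKER_ID = "ID:broker-1:1:1:1"  # constructed placeholder

if __name__ == "__main__":
    for sanitize in (False, True):
        stored = on_send(CLIENT_SEND, BROKER_ID, sanitize)
        frame = to_message_frame(stored)
        print(sanitize, frame["message-id"], ack_matches(frame, BROKER_ID), stored["dropped"])
```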


[jira] Resolved: (AMQ-2817) STOMP headers need sanitization

Posted by "Dejan Bosanac (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/activemq/browse/AMQ-2817?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dejan Bosanac resolved AMQ-2817.
--------------------------------

         Assignee: Dejan Bosanac
    Fix Version/s: 5.4.0
       Resolution: Fixed

Patch applied (svn revision 962512) with thanks!

> STOMP headers need sanitization
> -------------------------------
>
>                 Key: AMQ-2817
>                 URL: https://issues.apache.org/activemq/browse/AMQ-2817
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: Transport
>    Affects Versions: 5.3.2
>            Reporter: James Casey
>            Assignee: Dejan Bosanac
>            Priority: Minor
>             Fix For: 5.4.0
>
>         Attachments: headers.patch
>
>
> Currently STOMP on a SEND extracts out the JMS headers and puts the rest of the headers into the message properties.  If a STOMP consumer starts to consume the messages, the JMS fields are put into the header and the properties are put in.  This can lead to a situation where if the client has provided a header that it shouldn't have (e.g. message-id) it overwrites the one provided by the broker.
> This can lead to problems with e.g. ACKs where the wrong message-id is sent back.
> This patch sanitizes all headers for a MESSAGE frame when they come into the broker so they never get set in the properties.



[jira] Updated: (AMQ-2817) STOMP headers need sanitization

Posted by "James Casey (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/activemq/browse/AMQ-2817?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

James Casey updated AMQ-2817:
-----------------------------

    Attachment: headers.patch

Patch against trunk to clean up the header along with a unit test

> STOMP headers need sanitization
> -------------------------------
>
>                 Key: AMQ-2817
>                 URL: https://issues.apache.org/activemq/browse/AMQ-2817
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: Transport
>    Affects Versions: 5.3.2
>            Reporter: James Casey
>         Attachments: headers.patch
>
>
> Currently STOMP on a SEND extracts out the JMS headers and puts the rest of the headers into the message properties.  If a STOMP consumer starts to consume the messages, the JMS fields are put into the header and the properties are put in.  This can lead to a situation where if the client has provided a header that it shouldn't have (e.g. message-id) it overwrites the one provided by the broker.
> This can lead to problems with e.g. ACKs where the wrong message-id is sent back.
> This patch sanitizes all headers for a MESSAGE frame when they come into the broker so they never get set in the properties.



[jira] Updated: (AMQ-2817) STOMP headers need sanitization

Posted by "James Casey (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/activemq/browse/AMQ-2817?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

James Casey updated AMQ-2817:
-----------------------------

    Priority: Minor  (was: Major)

> STOMP headers need sanitization
> -------------------------------
>
>                 Key: AMQ-2817
>                 URL: https://issues.apache.org/activemq/browse/AMQ-2817
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: Transport
>    Affects Versions: 5.3.2
>            Reporter: James Casey
>            Priority: Minor
>         Attachments: headers.patch
>
>
> Currently STOMP on a SEND extracts out the JMS headers and puts the rest of the headers into the message properties.  If a STOMP consumer starts to consume the messages, the JMS fields are put into the header and the properties are put in.  This can lead to a situation where if the client has provided a header that it shouldn't have (e.g. message-id) it overwrites the one provided by the broker.
> This can lead to problems with e.g. ACKs where the wrong message-id is sent back.
> This patch sanitizes all headers for a MESSAGE frame when they come into the broker so they never get set in the properties.
