qpid-dev mailing list archives

From "ASF subversion and git services (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (QPID-6217) Java broker should not accept HTTP TRACE requests
Date Thu, 06 Nov 2014 22:24:34 GMT

    [ https://issues.apache.org/jira/browse/QPID-6217?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14201064#comment-14201064 ]

ASF subversion and git services commented on QPID-6217:
-------------------------------------------------------

Commit 1637246 from [~godfrer] in branch 'qpid/trunk'
[ https://svn.apache.org/r1637246 ]

QPID-6217 : [Java Broker] disable HTTP TRACE requests, also hide server implementation details
and stack traces from output

> Java broker should not accept HTTP TRACE requests 
> --------------------------------------------------
>
>                 Key: QPID-6217
>                 URL: https://issues.apache.org/jira/browse/QPID-6217
>             Project: Qpid
>          Issue Type: Bug
>          Components: Java Broker
>    Affects Versions: 0.30
>            Reporter: David Lovely
>            Assignee: Rob Godfrey
>         Attachments: TRACE.patch
>
>
> The QPID Java broker responds to HTTP TRACE requests with a response code of 200.  A common practice for better security is to return a 403 or 405 code for TRACE requests.  By default Jetty version 6.1 and greater disable this but the embedded Jetty server in the QPID broker is allowing TRACE requests to be processed. Attached is a patch that returns 403 when TRACE is used.  For example,
> Current response from a TRACE command: 
> curl -v -X TRACE localhost:8080
> > TRACE / HTTP/1.1
> > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.13.6.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> > Host: localhost:8080
> > Accept: */*
> >
> < HTTP/1.1 200 OK
> < Set-Cookie: JSESSIONID_8080=1uynrboshethkwzejaau1wq52;Path=/
> < Expires: Thu, 01 Jan 1970 00:00:00 GMT
> < Content-Type: message/http
> < Content-Length: 169
> < Server: Jetty(8.1.14.v20131031)
> After the attached patch was applied:
> curl -v -X TRACE localhost:8080
> > TRACE / HTTP/1.1
> > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.13.6.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> > Host: localhost:8080
> > Accept: */*
> >
> < HTTP/1.1 403 Forbidden
> < Cache-Control: must-revalidate,no-cache,no-store
> < Content-Type: text/html;charset=ISO-8859-1
> < Content-Length: 1267
> < Server: Jetty(8.1.14.v20131031)



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org
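The before/after behaviour described in the issue, as an added example that is not part of the Qpid broker, the attached TRACE.patch or Jetty: a deliberately permissive handler that echoes TRACE back as message/http (the 200 case above, including any cookie or Authorization header the client sent), a hardened handler that refuses TRACE and stops naming its implementation in the Server header, and a probe that reports what a given host:port does. The handler names, the "Broker" product token and the canary header are assumptions made for the example; the probe can be pointed at a real broker's HTTP port. The hardened handler answers 405 with an Allow header rather than the 403 the patch uses, since 405 is the status that says "method not supported here"; either closes the hole.

```python
"""Added example (not Qpid/Jetty code): a TRACE probe plus a constructed
echoing ('before') handler and a hardened ('after') handler."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class EchoingHandler(BaseHTTPRequestHandler):
    """Constructed 'before' behaviour: TRACE is echoed back as message/http,
    so whatever the client sent (cookies, auth headers) returns in the body."""
    server_version = "Echo/1.0"   # leaks implementation, like Server: Jetty(...)

    def do_TRACE(self):
        body = (self.requestline + "\r\n" + str(self.headers)).encode("iso-8859-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Length", "2")
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):  # keep the example quiet on stderr
        pass


class HardenedHandler(EchoingHandler):
    """'After' behaviour: TRACE is refused with 405 + Allow, nothing is echoed,
    and the Server header carries a neutral product token (assumed name)."""

    def version_string(self):
        return "Broker"  # hypothetical neutral token; no version, no framework

    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET, HEAD, POST")
        self.send_header("Content-Length", "0")
        self.end_headers()


def probe_trace(host, port, marker="X-Probe-Secret"):
    """Send a TRACE carrying a canary header and report the status, the Server
    header, the Allow header, and whether the canary came back in the body."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("TRACE", "/", headers={marker: "canary-123"})
        resp = conn.getresponse()
        body = resp.read().decode("iso-8859-1", "replace")
        return {
            "status": resp.status,
            "server": resp.getheader("Server"),
            "allow": resp.getheader("Allow"),
            "echoed": "canary-123" in body,
        }
    finally:
        conn.close()


def serve(handler_cls):
    """Start handler_cls on an ephemeral loopback port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def assess(handler_cls):
    """Run one handler, probe it once, shut it down, return the probe result."""
    srv, port = serve(handler_cls)
    try:
        return probe_trace("127.0.0.1", port)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for cls in (EchoingHandler, HardenedHandler):
        print(cls.__name__, assess(cls))
```

Run the block as-is to see both results side by side, or call probe_trace("broker-host", 8080) against a real management port: a 200 with "echoed": True is the condition the issue reports, and a 403 or 405 with "echoed": False is the fixed state. The Server value in the result is the implementation-disclosure check the commit message also addresses.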

