[ 
https://issues.apache.org/jira/browse/QPID-6217?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

David Lovely updated QPID-6217:
-------------------------------
    Attachment: TRACE.patch

> Java broker should not accept HTTP TRACE requests 
> --------------------------------------------------
>
>                 Key: QPID-6217
>                 URL: https://issues.apache.org/jira/browse/QPID-6217
>             Project: Qpid
>          Issue Type: Bug
>          Components: Java Broker
>    Affects Versions: 0.30
>            Reporter: David Lovely
>         Attachments: TRACE.patch
>
>
> The QPID Java broker responds to HTTP TRACE requests with a response code of 
> 200.  A common practice for better security is to return a 403 or 405 code 
> for TRACE requests.  By default Jetty version 6.1 and greater disable this 
> but the embedded Jetty server in the QPID broker is allowing TRACE requests 
> to be processed. Attached is a patch that returns 403 when TRACE is used.  
> For example,
> Current response from a TRACE command: 
> curl -v -X TRACE localhost:8080
> > TRACE / HTTP/1.1
> > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 
> > NSS/3.13.6.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> > Host: localhost:8080
> > Accept: */*
> >
> < HTTP/1.1 200 OK
> < Set-Cookie: JSESSIONID_8080=1uynrboshethkwzejaau1wq52;Path=/
> < Expires: Thu, 01 Jan 1970 00:00:00 GMT
> < Content-Type: message/http
> < Content-Length: 169
> < Server: Jetty(8.1.14.v20131031)
> After the attached patch was applied:
> curl -v -X TRACE localhost:8080
> > TRACE / HTTP/1.1
> > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 
> > NSS/3.13.6.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> > Host: localhost:8080
> > Accept: */*
> >
> < HTTP/1.1 403 Forbidden
> < Cache-Control: must-revalidate,no-cache,no-store
> < Content-Type: text/html;charset=ISO-8859-1
> < Content-Length: 1267
> < Server: Jetty(8.1.14.v20131031)

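The ticket verifies the before/after behaviour by hand with curl. The following is an added example, not part of the ticket or of the Qpid/Jetty code, that automates that check: it sends a TRACE request, parses the status line and headers, and flags a 200 with `Content-Type: message/http` (the server echoing the request back) as "TRACE enabled" and a 403/405 as rejected. Host, port and the sample responses are constructed for illustration and modelled on the transcripts above.

```python
import socket

# Constructed sample responses, modelled on the ticket's curl transcripts
# (headers shortened, bodies omitted) - used for offline testing.
RESPONSE_BEFORE_PATCH = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: message/http\r\n"
    "Content-Length: 169\r\n"
    "Server: Jetty(8.1.14.v20131031)\r\n\r\n"
)
RESPONSE_AFTER_PATCH = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Content-Type: text/html;charset=ISO-8859-1\r\n"
    "Server: Jetty(8.1.14.v20131031)\r\n\r\n"
)

def build_trace_request(host: str, port: int) -> bytes:
    """Minimal HTTP/1.1 TRACE request, equivalent to `curl -X TRACE`."""
    return (f"TRACE / HTTP/1.1\r\nHost: {host}:{port}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")

def parse_response(raw: str):
    """Return (status_code, {lower-cased header: value}) from a raw response."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return status, headers

def classify_trace(raw: str) -> str:
    """Classify how the server handled TRACE; 403/405 is the desired outcome."""
    status, headers = parse_response(raw)
    echoed = headers.get("content-type", "").startswith("message/http")
    if status == 200 and echoed:
        return "TRACE enabled"          # request echoed back: finding
    if status in (403, 405):
        return "TRACE rejected"         # matches the patched broker
    return f"unexpected status {status}"

def check_host(host: str = "localhost", port: int = 8080, timeout: float = 5.0) -> str:
    """Send a TRACE to a live broker HTTP port (assumed host/port) and classify it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_trace_request(host, port))
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return classify_trace(b"".join(chunks).decode("iso-8859-1", "replace"))

if __name__ == "__main__":
    print(check_host())
```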


--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
