[ https://issues.apache.org/jira/browse/QPID-6217?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Rob Godfrey reassigned QPID-6217:
---------------------------------

    Assignee: Rob Godfrey

> Java broker should not accept HTTP TRACE requests
> --------------------------------------------------
>
>                 Key: QPID-6217
>                 URL: https://issues.apache.org/jira/browse/QPID-6217
>             Project: Qpid
>          Issue Type: Bug
>          Components: Java Broker
>    Affects Versions: 0.30
>            Reporter: David Lovely
>            Assignee: Rob Godfrey
>         Attachments: TRACE.patch
>
>
> The QPID Java broker responds to HTTP TRACE requests with a response code of
> 200. A common practice for better security is to return a 403 or 405 code
> for TRACE requests. By default Jetty version 6.1 and greater disable this,
> but the embedded Jetty server in the QPID broker is allowing TRACE requests
> to be processed. Attached is a patch that returns 403 when TRACE is used.
>
> For example,
>
> Current response from a TRACE command:
>
> curl -v -X TRACE localhost:8080
> > TRACE / HTTP/1.1
> > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.13.6.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> > Host: localhost:8080
> > Accept: */*
> >
> < HTTP/1.1 200 OK
> < Set-Cookie: JSESSIONID_8080=1uynrboshethkwzejaau1wq52;Path=/
> < Expires: Thu, 01 Jan 1970 00:00:00 GMT
> < Content-Type: message/http
> < Content-Length: 169
> < Server: Jetty(8.1.14.v20131031)
>
> After the attached patch was applied:
>
> curl -v -X TRACE localhost:8080
> > TRACE / HTTP/1.1
> > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.13.6.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> > Host: localhost:8080
> > Accept: */*
> >
> < HTTP/1.1 403 Forbidden
> < Cache-Control: must-revalidate,no-cache,no-store
> < Content-Type: text/html;charset=ISO-8859-1
> < Content-Length: 1267
> < Server: Jetty(8.1.14.v20131031)

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org
For additional commands, e-mail: dev-h...@qpid.apache.org
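The ticket's check is a hand-run `curl -v -X TRACE`, and the symptom it documents is a 200 with a `message/http` body, which is the server echoing the request back. The example below is an added illustration, not code from the Qpid broker, from Jetty or from the attached TRACE.patch. It pairs a portable probe with two constructed stand-in handlers: one that reproduces the reported behaviour (200 plus echo) and a hardened one that answers 405 with an `Allow` header, the RFC 7231 response for a method the resource does not support (the ticket's patch chose 403; either denies the method). The probe adds a marker header and reports whether it came back in the body, because header reflection is what makes an enabled TRACE useful to an attacker (cross-site tracing). Host, port, the `X-Probe` marker and the `Allow` list are assumptions for the demo.

```python
"""Probe an HTTP endpoint for TRACE handling and show a rejecting handler.

Added example; the handlers are constructed stand-ins, not the Qpid broker's
embedded Jetty or the ticket's patch.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class TraceEchoHandler(BaseHTTPRequestHandler):
    """Reproduces the reported behaviour: TRACE is answered with 200 and the
    request line and headers are echoed back as message/http."""

    def do_TRACE(self):
        echo = self.raw_requestline + b"".join(
            f"{k}: {v}\r\n".encode("latin-1") for k, v in self.headers.items()
        ) + b"\r\n"
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(echo)))
        self.end_headers()
        self.wfile.write(echo)

    def log_message(self, *args):  # keep the demo quiet
        pass


class TraceRejectHandler(TraceEchoHandler):
    """Hardened variant: 405 Method Not Allowed plus an Allow header listing
    the methods that are supported (assumed list for the demo)."""

    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET, HEAD, POST")
        self.send_header("Content-Length", "0")
        self.end_headers()


def serve(handler):
    """Start `handler` on an ephemeral loopback port; returns (server, port)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def probe_trace(host, port, marker="X-Probe", value="trace-check", timeout=5):
    """Send TRACE / carrying a marker header and classify the reply.

    trace_enabled: the server accepted the method (status 200).
    echoes_headers: the marker header came back in the body, i.e. the server
    reflects arbitrary request headers to the caller.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers={marker: value})
        resp = conn.getresponse()
        body = resp.read()
    finally:
        conn.close()
    echoed = f"{marker}: {value}".encode("latin-1") in body
    return {
        "status": resp.status,
        "content_type": resp.getheader("Content-Type"),
        "allow": resp.getheader("Allow"),
        "trace_enabled": resp.status == 200,
        "echoes_headers": echoed,
    }


if __name__ == "__main__":
    for name, handler in (("vulnerable", TraceEchoHandler),
                          ("hardened", TraceRejectHandler)):
        srv, port = serve(handler)
        print(name, probe_trace("127.0.0.1", port))
        srv.shutdown()
        srv.server_close()
```

Pointed at a real broker, `probe_trace(host, port)` gives the same verdict as the ticket's curl run but in a form that can sit in a post-deploy check: a result with `trace_enabled` True is the pre-patch state, and `echoes_headers` True is the part worth fixing, since it is what lets a TRACE response be used to read headers the browser would otherwise keep from script.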