David Lovely created QPID-6217:
----------------------------------

             Summary: Java broker should not accept HTTP TRACE requests 
                 Key: QPID-6217
                 URL: https://issues.apache.org/jira/browse/QPID-6217
             Project: Qpid
          Issue Type: Bug
          Components: Java Broker
    Affects Versions: 0.30
            Reporter: David Lovely
         Attachments: TRACE.patch

The QPID Java broker responds to HTTP TRACE requests with a response code of 
200.  A common practice for better security is to return a 403 or 405 code for 
TRACE requests.  By default Jetty version 6.1 and greater disable this but the 
embedded Jetty server in the QPID broker is allowing TRACE requests to be 
processed. Attached is a patch that returns 403 when TRACE is used.  For 
example,

Current response from a TRACE command: 
curl -v -X TRACE localhost:8080
> TRACE / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.13.6.0 
> zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: localhost:8080
> Accept: */*
>
< HTTP/1.1 200 OK
< Set-Cookie: JSESSIONID_8080=1uynrboshethkwzejaau1wq52;Path=/
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Content-Type: message/http
< Content-Length: 169
< Server: Jetty(8.1.14.v20131031)

After the attached patch was applied:

curl -v -X TRACE localhost:8080
> TRACE / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.13.6.0 
> zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: localhost:8080
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< Cache-Control: must-revalidate,no-cache,no-store
< Content-Type: text/html;charset=ISO-8859-1
< Content-Length: 1267
< Server: Jetty(8.1.14.v20131031)




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
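A defender-side check for the misconfiguration described in this report, added here as an example (not part of the report or the attached patch): it sends one TRACE request over a plain socket, parses the status line, and flags a 2xx reply as TRACE being accepted, with 403/405 as the expected hardened result. The sample responses are constructed from the two curl transcripts above; host and port are assumptions taken from the curl command.

```python
import socket

# Constructed sample responses modelled on the two curl transcripts in the report
# (status line and headers only, bodies omitted); not captured from a live broker.
TRACE_ACCEPTED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: message/http\r\n"
    b"Content-Length: 169\r\n"
    b"Server: Jetty(8.1.14.v20131031)\r\n\r\n"
)
TRACE_REJECTED = (
    b"HTTP/1.1 403 Forbidden\r\n"
    b"Cache-Control: must-revalidate,no-cache,no-store\r\n"
    b"Content-Type: text/html;charset=ISO-8859-1\r\n"
    b"Server: Jetty(8.1.14.v20131031)\r\n\r\n"
)

def build_trace_request(host: str, port: int, path: str = "/") -> bytes:
    """Minimal HTTP/1.1 TRACE request, equivalent to `curl -X TRACE`."""
    return (f"TRACE {path} HTTP/1.1\r\nHost: {host}:{port}\r\n"
            f"Connection: close\r\n\r\n").encode("ascii")

def parse_status(raw: bytes) -> int:
    """Return the numeric status code from the first line of an HTTP response."""
    status_line = raw.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"malformed status line: {status_line!r}")
    return int(parts[1])

def assess_trace(raw: bytes) -> dict:
    """Classify a TRACE reply: a 2xx (often echoing the request back as
    message/http) is the misconfiguration; 403 or 405 is the hardened behaviour."""
    status = parse_status(raw)
    headers = raw.split(b"\r\n\r\n", 1)[0].lower()
    return {
        "status": status,
        "accepted": 200 <= status < 300,
        "echoes_request": b"content-type: message/http" in headers,
        "hardened": status in (403, 405),
    }

def check_trace(host: str = "localhost", port: int = 8080, timeout: float = 5.0) -> dict:
    """Send one TRACE request to the broker's HTTP port and assess the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_trace_request(host, port))
        raw = sock.makefile("rb").read()  # server closes after Connection: close
    return assess_trace(raw)
```

Run `check_trace()` against a broker's HTTP management port; `accepted: True` means the fix from this report (or an equivalent Jetty constraint) is not in effect.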