David Lovely created QPID-6217: ---------------------------------- Summary: Java broker should not accept HTTP TRACE requests Key: QPID-6217 URL: https://issues.apache.org/jira/browse/QPID-6217 Project: Qpid Issue Type: Bug Components: Java Broker Affects Versions: 0.30 Reporter: David Lovely Attachments: TRACE.patch
The QPID Java broker responds to HTTP TRACE requests with a response code of 200. A common practice for better security is to return a 403 or 405 code for TRACE requests. By default Jetty version 6.1 and greater disable this but the embedded Jetty server in the QPID broker is allowing TRACE requests to be processed. Attached is a patch that returns 403 when TRACE is used. For example, Current reponse from a TRACE command: curl -v -X TRACE localhost:8080 > TRACE / HTTP/1.1 > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.13.6.0 > zlib/1.2.3 libidn/1.18 libssh2/1.4.2 > Host: localhost:8080 > Accept: */* > < HTTP/1.1 200 OK < Set-Cookie: JSESSIONID_8080=1uynrboshethkwzejaau1wq52;Path=/ < Expires: Thu, 01 Jan 1970 00:00:00 GMT < Content-Type: message/http < Content-Length: 169 < Server: Jetty(8.1.14.v20131031) After the attached patch was applied: curl -v -X TRACE localhost:8080 > TRACE / HTTP/1.1 > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.13.6.0 > zlib/1.2.3 libidn/1.18 libssh2/1.4.2 > Host: localhost:8080 > Accept: */* > < HTTP/1.1 403 Forbidden < Cache-Control: must-revalidate,no-cache,no-store < Content-Type: text/html;charset=ISO-8859-1 < Content-Length: 1267 < Server: Jetty(8.1.14.v20131031) -- This message was sent by Atlassian JIRA (v6.3.4#6332) --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org For additional commands, e-mail: dev-h...@qpid.apache.org