This is an automated email from the ASF dual-hosted git repository.
jbonofre pushed a commit to branch activemq-5.15.x
in repository https://gitbox.apache.org/repos/asf/activemq.git
The following commit(s) were added to refs/heads/activemq-5.15.x by this push:
new 6675ddf AMQ-7339 - Fix possible XSS attack in the HttpTunnelServlet
6675ddf is described below
commit 6675ddfe289f2fa617dcfc960a9f88ea48cba028
Author: Colm O hEigeartaigh <[email protected]>
AuthorDate: Fri Nov 8 12:04:57 2019 +0000
AMQ-7339 - Fix possible XSS attack in the HttpTunnelServlet
(cherry picked from commit 7441c6b6035e4a86d6a32b39445d75a33802ec3e)
---
.../java/org/apache/activemq/transport/http/HttpTunnelServlet.java | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git
a/activemq-http/src/main/java/org/apache/activemq/transport/http/HttpTunnelServlet.java
b/activemq-http/src/main/java/org/apache/activemq/transport/http/HttpTunnelServlet.java
index e6dc7c9..193003f 100644
---
a/activemq-http/src/main/java/org/apache/activemq/transport/http/HttpTunnelServlet.java
+++
b/activemq-http/src/main/java/org/apache/activemq/transport/http/HttpTunnelServlet.java
@@ -197,7 +197,7 @@ public class HttpTunnelServlet extends HttpServlet {
// Record the client's transport and ensure that it has not already
registered; this is thread-safe and only allows one
// thread to register the client
if (clients.putIfAbsent(clientID, answer) != null) {
- response.sendError(HttpServletResponse.SC_BAD_REQUEST, "A session
for clientID '" + clientID + "' has already been established");
+ response.sendError(HttpServletResponse.SC_BAD_REQUEST, "A session
for the given clientID has already been established");
LOG.warn("A session for clientID '" + clientID + "' has already
been established");
return null;
}
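Review bot: The `LOG.warn` call kept right after the new `sendError` still concatenates `clientID` into the log message, and the same applies to the `LOG.warn` in the `transport.isDisposed()` branch of the second hunk. Given that the commit treats this value as unsafe to echo in the response, it is presumably request-controlled, so embedded CR/LF can forge log entries and the markup can still execute in a browser-based log viewer. I would neutralise control characters before logging and switch to parameterised logging (assuming `LOG` is an SLF4J logger), e.g. `LOG.warn("A session for clientID '{}' has already been established", clientID.replaceAll("[\\r\\n]", "_"));`. A length or character-set check on `clientID` where it is first read would cover both call sites, but that code and the rest of the enclosing method are outside these hunks.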
@@ -237,7 +237,7 @@ public class HttpTunnelServlet extends HttpServlet {
// Ensure that the transport was not prematurely disposed.
if (transport.isDisposed()) {
- response.sendError(HttpServletResponse.SC_BAD_REQUEST, "The
session for clientID '" + clientID + "' was prematurely disposed");
+ response.sendError(HttpServletResponse.SC_BAD_REQUEST, "The
session for the given clientID was prematurely disposed");
LOG.warn("The session for clientID '" + clientID + "' was
prematurely disposed");
return null;
}