[
https://issues.apache.org/jira/browse/QPID-6217?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14201072#comment-14201072
]
Rob Godfrey commented on QPID-6217:
-----------------------------------
Hi David,
thanks for the patch. I've applied it to trunk and also taken the opportunity to
remove the Server header identifying the Jetty version being sent in responses,
and also any stack traces sent back in error pages, to tighten things up a
little more.
> Java broker should not accept HTTP TRACE requests
> --------------------------------------------------
>
> Key: QPID-6217
> URL: https://issues.apache.org/jira/browse/QPID-6217
> Project: Qpid
> Issue Type: Bug
> Components: Java Broker
> Affects Versions: 0.30
> Reporter: David Lovely
> Assignee: Rob Godfrey
> Attachments: TRACE.patch
>
>
> The QPID Java broker responds to HTTP TRACE requests with a response code of
> 200. A common practice for better security is to return a 403 or 405 code
> for TRACE requests. By default Jetty version 6.1 and greater disable this
> but the embedded Jetty server in the QPID broker is allowing TRACE requests
> to be processed. Attached is a patch that returns 403 when TRACE is used.
> For example,
> Current response from a TRACE command:
> curl -v -X TRACE localhost:8080
> > TRACE / HTTP/1.1
> > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7
> > NSS/3.13.6.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> > Host: localhost:8080
> > Accept: */*
> >
> < HTTP/1.1 200 OK
> < Set-Cookie: JSESSIONID_8080=1uynrboshethkwzejaau1wq52;Path=/
> < Expires: Thu, 01 Jan 1970 00:00:00 GMT
> < Content-Type: message/http
> < Content-Length: 169
> < Server: Jetty(8.1.14.v20131031)
> After the attached patch was applied:
> curl -v -X TRACE localhost:8080
> > TRACE / HTTP/1.1
> > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7
> > NSS/3.13.6.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> > Host: localhost:8080
> > Accept: */*
> >
> < HTTP/1.1 403 Forbidden
> < Cache-Control: must-revalidate,no-cache,no-store
> < Content-Type: text/html;charset=ISO-8859-1
> < Content-Length: 1267
> < Server: Jetty(8.1.14.v20131031)
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
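As an added illustration, not the Qpid broker's code and not the attached TRACE.patch (which is not shown here): a minimal Python HTTP server that refuses TRACE with 405 and omits the Server banner, plus a client check that mirrors the curl test in the report. Python's http.server stands in for the embedded Jetty, and the loopback address and ephemeral port are chosen by the example.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

ALLOWED = ("GET", "HEAD")  # methods this demo server actually serves


class NoTraceHandler(BaseHTTPRequestHandler):
    """Stand-in for the embedded HTTP layer: TRACE rejected, no Server banner."""

    def send_response(self, code, message=None):
        # Status line and Date only; the default would add "Server: BaseHTTP/..."
        # (the Jetty version banner removed in the comment above is the same idea).
        self.log_request(code)
        self.send_response_only(code, message)
        self.send_header("Date", self.date_time_string())

    def do_GET(self):
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_TRACE(self):
        # Refuse instead of echoing the request back (RFC 7231 requires Allow on 405).
        self.send_response(405)
        self.send_header("Allow", ", ".join(ALLOWED))
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet


def check_trace(host, port):
    """Send TRACE like the curl test; return (status, Server header, Allow header)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("TRACE", "/")
    resp = conn.getresponse()
    resp.read()
    result = (resp.status, resp.getheader("Server"), resp.getheader("Allow"))
    conn.close()
    return result


def trace_rejected(status):
    """True when the server answers TRACE the way the report recommends."""
    return status in (403, 405)


def run_demo():
    """Start the hardened server on an ephemeral loopback port and probe it."""
    srv = HTTPServer(("127.0.0.1", 0), NoTraceHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return check_trace(*srv.server_address)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(run_demo())
```

Pointing check_trace at a real broker's management port reproduces the curl test from the report; a 200 with Content-Type message/http means TRACE is still being reflected.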