Qpid / QPID-8552

[Broker-J] Http management interface should ignore OPTIONS command


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: qpid-java-broker-8.0.5
    • Fix Version/s: qpid-java-broker-8.0.6
    • Component/s: Broker-J
    • Labels:
      None
    • Flags:
      Patch

      Description

      Many security scanning tools flag HTTP ports that respond to the OPTIONS command.

      Broker-J already blocks the TRACE command; it should also block the OPTIONS command.

      There are various ways of configuring Jetty to do this, but I have attached a patch that mirrors the filter that blocks TRACE.

       

        Attachments

        1. forbid-options.patch
          5 kB
          Tom Jordahl
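A way to check the behaviour the description asks for: probe a port with OPTIONS and TRACE and list the methods it still answers. This is an added example, not the attached patch or Broker-J code; the two handlers are constructed stand-ins for the management port before and after the fix, and the 403 status they return is an assumption.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
def probe(host, port, methods=("OPTIONS", "TRACE"), path="/"):
    """Send each method once; return {method: (status, Allow header)}."""
    results = {}
    for method in methods:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        try:
            conn.request(method, path)
            resp = conn.getresponse()
            resp.read()
            results[method] = (resp.status, resp.getheader("Allow"))
        finally:
            conn.close()
    return results

def answered(results):
    """Methods answered with 2xx, i.e. the ones a scanner would flag."""
    return sorted(m for m, (status, _) in results.items() if 200 <= status < 300)

class BeforeFix(BaseHTTPRequestHandler):  # constructed: TRACE refused, OPTIONS answered
    def log_message(self, *args):  # silence per-request logging
        pass
    def reply(self, status, allow=None):
        self.send_response(status)
        if allow:
            self.send_header("Allow", allow)
        self.send_header("Content-Length", "0")
        self.end_headers()
    def do_OPTIONS(self):
        self.reply(200, allow="GET, HEAD, POST, OPTIONS")
    def do_TRACE(self):
        self.reply(403)  # assumed status; the page only says TRACE is blocked

class AfterFix(BeforeFix):  # constructed: OPTIONS refused the same way as TRACE
    def do_OPTIONS(self):
        self.reply(403)

def check(handler):
    server = HTTPServer(("127.0.0.1", 0), handler)  # port 0: any free loopback port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe("127.0.0.1", server.server_port)
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print({h.__name__: answered(check(h)) for h in (BeforeFix, AfterFix)})
```

To check a real broker, call `probe()` with the host and port of its HTTP management interface; an empty list from `answered()` means neither method was answered with a 2xx status.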


            People

            • Assignee:
              orudyy Alex Rudyy
              Reporter:
              tomj Tom Jordahl