[QPID-8593] [Broker-J] Header validation in management-http plugin - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Minor
Resolution: Implemented
Affects Version/s: qpid-java-broker-8.0.6
Fix Version/s: qpid-java-broker-9.0.0
Component/s: Broker-J
Labels:
None

Description

The method accept() in RestServlet.java (HTTP management plugin) includes unvalidated data in an HTTP response header. This enables attacks such as cache-poisoning, cross-site scripting, cross-user defacement, page hijacking, cookie manipulation or open redirect.

Same issue affects method setContentDispositionHeaderIfNecessary() in AbstractServlet.java.

Appropriate validation should be added.

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Daniil Kirilyuk

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 11/Jul/22 06:09

Updated:: 11/Nov/22 12:25

Resolved:: 27/Oct/22 13:26