Uploaded image for project: 'Qpid'
  1. Qpid
  2. QPID-8593

[Broker-J] Header validation in management-http plugin

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Open
    • Minor
    • Resolution: Unresolved
    • qpid-java-broker-8.0.6
    • None
    • Broker-J
    • None

    Description

      The method accept() in RestServlet.java (HTTP management plugin) includes unvalidated data in an HTTP response header. This enables attacks such as cache-poisoning, cross-site scripting, cross-user defacement, page hijacking, cookie manipulation or open redirect.

      Same issue affects method setContentDispositionHeaderIfNecessary() in AbstractServlet.java.

      Appropriate validation should be added.

      Attachments

        Activity

          People

            Unassigned Unassigned
            daniel.kirilyuk Daniil Kirilyuk
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated: