| Description: | The AMQP 0-8, 0-9, 0-91, and 0-10 connection handling in Apache Qpid Java might allow remote attackers to bypass authentication and consequently perform actions via vectors related to connection state logging. |
| Code with Misuse: |
class AMQPConnection_0_8 {
@Override
public void receiveConnectionOpen(AMQShortString virtualHostName,
AMQShortString capabilities,
boolean insist)
{
if(_logger.isDebugEnabled())
{
_logger.debug("RECV ConnectionOpen[" +" virtualHost: " + virtualHostName + " capabilities: " + capabilities + " insist: " + insist + " ]");
}
String virtualHostStr = AMQShortString.toString(virtualHostName);
if ((virtualHostStr != null) && virtualHostStr.charAt(0) == '/')
{
virtualHostStr = virtualHostStr.substring(1);
}
VirtualHostImpl<?,?,?> virtualHost = ((AmqpPort)getPort()).getVirtualHost(virtualHostStr);
if (virtualHost == null)
{
sendConnectionClose(AMQConstant.NOT_FOUND,
"Unknown virtual host: '" + virtualHostName + "'", 0);
}
else
{
// Check virtualhost access
if (virtualHost.getState() != State.ACTIVE)
{
String redirectHost = virtualHost.getRedirectHost(getPort());
if(redirectHost != null)
{
sendConnectionClose(0, new AMQFrame(0, new ConnectionRedirectBody(getProtocolVersion(), AMQShortString.valueOf(redirectHost), null)));
}
else
{
sendConnectionClose(AMQConstant.CONNECTION_FORCED,
"Virtual host '" + virtualHost.getName() + "' is not active", 0);
}
}
else
{
setVirtualHost(virtualHost);
try
{
if(virtualHost.authoriseCreateConnection(this))
{
MethodRegistry methodRegistry = getMethodRegistry();
AMQMethodBody responseBody = methodRegistry.createConnectionOpenOkBody(virtualHostName);
writeFrame(responseBody.generateFrame(0));
_state = ConnectionState.OPEN;
}
else
{
sendConnectionClose(AMQConstant.ACCESS_REFUSED, "Connection refused", 0);
}
}
catch (AccessControlException e)
{
sendConnectionClose(AMQConstant.ACCESS_REFUSED, e.getMessage(), 0);
}
}
}
}
}
|
