Description of problem:
QMF opcode _query_request does not authorize against ACL. That allows any user (that can publish to the QMF exchange, create+consume from a temp. queue, ..) to get details about any broker object.

Version-Release number of selected component (if applicable):
qpid-cpp-0.22-40

How reproducible:
100%

Steps to Reproduce:
1) Start broker with any ACL file you want, with trace+:acl logging
2) run this python script:

    #!/usr/bin/python
    # Reproducer: send a raw QMF2 _query_request to the broker and print the reply.
    from qpid.messaging import Connection, Message, ReceiverError

    conn = Connection("guest/guest@localhost:5672")
    try:
        conn.open()
        ssn = conn.session()
        # QMF2 requests are addressed to the broker agent via qmf.default.direct
        snd = ssn.sender("qmf.default.direct/broker")
        # auto-deleted temporary queue the broker will answer on
        reply_to = "reply-queue; {create:always, node:{x-declare:{auto-delete:true}}}"
        rcv = ssn.receiver(reply_to)
        # query the broker object itself (package:class:name)
        content = {
            "_what": "OBJECT",
            "_object_id": {"_object_name": "org.apache.qpid.broker:broker:amqp-broker"}
        }
        request = Message(reply_to=reply_to, content=content)
        request.properties["x-amqp-0-10.app-id"] = "qmf2"
        request.properties["qmf.opcode"] = "_query_request"
        snd.send(request)
        try:
            response = rcv.fetch()
            print(response)
        except Exception as e:
            print(e)
    except ReceiverError as e:
        print(e)
    except KeyboardInterrupt:
        pass
    conn.close()

(optionally, replace _object_id by whatever object you want to query for, i.e. a queue, exchange, ..)

Actual results:
Broker provides the response and no ACL check (access queue, access method, ..) is made

Expected results:
A new ACL object "request" similar to "method" to be added, or "method" to be applied to _query_request as well.

Additional info:
It would be nice if _query_request can differentiate based on object name or type to be requested. I.e. to have the ability to allow user A to request queue Q1 but not queue Q2 and allow user B to request only exchanges.
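As an added illustration (not the reporter's script and not the qpid-cpp broker's ACL code), the following Python model shows the authorization decision the report asks for: a query request resolved against per-user, per-object-type, per-object-name rules, with a switch that reproduces the unchecked 0.22 behaviour for comparison. The rule tuple format and the RULES list are constructed here; only the QMF2 object-name layout (package:class:name) comes from the report.

```python
# Illustrative model of ACL checks for QMF2 requests. Rule syntax is an
# assumption made for this example and is NOT the broker's ACL file syntax.

QMF_OPCODE_QUERY = "_query_request"
QMF_OPCODE_METHOD = "_method_request"


def parse_object_name(object_name):
    """Split a QMF2 _object_name like 'org.apache.qpid.broker:queue:Q1'
    into (object type, object name)."""
    parts = object_name.split(":", 2)
    if len(parts) != 3:
        raise ValueError("unexpected QMF object name: %r" % object_name)
    _package, obj_type, name = parts
    return obj_type, name


def check_acl(rules, user, opcode, object_name, acl_checks_queries=True):
    """Return True if `user` may issue `opcode` against `object_name`.
    `rules` is an ordered list of (user, action, obj_type, name); action is
    'allow' or 'deny', user/obj_type/name may be '*'. First match wins,
    no match means deny. acl_checks_queries=False models the reported
    defect: _query_request bypasses the ACL entirely."""
    if opcode == QMF_OPCODE_QUERY and not acl_checks_queries:
        return True  # unchecked path described in the bug report
    if opcode not in (QMF_OPCODE_QUERY, QMF_OPCODE_METHOD):
        raise ValueError("opcode %r not modelled" % opcode)
    obj_type, name = parse_object_name(object_name)
    for rule_user, action, rule_type, rule_name in rules:
        if rule_user in (user, "*") and rule_type in (obj_type, "*") \
                and rule_name in (name, "*"):
            return action == "allow"
    return False  # default deny


# Constructed rules mirroring the "Additional info" wish: A may query
# queue Q1 only, B may query any exchange but nothing else.
RULES = [("A", "allow", "queue", "Q1"), ("B", "allow", "exchange", "*")]


def demo():
    q1 = "org.apache.qpid.broker:queue:Q1"
    q2 = "org.apache.qpid.broker:queue:Q2"
    ex = "org.apache.qpid.broker:exchange:amq.direct"
    return {
        "A_Q1": check_acl(RULES, "A", QMF_OPCODE_QUERY, q1),
        "A_Q2": check_acl(RULES, "A", QMF_OPCODE_QUERY, q2),
        "B_ex": check_acl(RULES, "B", QMF_OPCODE_QUERY, ex),
        "B_Q1": check_acl(RULES, "B", QMF_OPCODE_QUERY, q1),
        "unfixed_A_Q2": check_acl(RULES, "A", QMF_OPCODE_QUERY, q2, False),
    }
```

The last entry shows why the defect matters: with the check disabled, the same user who is denied Q2 under the rules gets the query answered anyway.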
All opcodes are:

    const string protocol::HEADER_OPCODE_EXCEPTION = "_exception";
    const string protocol::HEADER_OPCODE_AGENT_LOCATE_REQUEST = "_agent_locate_request";
    const string protocol::HEADER_OPCODE_AGENT_LOCATE_RESPONSE = "_agent_locate_response";
    const string protocol::HEADER_OPCODE_AGENT_HEARTBEAT_INDICATION = "_agent_heartbeat_indication";
    const string protocol::HEADER_OPCODE_QUERY_REQUEST = "_query_request";
    const string protocol::HEADER_OPCODE_QUERY_RESPONSE = "_query_response";
    const string protocol::HEADER_OPCODE_SUBSCRIBE_REQUEST = "_subscribe_request";
    const string protocol::HEADER_OPCODE_SUBSCRIBE_RESPONSE = "_subscribe_response";
    const string protocol::HEADER_OPCODE_SUBSCRIBE_CANCEL_INDICATION = "_subscribe_cancel_indication";
    const string protocol::HEADER_OPCODE_SUBSCRIBE_REFRESH_INDICATION = "_subscribe_refresh_indication";
    const string protocol::HEADER_OPCODE_DATA_INDICATION = "_data_indication";
    const string protocol::HEADER_OPCODE_METHOD_REQUEST = "_method_request";
    const string protocol::HEADER_OPCODE_METHOD_RESPONSE = "_method_response";

Worth checking what others do as well.
Upstream review request: https://reviews.apache.org/r/22606/
Committed as r1603364.
Verified for qpid-cpp-0.30-7.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2015-0805.html