chukwa-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Eric Yang (Updated) (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (CHUKWA-619) Disable Trace Method on Collector's Port
Date Wed, 14 Dec 2011 21:01:31 GMT

     [ https://issues.apache.org/jira/browse/CHUKWA-619?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Eric Yang updated CHUKWA-619:
-----------------------------

    Fix Version/s: 0.5.0
    
> Disable Trace Method on Collector's Port
> ----------------------------------------
>
>                 Key: CHUKWA-619
>                 URL: https://issues.apache.org/jira/browse/CHUKWA-619
>             Project: Chukwa
>          Issue Type: Wish
>          Components: data collection
>    Affects Versions: 0.4.0
>         Environment: Debian 5.0, Hadoop 0.20
>            Reporter: Julio Conca
>            Priority: Trivial
>             Fix For: 0.5.0
>
>
> After a safety auditory of our client. He notified us the next vulnerability at port
8081 (Collector port).
> HTTP TRACE / TRACK Methods Allowed
> I think this is a good documentation over the vulnerability.
> http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf.
> We add the following code to all the collector's servlets to solve the problem.
> protected void doTrace(HttpServletRequest req, HttpServletResponse resp) throws ServletException,
IOException {
>     resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
> }
> The collector's servlets we fixed are.
> org.apache.hadoop.chukwa.datacollection.collector.servlet.CommitCheckServlet
> org.apache.hadoop.chukwa.datacollection.collector.servlet.LogDisplayServlet
> org.apache.hadoop.chukwa.datacollection.collector.servlet.ServletCollector
> Another solution could be to extend from jetty's DefaultServlet, but we didn't try. Our
solution is good enough for us.
> Regards.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message