From ka...@apache.org
Subject hadoop git commit: HADOOP-13299. JMXJsonServlet is vulnerable to TRACE. (Haibo Chen via kasha)
Date Tue, 09 Aug 2016 20:47:29 GMT
Repository: hadoop
Updated Branches:
  refs/heads/branch-2 7f1879abe -> 2df34ab6e


HADOOP-13299. JMXJsonServlet is vulnerable to TRACE. (Haibo Chen via kasha)

(cherry picked from commit 85422bb7c5d3e70a49f620ba1c8800e0ba4b64f2)


Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo
Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/2df34ab6
Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/2df34ab6
Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/2df34ab6

Branch: refs/heads/branch-2
Commit: 2df34ab6e261613526bc7b8e4ef303617f89c758
Parents: 7f1879a
Author: Karthik Kambatla <kasha@cloudera.com>
Authored: Tue Aug 9 13:42:25 2016 -0700
Committer: Karthik Kambatla <kasha@cloudera.com>
Committed: Tue Aug 9 13:47:19 2016 -0700

----------------------------------------------------------------------
 .../java/org/apache/hadoop/jmx/JMXJsonServlet.java     |  9 +++++++++
 .../java/org/apache/hadoop/jmx/TestJMXJsonServlet.java | 13 +++++++++++++
 2 files changed, 22 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hadoop/blob/2df34ab6/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/jmx/JMXJsonServlet.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/jmx/JMXJsonServlet.java
b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/jmx/JMXJsonServlet.java
index 1764ecc..f59b64c 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/jmx/JMXJsonServlet.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/jmx/JMXJsonServlet.java
@@ -145,6 +145,15 @@ public class JMXJsonServlet extends HttpServlet {
   }
 
   /**
+   * Disable TRACE method to avoid TRACE vulnerability.
+   */
+  @Override
+  protected void doTrace(HttpServletRequest req, HttpServletResponse resp)
+      throws ServletException, IOException {
+    resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
+  }
+
+  /**
    * Process a GET request for the specified resource.
    * 
    * @param request
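Review bot: The 405 sent from the new `doTrace` override carries no `Allow` header, which RFC 7231 requires on a 405 response; add `resp.setHeader("Allow", "GET");` before the `resp.sendError(...)` call (the test in this commit already asserts the CORS allow-methods value is "GET", so the two would agree). The override is also per-servlet: any other servlet registered on the same HTTP server still inherits `HttpServlet.doTrace`, which echoes the request headers (including cookies and Authorization) back to the caller, so unless TRACE is already disabled at the container level elsewhere, this closes the hole only for `/jmx`. Note too that the inherited `HttpServlet.doOptions` will, as far as I can tell, keep advertising TRACE in its own `Allow` header even though the method is now rejected. The Javadoc could say what is being defended against: `/** Reject TRACE: the default HttpServlet implementation echoes request headers back to the client, enabling cross-site tracing (XST). */`. The `doGet` Javadoc this hunk cuts into continues outside the hunk.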

http://git-wip-us.apache.org/repos/asf/hadoop/blob/2df34ab6/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/jmx/TestJMXJsonServlet.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/jmx/TestJMXJsonServlet.java
b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/jmx/TestJMXJsonServlet.java
index eb67642..4fab1f7 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/jmx/TestJMXJsonServlet.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/jmx/TestJMXJsonServlet.java
@@ -24,6 +24,8 @@ import org.junit.AfterClass;
 import org.junit.BeforeClass;
 import org.junit.Test;
 
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
 import java.net.HttpURLConnection;
 import java.net.URL;
 import java.util.regex.Matcher;
@@ -81,4 +83,15 @@ public class TestJMXJsonServlet extends HttpServerFunctionalTest {
     assertEquals("GET", conn.getHeaderField(ACCESS_CONTROL_ALLOW_METHODS));
     assertNotNull(conn.getHeaderField(ACCESS_CONTROL_ALLOW_ORIGIN));
   }
+
+  @Test
+  public void testTraceRequest() throws IOException {
+    URL url = new URL(baseUrl, "/jmx");
+    HttpURLConnection conn = (HttpURLConnection) url.openConnection();
+    conn.setRequestMethod("TRACE");
+
+    assertEquals("Unexpected response code",
+        HttpServletResponse.SC_METHOD_NOT_ALLOWED, conn.getResponseCode());
+  }
+
 }
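Review bot: `testTraceRequest` only checks the status code, so it would still pass if a later change answered 405 while echoing the request headers in the body, which is the actual TRACE vulnerability; send a sentinel header with `conn.setRequestProperty("X-Trace-Probe", "secret")`, read `conn.getErrorStream()` and assert the body does not contain the sentinel. The connection is never released either; a `conn.disconnect()` in a `finally` would avoid holding the socket open for the rest of the class, though I cannot see whether the sibling tests bother. `HttpServletResponse` is imported into a client-side test solely for the 405 constant; `HttpURLConnection.HTTP_BAD_METHOD` has the same value and keeps the servlet API out of the test's imports.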

