Return-Path: 
 <common-issues-return-103102-apmail-hadoop-common-issues-archive=hadoop.apache.org@hadoop.apache.org>
X-Original-To: apmail-hadoop-common-issues-archive@minotaur.apache.org
Delivered-To: apmail-hadoop-common-issues-archive@minotaur.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id 62601186A3
	for <apmail-hadoop-common-issues-archive@minotaur.apache.org>;
 Wed,  3 Feb 2016 18:54:41 +0000 (UTC)
Received: (qmail 59112 invoked by uid 500); 3 Feb 2016 18:54:40 -0000
Delivered-To: apmail-hadoop-common-issues-archive@hadoop.apache.org
Received: (qmail 58961 invoked by uid 500); 3 Feb 2016 18:54:40 -0000
Mailing-List: contact common-issues-help@hadoop.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:common-issues-help@hadoop.apache.org>
List-Unsubscribe: <mailto:common-issues-unsubscribe@hadoop.apache.org>
List-Post: <mailto:common-issues@hadoop.apache.org>
List-Id: <common-issues.hadoop.apache.org>
Reply-To: common-issues@hadoop.apache.org
Delivered-To: mailing list common-issues@hadoop.apache.org
Received: (qmail 58515 invoked by uid 99); 3 Feb 2016 18:54:40 -0000
Received: from arcas.apache.org (HELO arcas) (140.211.11.28)
    by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 03 Feb 2016 18:54:40 +0000
Received: from arcas.apache.org (localhost [127.0.0.1])
	by arcas (Postfix) with ESMTP id 04A262C0AFA
	for <common-issues@hadoop.apache.org>; Wed,  3 Feb 2016 18:54:40 +0000 (UTC)
Date: Wed, 3 Feb 2016 18:54:40 +0000 (UTC)
From: "Vinod Kumar Vavilapalli (JIRA)" <jira@apache.org>
To: common-issues@hadoop.apache.org
Message-ID: <JIRA.12935963.1454420339000.290907.1454525680015@Atlassian.JIRA>
In-Reply-To: <JIRA.12935963.1454420339000@Atlassian.JIRA>
References: <JIRA.12935963.1454420339000@Atlassian.JIRA>
 <JIRA.12935963.1454420339909@arcas>
Subject: [jira] [Updated] (HADOOP-12758) Extend CSRF Filter with UserAgent
 Checks
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394


     [ https://issues.apache.org/jira/browse/HADOOP-12758?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Vinod Kumar Vavilapalli updated HADOOP-12758:
---------------------------------------------
    Fix Version/s:     (was: 2.8.0)

> Extend CSRF Filter with UserAgent Checks
> ----------------------------------------
>
>                 Key: HADOOP-12758
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12758
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>         Attachments: HADOOP-12758-001.patch, HADOOP-12758-002.patch
>
>
> To protect against CSRF attacks, HADOOP-12691 introduces a CSRF filter that will require a specific HTTP header to be sent with every REST API call. This will affect all API consumers from web apps to CLIs and curl. 
> Since CSRF is primarily a browser based attack we can try and minimize the impact on non-browser clients.
> This enhancement will provide additional configuration for identifying non-browser useragents and skipping the enforcement of the header requirement for anything identified as a non-browser. This will largely limit the impact to browser based PUT and POST calls when configured appropriately.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)