hadoop-common-issues mailing list archives

From "Allen Wittenauer (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-14908) CrossOriginFilter should trigger regex on more input
Date Tue, 26 Sep 2017 20:48:01 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-14908?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16181541#comment-16181541 ]

Allen Wittenauer commented on HADOOP-14908:

There are likely a bunch of ways to solve this one.  Off the top, I can think of three:

#1: always treat it as a regex

This is backwards incompatible, in the sense that periods are now wildcards and opens up the
namespace on existing installations.

#2: Add additional triggers

It might be simpler to just check for ? and [, but this will prevent character classes, boundary
matches, and other "exotics" from being used.

#3: flag/config that says whether everything/always/etc should be used as a regex.

Personally, I'm leaning towards #1.

> CrossOriginFilter should trigger regex on more input
> ----------------------------------------------------
>                 Key: HADOOP-14908
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14908
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: common, security
>    Affects Versions: 3.0.0-beta1
>            Reporter: Allen Wittenauer
> Currently, CrossOriginFilter.java limits regex matching only if there is an asterisk
> (*) in the config.
> {code}
> if (allowedOrigin.contains("*")) {
> {code}
> This means that entries such as:
> {code}
> http?://foo.example.com
> https://[a-z][0-9].example.com
> {code}
> ... and other patterns that succinctly limit the input space need to either be fully
> expanded or dramatically have their space increased by using an asterisk in order to pass
> through the filter.
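
The compatibility concern raised for option #1, and the escaping that keeps a literal entry literal, shown as an added example (not part of the original message and not Hadoop's CrossOriginFilter code). It assumes entries without an asterisk are compared as exact strings today; the class name, method names and sample entries are constructed for illustration.

```java
import java.util.regex.Pattern;

public class OriginEntryAudit {
    // Current gate as quoted in the issue: only "*" triggers pattern handling.
    // Assumption: every other entry is compared as an exact string.
    static boolean literalToday(String entry) {
        return !entry.contains("*");
    }

    // Option #1: the entry is always compiled as a regex and must match fully.
    static boolean allowsAsRegex(String entry, String origin) {
        return Pattern.compile(entry).matcher(origin).matches();
    }

    // Reports how one entry treats one origin today, under option #1,
    // and under option #1 after the entry has been escaped.
    static String audit(String entry, String origin) {
        if (!literalToday(entry)) {
            return "already pattern-matched today: " + entry;
        }
        boolean today = entry.equals(origin);
        boolean option1 = allowsAsRegex(entry, origin);
        // Pattern.quote turns every character of the entry into a literal.
        boolean escaped = allowsAsRegex(Pattern.quote(entry), origin);
        return String.format("%-32s origin=%-26s today=%-5b option1=%-5b escaped=%b",
                entry, origin, today, option1, escaped);
    }

    public static void main(String[] args) {
        // Constructed sample entries and origins, not taken from a real config.
        String[][] cases = {
            {"https://foo.example.com", "https://foo.example.com"},
            {"https://foo.example.com", "https://foo-example.com"},
            {"https://[a-z][0-9].example.com", "https://a1.example.com"},
            {"https://*.example.com", "https://a1.example.com"},
        };
        for (String[] c : cases) {
            System.out.println(audit(c[0], c[1]));
        }
    }
}
```

Any row where `today` is false and `option1` is true marks an entry whose accepted set changes if every entry becomes a regex; for the literal `foo.example.com` entry that change is the unintended widening, and the escaped form restores the exact match.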
