Return-Path: <common-issues-return-141796-archive-asf-public=cust-asf.ponee.io@hadoop.apache.org>
X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io
Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io
Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183])
	by cust-asf2.ponee.io (Postfix) with ESMTP id C1C29200D0E
	for <archive-asf-public-internal@cust-asf2.ponee.io>; Tue, 26 Sep 2017 22:48:05 +0200 (CEST)
Received: by cust-asf.ponee.io (Postfix)
	id C03C31609EB; Tue, 26 Sep 2017 20:48:05 +0000 (UTC)
Delivered-To: archive-asf-public@cust-asf.ponee.io
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by cust-asf.ponee.io (Postfix) with SMTP id 137431609C4
	for <archive-asf-public@cust-asf.ponee.io>; Tue, 26 Sep 2017 22:48:04 +0200 (CEST)
Received: (qmail 31913 invoked by uid 500); 26 Sep 2017 20:48:04 -0000
Mailing-List: contact common-issues-help@hadoop.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:common-issues-help@hadoop.apache.org>
List-Unsubscribe: <mailto:common-issues-unsubscribe@hadoop.apache.org>
List-Post: <mailto:common-issues@hadoop.apache.org>
List-Id: <common-issues.hadoop.apache.org>
Delivered-To: mailing list common-issues@hadoop.apache.org
Received: (qmail 31894 invoked by uid 99); 26 Sep 2017 20:48:04 -0000
Received: from pnap-us-west-generic-nat.apache.org (HELO spamd1-us-west.apache.org) (209.188.14.142)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 26 Sep 2017 20:48:04 +0000
Received: from localhost (localhost [127.0.0.1])
	by spamd1-us-west.apache.org (ASF Mail Server at spamd1-us-west.apache.org) with ESMTP id B5171C8303
	for <common-issues@hadoop.apache.org>; Tue, 26 Sep 2017 20:48:03 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at spamd1-us-west.apache.org
X-Spam-Flag: NO
X-Spam-Score: -99.202
X-Spam-Level: 
X-Spam-Status: No, score=-99.202 tagged_above=-999 required=6.31
	tests=[KAM_ASCII_DIVIDERS=0.8, RP_MATCHES_RCVD=-0.001,
	SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=disabled
Received: from mx1-lw-eu.apache.org ([10.40.0.8])
	by localhost (spamd1-us-west.apache.org [10.40.0.7]) (amavisd-new, port 10024)
	with ESMTP id mnwhKJ6RhF6C for <common-issues@hadoop.apache.org>;
	Tue, 26 Sep 2017 20:48:03 +0000 (UTC)
Received: from mailrelay1-us-west.apache.org (mailrelay1-us-west.apache.org [209.188.14.139])
	by mx1-lw-eu.apache.org (ASF Mail Server at mx1-lw-eu.apache.org) with ESMTP id 7340D60CEB
	for <common-issues@hadoop.apache.org>; Tue, 26 Sep 2017 20:48:02 +0000 (UTC)
Received: from jira-lw-us.apache.org (unknown [207.244.88.139])
	by mailrelay1-us-west.apache.org (ASF Mail Server at mailrelay1-us-west.apache.org) with ESMTP id B94C6E0EC4
	for <common-issues@hadoop.apache.org>; Tue, 26 Sep 2017 20:48:01 +0000 (UTC)
Received: from jira-lw-us.apache.org (localhost [127.0.0.1])
	by jira-lw-us.apache.org (ASF Mail Server at jira-lw-us.apache.org) with ESMTP id 6DB9E2425A
	for <common-issues@hadoop.apache.org>; Tue, 26 Sep 2017 20:48:01 +0000 (UTC)
Date: Tue, 26 Sep 2017 20:48:01 +0000 (UTC)
From: "Allen Wittenauer (JIRA)" <jira@apache.org>
To: common-issues@hadoop.apache.org
Message-ID: <JIRA.13105233.1506458401000.208842.1506458881440@Atlassian.JIRA>
In-Reply-To: <JIRA.13105233.1506458401000@Atlassian.JIRA>
References: <JIRA.13105233.1506458401000@Atlassian.JIRA> <JIRA.13105233.1506458401555@jira-lw-us.apache.org>
Subject: [jira] [Commented] (HADOOP-14908) CrossOriginFilter should trigger
 regex on more input
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394
archived-at: Tue, 26 Sep 2017 20:48:05 -0000


    [ https://issues.apache.org/jira/browse/HADOOP-14908?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16181541#comment-16181541 ] 

Allen Wittenauer commented on HADOOP-14908:
-------------------------------------------

There are likely a bunch of ways to solve this one.  Off the top, I can think of three:

#1: always treat it as a regex

This is backwards incompatible, in the sense that periods are now wildcards and opens up the namespace on existing installations.

#2: Add additional triggers

It might simpler to just check for ? and [, but this will prevent character classes, boundary matches, and other "exotics" from being used.

#3: flag/config that says whether everything/always/etc should be used as a regex.

Personally, I'm leaning towards #1.

> CrossOriginFilter should trigger regex on more input
> ----------------------------------------------------
>
>                 Key: HADOOP-14908
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14908
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: common, security
>    Affects Versions: 3.0.0-beta1
>            Reporter: Allen Wittenauer
>
> Currently,  CrossOriginFilter.java limits regex matching only if there is an asterisk (\*) in the config.
> {code}
> if (allowedOrigin.contains("*")) {
> {code}
> This means that entries such as:
> {code}
> http?://foo.example.com
> https://[a-z][0-9].example.com
> {code}
> ... and other patterns that succinctly limit the input space need to either be fully expanded or dramatically have their space increased by using an asterisk in order to pass through the filter.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org