mesos-issues mailing list archives

From "Benjamin Mahler (JIRA)" <>
Subject [jira] [Commented] (MESOS-8182) Mesos endpoint handler allows for non-existent paths to resolve
Date Wed, 08 Nov 2017 00:24:00 GMT


Benjamin Mahler commented on MESOS-8182:

This is the design of routing in libprocess, but it probably should be updated so that endpoints
that want to handle sub-paths opt in to this behavior.

> Mesos endpoint handler allows for non-existent paths to resolve
> ---------------------------------------------------------------
>                 Key: MESOS-8182
>                 URL:
>             Project: Mesos
>          Issue Type: Bug
>          Components: HTTP API, libprocess
>    Affects Versions: 1.3.1, 1.4.0
>            Reporter: Andrew Shahan
>            Priority: Minor
> I stumbled on something interesting and I want to make sure there is not a security implication.
> I can append anything to `/mesos/*/` endpoints and still have them resolve. The Mesos team
> suggested that this is something that should be addressed.
> To reproduce:
> 1. Spin up a Mesos cluster, any environment is fine as this is a web UI issue.
> 2. Append `/mesos/slaves/<any string you want including /, and .>` to your Mesos
> master's address in the browser and it still resolves `/mesos/slaves`. The same applies to
> anything after `/mesos/state` and I would assume all the other Mesos endpoints following this
> URL pattern.
> Example URLs that resolve when they probably should not:
> https://<master-ip>/mesos/state/1/2/3/4/5/6/7/8/9
> or https://<master-ip>/mesos/slaves/1/2/3/thisresolves/whenIt/should/not
> Benno Evers from the Mesos team let me know this behavior is due to this section of code
> Thanks and let me know if you need anything else from me.

This message was sent by Atlassian JIRA
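
A simplified model of the routing behaviour discussed in this message, added here as an illustration and not taken from libprocess or Mesos: it contrasts ancestor-fallback lookup with a variant where sub-path handling is opt-in. `Route`, `allowSubPaths`, `resolvePrefix`, `resolveOptIn` and the `/mesos/files` entry are hypothetical names, and the route table is constructed sample data.

```cpp
#include <map>
#include <string>

// Simplified endpoint table for illustration; not libprocess code.
struct Route {
  std::string handler;  // hypothetical handler name
  bool allowSubPaths;   // hypothetical opt-in flag
};
using Routes = std::map<std::string, Route>;

// Drop the last path component: "/a/b/c" -> "/a/b", "/a" -> "".
static std::string parent(const std::string& path) {
  std::string::size_type slash = path.find_last_of('/');
  return slash == std::string::npos ? "" : path.substr(0, slash);
}

// Behaviour described in the report: walk up the path until a registered
// endpoint matches, so any appended suffix resolves to its ancestor.
std::string resolvePrefix(const Routes& routes, std::string path) {
  while (!path.empty()) {
    auto it = routes.find(path);
    if (it != routes.end()) return it->second.handler;
    path = parent(path);
  }
  return "404";
}

// Opt-in variant: an exact match always resolves; the nearest registered
// ancestor is used only if it was registered with allowSubPaths.
std::string resolveOptIn(const Routes& routes, const std::string& request) {
  std::string path = request;
  while (!path.empty()) {
    auto it = routes.find(path);
    if (it != routes.end()) {
      bool ok = (path == request) || it->second.allowSubPaths;
      return ok ? it->second.handler : std::string("404");
    }
    path = parent(path);
  }
  return "404";
}

// Constructed sample table: only /mesos/files opts in to sub-paths.
Routes sampleRoutes() {
  return {{"/mesos/state", {"state", false}},
          {"/mesos/slaves", {"slaves", false}},
          {"/mesos/files", {"files", true}}};
}
```

With the opt-in variant, the example URLs from the report return a not-found result while `/mesos/state` itself still resolves.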