zookeeper-dev mailing list archives

From hanm <...@git.apache.org>
Subject [GitHub] zookeeper pull request #179: ZOOKEEPER-2693: DOS attack on wchp/wchc four le...
Date Wed, 15 Feb 2017 00:38:45 GMT
GitHub user hanm opened a pull request:


    ZOOKEEPER-2693: DOS attack on wchp/wchc four letter words (4lw)

    This is for master / branch-3.5:
    * Introduce a new configuration option that by default turns off 4lw.
    * Update docs to explicitly state that ZooKeeper should not be deployed open to the world for access, and deprecate 4lw in favor of Jetty.
    With these combined, the attack described in ZOOKEEPER-2693 is not possible if ZooKeeper is put behind a firewall where the Jetty AdminServer is not publicly accessible.
    Note for tests: I did not add any unit tests to test 4lw disabling because it is fairly obvious (though I have to update a place to prevent existing tests from breaking, because we are using 4lw extensively to query test server states. We could query AdminServer instead, but I consider that a future work item - and even if we use AdminServer exclusively we can't dump 4lw completely because the AdminServer tests depend on 4lw - chicken-and-egg problem.)

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/hanm/zookeeper ZOOKEEPER-2693

Alternatively you can review and apply these changes as the patch at:


To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #179

commit b70e19ecdcd8f78bb8ac2d380a07968cbb683b3b
Author: Michael Han <hanm@apache.org>
Date:   2017-02-14T22:24:05Z

    Initial commit that turns four letter words off by default for 3.5.x branch.
    Pending test cases and doc changes.

commit 7f3420573774a23dafc8fcbbe3873392d0c9090a
Author: Michael Han <hanm@apache.org>
Date:   2017-02-14T22:41:01Z

    Update Admin Doc source for 4lw changes.

commit b808940d5aed3c707b50df417a558123df4a03cd
Author: Michael Han <hanm@apache.org>
Date:   2017-02-15T00:02:35Z

    Update doc with security guideline.

commit f296225793dcf7bc289b63b2ff9ca7d30291fb69
Author: Michael Han <hanm@apache.org>
Date:   2017-02-15T00:06:07Z

    Fix broken tests.


If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
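Added example, not code from this PR or from ZooKeeper: a small Python audit of a zoo.cfg against the guidance in the PR above (4lw off unless explicitly needed, the watch-dump commands wchp/wchc never enabled, and the client port not reachable from the world). The PR text does not name the new option, so the property name `4lw.commands.whitelist` is an assumption here, and the sample configs are constructed for illustration.

```python
# Audit a zoo.cfg for four-letter-word (4lw) exposure (constructed example).
# Commands that dump every session's watch table: the DoS from ZOOKEEPER-2693.
EXPENSIVE = {"wchp", "wchc"}
WHITELIST_KEY = "4lw.commands.whitelist"  # assumed property name, see lead-in

def parse_cfg(text):
    """Parse key=value lines of a zoo.cfg; comments and blank lines are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def enabled_4lw(props):
    """Commands the whitelist enables. A missing key means off, the PR's new default."""
    raw = props.get(WHITELIST_KEY, "")
    return {c.strip() for c in raw.split(",") if c.strip()}

def audit(text):
    """Return human-readable findings; an empty list means nothing to flag."""
    props = parse_cfg(text)
    cmds = enabled_4lw(props)
    findings = []
    if "*" in cmds:
        findings.append("4lw whitelist is '*': every command incl. wchp/wchc is reachable")
    else:
        bad = sorted(cmds & EXPENSIVE)
        if bad:
            findings.append("expensive watch-dump commands enabled: " + ", ".join(bad))
    # clientPortAddress unset means ZooKeeper listens on all interfaces.
    if cmds and props.get("clientPortAddress", "0.0.0.0") == "0.0.0.0":
        findings.append("4lw reachable on all interfaces; set clientPortAddress or firewall clientPort")
    return findings

# Constructed sample configs, not taken from any real deployment.
RISKY_CFG = """\
clientPort=2181
4lw.commands.whitelist=*
"""
HARDENED_CFG = """\
clientPort=2181
clientPortAddress=127.0.0.1
# only cheap liveness commands for the local monitoring agent
4lw.commands.whitelist=ruok, srvr
"""
```

Running `audit(RISKY_CFG)` yields two findings and `audit(HARDENED_CFG)` yields none.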
