
SPARK-5983 [WEBUI] Don't respond to HTTP TRACE in HTTP-based UIs #4765

Closed
wants to merge 1 commit into from

Conversation

srowen
Member

@srowen srowen commented Feb 25, 2015

Disallow TRACE HTTP method in servlets

@SparkQA

SparkQA commented Feb 25, 2015

Test build #27949 has finished for PR 4765 at commit 421b25b.

  • This patch passes all tests.
  • This patch merges cleanly.
  • This patch adds no public classes.

@srowen
Member Author

srowen commented Feb 26, 2015

@kayousterhout can I get your second opinion on this? I know you've worked on a lot of the UI code.
It's a tiny bit of extra code for a quite theoretical low-priority security issue, but one that was reported by a customer's pen testing tool.

@vanzin
Contributor

vanzin commented Feb 26, 2015

Looks ok, but rather verbose (and new servlets might forget it)... wonder if there's an easy way to disable it in the org.eclipse.jetty.server.Server instance itself.

@srowen
Member Author

srowen commented Feb 26, 2015

Yeah I picked at this for a while, but didn't see a way. It's not really a server-level, or HTTP connector-level issue, but a web-app-level policy issue. I found a way to specify security constraints positively (e.g. list the methods you want to support) but it would require refactoring the code to use the one createServlet method, and the two instances that don't use it seem to do so because they can't fit neatly into the same paradigm. Basically everything else looked uglier.

I'd still like to keep this open for a while in case anyone knows of a simple way to do this in Jetty.

@srowen
Member Author

srowen commented Feb 27, 2015

Going once going twice... I'd love to hear a slightly tidier way to handle this across the board, although, the code is just 3 lines duplicated in 3 clear places, so not a great mess nor one that couldn't be refactored later if someone had a brighter idea.

@asfgit asfgit closed this in f91298e Feb 28, 2015
@srowen srowen deleted the SPARK-5983 branch February 28, 2015 18:43
vanzin pushed a commit to vanzin/spark that referenced this pull request Apr 20, 2015
Disallow TRACE HTTP method in servlets

Author: Sean Owen <[email protected]>

Closes apache#4765 from srowen/SPARK-5983 and squashes the following commits:

421b25b [Sean Owen] Disallow TRACE HTTP method in servlets

(cherry picked from commit f91298e)
@AakarshitAgarwal

AakarshitAgarwal commented Aug 28, 2024

I am using spark-2.4.3 and still see HTTP TRACE / TRACK Methods Allowed. In which version was it disabled? @srowen @vanzin @kazuyukitanimura

@srowen
Member Author

srowen commented Aug 28, 2024

1.4.0 (see the JIRA)
2.x is long since out of support.
Do you see this on 3.5? If so, where?
In practice it shouldn't be a security problem, but it is supposed to be disabled in HTTP endpoints that are exposed.
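To make the thread concrete, here is an added Python example (not Spark's or Jetty's code): a minimal local server whose handler refuses TRACE with 405, the same policy as the per-servlet override discussed above, plus a small probe that reports whether a given endpoint refuses TRACE or reflects the request back. All names (`NoTraceHandler`, `start_server`, `probe`, the `X-Probe` marker header) are constructed for this example.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class NoTraceHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a UI servlet: normal GET, explicit TRACE refusal."""

    def do_GET(self):
        body = b"<html><body>ok</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_TRACE(self):
        # Same policy as the servlet-level override in the PR: answer
        # 405 Method Not Allowed instead of echoing the request back.
        # (Python's default for an undefined do_X is 501, also safe.)
        self.send_error(405, "TRACE is not allowed")

    def log_message(self, *args):
        pass  # keep the example quiet


def start_server():
    """Bind an ephemeral localhost port and serve in a daemon thread."""
    server = HTTPServer(("127.0.0.1", 0), NoTraceHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(host, port, method, path="/"):
    """Send one request; return (status, body_reflects_marker_header).

    A hardened endpoint answers TRACE with 405/404/501 and never reflects
    request headers (cookies, auth tokens) in the response body."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request(method, path, headers={"X-Probe": "trace-check"})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, b"X-Probe" in body


if __name__ == "__main__":
    srv = start_server()
    host, port = srv.server_address
    print("GET   ->", probe(host, port, "GET"))    # (200, False)
    print("TRACE ->", probe(host, port, "TRACE"))  # (405, False)
    srv.shutdown()
```

Pointing `probe` at your own deployed UI is the quick way to confirm the behaviour the pen-testing tool was checking for.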
