Disable Trace Method on Collector's Port
----------------------------------------
Key: CHUKWA-619
URL: https://issues.apache.org/jira/browse/CHUKWA-619
Project: Chukwa
Issue Type: Wish
Components: data collection
Affects Versions: 0.4.0
Environment: Debian 5.0, Hadoop 0.20
Reporter: Julio Conca
Priority: Trivial
After a security audit by our client, he notified us of the following vulnerability at
port 8081 (Collector port):
HTTP TRACE / TRACK Methods Allowed
I think this is good documentation of the vulnerability:
http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf.
We added the following code to all the collector's servlets to solve the problem.
    import java.io.IOException;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    // Answer TRACE with 405 so the servlet never echoes the request back to the client.
    protected void doTrace(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
    }
The collector's servlets we fixed are:
org.apache.hadoop.chukwa.datacollection.collector.servlet.CommitCheckServlet
org.apache.hadoop.chukwa.datacollection.collector.servlet.LogDisplayServlet
org.apache.hadoop.chukwa.datacollection.collector.servlet.ServletCollector
Another solution could be to extend from Jetty's DefaultServlet, but we didn't
try it. Our solution is good enough for us.
Regards.
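A way to verify the fix on a deployed collector, as an added example that is not part of this issue or of Chukwa: a Python probe that sends TRACE and TRACK carrying a marker header and reports the status code and whether the marker came back in the body. It is run here against two constructed local stand-in servers (one unfixed, one mirroring the 405 behaviour above); the header name and value are assumptions, and for a real check you would point probe() at the collector's port 8081.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

MARKER = ("X-Chukwa-Probe", "7f3a9c")  # constructed header; any unique value works

class EchoingHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for an unfixed server: TRACE echoes the request
    line and headers back in the body, which is what the audit flagged."""

    def do_TRACE(self):
        body = (self.requestline + "\r\n" + str(self.headers)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

class HardenedHandler(EchoingHandler):
    """Mirrors the CHUKWA-619 fix: TRACE gets 405 Method Not Allowed. TRACK has
    no do_TRACK, so the base class refuses it with 501 Not Implemented."""

    def do_TRACE(self):
        self.send_error(405)

def probe(host, port, method="TRACE"):
    """Send one TRACE/TRACK request carrying the marker header and return
    (status code, True if the marker was echoed back in the response body)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request(method, "/", headers={MARKER[0]: MARKER[1]})
    resp = conn.getresponse()
    body = resp.read().decode(errors="replace")
    conn.close()
    return resp.status, f"{MARKER[0]}: {MARKER[1]}" in body

def serve(handler):
    """Start a throwaway server on an ephemeral local port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

if __name__ == "__main__":
    for name, handler in (("unfixed", EchoingHandler), ("fixed", HardenedHandler)):
        srv, port = serve(handler)
        print(name, "TRACE:", probe("127.0.0.1", port),
              "TRACK:", probe("127.0.0.1", port, "TRACK"))
        srv.shutdown()
```

A result of (200, True) means the server still reflects request headers; the fixed servlet answers (405, False) and an unhandled TRACK yields (501, False).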