This is an automated email from the ASF dual-hosted git repository.

ggal pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-livy.git


The following commit(s) were added to refs/heads/master by this push:
     new 7a6b1945 LIVY-974: Remove verbose output on Livy UI error pages (#404)
7a6b1945 is described below

commit 7a6b194583946d618b827293368544c1f2abb578
Author: Asif Khatri <[email protected]>
AuthorDate: Tue May 9 12:42:59 2023 +0530

    LIVY-974: Remove verbose output on Livy UI error pages (#404)
    
    ## What changes were proposed in this pull request?
    
    On error, the Livy UI shows verbose output on error pages including the 
Jetty version number. This could be considered as a security vulnerability. We 
can make it configurable and avoid sending server version details. The Jetty 
version is there in every response header as well.
    
    ## How was this patch tested?
    
    Verified manually by calling get sessions via REST API call in a local Yarn 
cluster.
---
 conf/livy.conf.template                                      | 3 +++
 server/src/main/scala/org/apache/livy/LivyConf.scala         | 2 ++
 server/src/main/scala/org/apache/livy/server/WebServer.scala | 2 ++
 3 files changed, 7 insertions(+)

diff --git a/conf/livy.conf.template b/conf/livy.conf.template
index 456bec74..edec95a0 100644
--- a/conf/livy.conf.template
+++ b/conf/livy.conf.template
@@ -48,6 +48,9 @@
 # livy.server.request-header.size = 131072
 # livy.server.response-header.size = 131072
 
+# Whether or not to send server version in http response.
+# livy.server.send-server-version = false
+
 # Enabled to check whether timeout Livy sessions should be stopped.
 # livy.server.session.timeout-check = true
 #
diff --git a/server/src/main/scala/org/apache/livy/LivyConf.scala 
b/server/src/main/scala/org/apache/livy/LivyConf.scala
index 1b06fdeb..5808ba46 100644
--- a/server/src/main/scala/org/apache/livy/LivyConf.scala
+++ b/server/src/main/scala/org/apache/livy/LivyConf.scala
@@ -67,6 +67,8 @@ object LivyConf {
   val REQUEST_HEADER_SIZE = Entry("livy.server.request-header.size", 131072)
   val RESPONSE_HEADER_SIZE = Entry("livy.server.response-header.size", 131072)
 
+  val SEND_SERVER_VERSION = Entry("livy.server.send-server-version", false)
+
   val CSRF_PROTECTION = Entry("livy.server.csrf-protection.enabled", false)
 
   val IMPERSONATION_ENABLED = Entry("livy.impersonation.enabled", false)
diff --git a/server/src/main/scala/org/apache/livy/server/WebServer.scala 
b/server/src/main/scala/org/apache/livy/server/WebServer.scala
index 19559748..8bab4dd9 100644
--- a/server/src/main/scala/org/apache/livy/server/WebServer.scala
+++ b/server/src/main/scala/org/apache/livy/server/WebServer.scala
@@ -39,12 +39,14 @@ class WebServer(livyConf: LivyConf, var host: String, var 
port: Int) extends Log
       val http = new HttpConfiguration()
       http.setRequestHeaderSize(livyConf.getInt(LivyConf.REQUEST_HEADER_SIZE))
       
http.setResponseHeaderSize(livyConf.getInt(LivyConf.RESPONSE_HEADER_SIZE))
+      
http.setSendServerVersion(livyConf.getBoolean(LivyConf.SEND_SERVER_VERSION))
       (new ServerConnector(server, new HttpConnectionFactory(http)), "http")
 
     case Some(keystore) =>
       val https = new HttpConfiguration()
       https.setRequestHeaderSize(livyConf.getInt(LivyConf.REQUEST_HEADER_SIZE))
       
https.setResponseHeaderSize(livyConf.getInt(LivyConf.RESPONSE_HEADER_SIZE))
+      
https.setSendServerVersion(livyConf.getBoolean(LivyConf.SEND_SERVER_VERSION))
       https.addCustomizer(new SecureRequestCustomizer())
 
       val sslContextFactory = new SslContextFactory()

Reply via email to