This is an automated email from the ASF dual-hosted git repository. gurwls223 pushed a commit to branch branch-3.0 in repository https://gitbox.apache.org/repos/asf/spark.git
The following commit(s) were added to refs/heads/branch-3.0 by this push: new d089c0e [SPARK-34449][BUILD] Upgrade Jetty to fix CVE-2020-27218 d089c0e is described below commit d089c0eedb5d839e27fa83b29812d0ce720a1207 Author: Kousuke Saruta <saru...@oss.nttdata.com> AuthorDate: Thu Feb 18 18:02:34 2021 +0900 [SPARK-34449][BUILD] Upgrade Jetty to fix CVE-2020-27218 This PR upgrades Jetty from `9.4.34` to `9.4.36`. CVE-2020-27218 affects currently used Jetty 9.4.34. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27218 No. Modified existing test and new test which comply with the new version of Jetty. Closes #31574 from sarutak/upgrade-jetty-9.4.36. Authored-by: Kousuke Saruta <saru...@oss.nttdata.com> Signed-off-by: HyukjinKwon <gurwls...@apache.org> (cherry picked from commit 51672281728164db731f3f607818bffea0334eb0) Signed-off-by: HyukjinKwon <gurwls...@apache.org>
---
 .../test/scala/org/apache/spark/ui/UISuite.scala | 37 +++++++++++++++------- pom.xml | 2 +- 2 files changed, 26 insertions(+), 13 deletions(-)
diff --git a/core/src/test/scala/org/apache/spark/ui/UISuite.scala b/core/src/test/scala/org/apache/spark/ui/UISuite.scala
index fb3015e..45a2ce0 100644
--- a/core/src/test/scala/org/apache/spark/ui/UISuite.scala
+++ b/core/src/test/scala/org/apache/spark/ui/UISuite.scala
@@ -356,20 +356,9 @@ class UISuite extends SparkFunSuite {
 try {
 val serverAddr = s"http://localhost:${serverInfo.boundPort}"
- val (_, ctx) = newContext("/ctx1")
- serverInfo.addHandler(ctx, securityMgr)
-
 val redirect = JettyUtils.createRedirectHandler("/src", "/dst")
 serverInfo.addHandler(redirect, securityMgr)
- // Test Jetty's built-in redirect to add the trailing slash to the context path.
- TestUtils.withHttpConnection(new URL(s"$serverAddr/ctx1")) { conn =>
- assert(conn.getResponseCode() === HttpServletResponse.SC_FOUND)
- val location = Option(conn.getHeaderFields().get("Location"))
- .map(_.get(0)).orNull
- assert(location === s"$proxyRoot/ctx1/")
- }
-
 // Test with a URL handled by the added redirect handler, and also including a path prefix.
 val headers = Seq("X-Forwarded-Context" -> "/prefix")
 TestUtils.withHttpConnection(
@@ -395,6 +384,28 @@ class UISuite extends SparkFunSuite {
 }
 }
+ test("SPARK-34449: Jetty 9.4.35.v20201120 and later no longer return status code 302 " +
+ " and handle internally when request URL ends with a context path without trailing '/'") {
+ val proxyRoot = "https://proxy.example.com:443/prefix"
+ val (conf, securityMgr, sslOptions) = sslDisabledConf()
+ conf.set(UI.PROXY_REDIRECT_URI, proxyRoot)
+ val serverInfo = JettyUtils.startJettyServer("0.0.0.0", 0, sslOptions, conf)
+
+ try {
+ val (_, ctx) = newContext("/ctx")
+ serverInfo.addHandler(ctx, securityMgr)
+ val urlStr = s"http://localhost:${serverInfo.boundPort}/ctx"
+
+ assert(TestUtils.httpResponseCode(new URL(urlStr + "/")) === HttpServletResponse.SC_OK)
+
+ // If the following assertion fails when we upgrade Jetty, it seems to change the behavior of
+ // handling context path which doesn't have the trailing slash.
+ assert(TestUtils.httpResponseCode(new URL(urlStr)) === HttpServletResponse.SC_OK)
+ } finally {
+ stopServer(serverInfo)
+ }
+ }
+
 /**
 * Create a new context handler for the given path, with a single servlet that responds to
 * requests in `$path/root`.
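Review bot: The new SPARK-34449 test starts Jetty on `"0.0.0.0"` although it only ever connects through `http://localhost:${serverInfo.boundPort}`, so the test listener is reachable on every interface of the build host for the duration of the test. Binding to loopback, e.g. `JettyUtils.startJettyServer("localhost", 0, sslOptions, conf)`, would avoid that, assuming the rest of the suite does not depend on the wildcard bind. Separately, the test sets `UI.PROXY_REDIRECT_URI` to `proxyRoot` but both assertions check only the status code, so a short comment stating why the proxy setting is needed for the 200 check (or removing those two lines) would make the intent clear. The test name also joins `302 "` and `" and handle`, which leaves a double space in the reported name.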
@@ -403,7 +414,9 @@ class UISuite extends SparkFunSuite {
 val servlet = new CapturingServlet()
 val ctx = new ServletContextHandler()
 ctx.setContextPath(path)
- ctx.addServlet(new ServletHolder(servlet), "/root")
+ val servletHolder = new ServletHolder(servlet)
+ ctx.addServlet(servletHolder, "/root")
+ ctx.addServlet(servletHolder, "/")
 (servlet, ctx)
 }
diff --git a/pom.xml b/pom.xml
index 427a241..80fcc55 100644
--- a/pom.xml
+++ b/pom.xml
@@ -140,7 +140,7 @@
 <orc.classifier></orc.classifier>
 <hive.parquet.group>com.twitter</hive.parquet.group>
 <hive.parquet.version>1.6.0</hive.parquet.version>
- <jetty.version>9.4.34.v20201102</jetty.version>
+ <jetty.version>9.4.36.v20210114</jetty.version>
 <javaxservlet.version>3.1.0</javaxservlet.version>
 <chill.version>0.9.5</chill.version>
 <ivy.version>2.4.0</ivy.version>
--------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@spark.apache.org For additional commands, e-mail: commits-h...@spark.apache.org
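Review bot: In `newContext` (UISuite.scala), mapping the same `ServletHolder` to `/` makes the capturing servlet the context's default servlet, so every path under the context now gets an answer from it, not only `$path/root`; another test that uses this helper and expects an unmapped path to be rejected could now see a 200 instead. The Scaladoc directly above the helper still says the servlet responds to requests in `$path/root` and should be updated to mention the `/` mapping and the reason for it (the Jetty 9.4.35+ handling of a context path without the trailing slash). If only the new SPARK-34449 test needs the extra mapping, consider adding it there rather than in the shared helper. The helper's signature and its other callers are outside this hunk, so the impact on them cannot be confirmed from the page.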