Repository: hadoop Updated Branches: refs/heads/branch-2.8 0a94c6d9d -> 35108025e
HADOOP-12964. Http server vulnerable to clickjacking (haibochen via rkanter) (cherry picked from commit 042a3ae960883c263adc76f16d0ea3438d8b12be) Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/2e2caeb5 Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/2e2caeb5 Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/2e2caeb5 Branch: refs/heads/branch-2.8 Commit: 2e2caeb50e0367926cf120ac28d5f0a65c61505c Parents: 0a94c6d Author: Robert Kanter <[email protected]> Authored: Tue Apr 12 14:40:43 2016 -0700 Committer: Jitendra Pandey <[email protected]> Committed: Tue Jul 12 14:37:57 2016 -0700 ---------------------------------------------------------------------- .../org/apache/hadoop/http/HttpServer2.java | 29 ++++++++++++++++---- .../org/apache/hadoop/http/TestHttpServer.java | 10 +++++++ 2 files changed, 33 insertions(+), 6 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hadoop/blob/2e2caeb5/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java index 4ec620a..a905020 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java @@ -55,10 +55,7 @@ import org.apache.hadoop.conf.ConfServlet; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.fs.CommonConfigurationKeys; import org.apache.hadoop.security.AuthenticationFilterInitializer; -import org.apache.hadoop.security.authentication.util.FileSignerSecretProvider; -import org.apache.hadoop.security.authentication.util.RandomSignerSecretProvider; import org.apache.hadoop.security.authentication.util.SignerSecretProvider; -import org.apache.hadoop.security.authentication.util.ZKSignerSecretProvider; import org.apache.hadoop.security.ssl.SslSocketConnectorSecure; import org.apache.hadoop.jmx.JMXJsonServlet; import org.apache.hadoop.log.LogLevel; @@ -98,8 +95,6 @@ import com.google.common.base.Preconditions; import com.google.common.collect.Lists; import com.sun.jersey.spi.container.servlet.ServletContainer; -import static org.apache.hadoop.security.authentication.server - .AuthenticationFilter.*; /** * Create a Jetty embedded server to answer http requests. The primary goal is * to serve up status information for the server. There are three contexts: @@ -1152,9 +1147,11 @@ public final class HttpServer2 implements FilterContainer { /** * A Servlet input filter that quotes all HTML active characters in the * parameter names and values. The goal is to quote the characters to make - * all of the servlets resistant to cross-site scripting attacks. + * all of the servlets resistant to cross-site scripting attacks. It also + * sets X-FRAME-OPTIONS in the header to mitigate clickjacking attacks. */ public static class QuotingInputFilter implements Filter { + private static final XFrameOption X_FRAME_OPTION = XFrameOption.SAMEORIGIN; private FilterConfig config; public static class RequestQuoter extends HttpServletRequestWrapper { @@ -1274,6 +1271,7 @@ public final class HttpServer2 implements FilterContainer { } else if (mime.startsWith("application/xml")) { httpResponse.setContentType("text/xml; charset=utf-8"); } + httpResponse.addHeader("X-FRAME-OPTIONS", X_FRAME_OPTION.toString()); chain.doFilter(quoted, httpResponse); } @@ -1290,4 +1288,23 @@ public final class HttpServer2 implements FilterContainer { } } + + /** + * The X-FRAME-OPTIONS header in HTTP response to mitigate clickjacking + * attack. + */ + public enum XFrameOption { + DENY("DENY") , SAMEORIGIN ("SAMEORIGIN"), ALLOWFROM ("ALLOW-FROM"); + + XFrameOption(String name) { + this.name = name; + } + + private final String name; + + @Override + public String toString() { + return this.name; + } + } } http://git-wip-us.apache.org/repos/asf/hadoop/blob/2e2caeb5/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServer.java ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServer.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServer.java index 5b202da..9b27941 100644 --- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServer.java +++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpServer.java @@ -235,6 +235,16 @@ public class TestHttpServer extends HttpServerFunctionalTest { assertEquals("text/html; charset=utf-8", conn.getContentType()); } + @Test + public void testHttpResonseContainsXFrameOptions() throws IOException { + URL url = new URL(baseUrl, ""); + HttpURLConnection conn = (HttpURLConnection) url.openConnection(); + conn.connect(); + + String xfoHeader = conn.getHeaderField("X-FRAME-OPTIONS"); + assertTrue("X-FRAME-OPTIONS is absent in the header", xfoHeader != null); + } + /** * Dummy filter that mimics as an authentication filter. Obtains user identity * from the request parameter user.name. Wraps around the request so that --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
