Repository: hadoop Updated Branches: refs/heads/branch-2 7f1879abe -> 2df34ab6e
HADOOP-13299. JMXJsonServlet is vulnerable to TRACE. (Haibo Chen via kasha) (cherry picked from commit 85422bb7c5d3e70a49f620ba1c8800e0ba4b64f2) Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/2df34ab6 Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/2df34ab6 Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/2df34ab6 Branch: refs/heads/branch-2 Commit: 2df34ab6e261613526bc7b8e4ef303617f89c758 Parents: 7f1879a Author: Karthik Kambatla <[email protected]> Authored: Tue Aug 9 13:42:25 2016 -0700 Committer: Karthik Kambatla <[email protected]> Committed: Tue Aug 9 13:47:19 2016 -0700 ---------------------------------------------------------------------- .../java/org/apache/hadoop/jmx/JMXJsonServlet.java | 9 +++++++++ .../java/org/apache/hadoop/jmx/TestJMXJsonServlet.java | 13 +++++++++++++ 2 files changed, 22 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hadoop/blob/2df34ab6/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/jmx/JMXJsonServlet.java ----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/jmx/JMXJsonServlet.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/jmx/JMXJsonServlet.java
index 1764ecc..f59b64c 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/jmx/JMXJsonServlet.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/jmx/JMXJsonServlet.java
@@ -145,6 +145,15 @@ public class JMXJsonServlet extends HttpServlet {
 }
 
 /**
+ * Disable TRACE method to avoid TRACE vulnerability.
+ */
+ @Override
+ protected void doTrace(HttpServletRequest req, HttpServletResponse resp)
+ throws ServletException, IOException {
+ resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
+ }
+
+ /**
 * Process a GET request for the specified resource.
 *
 * @param request
http://git-wip-us.apache.org/repos/asf/hadoop/blob/2df34ab6/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/jmx/TestJMXJsonServlet.java ----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/jmx/TestJMXJsonServlet.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/jmx/TestJMXJsonServlet.java
index eb67642..4fab1f7 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/jmx/TestJMXJsonServlet.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/jmx/TestJMXJsonServlet.java
@@ -24,6 +24,8 @@ import org.junit.AfterClass;
 import org.junit.BeforeClass;
 import org.junit.Test;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
 import java.net.HttpURLConnection;
 import java.net.URL;
 import java.util.regex.Matcher;
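Review bot: The 405 produced by `resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED)` in the new doTrace carries no Allow header, which RFC 7231 requires for that status; set it before sending the error, `resp.setHeader("Allow", "GET");`, since GET is the only method this servlet serves. The Javadoc "Disable TRACE method to avoid TRACE vulnerability" does not say why, so a later cleanup could drop the override as dead code; I would write `Reject TRACE: HttpServlet's default doTrace echoes the request headers (which may carry session cookies or credentials) back to the caller, and this servlet has no use for the method.` Because this is a per-servlet override, other servlets registered on the same embedded HTTP server presumably still inherit the default doTrace; disabling the method once at the server level would cover them all — worth confirming. The enclosing class continues outside the hunk.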
@@ -81,4 +83,15 @@ public class TestJMXJsonServlet extends HttpServerFunctionalTest {
 assertEquals("GET", conn.getHeaderField(ACCESS_CONTROL_ALLOW_METHODS));
 assertNotNull(conn.getHeaderField(ACCESS_CONTROL_ALLOW_ORIGIN));
 }
+
+ @Test
+ public void testTraceRequest() throws IOException {
+ URL url = new URL(baseUrl, "/jmx");
+ HttpURLConnection conn = (HttpURLConnection) url.openConnection();
+ conn.setRequestMethod("TRACE");
+
+ assertEquals("Unexpected response code",
+ HttpServletResponse.SC_METHOD_NOT_ALLOWED, conn.getResponseCode());
+ }
+
 }
--------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
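Review bot: testTraceRequest pins only the status code, so it would keep passing if a later change answered 405 while still echoing the request — the property this fix is meant to guarantee. Send a marker request header along with the TRACE and assert that the error body returned for the 405 does not contain it; that checks the actual risk rather than the chosen status. The rewrite below adds `java.io.InputStream` and `java.util.Scanner` to the test imports and uses `assertFalse` alongside the existing `assertEquals`. Leaving the connection undisconnected matches the preceding test in this class, so I have not changed that.

```java
  @Test
  public void testTraceRequest() throws IOException {
    // … unchanged: open the connection and set the TRACE method …
    // Constructed marker value: it must not reappear anywhere in the reply.
    conn.setRequestProperty("X-Trace-Check", "trace-check-marker");

    // … unchanged: assert the SC_METHOD_NOT_ALLOWED status …

    InputStream err = conn.getErrorStream();
    if (err != null) {
      try (Scanner s = new Scanner(err, "UTF-8")) {
        String body = s.useDelimiter("\\A").hasNext() ? s.next() : "";
        assertFalse("TRACE response echoed the request",
            body.contains("trace-check-marker"));
      }
    }
  }
```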
