[
https://issues.apache.org/jira/browse/HADOOP-12758?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15129463#comment-15129463
]
Anu Engineer commented on HADOOP-12758:
---------------------------------------
bq. impact of breaking existing clients that aren't even vulnerable
I do see your point, but from that angle your fix is incomplete in the sense
that there are more clients like this in the world.
It is not just web pages: if I am using Ruby or Python, I need to add this
flag, but if I am using Java or Perl, I don't need to. Confusing, right?
I would argue that it is not possible to enumerate all your clients hence you
shouldn't try to.
But if you are concerned that the XSRF fix will not be used without this
modification, I am not dead against it. I would argue it is in the best
interest of users to switch on the XSRF, and most of our users are smart enough
to understand it.
I just feel that we have way too many of these special cases in the HDFS world --
which go against the Principle of Least Surprise, or Principle of Least
Astonishment.
bq. Should provide some level of diagnostic clarity.
I completely agree that the error message is pretty good, but what concerns me
is why bypass it for a set of arbitrarily chosen clients?
> Extend CSRF Filter with UserAgent Checks
> ----------------------------------------
>
> Key: HADOOP-12758
> URL: https://issues.apache.org/jira/browse/HADOOP-12758
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Reporter: Larry McCay
> Assignee: Larry McCay
> Fix For: 2.8.0
>
> Attachments: HADOOP-12758-001.patch
>
>
> To protect against CSRF attacks, HADOOP-12691 introduces a CSRF filter that
> will require a specific HTTP header to be sent with every REST API call. This
> will affect all API consumers from web apps to CLIs and curl.
> Since CSRF is primarily a browser-based attack, we can try to minimize the
> impact on non-browser clients.
> This enhancement will provide additional configuration for identifying
> non-browser user agents and skipping the enforcement of the header requirement
> for anything identified as a non-browser. This will largely limit the impact
> to browser-based PUT and POST calls when configured appropriately.
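The decision logic the issue describes (require a custom header on state-changing REST calls, skip the check for user agents that do not look like a browser), modelled as an added example in Python; this is not the Hadoop filter's Java code, and the header name, the browser regexes and the sample requests are assumptions constructed for illustration. The last sample request shows the enumeration problem raised in the comment above: a scripted client that presents a browser-like user agent is treated exactly like a browser.

```python
import re
from dataclasses import dataclass

# Methods that do not change state; a CSRF filter does not need to gate them.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}

@dataclass
class CsrfPolicy:
    # Header a client must send with every state-changing REST call
    # (name is an assumption for this example, not the project's setting).
    required_header: str = "X-XSRF-HEADER"
    # Regexes identifying browser user agents; anything else is exempted
    # when the user-agent bypass from the issue description is enabled.
    browser_ua_patterns: tuple = (r"^Mozilla.*", r"^Opera.*")
    exempt_non_browsers: bool = True

def is_browser(user_agent, policy):
    return any(re.match(p, user_agent or "", re.IGNORECASE)
               for p in policy.browser_ua_patterns)

def csrf_decision(method, headers, policy):
    """Return (allowed, reason) for one request, mirroring the filter's order of checks."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    if policy.required_header.lower() in lowered:
        return True, "header present"
    ua = lowered.get("user-agent", "")
    if policy.exempt_non_browsers and not is_browser(ua, policy):
        return True, "non-browser user agent exempted"
    return False, f"missing {policy.required_header}"

# Constructed sample requests (not real traffic).
SAMPLE_REQUESTS = [
    ("GET",  {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)"}),
    ("PUT",  {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)"}),
    ("PUT",  {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)", "X-XSRF-HEADER": ""}),
    ("POST", {"User-Agent": "curl/7.64.1"}),
    # A scripted client with a browser-looking UA is indistinguishable from a
    # browser, so the exemption does not help it; it must send the header.
    ("POST", {"User-Agent": "Mozilla/5.0 (compatible; my-ingest-job/1.0)"}),
]

def evaluate(requests=SAMPLE_REQUESTS, policy=CsrfPolicy()):
    return [csrf_decision(m, h, policy) for m, h in requests]

if __name__ == "__main__":
    for (m, h), (ok, why) in zip(SAMPLE_REQUESTS, evaluate()):
        print(f"{m:4} {h.get('User-Agent', '')[:40]:40} -> {'ALLOW' if ok else 'DENY '} ({why})")
```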
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)