[ 
https://issues.apache.org/jira/browse/HADOOP-12758?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15129613#comment-15129613
 ] 

Anu Engineer commented on HADOOP-12758:
---------------------------------------

No Larry, I don't want to add user-agent for other libraries. I think you are 
missing my point. My point was that we should *not* special case for various 
user-agents. I think we should have XSRF enabled by default in trunk (your last 
patch) and let clients use the right headers if they want to use it in the 2.x 
branch. This special casing leads to lots of corner cases which are not very 
useful.

Btw, I don't think many of these client libraries, like Python / Ruby, are well 
behaved or have standard user-agent headers. You can add a header if you need, 
but a lot of them have no standard user agent. 

Also, with this feature an end-user can override an administrator-controlled 
cluster-wide setting. For example, I can have a user-agent spoofing Chrome 
extension and override the XSRF setting by setting it to "curl" even if I were 
using a browser. Worse, if I did that, as a user I could be open to an XSRF 
attack.


> Extend CSRF Filter with UserAgent Checks
> ----------------------------------------
>
>                 Key: HADOOP-12758
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12758
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>             Fix For: 2.8.0
>
>         Attachments: HADOOP-12758-001.patch, HADOOP-12758-002.patch
>
>
> To protect against CSRF attacks, HADOOP-12691 introduces a CSRF filter that 
> will require a specific HTTP header to be sent with every REST API call. This 
> will affect all API consumers, from web apps to CLIs and curl. 
> Since CSRF is primarily a browser-based attack, we can try to minimize the 
> impact on non-browser clients.
> This enhancement will provide additional configuration for identifying 
> non-browser user agents and skipping the enforcement of the header requirement 
> for anything identified as a non-browser. This will largely limit the impact 
> to browser-based PUT and POST calls when configured appropriately.
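The design discussed in this thread, modelled as an added example (this is not Hadoop's own filter code, and the header name `X-XSRF-HEADER`, the browser user-agent patterns and the `CsrfConfig` fields are assumptions chosen for illustration): a filter that requires a custom header on state-changing requests, with the proposed option of exempting requests whose User-Agent does not look like a browser. The `demo()` function runs the same three constructed requests through both a strict configuration and the exemption-enabled one, so the corner cases raised above (a browser whose User-Agent has been rewritten to "curl", and a client that sends no User-Agent at all) can be compared side by side.

```python
"""Model of a header-based CSRF filter with an optional user-agent exemption.

Added illustration, not the project's RestCsrfPreventionFilter: the header
name, the config fields and the user-agent patterns are assumptions.
"""
import re
from dataclasses import dataclass

CSRF_HEADER = "X-XSRF-HEADER"          # assumed name of the required custom header
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})


@dataclass(frozen=True)
class CsrfConfig:
    # Regexes for user-agents treated as browsers. Anything that matches none
    # of them is exempt from the header check when exempt_non_browsers is set.
    browser_agent_patterns: tuple = (r"^Mozilla.*", r"^Opera.*")
    exempt_non_browsers: bool = False   # the special-casing debated in the thread


def is_browser(user_agent: str, config: CsrfConfig) -> bool:
    """True if the User-Agent matches one of the configured browser patterns."""
    return any(re.match(p, user_agent) for p in config.browser_agent_patterns)


def csrf_filter(method: str, headers: dict, config: CsrfConfig):
    """Decide whether a request passes the CSRF check.

    Returns (allowed, reason). Header names are compared case-insensitively,
    as HTTP requires.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method, no check"
    lower = {k.lower(): v for k, v in headers.items()}
    user_agent = lower.get("user-agent", "")
    # Optional exemption: decided entirely by a header the client controls.
    if config.exempt_non_browsers and not is_browser(user_agent, config):
        return True, "exempt: user-agent not recognised as a browser"
    # The real CSRF defence: a cross-site page cannot attach this header to a
    # simple form post, so its presence shows the caller wrote the request.
    if CSRF_HEADER.lower() in lower:
        return True, "custom header present"
    return False, "missing custom header"


def demo() -> dict:
    """Run constructed requests through both configurations; returns {case: allowed}."""
    strict = CsrfConfig(exempt_non_browsers=False)
    lenient = CsrfConfig(exempt_non_browsers=True)
    # Constructed sample requests (header dictionaries only).
    browser_no_header = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)"}
    spoofed_browser = {"User-Agent": "curl/7.64.0"}          # browser with UA rewritten by an extension
    curl_with_header = {"User-Agent": "curl/7.64.0", CSRF_HEADER: "1"}
    no_user_agent = {}                                        # client library sending no UA at all
    cases = {
        "browser, no header": browser_no_header,
        "browser, UA rewritten to curl, no header": spoofed_browser,
        "curl with header": curl_with_header,
        "no user-agent, no header": no_user_agent,
    }
    results = {}
    for name, hdrs in cases.items():
        results[f"strict / {name}"] = csrf_filter("POST", hdrs, strict)[0]
        results[f"lenient / {name}"] = csrf_filter("POST", hdrs, lenient)[0]
    return results


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {case}")
```

Under the strict configuration only the request carrying the custom header is allowed, and a well-behaved CLI client passes simply by sending it. Under the exemption-enabled configuration the browser request with no header is still denied, but the same browser with its User-Agent rewritten to "curl" is allowed, as is any client that sends no User-Agent: the exemption is keyed on a value the client chooses, so the administrator's cluster-wide setting is effectively decided per request by whoever sends it.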



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)