[jira] [Commented] (HADOOP-12758) Extend CSRF Filter with UserAgent Checks

Tue, 02 Feb 2016 18:21:49 -0800 

    [ 
https://issues.apache.org/jira/browse/HADOOP-12758?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15129633#comment-15129633
 ] 

Larry McCay commented on HADOOP-12758:
--------------------------------------

I am not missing your point.
I am trying to strike the balance between CSRF protection and breaking existing 
consumers.
If the existing consumers that we are talking about were vulnerable to this 
attack it would be a different story.

Breaking java clients (server side of webapps, custom CLI apps, Hadoop CLIs, 
third party integrations), scripting (Ambari calls from python scripts, cron 
driven curl scripting, groovy based scripting through Knox), generic command 
line tools (curl, wget), etc - when none of them are vulnerable to the actual 
attack would be wrong.

So, I think we can address it a couple ways for user-agents:

* default with common ones and hopefully not need to configure an override
* default to non exclusions and require admins to override for any user-agents 
that are desired

"Btw, I don't think many of these client libraries - like Python / Ruby are 
well behaved or have standard user-agent headers. You can add a header if you 
need, but lot of them have no standard user agent."

That was my conclusion but was hoping that I was wrong. :/

> Extend CSRF Filter with UserAgent Checks
> ----------------------------------------
>
>                 Key: HADOOP-12758
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12758
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>             Fix For: 2.8.0
>
>         Attachments: HADOOP-12758-001.patch, HADOOP-12758-002.patch
>
>
> To protect against CSRF attacks, HADOOP-12691 introduces a CSRF filter that 
> will require a specific HTTP header to be sent with every REST API call. This 
> will affect all API consumers from web apps to CLIs and curl. 
> Since CSRF is primarily a browser based attack we can try and minimize the 
> impact on non-browser clients.
> This enhancement will provide additional configuration for identifying 
> non-browser useragents and skipping the enforcement of the header requirement 
> for anything identified as a non-browser. This will largely limit the impact 
> to browser based PUT and POST calls when configured appropriately.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to