[
https://issues.apache.org/jira/browse/HADOOP-12758?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15129804#comment-15129804
]
Larry McCay commented on HADOOP-12758:
--------------------------------------
The nature of the CSRF attack and the protection provided by sending an HTTP
header hinges on the facts that:
a. headers cannot be added by malicious HTML such as FORMs provided on a
malicious page
b. if JavaScript were being used to add a header from an origin other than the
one that serves the valid pages, the cross-origin policies in the browser will
not allow it to be added unless it is explicitly allowed
This is not a security issue.
As I said earlier, this is an existing pattern in Hadoop. Defaulting it such
that all configurations must configure the non-browser user-agents every time
makes it inconsistent in behavior with the authentication handler.
I suggest that this go in as is. Since this is a common filter, individual
component uptake of it may do what they want with default values and
consistency with the rest of the platform. See HDFS-9711.
> Extend CSRF Filter with UserAgent Checks
> ----------------------------------------
>
> Key: HADOOP-12758
> URL: https://issues.apache.org/jira/browse/HADOOP-12758
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Reporter: Larry McCay
> Assignee: Larry McCay
> Fix For: 2.8.0
>
> Attachments: HADOOP-12758-001.patch, HADOOP-12758-002.patch
>
>
> To protect against CSRF attacks, HADOOP-12691 introduces a CSRF filter that
> will require a specific HTTP header to be sent with every REST API call. This
> will affect all API consumers from web apps to CLIs and curl.
> Since CSRF is primarily a browser-based attack, we can try and minimize the
> impact on non-browser clients.
> This enhancement will provide additional configuration for identifying
> non-browser user agents and skipping the enforcement of the header requirement
> for anything identified as a non-browser. This will largely limit the impact
> to browser-based PUT and POST calls when configured appropriately.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
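The decision logic the comment and the issue description describe (a required custom header on state-changing calls, skipped for user agents configured as non-browser), as an added example that is not the Hadoop filter's own code and is written in Python rather than Java. The header name, the ignored-method list and the browser user-agent pattern are constructed placeholders; the page does not give the filter's real defaults.

```python
import re
from typing import Iterable, Mapping, Optional, Tuple

# Constructed placeholders: the page does not give the filter's header name,
# config keys or defaults, so these values are hypothetical.
DEFAULT_HEADER = "X-XSRF-HEADER"
DEFAULT_IGNORED_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")
DEFAULT_BROWSER_AGENTS = r"^Mozilla.*|^Opera.*"


class CsrfFilter:
    """Decision logic for a header-based CSRF filter with a user-agent exemption.

    A cross-site HTML form cannot attach a custom header, and a cross-origin
    script is blocked by the browser unless the server explicitly allows it, so
    requiring the header on state-changing calls defeats CSRF. Non-browser
    clients are not CSRF vectors, so user agents matching the configured
    pattern are exempted; that keeps CLIs and curl working without the header.
    """

    def __init__(self, header: str = DEFAULT_HEADER,
                 ignored_methods: Iterable[str] = DEFAULT_IGNORED_METHODS,
                 browser_agents: str = DEFAULT_BROWSER_AGENTS) -> None:
        self.header = header.lower()
        self.ignored_methods = {m.upper() for m in ignored_methods}
        self.browser_agents = re.compile(browser_agents, re.IGNORECASE)

    def is_browser(self, user_agent: Optional[str]) -> bool:
        # A missing User-Agent is treated as a browser so the check fails closed.
        if user_agent is None:
            return True
        return self.browser_agents.match(user_agent) is not None

    def allow(self, method: str, headers: Mapping[str, str],
              user_agent: Optional[str]) -> Tuple[bool, str]:
        """Return (allowed, reason) for one request; header names are case-insensitive."""
        if method.upper() in self.ignored_methods:
            return True, "safe method, no header required"
        if not self.is_browser(user_agent):
            return True, "non-browser user agent exempted"
        if self.header in {k.lower() for k in headers}:
            return True, "CSRF header present"
        return False, "browser request without CSRF header rejected"
```

Widening `browser_agents` (or leaving it empty) is what turns the exemption off for a component that wants every client to send the header; the comment's point about defaults is exactly which pattern ships when a component does not set one.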