Wellington Chevreuil created HBASE-21275:
--------------------------------------------
Summary: Thrift Server (branch 1 fix) -> Disable TRACE HTTP method for thrift http server (branch 1 only)
Key: HBASE-21275
URL: https://issues.apache.org/jira/browse/HBASE-21275
Project: HBase
Issue Type: Bug
Components: Thrift
Reporter: Wellington Chevreuil
Assignee: Wellington Chevreuil
Fix For: 1.2.7
There's been a reasonable number of users running the thrift http server on hbase
1.x suffering from security audit tests pointing out that the thrift server allows TRACE
requests.

After doing some searching, I can see HBASE-20406 added restrictions for the
TRACE/OPTIONS methods when Thrift is running over http, but it relies on many
other commits applied to the thrift http server. This patch was later reverted from
master. Then again later, HBASE-20004 made TRACE/OPTIONS configurable via the
"*hbase.thrift.http.allow.options.method*" property, with both methods being
disabled by default. This also seems to rely on many changes applied to the thrift
http server, and a branch 1 compatible patch does not seem feasible.

A solution for branch 1 is pretty simple though. I am proposing a patch that
simply uses *WebAppContext*, instead of *Context*, as the context for the
*HttpServer* instance. *WebAppContext* will already restrict the TRACE method by
default.
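
The audit check behind this report, as an added example that is not part of HBASE-21275 or of the HBase code base: a Python probe that sends a TRACE request carrying a marker header and reports whether the server echoes it back, which is the behaviour the security scans flag. The two local handlers are constructed stand-ins, one for a server that still allows TRACE and one for a server whose deployment descriptor denies it (Jetty's webdefault.xml, which WebAppContext loads, carries a security constraint forbidding TRACE on every path); the header name X-Trace-Probe and the 403 status returned by the denying stand-in are assumptions made for the example.

```python
"""Probe an HTTP endpoint for an enabled TRACE method.

Added example for the HBASE-21275 discussion; not HBase or Jetty code.
A server that honours TRACE answers 200 and echoes the request (including
our marker header) in the body. A server that denies the method answers
with an error status (403 or 405 depending on the container); we treat
anything other than "200 plus reflected marker" as TRACE not allowed.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

MARKER_HEADER = "X-Trace-Probe"        # assumed name, any unusual header works
MARKER_VALUE = "hbase-21275-probe"


def probe_trace(host: str, port: int, path: str = "/", timeout: float = 5.0) -> dict:
    """Send one TRACE request and report status and whether the marker came back."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", path, headers={MARKER_HEADER: MARKER_VALUE})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1", errors="replace")
        status = resp.status
    finally:
        conn.close()
    reflected = MARKER_VALUE in body
    return {
        "status": status,
        "reflected": reflected,
        # Only a 200 that actually echoes the request counts as a finding.
        "trace_allowed": status == 200 and reflected,
    }


class EchoingTraceHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a server that allows TRACE: echoes the request."""

    def do_TRACE(self):
        request_line = f"{self.command} {self.path} {self.request_version}\r\n"
        header_lines = "".join(f"{k}: {v}\r\n" for k, v in self.headers.items())
        body = (request_line + header_lines).encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example's output quiet
        pass


class DenyingTraceHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a server whose security constraint forbids TRACE.

    The 403 is an assumption for this example; the probe accepts any non-200
    refusal as "not allowed".
    """

    def do_TRACE(self):
        self.send_response(403)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass


def serve_in_background(handler_cls):
    """Start a local HTTP server on an ephemeral port; return (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def demo() -> dict:
    """Run the probe against both constructed servers and return the results."""
    results = {}
    for name, handler in (("echoing", EchoingTraceHandler),
                          ("denying", DenyingTraceHandler)):
        server, port = serve_in_background(handler)
        try:
            results[name] = probe_trace("127.0.0.1", port)
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        verdict = "TRACE ALLOWED (finding)" if r["trace_allowed"] else "TRACE refused"
        print(f"{name:8s} -> HTTP {r['status']}, marker reflected={r['reflected']}: {verdict}")
```

Point `probe_trace` at a thrift http server's host and port to reproduce what the audit tools report; before the WebAppContext change the first branch of the verdict is expected, after it the second. Checking for the reflected marker rather than the status code alone avoids a false finding on servers that answer 200 to unknown methods without echoing anything.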
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)