[
https://issues.apache.org/jira/browse/STORM-749?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14393871#comment-14393871
]
ASF GitHub Bot commented on STORM-749:
--------------------------------------
GitHub user Parth-Brahmbhatt opened a pull request:
https://github.com/apache/storm/pull/502
STORM-749: Remove CSRF check.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/Parth-Brahmbhatt/incubator-storm STORM-749
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/storm/pull/502.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #502
----
commit bebf11a25c23f0aa65a3cf5dc74ef02bb5cafeb6
Author: Parth Brahmbhatt <[email protected]>
Date: 2015-04-03T01:13:18Z
STORM-749: Remove CSRF check.
----
> Remove CSRF check from rest API
> -------------------------------
>
> Key: STORM-749
> URL: https://issues.apache.org/jira/browse/STORM-749
> Project: Apache Storm
> Issue Type: Task
> Affects Versions: 0.9.3
> Reporter: Parth Brahmbhatt
> Assignee: Parth Brahmbhatt
> Fix For: 0.10.0
>
>
> I think we can safely get rid of the whole CSRF code. CSRF vulnerability is
> only exposed when websites use session based authentication. In our case we
> only use http authentication so we are not really vulnerable to CSRF attacks.
> Currently the CSRF check only hinders non browser clients.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
