Elek, Marton created ZEPPELIN-2468:
--------------------------------------
Summary: Enable websocket queries without Origin if zeppelin.server.allowed.origins is *
Key: ZEPPELIN-2468
URL: https://issues.apache.org/jira/browse/ZEPPELIN-2468
Project: Zeppelin
Issue Type: Bug
Affects Versions: 0.7.1
Reporter: Elek, Marton
Assignee: Elek, Marton
With ZEPPELIN-2288 we restored the check of the Origin field for websocket
requests.
Unfortunately, the current implementation will deny the request if the Origin
HTTP header is empty, even if zeppelin.server.allowed.origins is *.
{code}
public static Boolean isValidOrigin(String sourceHost, ZeppelinConfiguration conf)
    throws UnknownHostException, URISyntaxException {
  if (sourceHost == null || sourceHost.isEmpty()) {
    return false;
  }
  String sourceUriHost = new URI(sourceHost).getHost();
  sourceUriHost = (sourceUriHost == null) ? "" : sourceUriHost.toLowerCase();
  sourceUriHost = sourceUriHost.toLowerCase();
  String currentHost = InetAddress.getLocalHost().getHostName().toLowerCase();
  return conf.getAllowedOrigins().contains("*") ||
      currentHost.equals(sourceUriHost) ||
      "localhost".equals(sourceUriHost) ||
      conf.getAllowedOrigins().contains(sourceHost);
}
{code}
It could be a problem behind a reverse proxy which does not forward the Origin
header (for example, currently it can't work with Apache Knox).
My suggestion is to accept the request if
1. the zeppelin.server.allowed.origins = *
AND
2. the Origin header is missing.
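One way to implement the suggested rule, as an added example that is not the Zeppelin patch or code from this issue: a missing or empty Origin is accepted only when the allowed-origins list contains `*`. The `allowedOrigins` and `currentHost` parameters are assumptions standing in for `conf.getAllowedOrigins()` and the local host name; the class name and sample origins are constructed, and unlike the code above this sketch returns false on an unparseable Origin instead of throwing.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.List;

public class OriginCheckExample {
  // Hypothetical signature: allowedOrigins replaces conf.getAllowedOrigins(),
  // currentHost replaces InetAddress.getLocalHost().getHostName().
  static boolean isValidOrigin(String origin, List<String> allowedOrigins, String currentHost) {
    boolean wildcard = allowedOrigins.contains("*");
    if (origin == null || origin.isEmpty()) {
      // Missing Origin (e.g. stripped by a reverse proxy): accept only when
      // every origin is allowed anyway, so nothing extra is opened up.
      return wildcard;
    }
    if (wildcard) {
      return true;
    }
    String host;
    try {
      host = new URI(origin).getHost();
    } catch (URISyntaxException e) {
      return false; // unparseable Origin is rejected
    }
    host = (host == null) ? "" : host.toLowerCase();
    return currentHost.toLowerCase().equals(host)
        || "localhost".equals(host)
        || allowedOrigins.contains(origin);
  }

  static void check(boolean actual, boolean expected) {
    if (actual != expected) throw new AssertionError("unexpected origin decision");
  }

  public static void main(String[] args) {
    List<String> any = Arrays.asList("*");
    List<String> strict = Arrays.asList("http://zeppelin.example.com");
    String self = "zeppelin-host"; // constructed host name
    check(isValidOrigin(null, any, self), true);     // no Origin, wildcard configured
    check(isValidOrigin("", any, self), true);       // empty Origin, wildcard configured
    check(isValidOrigin(null, strict, self), false); // no Origin, restrictive list
    check(isValidOrigin("http://zeppelin.example.com", strict, self), true);
    check(isValidOrigin("http://other.example.net", strict, self), false);
    check(isValidOrigin("http://bad host", strict, self), false); // invalid URI
    System.out.println("all origin decisions as expected");
  }
}
```

With a restrictive list the missing-Origin case is still rejected, so the check keeps its value against cross-site requests from browsers, which always send Origin on a WebSocket handshake.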