GitHub user djoelz opened a pull request:
https://github.com/apache/incubator-zeppelin/pull/183
ZEPPELIN-173: Zeppelin websocket server is vulnerable to Cross-Site
WebSocket Hijacking
Fixing the socket cross-origin vulnerability as described in the Jira.
Overwrote the checkOrigin in the WebSocketServlet class implemented by
NotebookServer so that a list of all seen socket Get requests are kept and only
Upgrade requests from the same origin will be accepted. Otherwise unauthorized
will be returned.
Included basic unit tests.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/djoelz/incubator-zeppelin master
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/incubator-zeppelin/pull/183.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #183
----
commit 038cdb1b09d89c4b7b9ce206d6b3613d0475c276
Author: joelz <joelz@joelzlinux.(none)>
Date: 2015-08-06T22:15:21Z
Fix to websocket origin bug
commit 86619a485fc41d095521e170104168ba92e05e9f
Author: joelz <[email protected]>
Date: 2015-08-06T22:23:51Z
Fixing websocket issue
----
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [email protected] or file a JIRA ticket
with INFRA.
---
