GitHub user djoelz opened a pull request:
https://github.com/apache/incubator-zeppelin/pull/205
Fixing issue with ZEPPELIN-173: Zeppelin websocket server is vulnerabâ¦
Fixing the socket cross-origin vulnerability as described in the Jira.
Overwrote the checkOrigin in the WebSocketServlet class implemented by
NotebookServer so that a list of all seen socket Get requests are kept and only
Upgrade requests from the same origin will be accepted. Otherwise unauthorized
will be returned.
Included basic unit tests.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/djoelz/incubator-zeppelin master
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/incubator-zeppelin/pull/205.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #205
----
commit ea54b55bfadf6a1ab777866c2e1d03979dc049d6
Author: joelz <djo...@gmail.com>
Date: 2015-08-12T19:16:29Z
Fixing issue with ZEPPELIN-173: Zeppelin websocket server is vulnerable to
Cross-Site WebSocket Hijacking
----
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---
