[PR] HIVE-28653: Jetty version disclosure in Hive [hive]

Mon, 05 May 2025 05:42:32 -0700 


kasakrisz opened a new pull request, #5800:
URL: https://github.com/apache/hive/pull/5800

   <!--
   Thanks for sending a pull request!  Here are some tips for you:
     1. If this is your first time, please read our contributor guidelines: 
https://cwiki.apache.org/confluence/display/Hive/HowToContribute
     2. Ensure that you have created an issue on the Hive project JIRA: 
https://issues.apache.org/jira/projects/HIVE/summary
     3. Ensure you have added or run the appropriate tests for your PR: 
     4. If the PR is unfinished, add '[WIP]' in your PR title, e.g., 
'[WIP]HIVE-XXXXX:  Your PR title ...'.
     5. Be sure to keep the PR description updated to reflect all changes.
     6. Please write your PR title to summarize what this PR proposes.
     7. If possible, provide a concise example to reproduce the issue for a 
faster review.
   
   -->
   
   ### What changes were proposed in this pull request?
   Disable send server version and `x-powered-by` properties when configuring 
Jetty.
   
   ### Why are the changes needed?
   Exposing the Jetty version in the header is considered a security issue.
   
   ### Does this PR introduce _any_ user-facing change?
   No.
   
   ### How was this patch tested?
   Set `hive.in.test` to `false` in `/data/conf/tez/hive-site.xml` temporary 
and run
   ```
   mvn test -Dtest=StartMiniHS2Cluster -DminiHS2.clusterType=Tez 
-DminiHS2.run=true -DminiHS2.usePortsFromConf=true 
-DminiHS2.conf="target/testconf/tez/hive-site.xml" 
-Dpackaging.minimizeJar=false -T 1C -DskipShade -Dremoteresources.skip=true 
-Dmaven.javadoc.skip=true -Denforcer.skip=true -pl itests/hive-unit -Pitests
   ```
   then open a browser and go to the page: 
   ```
   localhost:10002
   ```
   and inspect the Http response headers using the browsers inspect function. 
It should not contain properties `Server` and `x-powered-by`
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: gitbox-unsubscr...@hive.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: gitbox-unsubscr...@hive.apache.org
For additional commands, e-mail: gitbox-h...@hive.apache.org

Reply via email to