[ https://issues.apache.org/jira/browse/DRILL-7351?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16908992#comment-16908992 ]

Anton Gozhiy commented on DRILL-7351:
-------------------------------------

[~perialdon], there is a common agreement about what a bug report should 
contain:
- [optional] Initial conditions
- Steps to reproduce
- Expected results
- Actual results
- Logs, screenshots and any additional info that would help to track it down

From your message it is not clear what the problem exactly is and what use 
cases it can affect.

> WebUI is Vulnerable to CSRF
> ---------------------------
>
>                 Key: DRILL-7351
>                 URL: https://issues.apache.org/jira/browse/DRILL-7351
>             Project: Apache Drill
>          Issue Type: Bug
>          Components: Web Server
>    Affects Versions: 1.16.0
>            Reporter: Don Perial
>            Priority: Major
>         Attachments: drill-csrf.html
>
>
> There is no way to protect the WebUI from CSRF and the fact that the value 
> for the access-control-allow-origin header is '*' appears to confound this 
> issue as well.
> The attached file demonstrates the vulnerability.
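The quoted report names two things a defender checks on a cookie-authenticated web UI: that state-changing requests are bound to the user's own page (CSRF), and that CORS does not hand cross-origin pages more than they should get. The following is an added example written for this page, not code from Apache Drill or from the attached drill-csrf.html; the `TRUSTED_ORIGINS` set, the request dictionary shape and the sample requests are constructed assumptions. It shows the usual layered check (safe-method exemption, Origin/Referer allow-list, per-session synchronizer token compared in constant time) and a CORS helper that echoes only allow-listed origins instead of `*`.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed deployment-specific allow-list: the origins the UI is legitimately served from.
TRUSTED_ORIGINS = {"http://drill.example.internal:8047"}
# Methods that must not change state and therefore need no CSRF binding.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_token():
    """Per-session secret: stored server-side and embedded in every form the UI renders."""
    return secrets.token_urlsafe(32)


def origin_of(request):
    """Derive the requesting origin: prefer Origin, fall back to the Referer's scheme://host[:port]."""
    headers = request["headers"]
    if headers.get("Origin"):
        return headers["Origin"]
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def csrf_check(request, session_token):
    """Return (allowed, reason) for a request dict with 'method', 'headers' and 'form' keys."""
    if request["method"].upper() in SAFE_METHODS:
        return True, "safe method"
    origin = origin_of(request)
    if origin is None:
        # Browsers always send Origin on cross-site POSTs; its absence is treated as untrusted.
        return False, "no Origin/Referer on state-changing request"
    if origin not in TRUSTED_ORIGINS:
        return False, f"untrusted origin {origin}"
    submitted = request["form"].get("csrf_token", "")
    # Constant-time comparison so token checking does not leak by timing.
    if not hmac.compare_digest(submitted, session_token):
        return False, "missing or mismatched CSRF token"
    return True, "ok"


def cors_headers(request_origin):
    """Reflect only allow-listed origins; never emit '*' for a UI that authenticates with cookies."""
    if request_origin in TRUSTED_ORIGINS:
        return {"Access-Control-Allow-Origin": request_origin, "Vary": "Origin"}
    return {}


if __name__ == "__main__":
    token = issue_token()
    # Constructed sample requests: a cross-site form post and a legitimate UI submission.
    cross_site = {"method": "POST",
                  "headers": {"Origin": "http://attacker.example"},
                  "form": {"query": "DROP TABLE t"}}
    from_ui = {"method": "POST",
               "headers": {"Referer": "http://drill.example.internal:8047/query"},
               "form": {"query": "SELECT 1", "csrf_token": token}}
    for name, req in (("cross-site", cross_site), ("from UI", from_ui)):
        print(name, csrf_check(req, token))
    print(cors_headers("http://attacker.example"), cors_headers("http://drill.example.internal:8047"))
```

The Origin/Referer check alone stops the plain cross-site form post the report describes; the token closes the gap for clients that strip those headers, and the CORS helper keeps cross-origin reads from ever being granted to arbitrary pages.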



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)