[ https://issues.apache.org/jira/browse/HBASE-21275?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Wellington Chevreuil updated HBASE-21275:
-----------------------------------------
    Status: Patch Available  (was: Open)

> Thrift Server (branch 1 fix) -> Disable TRACE HTTP method for thrift http server (branch 1 only)
> ------------------------------------------------------------------------------------------------
>
>                 Key: HBASE-21275
>                 URL: https://issues.apache.org/jira/browse/HBASE-21275
>             Project: HBase
>          Issue Type: Bug
>          Components: Thrift
>            Reporter: Wellington Chevreuil
>            Assignee: Wellington Chevreuil
>            Priority: Minor
>             Fix For: 1.2.7, 1.4.8
>
>         Attachments: HBASE-21275-branch-1.2.001.patch
>
>
> There has been a reasonable number of users running the thrift http server on hbase 1.x suffering from security audit tests pointing out that the thrift server allows TRACE requests.
>
> After doing some searching, I can see HBASE-20406 added restrictions for the TRACE/OPTIONS methods when Thrift is running over http, but it relies on many other commits applied to the thrift http server. This patch was later reverted from master. Then, later again, HBASE-20004 made TRACE/OPTIONS configurable via the "*hbase.thrift.http.allow.options.method*" property, with both methods being disabled by default. This also seems to rely on many changes applied to the thrift http server, and a branch 1 compatible patch does not seem feasible.
>
> A solution for branch 1 is pretty simple though. I am proposing a patch that simply uses *WebAppContext*, instead of *Context*, as the context for the *HttpServer* instance. *WebAppContext* will already restrict TRACE methods by default.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
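The check that the "security audit tests" in the description perform, written out as an added example; this is not HBase, Thrift or Jetty code and is not part of the issue or the attached patch. It sends a TRACE request carrying a marker header and treats the endpoint as allowing TRACE only if the reply is a 200 that reflects that header back (a 403 from Jetty's security constraint, a 405 or a 501 all count as refused). The two handler classes are constructed local stand-ins for the before and after state, not the Thrift server's *Context* or *WebAppContext*; pointing `audit_trace()` at the host and port of a real Thrift HTTP server reproduces the audit.

```python
"""
Audit whether an HTTP endpoint honours the TRACE method.

Added example for HBASE-21275; this is not HBase, Thrift or Jetty code. The
two handler classes are constructed stand-ins: one reflects TRACE the way an
unrestricted server does, the other has no TRACE handler and so refuses it.
"""
import argparse
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

MARKER = "X-Audit-Marker"          # header the probe sends and then looks for in the reply
MARKER_VALUE = "hbase-21275-check"


class TraceReflectingHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a server that still allows TRACE: it echoes the request."""

    def do_TRACE(self):
        body = (self.requestline + "\r\n").encode()
        for name, value in self.headers.items():
            body += f"{name}: {value}\r\n".encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass


class TraceRefusingHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a hardened server: no do_TRACE, so the base class answers 501."""

    def log_message(self, *args):
        pass


def trace_status(host, port, timeout=5.0):
    """Send one TRACE request; return (status_code, reflected), where reflected is
    True when the marker header we sent comes back in the response body."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers={MARKER: MARKER_VALUE})
        resp = conn.getresponse()
        body = resp.read()
        return resp.status, MARKER.encode() in body
    finally:
        conn.close()


def audit_trace(host, port):
    """Classify the endpoint. Only a 200 that reflects our header counts as ALLOWED;
    403 (servlet security constraint), 405 and 501 all mean the method is refused."""
    status, reflected = trace_status(host, port)
    return "ALLOWED" if status == 200 and reflected else "DISABLED"


def start_server(handler_cls):
    """Start a local HTTPServer on an ephemeral port in a daemon thread; return (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def stop_server(server):
    server.shutdown()
    server.server_close()


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="TRACE audit in the style of HBASE-21275")
    parser.add_argument("--host", help="Thrift HTTP server host (omit to run the local demo)")
    parser.add_argument("--port", type=int, help="Thrift HTTP server port")
    args = parser.parse_args()
    if args.host and args.port:
        print(f"{args.host}:{args.port} TRACE {audit_trace(args.host, args.port)}")
    else:
        # No target given: demonstrate against the two constructed local servers.
        for name, handler in (("reflecting", TraceReflectingHandler),
                              ("refusing", TraceRefusingHandler)):
            srv, port = start_server(handler)
            print(f"{name} server on :{port} -> TRACE {audit_trace('127.0.0.1', port)}")
            stop_server(srv)
```

Run it with no arguments for the local demonstration, or with `--host` and `--port` against a deployed Thrift HTTP server. The reflection test matters more than the status code alone: a reverse proxy or load balancer in front of the server may answer TRACE itself, so an audit that only looks at the status can misattribute the result to HBase.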