[ 
https://issues.apache.org/jira/browse/HBASE-21275?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16644813#comment-16644813
 ] 

Wellington Chevreuil commented on HBASE-21275:
----------------------------------------------

I suppose you are talking about the thrift server itself (default port 9090), 
not the info server (default port 9095). For 9090, this is not an issue, as we map 
all http paths to be handled by ThriftHttpServlet only.

{noformat}
...
    String httpPath = "/*";
    httpServer.setHandler(context);
    context.addServlet(new ServletHolder(thriftHttpServlet), httpPath);
...
{noformat}

But just to be sure, I tried accessing http://thrift_host:9090/logLevel, and got an 
error, so I guess this should be OK.

On the checkstyle issue, I'm not sure why I keep getting that; I had already 
imported hbase_eclipse_formatter.xml into my IntelliJ as instructed 
[here|https://hbase.apache.org/book.html#eclipse.code.formatting]. 
Nevertheless, attaching a new patch version with that fixed.

> Thrift Server (branch 1 fix) -> Disable TRACE HTTP method for thrift http 
> server (branch 1 only)
> ------------------------------------------------------------------------------------------------
>
>                 Key: HBASE-21275
>                 URL: https://issues.apache.org/jira/browse/HBASE-21275
>             Project: HBase
>          Issue Type: Bug
>          Components: Thrift
>            Reporter: Wellington Chevreuil
>            Assignee: Wellington Chevreuil
>            Priority: Minor
>             Fix For: 1.4.8, 1.2.7
>
>         Attachments: HBASE-21275-branch-1.2.001.patch, 
> HBASE-21275-branch-1.2.002.patch, HBASE-21275-branch-1.2.003.patch
>
>
> There's been a reasonable number of users running the thrift http server on hbase 
> 1.x suffering from security audit tests pointing out that the thrift server allows 
> TRACE requests.
> After doing some search, I can see HBASE-20406 added restrictions for 
> TRACE/OPTIONS method when Thrift is running over http, but it relies on many 
> other commits applied to thrift http server. This patch was later reverted 
> from master. Then again later, HBASE-20004 had made TRACE/OPTIONS 
> configurable via "*hbase.thrift.http.allow.options.method*" property, with 
> both methods being disabled by default. This also seems to rely on many 
> changes applied to thrift http server, and a branch 1 compatible patch does 
> not seem feasible.
> A solution for branch 1 is pretty simple though; I am proposing a patch that 
> simply uses *WebAppContext*, instead of *Context*, as the context for the 
> *HttpServer* instance. *WebAppContext* will already restrict TRACE methods by 
> default.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

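The behaviour the audit tests above complain about, and the check that confirms a fix, as an added example that is not part of the JIRA thread and not HBase or Jetty code. HBase's Thrift HTTP server is Jetty in Java; the Python stdlib server below is a language-neutral stand-in that shows the two states side by side: a permissive handler that answers TRACE by reflecting the request (what scanners flag, since reflected headers are the basis of cross-site tracing), and a hardened one that returns 405 for TRACE and OPTIONS. The handler classes, the loopback port and the audit() probe are all constructed for this illustration; the real check against a Thrift server is `curl -i -X TRACE http://thrift_host:9090/`, where anything other than a 200 echo of your own request line and headers means TRACE is disabled.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class PermissiveHandler(BaseHTTPRequestHandler):
    """'Before' picture (constructed): a servlet-style endpoint that answers
    TRACE by echoing the request back, the behaviour audit scanners flag."""

    def log_message(self, fmt, *args):  # keep the demo quiet on stderr
        pass

    def _reply(self, status, body, content_type="text/plain"):
        self.send_response(status)
        self.send_header("Content-Type", content_type)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        self._reply(200, b"thrift-like endpoint\n")

    def do_TRACE(self):
        # TRACE semantics: reflect the request line and headers to the caller.
        echoed = (self.requestline + "\r\n" + str(self.headers)).encode()
        self._reply(200, echoed, "message/http")


class HardenedHandler(PermissiveHandler):
    """'After' picture (constructed): same endpoint, but TRACE and OPTIONS are
    refused with 405 and an Allow header listing what is really served."""

    def _refuse(self):
        self.send_response(405)
        self.send_header("Allow", "GET, POST")
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_TRACE = _refuse
    do_OPTIONS = _refuse


def start_server(handler_cls):
    """Bind an ephemeral loopback port and serve from a daemon thread."""
    server = HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def probe(port, method, path="/"):
    """The audit check itself: send one request, return (status, body)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request(method, path)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def audit(handler_cls, methods=("GET", "TRACE", "OPTIONS")):
    """Probe each method against a fresh server; map method -> status code."""
    server, port = start_server(handler_cls)
    try:
        return {m: probe(port, m)[0] for m in methods}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for cls in (PermissiveHandler, HardenedHandler):
        print(cls.__name__, audit(cls))
```

Note that the permissive server answers OPTIONS with 501 simply because no handler exists for it; that is not the same as deliberately refusing the method, and a scanner that only inspects TRACE would still pass it. The hardened handler makes both decisions explicit, which is the property to verify against the Thrift port after applying the branch-1 patch.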