[ https://issues.apache.org/jira/browse/HBASE-27812?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17725099#comment-17725099 ]

Hudson commented on HBASE-27812:
--------------------------------

Results for branch master
        [build #845 on builds.a.o|https://ci-hbase.apache.org/job/HBase%20Nightly/job/master/845/]: (x) *{color:red}-1 overall{color}*
----
details (if available):

(/) {color:green}+1 general checks{color}
-- For more information [see general report|https://ci-hbase.apache.org/job/HBase%20Nightly/job/master/845/General_20Nightly_20Build_20Report/]

(/) {color:green}+1 jdk8 hadoop3 checks{color}
-- For more information [see jdk8 (hadoop3) report|https://ci-hbase.apache.org/job/HBase%20Nightly/job/master/845/JDK8_20Nightly_20Build_20Report_20_28Hadoop3_29/]


(x) {color:red}-1 jdk11 hadoop3 checks{color}
-- For more information [see jdk11 report|https://ci-hbase.apache.org/job/HBase%20Nightly/job/master/845/JDK11_20Nightly_20Build_20Report_20_28Hadoop3_29/]


(/) {color:green}+1 source release artifact{color}
-- See build output for details.


(/) {color:green}+1 client integration test{color}


> Provide option in HBase UI to disable stack trace for security
> --------------------------------------------------------------
>
>                 Key: HBASE-27812
>                 URL: https://issues.apache.org/jira/browse/HBASE-27812
>             Project: HBase
>          Issue Type: Improvement
>          Components: UI
>            Reporter: Yash Dodeja
>            Assignee: Yash Dodeja
>            Priority: Minor
>             Fix For: 2.6.0, 3.0.0-alpha-4
>
>
> Uncaught server exceptions occur when providing parameter values that the 
> server or servlet does not understand.
> Physical paths, versioning information, stack traces' content, and other data 
> can be gathered and used to help further an attack when improper error 
> handling is present.
> Applications should always fail safe in their designs. If an application 
> fails to an unknown state, it is likely that an attacker may be able to 
> exploit this indeterminate state to access unauthorized functionality, or 
> worse, create, modify or destroy data. Error messages may also aid in the 
> identification of other attacks such as buffer overflows and SQL injection, 
> and can generally contribute to an overall weaker security posture.
> For example, if we use an HTTPS web server and explicitly provide a Host header 
> with a wrong value, say attackers.com, we get the following response in the UI:
> {code:java}
> <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/>
> <title>Error 400 Host does not match SNI</title>
> </head>
> <body><h2>HTTP ERROR 400 Host does not match SNI</h2>
> <table>
> <tr><th>URI:</th><td>/tablesDetailed.jsp</td></tr>
> <tr><th>STATUS:</th><td>400</td></tr>
> <tr><th>MESSAGE:</th><td>Host does not match SNI</td></tr>
> <tr><th>SERVLET:</th><td>-</td></tr>
> <tr><th>CAUSED BY:</th><td>org.apache.hbase.thirdparty.org.eclipse.jetty.http.BadMessageException: 400: Host does not match SNI</td></tr>
> </table>
> <h3>Caused by:</h3><pre>org.apache.hbase.thirdparty.org.eclipse.jetty.http.BadMessageException: 400: Host does not match SNI
>    at org.apache.hbase.thirdparty.org.eclipse.jetty.server.SecureRequestCustomizer.customize(SecureRequestCustomizer.java:279)
>    at org.apache.hbase.thirdparty.org.eclipse.jetty.server.SecureRequestCustomizer.customize(SecureRequestCustomizer.java:210)
>    at org.apache.hbase.thirdparty.org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:483)
>    at org.apache.hbase.thirdparty.org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:732)
>    at org.apache.hbase.thirdparty.org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:479)
>    at org.apache.hbase.thirdparty.org.eclipse.jetty.server.HttpChannel.run(HttpChannel.java:439)
>    at org.apache.hbase.thirdparty.org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883)
>    at org.apache.hbase.thirdparty.org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034)
>    at java.lang.Thread.run(Thread.java:750)
> </pre>
> </body>
> </html> {code}
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
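
A regression check for the leak described in the quoted issue, added here as an example (it is not part of the issue, the HBase change, or the build report): it scans an HTTP error body for Java stack frames, source file names and fully qualified exception classes. The function name `audit_error_body` and both sample bodies are assumptions; `VERBOSE` is abridged from the response quoted above and `HARDENED` is a constructed guess at a response with stack traces disabled.

```python
import html
import re

# Java stack frame: "at pkg.Class.method(File.java:123)".
# '$' covers inner classes and lambdas, '<>' covers <init>/<clinit>.
FRAME_RE = re.compile(r"\bat\s+([\w.$<>]+)\(([\w$]+\.java):(\d+)\)")
# Fully qualified exception or error class, e.g. "a.b.BadMessageException".
EXC_RE = re.compile(r"\b((?:[a-z_]\w*\.)+[A-Z]\w*(?:Exception|Error))\b")

# Constructed sample: abridged from the error page quoted in the issue.
VERBOSE = """<html><body><h2>HTTP ERROR 400 Host does not match SNI</h2>
<h3>Caused by:</h3><pre>org.apache.hbase.thirdparty.org.eclipse.jetty.http.BadMessageException: 400: Host does not match SNI
   at org.apache.hbase.thirdparty.org.eclipse.jetty.server.SecureRequestCustomizer.customize(SecureRequestCustomizer.java:279)
   at org.apache.hbase.thirdparty.org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:479)
   at java.lang.Thread.run(Thread.java:750)
</pre></body></html>"""

# Constructed sample: assumed shape of the same error with stack traces off.
HARDENED = """<html><body><h2>HTTP ERROR 400 Host does not match SNI</h2>
<table><tr><th>URI:</th><td>/tablesDetailed.jsp</td></tr>
<tr><th>STATUS:</th><td>400</td></tr></table></body></html>"""


def audit_error_body(body: str) -> dict:
    """Report internal details that an HTTP error page exposes to the client."""
    # Drop markup first, then decode entities so "&lt;init&gt;" frames still match.
    text = html.unescape(re.sub(r"<[^>]+>", " ", body))
    frames = FRAME_RE.findall(text)
    exceptions = sorted(set(EXC_RE.findall(text)))
    return {
        "stack_frames": len(frames),
        "source_files": sorted({source for _, source, _ in frames}),
        "exception_classes": exceptions,
        "leaks": bool(frames or exceptions),
    }


if __name__ == "__main__":
    for name, body in (("verbose", VERBOSE), ("hardened", HARDENED)):
        print(name, audit_error_body(body))
```
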
