NihalJain commented on PR #5586:
URL: https://github.com/apache/hbase/pull/5586#issuecomment-1858935387

   Changing the property name to `org.eclipse.jetty.servlet.Default.aliases` 
does not solve the problem.
   
   Upon investigating, I found that in 
[Jetty#ContextHandler](https://github.com/jetty/jetty.project/blob/d49f298c7f5361161cd71264aabd50dbfc8e4c59/jetty-server/src/main/java/org/eclipse/jetty/server/handler/ContextHandler.java),
 `SymlinkAllowedResourceAliasChecker` is added by default, irrespective of 
whether `hbase.jetty.logs.serve.aliases` is set to true or false, always 
allowing aliases for /logs. Hence the issue is revealed only if the value is 
set to `false`. See 
[serving-aliased-files](https://github.com/jetty/jetty.project/blob/jetty-9.4.53.v20231009/jetty-documentation/src/main/asciidoc/configuring/security/serving-aliased-files.adoc)
 for how this feature works.
   
   
   Based on the docs, I have created a patch with a fix.
   To test the fix, the following steps were followed:
   
   1. Disallowed flow
   - Build code with `assembly:single`
   - Untar the tarball
   - Configure `hbase.jetty.logs.serve.aliases` to `false` and start hbase in 
local mode
       ```
       <property>
       <name>hbase.jetty.logs.serve.aliases</name>
       <value>false</value>
       </property>
       ``` 
   - Go to the logs directory and run the following:
     - `touch /tmp/test.txt`
     - `ln -s /tmp/test.txt test.txt`
   - Go to `http://localhost:16010/logs/test.txt` and a 404 error should be 
returned. See <img width="556" alt="Screenshot 2023-12-17 at 2 50 45 AM" 
src="https://github.com/apache/hbase/assets/3429351/12ad9b92-3808-40b0-a9b3-d135ce156623">
   
   2. Allowed flow, which is the current default behavior and works even without 
the patch
   - Repeat the above steps with `hbase.jetty.logs.serve.aliases` set to `true`, 
or just remove it.
   - We should be able to access the symlinked file test.txt
   
   CC: @Apache9 

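The two flows above, modelled as an added Python example that is not code from the HBase PR or from Jetty: a minimal resolver for a `/logs/` request that applies the containment check a servlet must always do, and then the alias check that the `hbase.jetty.logs.serve.aliases` toggle governs. The function names, the constructed temp-directory tree standing in for the real logs directory, and the reading of `false` as "refuse any resource whose canonical path differs from the requested path" are assumptions of this illustration; Jetty's `SymlinkAllowedResourceAliasChecker` applies its own rules.

```python
import os
import tempfile


def resolve_log_path(logs_dir, request_path, serve_aliases):
    """Map a request under /logs/ to a file to serve, or return None (404).

    logs_dir      - directory the /logs/ servlet serves from
    request_path  - the part of the URL after /logs (e.g. "/test.txt")
    serve_aliases - the hbase.jetty.logs.serve.aliases toggle (assumed
                    semantics: False refuses any resource whose canonical
                    location differs from its requested location, which is
                    exactly what a symlink in the logs directory produces)
    """
    base = os.path.realpath(logs_dir)
    candidate = os.path.normpath(os.path.join(base, request_path.lstrip("/")))

    # Lexical containment: ".." segments must not escape the logs directory.
    # This is independent of the aliases toggle; traversal is never served.
    if candidate != base and not candidate.startswith(base + os.sep):
        return None

    # Must exist and be a regular file (isfile follows symlinks).
    if not os.path.isfile(candidate):
        return None

    # Alias check: the resource is an alias when its canonical path differs
    # from the path it was requested by. For a symlink inside logs/ that
    # points elsewhere, the canonical path is the link target.
    real = os.path.realpath(candidate)
    if real != candidate and not serve_aliases:
        return None
    return real


def build_fixture():
    """Constructed sample tree (not taken from the PR): <root>/logs holding a
    regular log file and a symlink test.txt -> <root>/tmp/test.txt, i.e. a
    link whose target lies outside the logs directory."""
    root = tempfile.mkdtemp(prefix="hbase-logs-demo-")
    logs = os.path.join(root, "logs")
    outside = os.path.join(root, "tmp")
    os.makedirs(logs)
    os.makedirs(outside)
    with open(os.path.join(logs, "hbase.log"), "w") as f:
        f.write("regular log line\n")
    target = os.path.join(outside, "test.txt")
    with open(target, "w") as f:
        f.write("file outside the logs directory\n")
    os.symlink(target, os.path.join(logs, "test.txt"))
    return logs


def demo():
    """Run both flows from the PR comment against the fixture."""
    logs = build_fixture()
    return {
        # a regular log file is served whatever the toggle says
        "regular_disallowed": resolve_log_path(logs, "/hbase.log", False) is not None,
        # disallowed flow: symlink with serve.aliases=false -> 404
        "symlink_disallowed": resolve_log_path(logs, "/test.txt", False) is None,
        # allowed flow: symlink with serve.aliases=true -> served
        "symlink_allowed": resolve_log_path(logs, "/test.txt", True) is not None,
        # traversal is refused regardless of the toggle
        "traversal_refused": resolve_log_path(logs, "/../tmp/test.txt", True) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The containment check and the alias check are deliberately separate: disabling alias serving is not what stops `..` traversal, and allowing aliases must not silently allow traversal either. That separation is the property to verify after any change to the Jetty alias-checker configuration.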

-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
