[ https://issues.apache.org/jira/browse/MESOS-5346?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15814329#comment-15814329 ]
UENISHI Kota commented on MESOS-5346:
-------------------------------------
I'd like to note here that an endpoint {{/files/download}} also has weird
behavior where agents respond with the full body to any method like {{POST}},
{{DELETE}} or even {{HEAD}}. Also, under a {{GET}} request, recognizing the
{{Range}} header to enable smarter download of file contents in a sandbox would
be very nice.
I consider this important because there may be a case where the size of files
ranges up to ~10GB. Although necessary files or files larger than that should
be saved to more reliable storage like HDFS or S3, depending on the result of a
task, files remaining in the sandbox would sometimes be downloaded. Nobody
expects the full 10GB body of a file when just HEADing it.
> Some endpoints do not specify their allowed request methods.
> ------------------------------------------------------------
>
> Key: MESOS-5346
> URL: https://issues.apache.org/jira/browse/MESOS-5346
> Project: Mesos
> Issue Type: Bug
> Components: security, technical debt
> Reporter: Jan Schlicht
> Labels: http, mesosphere, security, tech-debt
>
> Some HTTP endpoints (for example "/flags" or "/state") create a response
> regardless of what the request method is. For example an HTTP POST to the
> "/state" endpoint will create the same response as an HTTP GET.
> While this inconsistency isn't harmful at the moment, it will get problematic
> when authorization is implemented, using separate ACLs for endpoints that can
> be GETed and endpoints that can be POSTed to.
> Validation of the request method should be added to all endpoints, e.g.
> "/state" should return a 405 (Method Not Allowed) when POSTed to.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
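The behaviour the thread asks for, as an added illustration that is not Mesos or libprocess code: a small dispatcher for a download-style endpoint that answers 405 with an Allow header for unsupported methods, answers HEAD with the same headers as GET but no body, and honours a single-part Range header with 206 Partial Content (or 416 when the range is unsatisfiable). The target path and the sandbox file contents are constructed for the example.

```python
import re

# Constructed stand-in for a file in a task sandbox (not real Mesos data).
SANDBOX_FILES = {"/files/download?path=stdout": b"line one\nline two\nline three\n"}

ALLOWED = ("GET", "HEAD")
RANGE_RE = re.compile(r"^bytes=(\d*)-(\d*)$")


def parse_range(value, size):
    """Return an inclusive (start, end) for a single-part byte range, or None
    if the header is malformed or unsatisfiable for a body of `size` bytes."""
    m = RANGE_RE.match(value or "")
    if not m or not (m.group(1) or m.group(2)):
        return None
    if m.group(1):
        start = int(m.group(1))
        end = int(m.group(2)) if m.group(2) else size - 1
    else:  # suffix range "bytes=-N": the last N bytes
        n = int(m.group(2))
        start, end = max(size - n, 0), size - 1
    if start >= size or start > end:
        return None
    return start, min(end, size - 1)


def handle(method, target, headers=None):
    """Return (status, headers, body) for one request against the endpoint."""
    headers = headers or {}
    if method not in ALLOWED:
        # What the issue asks for: refuse instead of answering every method.
        return 405, {"Allow": ", ".join(ALLOWED)}, b""
    data = SANDBOX_FILES.get(target)
    if data is None:
        return 404, {}, b""
    resp = {"Accept-Ranges": "bytes", "Content-Length": str(len(data))}
    status, body = 200, data
    if "Range" in headers:
        rng = parse_range(headers["Range"], len(data))
        if rng is None:
            return 416, {"Content-Range": f"bytes */{len(data)}"}, b""
        start, end = rng
        body, status = data[start:end + 1], 206
        resp["Content-Range"] = f"bytes {start}-{end}/{len(data)}"
        resp["Content-Length"] = str(len(body))
    if method == "HEAD":
        body = b""  # identical headers to GET, but never the body
    return status, resp, body
```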