[ https://issues.apache.org/jira/browse/MESOS-8182?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Benjamin Mahler updated MESOS-8182:
-----------------------------------
    Component/s:     (was: webui)
                     libprocess
                     HTTP API

> Mesos endpoint handler allows for non-existent paths to resolve
> ---------------------------------------------------------------
>
>                 Key: MESOS-8182
>                 URL: https://issues.apache.org/jira/browse/MESOS-8182
>             Project: Mesos
>          Issue Type: Bug
>          Components: HTTP API, libprocess
>    Affects Versions: 1.3.1, 1.4.0
>            Reporter: Andrew Shahan
>            Priority: Minor
>
> I stumbled on something interesting and I want to make sure there is not a
> security implication. I can append anything to `/mesos/*/` endpoints and
> still have them resolve. The Mesos team suggested that this is something that
> should be addressed.
>
> To reproduce:
> 1. Spin up a Mesos cluster; any environment is fine as this is a web UI issue.
> 2. Append `/mesos/slaves/<any string you want including /, and .>` to your
>    Mesos master's address in the browser and it still resolves `/mesos/slaves`.
>
> The same applies to anything after `/mesos/state` and I would assume all the
> other Mesos endpoints following this URL pattern.
>
> Example URLs that resolve when they probably should not:
> https://<master-ip>/mesos/state/1/2/3/4/5/6/7/8/9
> or https://<master-ip>/mesos/slaves/1/2/3/thisresolves/whenIt/should/not
>
> Benno Evers from the Mesos team let me know this behavior is due to this
> section of code:
> https://github.com/apache/mesos/blob/master/3rdparty/libprocess/src/process.cpp#L3953
>
> Thanks and let me know if you need anything else from me.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
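The dispatch behaviour the report describes, reproduced as an added example that is not Mesos or libprocess code: a toy C++ router with a constructed route table, where longest-prefix matching lets extra trailing segments resolve to a real endpoint's handler, beside a strict exact-match variant that returns no route for them. Handler names and the `kRoutes` table are assumptions for the illustration.

```cpp
// Added example, not Mesos/libprocess code: a toy dispatcher showing how
// longest-prefix route matching lets "/mesos/slaves/1/2/3" resolve to the
// "/mesos/slaves" handler (the reported behaviour), beside a strict variant.
#include <map>
#include <string>
#include <vector>

// Constructed route table: canonical path -> handler name.
static const std::map<std::string, std::string> kRoutes = {
    {"/mesos/state",  "state_handler"},
    {"/mesos/slaves", "slaves_handler"},
};

// Split "/a//b/c/" into {"a","b","c"}; empty segments are dropped.
std::vector<std::string> splitPath(const std::string& path) {
  std::vector<std::string> segs;
  std::string cur;
  for (char c : path) {
    if (c == '/') { if (!cur.empty()) segs.push_back(cur); cur.clear(); }
    else cur += c;
  }
  if (!cur.empty()) segs.push_back(cur);
  return segs;
}

// Join segments back into a canonical "/a/b/c" form.
std::string joinPath(const std::vector<std::string>& segs) {
  std::string out;
  for (const auto& s : segs) out += "/" + s;
  return out;
}

// Lax dispatch: try the full path, then drop trailing segments until a
// registered route is found; anything appended after a real endpoint resolves.
std::string resolveLax(const std::string& path) {
  std::vector<std::string> segs = splitPath(path);
  while (!segs.empty()) {
    auto it = kRoutes.find(joinPath(segs));
    if (it != kRoutes.end()) return it->second;
    segs.pop_back();
  }
  return "";  // no route
}

// Strict dispatch: the normalised path must match a registered route exactly,
// so extra trailing segments yield "" (no route, i.e. an HTTP 404) instead.
std::string resolveStrict(const std::string& path) {
  auto it = kRoutes.find(joinPath(splitPath(path)));
  return it == kRoutes.end() ? "" : it->second;
}
```

A quick regression check for a deployment is to request a known endpoint with junk appended and confirm the server answers 404 rather than the endpoint's normal body.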