Sean Owen created SPARK-5983:
--------------------------------
Summary: Don't respond to HTTP TRACE in HTTP-based UIs
Key: SPARK-5983
URL: https://issues.apache.org/jira/browse/SPARK-5983
Project: Spark
Issue Type: Improvement
Components: Spark Core
Reporter: Sean Owen
Priority: Minor
This was flagged a while ago during a routine security scan: the HTTP-based
Spark services respond to an HTTP TRACE command. This is basically an HTTP verb
that has no practical use, and has a pretty theoretical chance of being an
exploit vector. It is flagged as a security issue by one common tool, however.
Spark's HTTP services are based on Jetty, which by default does not enable
TRACE (like Tomcat). However, the services do reply to TRACE requests. I think
it is because the use of Jetty is pretty 'raw' and does not enable much of the
default additional configuration you might get by using Jetty as a standalone
server.
I know that it is at least possible to stop the reply to TRACE with a few extra
lines of code, so I think it is worth shutting off TRACE requests. Although the
security risk is quite theoretical, it should be easy to fix and bring the
Spark services into line with the common default of HTTP servers today.
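As an added illustration (not Spark's own change for this issue, and not code from the Spark project), the following Scala snippet shows the "few extra lines" approach against a raw Jetty 9 setup. `HttpServlet`'s default `doTrace` echoes the request, headers included, back to the client; wrapping the servlet context in a handler that answers TRACE with 405 before dispatch means no servlet under it ever reflects a request. The class names `RejectTraceHandler`, `PingServlet` and `NoTraceServer`, the `/ping` path and port 8080 are all assumptions made for the example; only Jetty and the javax.servlet API are real dependencies.

```scala
import javax.servlet.http.{HttpServlet, HttpServletRequest, HttpServletResponse}
import org.eclipse.jetty.server.{Request, Server}
import org.eclipse.jetty.server.handler.HandlerWrapper
import org.eclipse.jetty.servlet.{ServletContextHandler, ServletHolder}

// Hypothetical wrapper: refuses TRACE for every handler nested under it, so
// individual servlets do not each have to override doTrace.
class RejectTraceHandler extends HandlerWrapper {
  override def handle(target: String, baseRequest: Request,
                      request: HttpServletRequest, response: HttpServletResponse): Unit = {
    if ("TRACE".equalsIgnoreCase(request.getMethod)) {
      // Answer 405 with an Allow header instead of the default echo of the request.
      response.setHeader("Allow", "GET, HEAD, POST")
      response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED)
      baseRequest.setHandled(true)
    } else {
      super.handle(target, baseRequest, request, response)
    }
  }
}

// Hypothetical page servlet standing in for a UI page; it never sees TRACE.
class PingServlet extends HttpServlet {
  override protected def doGet(req: HttpServletRequest, res: HttpServletResponse): Unit = {
    res.setContentType("text/plain")
    res.getWriter.print("ok")
  }
}

object NoTraceServer {
  def main(args: Array[String]): Unit = {
    val context = new ServletContextHandler(ServletContextHandler.NO_SESSIONS)
    context.setContextPath("/")
    context.addServlet(new ServletHolder(new PingServlet), "/ping")

    // Insert the guard between the server and the servlet context.
    val guard = new RejectTraceHandler
    guard.setHandler(context)

    val server = new Server(8080) // port chosen for this example only
    server.setHandler(guard)
    server.start()
    server.join()
  }
}
```

With the server running, a TRACE request to `/ping` (for instance `curl -i -X TRACE http://localhost:8080/ping`) should come back as `405 Method Not Allowed` with an `Allow` header, while GET still returns `ok`. The same check is what a routine scanner performs, so it is a convenient way to confirm the wrapper sits in front of every registered handler rather than only one servlet.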
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)