[
https://issues.apache.org/jira/browse/SPARK-5983?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14336440#comment-14336440
]
Apache Spark commented on SPARK-5983:
-------------------------------------
User 'srowen' has created a pull request for this issue:
https://github.com/apache/spark/pull/4765
> Don't respond to HTTP TRACE in HTTP-based UIs
> ---------------------------------------------
>
> Key: SPARK-5983
> URL: https://issues.apache.org/jira/browse/SPARK-5983
> Project: Spark
> Issue Type: Improvement
> Components: Spark Core
> Reporter: Sean Owen
> Priority: Minor
>
> This was flagged a while ago during a routine security scan: the HTTP-based
> Spark services respond to an HTTP TRACE command. This is basically an HTTP
> verb that has no practical use, and has a pretty theoretical chance of being
> an exploit vector. It is flagged as a security issue by one common tool,
> however.
> Spark's HTTP services are based on Jetty, which by default does not enable
> TRACE (like Tomcat). However, the services do reply to TRACE requests. I
> think it is because the use of Jetty is pretty 'raw' and does not enable much
> of the default additional configuration you might get by using Jetty as a
> standalone server.
> I know that it is at least possible to stop the reply to TRACE with a few
> extra lines of code, so I think it is worth shutting off TRACE requests.
> Although the security risk is quite theoretical, it should be easy to fix and
> bring the Spark services into line with the common default of HTTP servers
> today.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
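One way to shut off TRACE in an embedded Jetty service, shown here as an added example and not the change made in the pull request above: a servlet filter that answers TRACE with 405 and an Allow header before the request reaches any servlet, since the servlet API's default HttpServlet.doTrace echoes the request back, which is what scanners flag. The class name, port and context path are assumptions for illustration.

```java
import java.io.IOException;
import java.util.EnumSet;
import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.servlet.FilterHolder;
import org.eclipse.jetty.servlet.ServletContextHandler;

/** Hypothetical filter: rejects HTTP TRACE so no servlet ever echoes the request. */
public class DenyTraceFilter implements Filter {
  @Override public void init(FilterConfig config) {}
  @Override public void destroy() {}

  @Override
  public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
      throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) req;
    if ("TRACE".equalsIgnoreCase(request.getMethod())) {
      HttpServletResponse response = (HttpServletResponse) res;
      // Advertise the methods that are allowed, then refuse with 405.
      response.setHeader("Allow", "GET, HEAD, POST, OPTIONS");
      response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
      return; // do not fall through to HttpServlet.doTrace
    }
    chain.doFilter(req, res);
  }

  /** Minimal 'raw' Jetty server with the filter mapped to every path (assumed port/context). */
  public static void main(String[] args) throws Exception {
    Server server = new Server(8080);
    ServletContextHandler ctx = new ServletContextHandler();
    ctx.setContextPath("/");
    ctx.addFilter(new FilterHolder(new DenyTraceFilter()), "/*",
        EnumSet.of(DispatcherType.REQUEST));
    server.setHandler(ctx);
    server.start();
    server.join();
  }
}
```

After deploying, re-run the scanner: a TRACE request should now return 405 instead of a message/http body that echoes the request headers.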