[ https://issues.apache.org/jira/browse/SPARK-5983?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sean Owen updated SPARK-5983:
-----------------------------
    Component/s:     (was: Spark Core)
                 Web UI
         Labels: security  (was: )

Resolved by https://github.com/apache/spark/pull/4765

> Don't respond to HTTP TRACE in HTTP-based UIs
> ---------------------------------------------
>
>                 Key: SPARK-5983
>                 URL: https://issues.apache.org/jira/browse/SPARK-5983
>             Project: Spark
>          Issue Type: Improvement
>          Components: Web UI
>            Reporter: Sean Owen
>            Assignee: Sean Owen
>            Priority: Minor
>              Labels: security
>             Fix For: 1.4.0
>
>
> This was flagged a while ago during a routine security scan: the HTTP-based 
> Spark services respond to an HTTP TRACE command. This is basically an HTTP 
> verb that has no practical use, and has a pretty theoretical chance of being 
> an exploit vector. It is flagged as a security issue by one common tool, 
> however.
>
> Spark's HTTP services are based on Jetty, which by default does not enable 
> TRACE (like Tomcat). However, the services do reply to TRACE requests. I 
> think it is because the use of Jetty is pretty 'raw' and does not enable much 
> of the default additional configuration you might get by using Jetty as a 
> standalone server.
>
> I know that it is at least possible to stop the reply to TRACE with a few 
> extra lines of code, so I think it is worth shutting off TRACE requests. 
> Although the security risk is quite theoretical, it should be easy to fix and 
> bring the Spark services into line with the common default of HTTP servers 
> today.
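The issue describes two things: a service that answers TRACE (which a routine scan flags) and the fix of refusing the verb. The following is an added example, not code from Spark, Jetty or the linked pull request: a minimal Python HTTP server with both behaviours side by side, plus the probe a scanner effectively runs, so you can verify a service's TRACE handling yourself. Everything in it (handler names, the `X-Probe-Marker` header, the ephemeral port) is constructed for the example; Spark's real fix lives in its Scala/Jetty code and is not shown here.

```python
"""HTTP TRACE: the behaviour a security scan flags, the hardened form, and a probe.

Added example (not Spark's, Jetty's or the PR's own code). All names are constructed.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class NoTraceHandler(BaseHTTPRequestHandler):
    """Serves a trivial GET and explicitly refuses TRACE with 405 Method Not Allowed."""

    def do_GET(self):
        body = b"ok\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_TRACE(self):
        # Refuse the verb outright instead of reflecting the request; advertise
        # what is allowed so a well-behaved client knows why.
        self.send_response(405)
        self.send_header("Allow", "GET")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, fmt, *args):
        pass  # keep the example quiet


class EchoTraceHandler(NoTraceHandler):
    """The 'before' state: TRACE is answered by echoing the request back (message/http)."""

    def do_TRACE(self):
        # str(self.headers) renders the received header block; echoing it is what
        # a scanner detects as "server responds to TRACE".
        echoed = (self.requestline + "\r\n" + str(self.headers)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(echoed)))
        self.end_headers()
        self.wfile.write(echoed)


def start_server(handler_cls):
    """Bind to an ephemeral loopback port, serve in a daemon thread, return (server, port)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def probe_trace(port, marker="X-Probe-Marker"):
    """Send one TRACE request to localhost:port and return (status, echoed).

    echoed is True when the response body reflects the marker header we sent,
    i.e. the server replied to TRACE by echoing the request.
    """
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("TRACE", "/", headers={marker: "canary"})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, marker.encode() in body


if __name__ == "__main__":
    # Expected: EchoTraceHandler (200, True); NoTraceHandler (405, False)
    for cls in (EchoTraceHandler, NoTraceHandler):
        srv, port = start_server(cls)
        print(cls.__name__, probe_trace(port))
        srv.shutdown()
```

The probe sends a header it invented and looks for it in the body; that is more reliable than checking the status code alone, since a server can return 200 to TRACE without echoing anything. Against a hardened service the expected result is a 405 (or 501/403, depending on the server) with no reflected header.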



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
