Marton Greber has submitted this change and it was merged. ( http://gerrit.cloudera.org:8080/22063 )
Change subject: [squeasel] Allow HTTP unsafe methods
......................................................................

[squeasel] Allow HTTP unsafe methods

By default, Squeasel restricts the use of HTTP methods like PUT, DELETE, and CONNECT [1]. However, these methods are essential for the REST API's functionality in managing server resources.

This patch introduces the -DALLOW_UNSAFE_HTTP_METHODS build flag, following a commit that added this option in response to OWASP security recommendations [2][3].

Although PUT and DELETE methods can modify server resources, enabling them does not inherently pose a security risk. Proper security checks in the webserver prevent unauthorized access and misuse. For web services that require PUT and DELETE, it's essential to ensure that these methods are accessible only to trusted users and operate in safe conditions.

[1] https://github.com/cloudera/squeasel/blob/d83cf6d9af0e2c98c16467a6a035ae0d7ca21cb1/squeasel.c#L220-L223
[2] https://github.com/cloudera/squeasel/commit/e6409059a72293ff7be07f78a785581024cedb87
[3] https://web.archive.org/web/20190128223602/https://www.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006)

Change-Id: I14580704c0274ca83f318bcdab6d4cf3509ec271
Reviewed-on: http://gerrit.cloudera.org:8080/22063
Reviewed-by: Zoltan Chovan <[email protected]>
Tested-by: Marton Greber <[email protected]>
Reviewed-by: Marton Greber <[email protected]>
---
M src/kudu/server/webserver-test.cc
M thirdparty/build-definitions.sh
2 files changed, 16 insertions(+), 2 deletions(-)

Approvals:
  Zoltan Chovan: Looks good to me, but someone else must approve
  Marton Greber: Looks good to me, approved; Verified

--
To view, visit http://gerrit.cloudera.org:8080/22063
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: I14580704c0274ca83f318bcdab6d4cf3509ec271
Gerrit-Change-Number: 22063
Gerrit-PatchSet: 3
Gerrit-Owner: Gabriella Lotz <[email protected]>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Marton Greber <[email protected]>
Gerrit-Reviewer: Zoltan Chovan <[email protected]>
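
Added example, not part of the notification above and not code from squeasel or Kudu: a sketch of the two layers the commit message describes, a build-flag gate on which methods are accepted at all and a handler-side check that lets state-changing methods through only for authenticated callers. Apart from the ALLOW_UNSAFE_HTTP_METHODS macro name, every function name, the method lists and the 401/405 status choices are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Same macro name as the build flag in the commit message; everything
 * else in this file is a hypothetical sketch, not squeasel's source. */
#ifdef ALLOW_UNSAFE_HTTP_METHODS
#define UNSAFE_METHODS_ENABLED 1
#else
#define UNSAFE_METHODS_ENABLED 0
#endif

static int in_list(const char *method, const char *const *list) {
  for (; *list != NULL; list++)
    if (strcmp(method, *list) == 0) return 1;
  return 0;
}

/* Layer 1 (assumed parser behaviour): PUT, DELETE and CONNECT are
 * accepted only when the build flag is set. */
static int parser_accepts(const char *method) {
  static const char *const always_on[] = {"GET", "HEAD", "POST", "OPTIONS", NULL};
  static const char *const flag_gated[] = {"PUT", "DELETE", "CONNECT", NULL};
  if (in_list(method, always_on)) return 1;
  return UNSAFE_METHODS_ENABLED && in_list(method, flag_gated);
}

/* Layer 2 (hypothetical REST handler check): returns the HTTP status to
 * send, or 0 to pass the request on to the resource handler. */
int gate_request(const char *method, int caller_authenticated) {
  static const char *const needs_auth[] = {"POST", "PUT", "DELETE", NULL};
  if (!parser_accepts(method)) return 405;        /* never reaches routing */
  if (in_list(method, needs_auth))
    return caller_authenticated ? 0 : 401;        /* trusted callers only */
  if (strcmp(method, "CONNECT") == 0) return 405; /* enabled by flag, unused by API */
  return 0;
}
```

Compiling with and without -DALLOW_UNSAFE_HTTP_METHODS shows that the flag only changes what can reach the second layer; the authentication requirement on PUT and DELETE holds either way.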
