Alexey Serbin has submitted this change and it was merged. ( http://gerrit.cloudera.org:8080/23657 )
Change subject: [webserver] Restrict UI pages to GET/HEAD methods only
......................................................................

[webserver] Restrict UI pages to GET/HEAD methods only

Currently, the web server UI pages return 200 OK regardless of the HTTP method used. Display pages like "/", "/tables", "/tablet-servers" accept POST, PUT, DELETE and other methods even though they're purely informational read-only pages. This could lead to unintended interactions and doesn't follow HTTP best practices.

This patch adds HTTP method validation for display pages. Pages registered with StyleMode::STYLED (human-readable UI pages with CSS and navigation) now only accept GET and HEAD requests. Other HTTP methods (POST, PUT, DELETE, etc.) return 405 Method Not Allowed with an appropriate Allow header.

Functional endpoints like /metrics, and REST API endpoints registered with StyleMode::UNSTYLED or StyleMode::JSON continue to accept all HTTP methods as before, since they may legitimately need POST for operations.

The design uses StyleMode as a signal for method restrictions since STYLED pages are semantically read-only displays for human viewing, while functional endpoints are machine-consumable and may need to accept writes. This approach requires no API changes and automatically applies the correct restrictions based on existing semantics.

Change-Id: Ie232bd50785bb750ecaa0a7e19403e573ac193eb
Reviewed-on: http://gerrit.cloudera.org:8080/23657
Tested-by: Kudu Jenkins
Reviewed-by: Marton Greber <[email protected]>
Reviewed-by: Alexey Serbin <[email protected]>
---
M src/kudu/server/webserver-test.cc
M src/kudu/server/webserver.cc
2 files changed, 126 insertions(+), 8 deletions(-)

Approvals:
  Kudu Jenkins: Verified
  Marton Greber: Looks good to me, approved
  Alexey Serbin: Looks good to me, approved

--
To view, visit http://gerrit.cloudera.org:8080/23657
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: Ie232bd50785bb750ecaa0a7e19403e573ac193eb
Gerrit-Change-Number: 23657
Gerrit-PatchSet: 7
Gerrit-Owner: Gabriella Lotz <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Ashwani Raina <[email protected]>
Gerrit-Reviewer: Gabriella Lotz <[email protected]>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Marton Greber <[email protected]>
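
The method gate described in the commit message above, as an added example that is not part of the change or of Kudu's webserver.cc. Only the StyleMode enumerator names and the "/", "/tables", "/tablet-servers" and "/metrics" paths come from the message; the registry, the function names, the "/api/example" path, the mode assigned to "/metrics" and the exact Allow value "GET, HEAD" are assumptions.

```cpp
// Added illustration, not Kudu code. Hypothetical names throughout except
// the StyleMode enumerators, which are quoted from the commit message.
#include <cstdio>
#include <map>
#include <string>

enum class StyleMode { STYLED, UNSTYLED, JSON };

struct Response {
  int status;
  std::string allow;  // Allow header value; empty when the header is not sent
};

// Hypothetical registry: path -> mode the handler was registered with.
using Registry = std::map<std::string, StyleMode>;

// Constructed sample registrations. "/api/example" is a placeholder path and
// the mode chosen for "/metrics" is an assumption.
Registry SampleRegistry() {
  return {{"/", StyleMode::STYLED},
          {"/tables", StyleMode::STYLED},
          {"/tablet-servers", StyleMode::STYLED},
          {"/metrics", StyleMode::UNSTYLED},
          {"/api/example", StyleMode::JSON}};
}

// Gate evaluated before a handler would run.
Response CheckRequest(const Registry& reg, const std::string& method,
                      const std::string& path) {
  auto it = reg.find(path);
  if (it == reg.end()) return {404, ""};
  // HTTP method tokens are case-sensitive, so the comparison is exact:
  // "get" is not GET and is rejected like any other unlisted method.
  if (it->second == StyleMode::STYLED && method != "GET" && method != "HEAD") {
    return {405, "GET, HEAD"};  // a 405 must tell the client what is allowed
  }
  // UNSTYLED and JSON handlers keep accepting every method.
  return {200, ""};
}

int main() {
  const Registry reg = SampleRegistry();
  const char* probes[][2] = {{"GET", "/tables"}, {"DELETE", "/tables"},
                             {"POST", "/metrics"}, {"PUT", "/api/example"}};
  for (const auto& p : probes) {
    Response r = CheckRequest(reg, p[0], p[1]);
    std::printf("%-6s %-14s -> %d %s\n", p[0], p[1], r.status, r.allow.c_str());
  }
  return 0;
}
```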
