Repository: hive Updated Branches: refs/heads/master 36ea6831f -> f42021125
HIVE-14984: Hive-WebUI access results in Request is a replay (34) attack (Barna Zsombor Klara, reviewed by Aihua Xu)
Project: http://git-wip-us.apache.org/repos/asf/hive/repo
Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/f4202112
Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/f4202112
Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/f4202112
Branch: refs/heads/master
Commit: f42021125b79ff8c9f6d52777c6c67738c07d675
Parents: 36ea683
Author: Aihua Xu <aihu...@apache.org>
Authored: Tue Nov 8 08:32:45 2016 -0500
Committer: Aihua Xu <aihu...@apache.org>
Committed: Tue Nov 8 08:32:59 2016 -0500
----------------------------------------------------------------------
 .../java/org/apache/hive/http/HttpServer.java | 16 +++++++++++++-
 .../hive-webapps/hiveserver2/index.html | 20 ----------------
 .../hive/service/server/TestHS2HttpServer.java | 23 ++++++++++++++++++++
 3 files changed, 38 insertions(+), 21 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hive/blob/f4202112/common/src/java/org/apache/hive/http/HttpServer.java
----------------------------------------------------------------------
diff --git a/common/src/java/org/apache/hive/http/HttpServer.java b/common/src/java/org/apache/hive/http/HttpServer.java
index c4e2e33..42d2959 100644
--- a/common/src/java/org/apache/hive/http/HttpServer.java
+++ b/common/src/java/org/apache/hive/http/HttpServer.java
@@ -51,6 +51,8 @@ import org.apache.logging.log4j.core.LoggerContext;
 import org.apache.logging.log4j.core.appender.AbstractOutputStreamAppender;
 import org.apache.logging.log4j.core.appender.FileManager;
 import org.apache.logging.log4j.core.appender.OutputStreamManager;
+import org.eclipse.jetty.rewrite.handler.RewriteHandler;
+import org.eclipse.jetty.rewrite.handler.RewriteRegexRule;
 import org.eclipse.jetty.server.Connector;
 import org.eclipse.jetty.server.Server;
 import org.eclipse.jetty.server.handler.ContextHandler.Context;
@@ -386,9 +388,21 @@ public class HttpServer {
     connector.setPort(b.port);
     webServer.addConnector(connector);
 
+    RewriteHandler rwHandler = new RewriteHandler();
+    rwHandler.setRewriteRequestURI(true);
+    rwHandler.setRewritePathInfo(false);
+
+    RewriteRegexRule rootRule = new RewriteRegexRule();
+    rootRule.setRegex("^/$");
+    rootRule.setReplacement("/hiveserver2.jsp");
+    rootRule.setTerminating(true);
+
+    rwHandler.addRule(rootRule);
+    rwHandler.setHandler(webAppContext);
+
     // Configure web application contexts for the web server
     ContextHandlerCollection contexts = new ContextHandlerCollection();
-    contexts.addHandler(webAppContext);
+    contexts.addHandler(rwHandler);
     webServer.setHandler(contexts);
 
     addServlet("jmx", "/jmx", JMXJsonServlet.class);
http://git-wip-us.apache.org/repos/asf/hive/blob/f4202112/service/src/resources/hive-webapps/hiveserver2/index.html
----------------------------------------------------------------------
diff --git a/service/src/resources/hive-webapps/hiveserver2/index.html b/service/src/resources/hive-webapps/hiveserver2/index.html
deleted file mode 100644
index f18ba53..0000000
--- a/service/src/resources/hive-webapps/hiveserver2/index.html
+++ /dev/null
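Review bot: The root rewrite target `/hiveserver2.jsp` is hard-coded into the shared `HttpServer` in the `common` module even though the server is assembled from a builder (`b.port` is read two lines above the new block), so any other web application served through this class would get its `/` rewritten to a JSP that does not exist in its webapp. If the builder already carries the webapp name, `rootRule.setReplacement("/" + b.name + ".jsp");` keeps HiveServer2's behaviour while staying correct elsewhere; otherwise a builder option for the root rewrite target would do. The block also needs a comment on why it exists, since it replaces the deleted `index.html` meta-refresh: e.g. `// Rewrite "/" to the landing JSP inside the same request instead of redirecting the client; the extra round trip made the browser resend its SPNEGO token, which Kerberos rejected as a replay (HIVE-14984).` Because the rule is terminating and matches only the exact path `/`, it should not let the request bypass anything the web application context applies to `/hiveserver2.jsp`, but presumably any authentication filter registered on `webAppContext` sees the rewritten target; this is worth confirming under Kerberos, as the added test appears to exercise plain HTTP only. The enclosing method starts and ends outside the hunk.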
@@ -1,20 +0,0 @@
-<!--
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
--->
-<meta HTTP-EQUIV="REFRESH" content="0;url=/hiveserver2.jsp"/>
http://git-wip-us.apache.org/repos/asf/hive/blob/f4202112/service/src/test/org/apache/hive/service/server/TestHS2HttpServer.java
----------------------------------------------------------------------
diff --git a/service/src/test/org/apache/hive/service/server/TestHS2HttpServer.java b/service/src/test/org/apache/hive/service/server/TestHS2HttpServer.java
index c9e0ac3..d918c64 100644
--- a/service/src/test/org/apache/hive/service/server/TestHS2HttpServer.java
+++ b/service/src/test/org/apache/hive/service/server/TestHS2HttpServer.java
@@ -20,9 +20,11 @@ package org.apache.hive.service.server;
 
 import java.io.BufferedReader;
 import java.io.InputStreamReader;
+import java.io.StringWriter;
 import java.net.HttpURLConnection;
 import java.net.URL;
 
+import org.apache.commons.io.IOUtils;
 import org.apache.hadoop.hive.conf.HiveConf;
 import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
 import org.apache.hadoop.hive.metastore.MetaStoreUtils;
@@ -86,6 +88,27 @@ public class TestHS2HttpServer {
   }
 
   @Test
+  public void testContextRootUrlRewrite() throws Exception {
+    String baseURL = "http://localhost:" + webUIPort + "/";
+    URL url = new URL(baseURL);
+    HttpURLConnection conn = (HttpURLConnection) url.openConnection();
+    Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
+    StringWriter writer = new StringWriter();
+    IOUtils.copy(conn.getInputStream(), writer, "UTF-8");
+    String contextRootContent = writer.toString();
+
+    String jspUrl = "http://localhost:" + webUIPort + "/hiveserver2.jsp";
+    url = new URL(jspUrl);
+    conn = (HttpURLConnection) url.openConnection();
+    Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
+    writer = new StringWriter();
+    IOUtils.copy(conn.getInputStream(), writer, "UTF-8");
+    String jspContent = writer.toString();
+
+    Assert.assertEquals(contextRootContent, jspContent);
+  }
+
+  @Test
   public void testConfStrippedFromWebUI() throws Exception {
     String pwdValFound = null;