Details
Type: Wish
Status: Resolved
Priority: Trivial
Resolution: Fixed
Version: 0.4.0
Component/s: None
Environment: Debian 5.0, Hadoop 0.20
Release Note: Disabled trace method on Chukwa servlets. (Julio Conca via Eric Yang)
Description
After a security audit of our client, he notified us of the following vulnerability on port 8081 (the collector port):
HTTP TRACE / TRACK Methods Allowed
I think this is good documentation on the vulnerability:
http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf.
We added the following code to all of the collector's servlets to solve the problem:
    @Override
    protected void doTrace(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Refuse the request with 405 instead of HttpServlet's default behaviour of echoing it back.
        resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
    }
The collector's servlets we fixed are:
org.apache.hadoop.chukwa.datacollection.collector.servlet.CommitCheckServlet
org.apache.hadoop.chukwa.datacollection.collector.servlet.LogDisplayServlet
org.apache.hadoop.chukwa.datacollection.collector.servlet.ServletCollector
Another solution could be to extend Jetty's DefaultServlet, but we didn't try it. Our solution is good enough for us.
Regards.
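The audit finding above is easy to re-check from the outside. The script below is an added example, not part of this issue or of the Chukwa code base: it sends TRACE and TRACK to a host and port and reports any method that is answered with a 2xx status, which is what an echoing doTrace produces. So that it runs offline, it also embeds two constructed stand-in servers: EchoingHandler reproduces the unfixed behaviour (HttpServlet's default doTrace echoes the request back as message/http), and HardenedHandler reproduces the fix (TRACE gets 405; TRACK has no handler and therefore gets the 501 that HttpServlet.service() also returns for methods it does not dispatch). The class and function names, the X-Audit header and the local ports are assumptions made for the example; point probe_methods at the real collector host and port 8081 to audit an actual deployment.

```python
"""Probe an HTTP endpoint for TRACE/TRACK and show the before/after behaviour of the servlet fix."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Methods named in the audit finding. TRACK is the IIS alias for TRACE; an auditor sends both.
AUDITED_METHODS = ("TRACE", "TRACK")


class QuietHandler(BaseHTTPRequestHandler):
    """Shared base for the two constructed stand-in servers: one normal GET endpoint, no logging."""

    def do_GET(self):
        body = b"ok\n"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass


class EchoingHandler(QuietHandler):
    """Constructed stand-in for the unfixed servlet: echoes the request back, as HttpServlet's default doTrace does."""

    def do_TRACE(self):
        body = (self.requestline + "\r\n" + str(self.headers)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


class HardenedHandler(QuietHandler):
    """Constructed stand-in for the fixed servlet: doTrace -> 405 Method Not Allowed."""

    def do_TRACE(self):
        self.send_error(405)

    # No do_TRACK on purpose: BaseHTTPRequestHandler answers 501 for a method without a handler,
    # matching what HttpServlet.service() returns for methods it does not dispatch.


def probe_methods(host, port, path="/", methods=AUDITED_METHODS, timeout=5.0):
    """Send each method to host:port and return {method: HTTP status code}."""
    results = {}
    for method in methods:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            # The custom header is an assumption for the example; an echoing server returns it in the body.
            conn.request(method, path, headers={"X-Audit": "trace-check"})
            resp = conn.getresponse()
            resp.read()
            results[method] = resp.status
        finally:
            conn.close()
    return results


def trace_allowed(results):
    """Return the methods the server accepted. Any 2xx means the request was echoed: the finding still holds."""
    return [m for m, status in results.items() if 200 <= status < 300]


def start_local_server(handler=HardenedHandler):
    """Start a stand-in server on an ephemeral loopback port in a daemon thread; return (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    for label, handler in (("unfixed", EchoingHandler), ("fixed", HardenedHandler)):
        server, port = start_local_server(handler)
        try:
            found = probe_methods("127.0.0.1", port)
        finally:
            server.shutdown()
        print(f"{label}: {found}; allowed: {trace_allowed(found) or 'none'}")
```

Against the unfixed stand-in the probe reports TRACE as 200 (allowed) and TRACK as 501; against the fixed one it reports 405 and 501 and nothing allowed. When auditing a real collector, treat only a 2xx as a finding: both 405 and 501 mean the request was not echoed, which is all the fix needs to achieve.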