
Extend CSRF Filter with UserAgent Checks

Details

• Type: Improvement
• Status: Resolved
• Priority: Major
• Resolution: Fixed
• Affects Version/s: None
• Fix Version/s: 2.8.0, 3.0.0-alpha1
• Component/s: security
• Labels: None
• Target Version/s:
• Hadoop Flags: Reviewed

Description

To protect against CSRF attacks, HADOOP-12691 introduces a CSRF filter that requires a specific HTTP header to be sent with every REST API call. This affects all API consumers, from web apps to CLIs and curl.

Since CSRF is primarily a browser-based attack, we can try to minimize the impact on non-browser clients.

This enhancement adds configuration for identifying non-browser user agents and skipping enforcement of the header requirement for any client identified as a non-browser. When configured appropriately, this largely limits the impact to browser-based PUT and POST calls.
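The decision the description sketches, as an added illustration that is not Hadoop's own filter code: the header name, the ignored methods and the browser user-agent regexes are assumed defaults for this example, as is the choice to treat a missing User-Agent as a browser (fail closed).

```python
import re
from dataclasses import dataclass, field

# Assumed configuration for this illustration (not taken from the page).
CUSTOM_HEADER = "X-XSRF-HEADER"
METHODS_TO_IGNORE = {"GET", "OPTIONS", "HEAD", "TRACE"}
BROWSER_UA_PATTERNS = [re.compile(p) for p in ("^Mozilla.*", "^Opera.*")]


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: method plus a header map."""
    method: str
    headers: dict = field(default_factory=dict)

    def header(self, name):
        # HTTP header names are case-insensitive, so compare lowercased.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def is_browser(user_agent):
    """True if the User-Agent matches a configured browser pattern.
    A missing User-Agent is treated as a browser here so the check fails
    closed; the project's filter may decide this differently."""
    if user_agent is None:
        return True
    return any(p.match(user_agent) for p in BROWSER_UA_PATTERNS)


def csrf_filter_decision(req):
    """Return (allowed, reason) for a request, mirroring the three gates:
    safe method, non-browser client, or custom header present."""
    if req.method.upper() in METHODS_TO_IGNORE:
        return True, "method not subject to CSRF check"
    if not is_browser(req.header("User-Agent")):
        return True, "non-browser user agent, header not required"
    if req.header(CUSTOM_HEADER) is not None:
        return True, "browser request carries the CSRF header"
    return False, "browser request missing %s" % CUSTOM_HEADER


if __name__ == "__main__":
    # Constructed sample requests: a browser POST without the header is
    # rejected, while the same call from curl passes through.
    for r in (Request("POST", {"User-Agent": "Mozilla/5.0"}),
              Request("POST", {"User-Agent": "curl/7.68.0"})):
        print(r.method, r.headers, "->", csrf_filter_decision(r))
```

Because browsers send their real User-Agent, the bypass for non-browser clients does not weaken protection for the users this filter exists to protect; a non-browser client that spoofs a browser UA merely subjects itself to the header requirement.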

Attachments

1. HADOOP-12758-004.patch (12 kB, Larry McCay)
2. HADOOP-12758-003.patch (10 kB, Larry McCay)
3. HADOOP-12758-002.patch (7 kB, Larry McCay)
4. HADOOP-12758-001.patch (7 kB, Larry McCay)


People

• Assignee: lmccay Larry McCay
• Reporter: lmccay Larry McCay
• Votes: 0
• Watchers: 5
