[HIVE-21902] HiveServer2 UI: jetty response header needs X-Frame-Options - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 3.1.0
Fix Version/s: 4.0.0-alpha-1
Component/s: None
Labels:
- security

Hadoop Flags:

Reviewed

Description

there are some vulnerability are reported for hiveserver2 ui

X-Frame-Options or Content-Security-Policy: frame-ancestors HTTP Headers missing on port 10002.

GET / HTTP/1.1 
Host: HOSTNAME:10002 
Connection: Keep-Alive 



X-XSS-Protection HTTP Header missing on port 10002. 
X-Content-Type-Options HTTP Header missing on port 10002.

after the proposed changes

HTTP/1.1 200 OK
Date: Thu, 20 Jun 2019 05:29:59 GMT
Content-Type: text/html;charset=utf-8
X-Content-Type-Options: nosniff
X-FRAME-OPTIONS: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Set-Cookie: JSESSIONID=15kscuow9cmy7qms6dzaxllqt;Path=/
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Length: 3824
Server: Jetty(9.3.25.v20180904)

Attachments

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

HIVE-21902.01.patch
20/Jun/19 22:09
16 kB
Rajkumar Singh
HIVE-21902.patch
20/Jun/19 05:52
15 kB
Rajkumar Singh

Activity

People

Assignee:: Rajkumar Singh

Reporter:: Rajkumar Singh

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 20/Jun/19 05:51

Updated:: 17/Nov/22 08:50

Resolved:: 25/Jun/19 21:04