[NIFI-7962] NiFi should not respond with HTTP 500 errors for HTTP TRACK request - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Trivial
Resolution: Information Provided
Affects Version/s: 1.12.1
Fix Version/s: None
Component/s: Core Framework
Labels:
- http
- jetty
- security

Description

The HTTP TRACK method was not specified in RFC 2068 [1] for HTTP 1.1 but is now available on some clients. NiFi currently responds to these requests with a 500 Internal Server Error page which reveals the version of the servlet API being used but does not contain any sensitive information. As NiFi is an open source project, the servlet API version would already be readily available to an attacker.

The error page should be generic to obscure the servlet API version.

[1] https://tools.ietf.org/html/rfc2068

Attachments

Activity

People

Assignee:: David Handermann

Reporter:: Andy LoPresto

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 28/Oct/20 16:29

Updated:: 08/Feb/21 21:40

Resolved:: 08/Feb/21 21:40