[ZEPPELIN-2288] Fix Cross-Site WebSocket check - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 0.7.0
Fix Version/s: 0.7.1, 0.8.0
Component/s: Core
Labels:
None

Description

The websocket cross site vulnerability check implemented in ~~ZEPPELIN-173~~ has been broken by the ~~ZEPPELIN-798~~ (migrate to jetty9). The checkOrigin has no longer an overridden method, so it won't be called.

see:
http://download.eclipse.org/jetty/8.1.17.v20150415/apidocs//org/eclipse/jetty/websocket/WebSocketServlet.html

http://www.eclipse.org/external/jetty/stable-9/apidocs/org/eclipse/jetty/websocket/servlet/WebSocketServlet.html

The second one doesn't contain the checkOrigin.

A trivial fix is to call the existing check from the WebsocketCreator.

Attachments

Issue Links

links to

GitHub Pull Request #2166

Activity

People

Assignee:: Marton Elek

Reporter:: Marton Elek

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 20/Mar/17 14:22

Updated:: 24/Mar/17 21:13

Resolved:: 21/Mar/17 20:02