chukwa-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Julio Conca (Created) (JIRA)" <j...@apache.org>
Subject [jira] [Created] (CHUKWA-619) Disable Trace Method on Collector's Port
Date Wed, 14 Dec 2011 09:08:30 GMT
Disable Trace Method on Collector's Port
----------------------------------------

                 Key: CHUKWA-619
                 URL: https://issues.apache.org/jira/browse/CHUKWA-619
             Project: Chukwa
          Issue Type: Wish
          Components: data collection
    Affects Versions: 0.4.0
         Environment: Debian 5.0, Hadoop 0.20
            Reporter: Julio Conca
            Priority: Trivial


After a safety auditory of our client. He notified us the next vulnerability at port 8081
(Collector port).
HTTP TRACE / TRACK Methods Allowed

I think this is a good documentation over the vulnerability.
http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf.

We add the following code to all the collector's servlets to solve the problem.
protected void doTrace(HttpServletRequest req, HttpServletResponse resp) throws ServletException,
IOException {
    resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
}

The collector's servlets we fixed are.
org.apache.hadoop.chukwa.datacollection.collector.servlet.CommitCheckServlet
org.apache.hadoop.chukwa.datacollection.collector.servlet.LogDisplayServlet
org.apache.hadoop.chukwa.datacollection.collector.servlet.ServletCollector


Another solution could be to extend from jetty's DefaultServlet, but we didn't try. Our solution
is good enough for us.

Regards.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message