spark-user mailing list archives

From Ankit Jain <ankitjain....@gmail.com>
Subject Re: Turning off Jetty Http Options Method
Date Tue, 30 Apr 2019 23:23:22 GMT
Aah - actually found https://issues.apache.org/jira/browse/SPARK-18664 -
"Don't respond to HTTP OPTIONS in HTTP-based UIs"

Does anyone know if this can be prioritized?

Thanks
Ankit

On Tue, Apr 30, 2019 at 1:31 PM Ankit Jain <ankitjain.dce@gmail.com> wrote:

> Hi Fellow Spark users,
> We are using Spark 2.3.0 and security team is reporting a violation that
> Spark allows HTTP OPTIONS method to work (This method exposes what all
> methods are supported by the end point which could be exploited by a
> hacker).
>
> This method is on Jetty web server, I see Spark uses Jetty for web UI and
> some internal communication as well.
>
> For Spark UI, we are planning to write a javax filter, create a jar and add
> it to spark libs to not respond to options method. We don't have a clean
> solution for internal jetty server that is used as a file server though.
>
> It will be nice if Spark itself didn't allow Options method to work,
> similar to what was done for TRACE -
> https://issues.apache.org/jira/browse/SPARK-5983
>
> What do you guys think? Does community feel this should be something added
> directly to spark code?
>
> Also, if there is a later version of Spark where this has been addressed,
> please let us know too.
>
> --
> Thanks & Regards,
> Ankit.
>


-- 
Thanks & Regards,
Ankit.
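
A servlet filter of the kind the quoted message plans for the Spark UI, as an added example that is not part of the original thread or of Spark's code. The package and class names are hypothetical, the 403 status is an assumed choice, and it assumes the jar is on the driver classpath and the class is registered through Spark's `spark.ui.filters` setting.

```java
package example.security; // hypothetical package name

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Rejects HTTP OPTIONS before it reaches any UI servlet, so no Allow
 * header listing the supported methods is ever produced.
 * Assumed registration: spark.ui.filters=example.security.RejectOptionsFilter
 */
public class RejectOptionsFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) {
        // No configuration needed; Servlet 3.x requires the method to exist.
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest && res instanceof HttpServletResponse) {
            HttpServletRequest httpReq = (HttpServletRequest) req;
            // HTTP method names are case-sensitive, so compare exactly.
            if ("OPTIONS".equals(httpReq.getMethod())) {
                HttpServletResponse httpRes = (HttpServletResponse) res;
                // Set the status directly instead of sendError() to avoid an
                // error-page dispatch passing through the filter chain again.
                httpRes.setStatus(HttpServletResponse.SC_FORBIDDEN);
                httpRes.setContentLength(0);
                return; // do not call chain.doFilter(): the request stops here
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```

This only covers endpoints that go through the UI filter chain; as the quoted message notes, it does not address the internal Jetty file server.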
