spark-user mailing list archives

From Ankit Jain <ankitjain....@gmail.com>
Subject Re: Turning off Jetty Http Options Method
Date Tue, 30 Apr 2019 23:25:07 GMT
+ dev@spark.apache.org

On Tue, Apr 30, 2019 at 4:23 PM Ankit Jain <ankitjain.dce@gmail.com> wrote:

> Aah - actually found https://issues.apache.org/jira/browse/SPARK-18664 -
> "Don't respond to HTTP OPTIONS in HTTP-based UIs"
>
> Does anyone know if this can be prioritized?
>
> Thanks
> Ankit
>
> On Tue, Apr 30, 2019 at 1:31 PM Ankit Jain <ankitjain.dce@gmail.com>
> wrote:
>
>> Hi Fellow Spark users,
>> We are using Spark 2.3.0 and the security team is reporting a violation that
>> Spark allows the HTTP OPTIONS method to work (this method exposes what
>> methods are supported by the endpoint, which could be exploited by a
>> hacker).
>>
>> This method is on Jetty web server, I see Spark uses Jetty for web UI and
>> some internal communication as well.
>>
>> For the Spark UI, we are planning to write a javax filter, create a jar and add
>> it to the Spark libs so it does not respond to the OPTIONS method. We don't have a clean
>> solution for the internal Jetty server that is used as a file server though.
>>
>> It would be nice if Spark itself didn't allow the OPTIONS method to work,
>> similar to what was done for TRACE -
>> https://issues.apache.org/jira/browse/SPARK-5983
>>
>> What do you guys think? Does community feel this should be something
>> added directly to spark code?
>>
>> Also, if there is a later version of Spark where this has been addressed,
>> please let us know too.
>>
>> --
>> Thanks & Regards,
>> Ankit.
>>
>
>
> --
> Thanks & Regards,
> Ankit.
>


-- 
Thanks & Regards,
Ankit.
