From 2df34ab6e261613526bc7b8e4ef303617f89c758 Mon Sep 17 00:00:00 2001
From: Karthik Kambatla <kasha@cloudera.com>
Date: Tue, 9 Aug 2016 13:42:25 -0700
Subject: [PATCH] HADOOP-13299. JMXJsonServlet is vulnerable to TRACE. (Haibo
 Chen via kasha)

(cherry picked from commit 85422bb7c5d3e70a49f620ba1c8800e0ba4b64f2)
---
 .../java/org/apache/hadoop/jmx/JMXJsonServlet.java  |  9 +++++++++
 .../org/apache/hadoop/jmx/TestJMXJsonServlet.java   | 13 +++++++++++++
 2 files changed, 22 insertions(+)

diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/jmx/JMXJsonServlet.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/jmx/JMXJsonServlet.java
index 1764eccccaf..f59b64c616b 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/jmx/JMXJsonServlet.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/jmx/JMXJsonServlet.java
@@ -144,6 +144,15 @@ public class JMXJsonServlet extends HttpServlet {
         request, response);
   }
 
+  /**
+   * Disable TRACE method to avoid TRACE vulnerability.
+   */
+  @Override
+  protected void doTrace(HttpServletRequest req, HttpServletResponse resp)
+      throws ServletException, IOException {
+    resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
+  }
+
   /**
    * Process a GET request for the specified resource.
    * 
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/jmx/TestJMXJsonServlet.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/jmx/TestJMXJsonServlet.java
index eb676423ed9..4fab1f7a4a5 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/jmx/TestJMXJsonServlet.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/jmx/TestJMXJsonServlet.java
@@ -24,6 +24,8 @@ import org.junit.AfterClass;
 import org.junit.BeforeClass;
 import org.junit.Test;
 
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
 import java.net.HttpURLConnection;
 import java.net.URL;
 import java.util.regex.Matcher;
@@ -81,4 +83,15 @@ public class TestJMXJsonServlet extends HttpServerFunctionalTest {
     assertEquals("GET", conn.getHeaderField(ACCESS_CONTROL_ALLOW_METHODS));
     assertNotNull(conn.getHeaderField(ACCESS_CONTROL_ALLOW_ORIGIN));
   }
+
+  @Test
+  public void testTraceRequest() throws IOException {
+    URL url = new URL(baseUrl, "/jmx");
+    HttpURLConnection conn = (HttpURLConnection) url.openConnection();
+    conn.setRequestMethod("TRACE");
+
+    assertEquals("Unexpected response code",
+        HttpServletResponse.SC_METHOD_NOT_ALLOWED, conn.getResponseCode());
+  }
+
 }