HADOOP-13299. JMXJsonServlet is vulnerable to TRACE. (Haibo Chen via kasha)
(cherry picked from commit 85422bb7c5
)
This commit is contained in:
parent
7f1879abe6
commit
2df34ab6e2
|
@ -144,6 +144,15 @@ public class JMXJsonServlet extends HttpServlet {
|
||||||
request, response);
|
request, response);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Disable TRACE method to avoid TRACE vulnerability.
|
||||||
|
*/
|
||||||
|
@Override
|
||||||
|
protected void doTrace(HttpServletRequest req, HttpServletResponse resp)
|
||||||
|
throws ServletException, IOException {
|
||||||
|
resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Process a GET request for the specified resource.
|
* Process a GET request for the specified resource.
|
||||||
*
|
*
|
||||||
|
|
|
@ -24,6 +24,8 @@ import org.junit.AfterClass;
|
||||||
import org.junit.BeforeClass;
|
import org.junit.BeforeClass;
|
||||||
import org.junit.Test;
|
import org.junit.Test;
|
||||||
|
|
||||||
|
import javax.servlet.http.HttpServletResponse;
|
||||||
|
import java.io.IOException;
|
||||||
import java.net.HttpURLConnection;
|
import java.net.HttpURLConnection;
|
||||||
import java.net.URL;
|
import java.net.URL;
|
||||||
import java.util.regex.Matcher;
|
import java.util.regex.Matcher;
|
||||||
|
@ -81,4 +83,15 @@ public class TestJMXJsonServlet extends HttpServerFunctionalTest {
|
||||||
assertEquals("GET", conn.getHeaderField(ACCESS_CONTROL_ALLOW_METHODS));
|
assertEquals("GET", conn.getHeaderField(ACCESS_CONTROL_ALLOW_METHODS));
|
||||||
assertNotNull(conn.getHeaderField(ACCESS_CONTROL_ALLOW_ORIGIN));
|
assertNotNull(conn.getHeaderField(ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testTraceRequest() throws IOException {
|
||||||
|
URL url = new URL(baseUrl, "/jmx");
|
||||||
|
HttpURLConnection conn = (HttpURLConnection) url.openConnection();
|
||||||
|
conn.setRequestMethod("TRACE");
|
||||||
|
|
||||||
|
assertEquals("Unexpected response code",
|
||||||
|
HttpServletResponse.SC_METHOD_NOT_ALLOWED, conn.getResponseCode());
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue