HADOOP-13299. JMXJsonServlet is vulnerable to TRACE. (Haibo Chen via kasha)
(cherry picked from commit 85422bb7c5)
parent
7f1879abe6
commit
2df34ab6e2
@ -144,6 +144,15 @@ public class JMXJsonServlet extends HttpServlet {
|
|||
request, response);
|
||||
}
|
||||
|
||||
/**
|
||||
* Disable TRACE method to avoid TRACE vulnerability.
|
||||
*/
|
||||
@Override
|
||||
protected void doTrace(HttpServletRequest req, HttpServletResponse resp)
|
||||
throws ServletException, IOException {
|
||||
resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
|
||||
}
|
||||
|
||||
/**
|
||||
* Process a GET request for the specified resource.
|
||||
*
|
||||
|
|
|
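Review bot: The new doTrace answers 405 without an Allow header, which RFC 7231 requires on a 405 response; since the surrounding Javadoc documents doGet as the handled method, adding `resp.setHeader("Allow", "GET");` before the `sendError` call would make the rejection self-describing (assuming the container keeps headers set before sendError, which is worth confirming). The Javadoc "Disable TRACE method to avoid TRACE vulnerability." could say what is being prevented, e.g. `Reject TRACE with 405 so this servlet never echoes request headers (including cookies or authorization headers) back to the client, as HttpServlet's default doTrace does.` Note that the override only protects this servlet; if other servlets in the same HttpServer inherit the default doTrace, they remain unaffected by this commit and a server-wide block would be more robust — I cannot confirm that from this hunk.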
@ -24,6 +24,8 @@ import org.junit.AfterClass;
|
|||
import org.junit.BeforeClass;
|
||||
import org.junit.Test;
|
||||
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
import java.io.IOException;
|
||||
import java.net.HttpURLConnection;
|
||||
import java.net.URL;
|
||||
import java.util.regex.Matcher;
|
||||
|
@ -81,4 +83,15 @@ public class TestJMXJsonServlet extends HttpServerFunctionalTest {
|
|||
assertEquals("GET", conn.getHeaderField(ACCESS_CONTROL_ALLOW_METHODS));
|
||||
assertNotNull(conn.getHeaderField(ACCESS_CONTROL_ALLOW_ORIGIN));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testTraceRequest() throws IOException {
|
||||
URL url = new URL(baseUrl, "/jmx");
|
||||
HttpURLConnection conn = (HttpURLConnection) url.openConnection();
|
||||
conn.setRequestMethod("TRACE");
|
||||
|
||||
assertEquals("Unexpected response code",
|
||||
HttpServletResponse.SC_METHOD_NOT_ALLOWED, conn.getResponseCode());
|
||||
}
|
||||
|
||||
}
|
||||
|
|
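Review bot: testTraceRequest only checks the status code, so it would also pass if TRACE were rejected for some unrelated reason before reaching the servlet; to pin the property the fix is about, the test could additionally send a marker header (`conn.setRequestProperty("X-Trace-Marker", "marker-value");`, a constructed example) and assert that the body read from `conn.getErrorStream()` does not contain it. The connection is never released; wrapping the assertions in try/finally with `conn.disconnect()` would match the resource handling a reviewer expects, although the existing tests in this class appear to follow the same pattern.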