HADOOP-13299. JMXJsonServlet is vulnerable to TRACE. (Haibo Chen via kasha)

(cherry picked from commit 85422bb7c5)
(cherry picked from commit 2df34ab6e2)
This commit is contained in:
Karthik Kambatla 2016-08-09 13:42:25 -07:00
parent 16c8fd9dca
commit 5ea35b2af2
2 changed files with 22 additions and 0 deletions

View File

@ -144,6 +144,15 @@ public class JMXJsonServlet extends HttpServlet {
request, response);
}
/**
* Disable TRACE method to avoid TRACE vulnerability.
*/
@Override
protected void doTrace(HttpServletRequest req, HttpServletResponse resp)
throws ServletException, IOException {
resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
}
/**
* Process a GET request for the specified resource.
*

View File

@ -24,6 +24,8 @@ import org.junit.AfterClass;
import org.junit.BeforeClass;
import org.junit.Test;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.regex.Matcher;
@ -81,4 +83,15 @@ public class TestJMXJsonServlet extends HttpServerFunctionalTest {
assertEquals("GET", conn.getHeaderField(ACCESS_CONTROL_ALLOW_METHODS));
assertNotNull(conn.getHeaderField(ACCESS_CONTROL_ALLOW_ORIGIN));
}
@Test
public void testTraceRequest() throws IOException {
URL url = new URL(baseUrl, "/jmx");
HttpURLConnection conn = (HttpURLConnection) url.openConnection();
conn.setRequestMethod("TRACE");
assertEquals("Unexpected response code",
HttpServletResponse.SC_METHOD_NOT_ALLOWED, conn.getResponseCode());
}
}