HBASE-26903 Bump httpclient from 4.5.3 to 4.5.13 (#4296)
Bump httpclient from 4.5.3 to 4.5.13 to avoid a CVE of medium severity in this dependency. Newer httpclient versions enable a URI normalization algorithm by default that rewrites URIs in a way that breaks some forms of valid REST gateway interactions, so disable it when building the httpclient instance in Client. Signed-off-by: Duo Zhang <zhangduo@apache.org> Signed-off-by: Pankaj Kumar <pankajkumar@apache.org>
This commit is contained in:
Andrew Purtell
parent
af1cafc8ca
commit
b96c84371d
|
|
@ -23,7 +23,6 @@ import java.io.BufferedInputStream;
|
||||||
import java.io.ByteArrayInputStream;
|
import java.io.ByteArrayInputStream;
|
||||||
import java.io.ByteArrayOutputStream;
|
import java.io.ByteArrayOutputStream;
|
||||||
import java.io.File;
|
import java.io.File;
|
||||||
import java.io.FileInputStream;
|
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
import java.io.InputStream;
|
import java.io.InputStream;
|
||||||
import java.net.URI;
|
import java.net.URI;
|
||||||
|
|
@ -40,7 +39,6 @@ import java.util.Map;
|
||||||
import java.util.Optional;
|
import java.util.Optional;
|
||||||
import java.util.concurrent.ConcurrentHashMap;
|
import java.util.concurrent.ConcurrentHashMap;
|
||||||
import javax.net.ssl.SSLContext;
|
import javax.net.ssl.SSLContext;
|
||||||
|
|
||||||
import org.apache.hadoop.conf.Configuration;
|
import org.apache.hadoop.conf.Configuration;
|
||||||
import org.apache.hadoop.hbase.HBaseConfiguration;
|
import org.apache.hadoop.hbase.HBaseConfiguration;
|
||||||
import org.apache.hadoop.hbase.rest.Constants;
|
import org.apache.hadoop.hbase.rest.Constants;
|
||||||
|
|
@ -113,8 +111,11 @@ public class Client {
|
||||||
Constants.DEFAULT_REST_CLIENT_CONN_TIMEOUT);
|
Constants.DEFAULT_REST_CLIENT_CONN_TIMEOUT);
|
||||||
int socketTimeout = this.conf.getInt(Constants.REST_CLIENT_SOCKET_TIMEOUT,
|
int socketTimeout = this.conf.getInt(Constants.REST_CLIENT_SOCKET_TIMEOUT,
|
||||||
Constants.DEFAULT_REST_CLIENT_SOCKET_TIMEOUT);
|
Constants.DEFAULT_REST_CLIENT_SOCKET_TIMEOUT);
|
||||||
RequestConfig requestConfig = RequestConfig.custom().setConnectTimeout(connTimeout)
|
RequestConfig requestConfig = RequestConfig.custom()
|
||||||
.setSocketTimeout(socketTimeout).build();
|
.setConnectTimeout(connTimeout)
|
||||||
|
.setSocketTimeout(socketTimeout)
|
||||||
|
.setNormalizeUri(false) // URIs should not be normalized, see HBASE-26903
|
||||||
|
.build();
|
||||||
httpClientBuilder.setDefaultRequestConfig(requestConfig);
|
httpClientBuilder.setDefaultRequestConfig(requestConfig);
|
||||||
|
|
||||||
// Since HBASE-25267 we don't use the deprecated DefaultHttpClient anymore.
|
// Since HBASE-25267 we don't use the deprecated DefaultHttpClient anymore.
|
||||||
|
|
|
||||||
6
pom.xml
6
pom.xml
|
|
@ -564,11 +564,7 @@
|
||||||
<commons-lang3.version>3.9</commons-lang3.version>
|
<commons-lang3.version>3.9</commons-lang3.version>
|
||||||
<commons-math.version>3.6.1</commons-math.version>
|
<commons-math.version>3.6.1</commons-math.version>
|
||||||
<disruptor.version>3.4.2</disruptor.version>
|
<disruptor.version>3.4.2</disruptor.version>
|
||||||
<!-- Updating the httpclient will break hbase-rest. It writes out URLs with '//' in it
|
<httpclient.version>4.5.13</httpclient.version>
|
||||||
especially when writing out 'no column families'. Later httpclients collapse the '//'
|
|
||||||
into single '/' as double-slash is not legal in an URL. Breaks #testDelete in
|
|
||||||
TestRemoteTable. -->
|
|
||||||
<httpclient.version>4.5.3</httpclient.version>
|
|
||||||
<httpcore.version>4.4.13</httpcore.version>
|
<httpcore.version>4.4.13</httpcore.version>
|
||||||
<metrics-core.version>3.2.6</metrics-core.version>
|
<metrics-core.version>3.2.6</metrics-core.version>
|
||||||
<jackson.version>2.13.1</jackson.version>
|
<jackson.version>2.13.1</jackson.version>
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue