From 8910e09beb6ea1e053b919ca87d6e697646527cf Mon Sep 17 00:00:00 2001
From: Shay Banon <kimchy@gmail.com>
Date: Wed, 9 Jul 2014 12:02:00 +0200
Subject: [PATCH] Disable JSONP by default By default, disable the option to
 use JSONP in our REST layer closes #6795

---
 docs/reference/api-conventions.asciidoc        | 18 ++++++++++--------
 .../org/elasticsearch/rest/RestController.java |  4 +++-
 .../options/jsonp/JsonpOptionDisabledTest.java |  8 +++++++-
 .../options/jsonp/JsonpOptionEnabledTest.java  |  3 ++-
 4 files changed, 22 insertions(+), 11 deletions(-)

diff --git a/docs/reference/api-conventions.asciidoc b/docs/reference/api-conventions.asciidoc
index ef06dcfbaeb..1e656b5a3e2 100644
--- a/docs/reference/api-conventions.asciidoc
+++ b/docs/reference/api-conventions.asciidoc
@@ -241,17 +241,19 @@ document indexed.
 [float]
 === JSONP
 
-By default JSONP resposes are enabled. All REST APIs accept a `callback` parameter
-resulting in a http://en.wikipedia.org/wiki/JSONP[JSONP] result. You can disable
+By default JSONP responses are disabled by default. coming[1.3,Previously JSONP was enabled by default]
+
+When enabled, all REST APIs accept a `callback` parameter
+resulting in a http://en.wikipedia.org/wiki/JSONP[JSONP] result. You can enable
 this behavior by adding the following to `config.yaml`:
 
-    http.jsonp.enable: false
+    http.jsonp.enable: true
 
-Please note, due to the architecture of Elasticsearch, this may pose a security
-risk. Under some circumstances, an attacker may be able to exfiltrate data in your
-Elasticsearch server if they're able to force your browser to make a JSONP request
-on your behalf (e.g. by including a <script> tag on an untrusted site with a
-legitimate query against a local Elasticsearch server).
+Please note, when enabled, due to the architecture of Elasticsearch, this may pose
+a security risk. Under some circumstances, an attacker may be able to exfiltrate
+data in your Elasticsearch server if they're able to force your browser to make a
+JSONP request on your behalf (e.g. by including a <script> tag on an untrusted site
+with a legitimate query against a local Elasticsearch server).
 
 [float]
 === Request body in query string
diff --git a/src/main/java/org/elasticsearch/rest/RestController.java b/src/main/java/org/elasticsearch/rest/RestController.java
index 8b63f199cc4..89753639c7f 100644
--- a/src/main/java/org/elasticsearch/rest/RestController.java
+++ b/src/main/java/org/elasticsearch/rest/RestController.java
@@ -43,6 +43,8 @@ import static org.elasticsearch.rest.RestStatus.FORBIDDEN;
  */
 public class RestController extends AbstractLifecycleComponent<RestController> {
 
+    public static final String HTTP_JSON_ENABLE = "http.jsonp.enable";
+
     private final PathTrie<RestHandler> getHandlers = new PathTrie<>(RestUtils.REST_DECODER);
     private final PathTrie<RestHandler> postHandlers = new PathTrie<>(RestUtils.REST_DECODER);
     private final PathTrie<RestHandler> putHandlers = new PathTrie<>(RestUtils.REST_DECODER);
@@ -140,7 +142,7 @@ public class RestController extends AbstractLifecycleComponent<RestController> {
 
     public void dispatchRequest(final RestRequest request, final RestChannel channel) {
         // If JSONP is disabled and someone sends a callback parameter we should bail out before querying
-        if (!settings.getAsBoolean("http.jsonp.enable", true) && request.hasParam("callback")){
+        if (!settings.getAsBoolean(HTTP_JSON_ENABLE, false) && request.hasParam("callback")){
             try {
                 XContentBuilder builder = channel.newBuilder();
                 builder.startObject().field("error","JSONP is disabled.").endObject().string();
diff --git a/src/test/java/org/elasticsearch/options/jsonp/JsonpOptionDisabledTest.java b/src/test/java/org/elasticsearch/options/jsonp/JsonpOptionDisabledTest.java
index a7f536a5915..34dcc363408 100644
--- a/src/test/java/org/elasticsearch/options/jsonp/JsonpOptionDisabledTest.java
+++ b/src/test/java/org/elasticsearch/options/jsonp/JsonpOptionDisabledTest.java
@@ -22,6 +22,7 @@ package org.elasticsearch.options.jsonp;
 import org.elasticsearch.common.settings.ImmutableSettings;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.http.HttpServerTransport;
+import org.elasticsearch.rest.RestController;
 import org.elasticsearch.rest.helper.HttpClient;
 import org.elasticsearch.rest.helper.HttpClientResponse;
 import org.elasticsearch.test.ElasticsearchIntegrationTest;
@@ -39,8 +40,13 @@ public class JsonpOptionDisabledTest extends ElasticsearchIntegrationTest {
     // Build our cluster settings
     @Override
     protected Settings nodeSettings(int nodeOrdinal) {
+        // false is the default!
+        if (randomBoolean()) {
+            logger.info("using default jsonp settings (should be false)");
+            return super.nodeSettings(nodeOrdinal);
+        }
         return ImmutableSettings.settingsBuilder()
-                .put("http.jsonp.enable", false)
+                .put(RestController.HTTP_JSON_ENABLE, false)
                 .put(super.nodeSettings(nodeOrdinal))
                 .build();
     }
diff --git a/src/test/java/org/elasticsearch/options/jsonp/JsonpOptionEnabledTest.java b/src/test/java/org/elasticsearch/options/jsonp/JsonpOptionEnabledTest.java
index ef668c36a16..f7cf206af12 100644
--- a/src/test/java/org/elasticsearch/options/jsonp/JsonpOptionEnabledTest.java
+++ b/src/test/java/org/elasticsearch/options/jsonp/JsonpOptionEnabledTest.java
@@ -22,6 +22,7 @@ package org.elasticsearch.options.jsonp;
 import org.elasticsearch.common.settings.ImmutableSettings;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.http.HttpServerTransport;
+import org.elasticsearch.rest.RestController;
 import org.elasticsearch.rest.helper.HttpClient;
 import org.elasticsearch.rest.helper.HttpClientResponse;
 import org.elasticsearch.test.ElasticsearchIntegrationTest;
@@ -40,7 +41,7 @@ public class JsonpOptionEnabledTest extends ElasticsearchIntegrationTest {
     @Override
     protected Settings nodeSettings(int nodeOrdinal) {
         return ImmutableSettings.settingsBuilder()
-                .put("http.jsonp.enable", true)
+                .put(RestController.HTTP_JSON_ENABLE, true)
                 .put(super.nodeSettings(nodeOrdinal))
                 .build();
     }