[
https://issues.apache.org/jira/browse/HADOOP-14908?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16184993#comment-16184993
]
Johannes Alberti commented on HADOOP-14908:
-------------------------------------------
[~jeagles] thanks for your comments, I took a quick look at the Jetty filter,
and I can see, Jetty has the same issue, the support for wildcards alone can
easily lead to security issues. Below code is from the Jetty filter ... and
this 'greed' can lead to issues, very easily.
{code:java}
private String parseAllowedWildcardOriginToRegex(String allowedOrigin)
{
    String regex = allowedOrigin.replace(".", "\\.");
    // we want to be greedy here to match multiple subdomains, thus we use .*
    return regex.replace("*", ".*");
}
{code}
> CrossOriginFilter should trigger regex on more input
> ----------------------------------------------------
>
> Key: HADOOP-14908
> URL: https://issues.apache.org/jira/browse/HADOOP-14908
> Project: Hadoop Common
> Issue Type: Improvement
> Components: common, security
> Affects Versions: 3.0.0-beta1
> Reporter: Allen Wittenauer
> Assignee: Johannes Alberti
> Attachments: HADOOP-14908-PR279.patch
>
>
> Currently, CrossOriginFilter.java limits regex matching only if there is an
> asterisk (\*) in the config.
> {code}
> if (allowedOrigin.contains("*")) {
> {code}
> This means that entries such as:
> {code}
> http?://foo.example.com
> https://[a-z][0-9].example.com
> {code}
> ... and other patterns that succinctly limit the input space need to either
> be fully expanded or dramatically have their space increased by using an
> asterisk in order to pass through the filter.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
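To make the two points on this thread concrete (the `contains("*")` gate from the issue description, and the greedy `*` to `.*` expansion from the Jetty snippet in the comment), here is an added, self-contained illustration. It is not code from Hadoop, Jetty, or the attached patch: `isAllowedWildcardOnly` is a reconstruction of the logic the issue describes and assumes anchored matching via `Matcher.matches()`; `singleLabelRegex` is a hypothetical stricter conversion, not the fix proposed on the ticket; the config entries and origins in `main` are constructed samples.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

/** Added example: how a CORS allowed-origin entry becomes a regex, and what that accepts. */
public class WildcardOriginDemo {

    /** The conversion quoted from Jetty: escape '.', then expand every '*' to the greedy '.*'. */
    static String greedyRegex(String allowedOrigin) {
        return allowedOrigin.replace(".", "\\.").replace("*", ".*");
    }

    /**
     * Reconstruction (assumption, not the project's code) of the filter behaviour the issue
     * describes: only entries containing '*' take the regex path; everything else is an
     * exact string compare. Matching is assumed anchored (Matcher.matches).
     */
    static boolean isAllowedWildcardOnly(String origin, List<String> allowedOrigins) {
        for (String allowed : allowedOrigins) {
            if (allowed.contains("*")) {
                if (Pattern.compile(greedyRegex(allowed)).matcher(origin).matches()) {
                    return true;
                }
            } else if (allowed.equals(origin)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Hypothetical stricter conversion: quote every literal piece (not only '.', so other
     * regex metacharacters in the config cannot leak through) and let '*' stand for exactly
     * one DNS label rather than any string, so it can no longer cross a '.' boundary.
     */
    static String singleLabelRegex(String allowedOrigin) {
        String[] pieces = allowedOrigin.split("\\*", -1); // -1 keeps a trailing empty piece
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < pieces.length; i++) {
            if (i > 0) {
                sb.append("[A-Za-z0-9-]+");
            }
            if (!pieces[i].isEmpty()) {
                sb.append(Pattern.quote(pieces[i]));
            }
        }
        return sb.toString();
    }

    static boolean matchesSingleLabel(String origin, String allowedOrigin) {
        return Pattern.compile(singleLabelRegex(allowedOrigin)).matcher(origin).matches();
    }

    public static void main(String[] args) {
        // Constructed config entries and request origins; none are taken from a real deployment.
        String[][] cases = {
            // entry with '*'          origin                         note
            {"https://*.example.com",  "https://api.example.com",     "one label: both accept"},
            {"https://*.example.com",  "https://a.b.example.com",     "greedy .* spans labels, single-label does not"},
            {"https://*",              "https://anything-at-all.test", "greedy .* is an allow-all for https"},
            // entry without '*': issue's point, it is compared literally and never matches a real origin
            {"https://[a-z][0-9].example.com", "https://a1.example.com", "no '*', so no regex: dead entry"},
        };
        System.out.printf("%-34s %-30s %-8s %-12s %s%n",
                "allowed entry", "origin", "greedy", "singleLabel", "note");
        for (String[] c : cases) {
            boolean greedy = isAllowedWildcardOnly(c[1], Arrays.asList(c[0]));
            boolean strict = matchesSingleLabel(c[1], c[0]);
            System.out.printf("%-34s %-30s %-8b %-12b %s%n", c[0], c[1], greedy, strict, c[2]);
        }
    }
}
```

Running `main` prints one row per case; the second and third rows show what the greedy expansion accepts that a single-label rule would not, and the last row shows that an entry written as a regex but lacking `*` silently becomes a literal and matches nothing. Whether `*` should span multiple labels is a policy choice (the Jetty comment wants it to); the point of the stricter variant is that the choice is then explicit rather than a side effect of `.*`.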