Copilot commented on code in PR #7540:
URL: https://github.com/apache/hbase/pull/7540#discussion_r2617996906


##########
hbase-http/src/main/java/org/apache/hadoop/hbase/http/log/LogLevel.java:
##########
@@ -335,6 +329,13 @@ public void doGet(HttpServletRequest request, 
HttpServletResponse response)
         Logger log = LoggerFactory.getLogger(logName);
         out.println(MARKER + "Log Class: <b>" + log.getClass().getName() + 
"</b><br />");
         if (level != null) {
+          // Disallow modification of the LogLevel if explicitly set to 
readonly
+          if (conf.getBoolean("hbase.master.ui.readonly", false)) {
+            sendError(response, HttpServletResponse.SC_FORBIDDEN,
+              "Modification of HBase via the UI is disallowed in 
configuration.");
+            return;
+          }
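Review bot: sendError() at the end of this hunk runs only after `out.println(MARKER + "Log Class: <b>" ...` (and whatever the method emitted before that) has already gone to the response, so the 403 is set on a response that may already be committed and will either raise IllegalStateException or leave a 200 status on a half-written body. Hoist the `conf.getBoolean("hbase.master.ui.readonly", false)` check to the start of the `level != null` path, ahead of any output, and return before anything is written. Minor: the message would be more actionable if it named the key, e.g. "disallowed by hbase.master.ui.readonly", so an operator knows which setting governs the behaviour.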

Review Comment:
   The readonly check at line 333 occurs after the response body has already 
been written (header.jsp included at line 310, FORMS written at line 316, and 
potentially more output at lines 326-330). Calling sendError() at this point 
will not work correctly because the HTTP response has already been committed. 
The status code cannot be changed after the response body has started being 
written, which will result in either an IllegalStateException or a malformed 
HTTP response.
   
   To fix this issue, the readonly check should be moved earlier in the method, 
before any output is written to the response. One approach would be to check if 
level is not null and readonly mode is enabled right after retrieving the 
parameters (around line 320), but before writing any output beyond that point. 
Alternatively, the check could be conditional on whether we're about to write 
the forms or process the request.
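
As an added illustration (not code from this PR or from HBase itself), a hypothetical servlet with the read-only guard hoisted above all output, so the 403 is decided while the response is still uncommitted; the class name, constructor and the injected Hadoop Configuration are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.hadoop.conf.Configuration;

/**
 * Hypothetical servlet (not LogLevel.java) showing the ordering the review asks for:
 * decide on the 403 before any byte of the body is written.
 */
public class ReadOnlyGuardedServlet extends HttpServlet {
  static final String READONLY_KEY = "hbase.master.ui.readonly";
  private final Configuration conf;

  public ReadOnlyGuardedServlet(Configuration conf) {
    this.conf = conf;
  }

  /** Only a request carrying a level is a modification; read-only mode blocks exactly those. */
  static boolean isForbiddenModification(Configuration conf, String level) {
    return level != null && conf.getBoolean(READONLY_KEY, false);
  }

  @Override
  protected void doGet(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    String level = request.getParameter("level");

    // Guard first: nothing has been written yet, so sendError() really sets the
    // status line instead of throwing IllegalStateException on a committed response.
    if (isForbiddenModification(conf, level)) {
      if (response.isCommitted()) {
        // Defensive: if an upstream filter already flushed output, the status can
        // no longer change; record it rather than corrupt the response further.
        log("read-only rejection after commit; status cannot be changed");
        return;
      }
      response.sendError(HttpServletResponse.SC_FORBIDDEN,
        "Modification of HBase via the UI is disallowed by " + READONLY_KEY + ".");
      return;
    }

    // Only now begin the body (in the real servlet: header.jsp include, FORMS, ...).
    response.setContentType("text/html;charset=utf-8");
    PrintWriter out = response.getWriter();
    out.println("<html><body><h1>Log Level</h1>");
    if (level != null) {
      out.println("Level change accepted (apply it here).<br />");
    }
    out.println("</body></html>");
  }
}
```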



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
