+ d...@spark.apache.org On Tue, Apr 30, 2019 at 4:23 PM Ankit Jain <ankitjain....@gmail.com> wrote:
> Aah - actually found https://issues.apache.org/jira/browse/SPARK-18664 - > "Don't respond to HTTP OPTIONS in HTTP-based UIs" > > Does anyone know if this can be prioritized? > > Thanks > Ankit > > On Tue, Apr 30, 2019 at 1:31 PM Ankit Jain <ankitjain....@gmail.com> > wrote: > >> Hi Fellow Spark users, >> We are using Spark 2.3.0 and security team is reporting a violation that >> Spark allows HTTP OPTIONS method to work(This method exposes what all >> methods are supported by the end point which could be exploited by a >> hacker). >> >> This method is on Jetty web server, I see Spark uses Jetty for web UI and >> some internal communication as well. >> >> For Spark UI, we are planning to write a javaxfiler, create a jar and add >> it to spark libs to not respond to options method. We don't have a clean >> solution for internal jetty server that is used as a file server though. >> >> It will be nice if Spark itself didn't allow Options method to work, >> similar to what was done for TRACE - >> https://issues.apache.org/jira/browse/SPARK-5983 >> >> What do you guys think? Does community feel this should be something >> added directly to spark code? >> >> Also, if there is a later version of Spark where this has been addressed, >> please let us know too. >> >> -- >> Thanks & Regards, >> Ankit. >> > > > -- > Thanks & Regards, > Ankit. > -- Thanks & Regards, Ankit.
