[ https://issues.apache.org/jira/browse/HBASE-27812?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Duo Zhang resolved HBASE-27812.
-------------------------------
Fix Version/s: 2.6.0
3.0.0-alpha-4
Hadoop Flags: Reviewed
Resolution: Fixed
Pushed to master and branch-2.
Thanks [~yashdodeja] for contributing!
> Provide option in HBase UI to disable stack trace for security
> --------------------------------------------------------------
>
> Key: HBASE-27812
> URL: https://issues.apache.org/jira/browse/HBASE-27812
> Project: HBase
> Issue Type: Improvement
> Components: UI
> Reporter: Yash Dodeja
> Assignee: Yash Dodeja
> Priority: Minor
> Fix For: 2.6.0, 3.0.0-alpha-4
>
>
> Uncaught server exceptions occur when providing parameter values that the
> server or servlet does not understand.
> Physical paths, versioning information, stack traces' content, and other data
> can be gathered and used to help further an attack when improper error
> handling is present.
> Applications should always fail safe in their designs. If an application
> fails to an unknown state, it is likely that an attacker may be able to
> exploit this indeterminate state to access unauthorized functionality, or
> worse, create, modify or destroy data. Error messages may also aid in the
> identification of other attacks such as buffer overflows and SQL injection,
> and can generally contribute to an overall weaker security posture.
> For example, if we use an HTTPS web server and explicitly provide the Host header
> with a wrong value, say attackers.com, we get the following response in the UI:
> {code:java}
> <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/>
> <title>Error 400 Host does not match SNI</title>
> </head>
> <body><h2>HTTP ERROR 400 Host does not match SNI</h2>
> <table>
> <tr><th>URI:</th><td>/tablesDetailed.jsp</td></tr>
> <tr><th>STATUS:</th><td>400</td></tr>
> <tr><th>MESSAGE:</th><td>Host does not match SNI</td></tr>
> <tr><th>SERVLET:</th><td>-</td></tr>
> <tr><th>CAUSED BY:</th><td>org.apache.hbase.thirdparty.org.eclipse.jetty.http.BadMessageException: 400: Host does not match SNI</td></tr>
> </table>
> <h3>Caused by:</h3><pre>org.apache.hbase.thirdparty.org.eclipse.jetty.http.BadMessageException: 400: Host does not match SNI
> 	at org.apache.hbase.thirdparty.org.eclipse.jetty.server.SecureRequestCustomizer.customize(SecureRequestCustomizer.java:279)
> 	at org.apache.hbase.thirdparty.org.eclipse.jetty.server.SecureRequestCustomizer.customize(SecureRequestCustomizer.java:210)
> 	at org.apache.hbase.thirdparty.org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:483)
> 	at org.apache.hbase.thirdparty.org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:732)
> 	at org.apache.hbase.thirdparty.org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:479)
> 	at org.apache.hbase.thirdparty.org.eclipse.jetty.server.HttpChannel.run(HttpChannel.java:439)
> 	at org.apache.hbase.thirdparty.org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883)
> 	at org.apache.hbase.thirdparty.org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034)
> 	at java.lang.Thread.run(Thread.java:750)
> </pre>
> </body>
> </html>
> {code}
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
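A check an operator can run against a server's error response to confirm that the stack-trace disclosure described in the issue is gone once the option is enabled. This is an added example, not HBase or Jetty code; the two response bodies are constructed to mimic the shape of Jetty's default error page.

```python
import re
from html.parser import HTMLParser

# Constructed samples shaped like Jetty's default error page: one with the
# full "Caused by" trace, one the way a hardened server should answer.
LEAKY_BODY = """<html><head><title>Error 400 Host does not match SNI</title></head>
<body><h2>HTTP ERROR 400 Host does not match SNI</h2>
<table><tr><th>CAUSED BY:</th><td>org.apache.hbase.thirdparty.org.eclipse.jetty.http.BadMessageException: 400: Host does not match SNI</td></tr></table>
<h3>Caused by:</h3><pre>org.apache.hbase.thirdparty.org.eclipse.jetty.http.BadMessageException: 400: Host does not match SNI
\tat org.apache.hbase.thirdparty.org.eclipse.jetty.server.SecureRequestCustomizer.customize(SecureRequestCustomizer.java:279)
\tat org.apache.hbase.thirdparty.org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:483)
\tat java.lang.Thread.run(Thread.java:750)
</pre></body></html>"""

SAFE_BODY = """<html><head><title>Error 400 Bad Request</title></head>
<body><h2>HTTP ERROR 400 Bad Request</h2>
<table><tr><th>STATUS:</th><td>400</td></tr></table></body></html>"""

# A Java stack frame line: "at pkg.Class.method(File.java:123)"
FRAME_RE = re.compile(r"^\s*at\s+[\w$.]+\([\w$]+\.java:\d+\)\s*$", re.M)
# A fully qualified Throwable class name appearing anywhere in the page
THROWABLE_RE = re.compile(r"\b[\w$]+(?:\.[\w$]+)+(?:Exception|Error)\b")

class _PreText(HTMLParser):
    """Collects the text of every <pre> block, where Jetty prints the trace."""
    def __init__(self):
        super().__init__()
        self.in_pre, self.chunks = False, []
    def handle_starttag(self, tag, attrs):
        self.in_pre = self.in_pre or tag == "pre"
    def handle_endtag(self, tag):
        if tag == "pre":
            self.in_pre = False
    def handle_data(self, data):
        if self.in_pre:
            self.chunks.append(data)

def find_disclosures(body: str) -> dict:
    """Report what an error page reveals about the server's internals."""
    parser = _PreText()
    parser.feed(body)
    frames = FRAME_RE.findall("".join(parser.chunks))
    classes = sorted(set(THROWABLE_RE.findall(body)))
    return {"stack_frames": len(frames), "throwable_classes": classes,
            "leaks_internals": bool(frames or classes)}

if __name__ == "__main__":
    for name, body in (("leaky", LEAKY_BODY), ("safe", SAFE_BODY)):
        print(name, find_disclosures(body))
```

Point `find_disclosures` at the body of a real 4xx/5xx response from the HBase UI before and after enabling the option; a hardened deployment should report zero frames and no Throwable class names.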