[ https://issues.apache.org/jira/browse/MESOS-5346?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alexander Rukletsov updated MESOS-5346:
---------------------------------------
      Labels: http mesosphere security tech-debt  (was: http security tech-debt)
    Priority: Major  (was: Minor)

> Some endpoints do not specify their allowed request methods.
> ------------------------------------------------------------
>
>                 Key: MESOS-5346
>                 URL: https://issues.apache.org/jira/browse/MESOS-5346
>             Project: Mesos
>          Issue Type: Bug
>          Components: security, technical debt
>            Reporter: Jan Schlicht
>              Labels: http, mesosphere, security, tech-debt
>
> Some HTTP endpoints (for example "/flags" or "/state") create a response
> regardless of what the request method is. For example, an HTTP POST to the
> "/state" endpoint will create the same response as an HTTP GET.
> While this inconsistency isn't harmful at the moment, it will get problematic
> when authorization is implemented, using separate ACLs for endpoints that can
> be GETed and endpoints that can be POSTed to.
> Validation of the request method should be added to all endpoints, e.g.
> "/state" should return a 405 (Method Not Allowed) when POSTed to.
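The behaviour described above, as an added example that is not Mesos code: a constructed dispatcher that ignores the request method (the reported inconsistency) beside one that rejects non-allowed methods with a 405 and an Allow header, plus a small audit that flags endpoints answering POST/PUT/DELETE exactly like GET. The allow-list `ALLOWED` and the handler bodies are hypothetical stand-ins.

```python
"""Added example (not Mesos code): enforce and audit allowed HTTP methods per endpoint."""
from typing import Callable, Dict, Iterable, List, Tuple

Response = Tuple[int, Dict[str, str], str]  # (status, headers, body)

# Read-only endpoints named in the report; the handlers are constructed stand-ins.
READ_ONLY: Dict[str, Callable[[], str]] = {
    "/flags": lambda: '{"flags": {}}',
    "/state": lambda: '{"version": "constructed"}',
}
# Hypothetical allow-list: which methods each endpoint accepts.
ALLOWED: Dict[str, Tuple[str, ...]] = {"/flags": ("GET",), "/state": ("GET",)}


def unchecked_dispatch(method: str, path: str) -> Response:
    """Behaviour described in the issue: the method is ignored entirely."""
    handler = READ_ONLY.get(path)
    if handler is None:
        return 404, {}, "Not Found"
    return 200, {"Content-Type": "application/json"}, handler()


def checked_dispatch(method: str, path: str) -> Response:
    """Proposed behaviour: reject methods outside the allow-list with 405 + Allow."""
    handler = READ_ONLY.get(path)
    if handler is None:
        return 404, {}, "Not Found"
    allowed = ALLOWED.get(path, ())
    if method.upper() not in allowed:
        # The Allow header tells clients which methods are accepted here.
        return 405, {"Allow": ", ".join(allowed)}, "Method Not Allowed"
    return 200, {"Content-Type": "application/json"}, handler()


def audit(dispatch: Callable[[str, str], Response], paths: Iterable[str],
          methods: Tuple[str, ...] = ("POST", "PUT", "DELETE")) -> List[Tuple[str, str]]:
    """Report (path, method) pairs where a non-GET method gets the same response as GET."""
    findings = []
    for path in paths:
        baseline = dispatch("GET", path)
        for m in methods:
            if dispatch(m, path) == baseline:
                findings.append((path, m))
    return findings


if __name__ == "__main__":
    print("unchecked:", audit(unchecked_dispatch, ALLOWED))  # every path/method pair
    print("checked:  ", audit(checked_dispatch, ALLOWED))    # []
```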

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)