[ https://issues.apache.org/jira/browse/MESOS-5346?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Alexander Rukletsov updated MESOS-5346:
---------------------------------------
    Labels: http mesosphere security tech-debt  (was: http security tech-debt)
    Priority: Major  (was: Minor)

> Some endpoints do not specify their allowed request methods.
> ------------------------------------------------------------
>
>                 Key: MESOS-5346
>                 URL: https://issues.apache.org/jira/browse/MESOS-5346
>             Project: Mesos
>          Issue Type: Bug
>          Components: security, technical debt
>            Reporter: Jan Schlicht
>              Labels: http, mesosphere, security, tech-debt
>
> Some HTTP endpoints (for example "/flags" or "/state") create a response
> regardless of what the request method is. For example, an HTTP POST to the
> "/state" endpoint will create the same response as an HTTP GET.
> While this inconsistency isn't harmful at the moment, it will get problematic
> when authorization is implemented, using separate ACLs for endpoints that can
> be GETed and endpoints that can be POSTed to.
> Validation of the request method should be added to all endpoints, e.g.
> "/state" should return a 405 (Method Not Allowed) when POSTed to.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
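The method validation the ticket asks for, shown as an added illustration rather than Mesos or libprocess code (the names Request, Response, allow_methods, state_handler and dispatch are invented): the unchecked route answers a POST exactly as it answers a GET, while the wrapped route returns 405 with an Allow header listing the accepted methods.

```python
# Added example, not Mesos/libprocess code; names below are illustrative.
from dataclasses import dataclass, field

@dataclass
class Request:
    method: str
    path: str
    body: bytes = b""

@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""

def state_handler(req: Request) -> Response:
    # Read-only endpoint that, like the ticket's "/state", builds the same
    # document whatever method the request used.
    return Response(200, {"Content-Type": "application/json"}, b'{"id":"master"}')

def allow_methods(*methods):
    """Reject any request method not listed with 405 and an Allow header
    naming the accepted methods, as RFC 7231 requires for a 405 response."""
    allowed = {m.upper() for m in methods}
    def decorator(handler):
        def wrapped(req: Request) -> Response:
            if req.method.upper() not in allowed:
                return Response(405, {"Allow": ", ".join(sorted(allowed))})
            return handler(req)
        return wrapped
    return decorator

# Before: the route table never looks at the method, so POST == GET.
unchecked_routes = {"/state": state_handler}
# After: an explicit allow-list per endpoint; anything else is 405.
checked_routes = {"/state": allow_methods("GET")(state_handler)}

def dispatch(routes, req: Request) -> Response:
    handler = routes.get(req.path)
    return handler(req) if handler else Response(404)

def demo():
    get, post = Request("GET", "/state"), Request("POST", "/state", b"x=1")
    return {
        "unchecked_post": dispatch(unchecked_routes, post).status,     # 200
        "checked_get": dispatch(checked_routes, get).status,           # 200
        "checked_post": dispatch(checked_routes, post).status,         # 405
        "allow": dispatch(checked_routes, post).headers.get("Allow"),  # "GET"
    }
```

Once per-method ACLs exist, the wrapper also guarantees that a request carrying a method the endpoint never meant to serve is refused before any handler logic or authorization path for the "wrong" method class is reached.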