[ https://issues.apache.org/jira/browse/SPARK-5983?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sean Owen resolved SPARK-5983.
------------------------------
    Resolution: Fixed
    Fix Version/s: 1.4.0
    Assignee: Sean Owen

> Don't respond to HTTP TRACE in HTTP-based UIs
> ---------------------------------------------
>
>                 Key: SPARK-5983
>                 URL: https://issues.apache.org/jira/browse/SPARK-5983
>             Project: Spark
>          Issue Type: Improvement
>          Components: Spark Core
>            Reporter: Sean Owen
>            Assignee: Sean Owen
>            Priority: Minor
>             Fix For: 1.4.0
>
>
> This was flagged a while ago during a routine security scan: the HTTP-based
> Spark services respond to an HTTP TRACE command. This is basically an HTTP
> verb that has no practical use, and has a pretty theoretical chance of being
> an exploit vector. It is flagged as a security issue by one common tool,
> however.
>
> Spark's HTTP services are based on Jetty, which by default does not enable
> TRACE (like Tomcat). However, the services do reply to TRACE requests. I
> think it is because the use of Jetty is pretty 'raw' and does not enable much
> of the default additional configuration you might get by using Jetty as a
> standalone server.
>
> I know that it is at least possible to stop the reply to TRACE with a few
> extra lines of code, so I think it is worth shutting off TRACE requests.
> Although the security risk is quite theoretical, it should be easy to fix and
> bring the Spark services into line with the common default of HTTP servers
> today.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
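The issue above has two halves a defender cares about: the check a scanner runs (does the service answer TRACE, and does the reply echo the request headers back?) and the fix (answer TRACE with 405 instead of echoing). The following is an added example, not Spark's patch and not Jetty code: it uses Python's standard `http.server` as a stand-in for a Jetty-hosted UI so that both halves can be run offline. The `X-Probe` header name and its value are constructed for the example; a real scanner uses its own marker. In a Jetty servlet the equivalent of `HardenedHandler` is overriding `HttpServlet.doTrace` to send `SC_METHOD_NOT_ALLOWED`, since the servlet API's default `doTrace` is what echoes the request.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed probe header. A server that honours TRACE reflects the request
# line and headers in its body, so the value reappearing there is the signal
# a scanner flags as "TRACE enabled".
PROBE_HEADER = "X-Probe"
PROBE_VALUE = "canary-value-constructed"


class EchoingHandler(BaseHTTPRequestHandler):
    """Behaves like a server that honours TRACE: echoes the request back."""

    def do_TRACE(self):
        body = (self.requestline + "\r\n" + str(self.headers)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        # Keep the example quiet; stdlib default logs every request to stderr.
        pass


class HardenedHandler(EchoingHandler):
    """Refuses TRACE with 405 Method Not Allowed and no body."""

    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET, HEAD")
        self.send_header("Content-Length", "0")
        self.end_headers()


def start_server(handler_cls):
    """Bind to an ephemeral loopback port and serve in a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe_trace(host, port):
    """Send one TRACE request; return (status, echoed).

    `echoed` is True when the response body reflects our probe header,
    i.e. the server really implements TRACE rather than merely replying.
    """
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("TRACE", "/", headers={PROBE_HEADER: PROBE_VALUE})
    resp = conn.getresponse()
    body = resp.read().decode(errors="replace")
    conn.close()
    return resp.status, PROBE_VALUE in body


def check_handler(handler_cls):
    """Start a server with handler_cls, probe it, shut it down."""
    srv = start_server(handler_cls)
    try:
        return probe_trace("127.0.0.1", srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for cls in (EchoingHandler, HardenedHandler):
        status, echoed = check_handler(cls)
        print(f"{cls.__name__}: status={status} echoed={echoed}")
```

`probe_trace` is the same request a scanner sends; point it at a service you operate to confirm the behaviour before and after a change. The echo check matters because a server that simply returns a status for TRACE is not the finding; the finding is the reflected request, so the test asserts on both the status and the absence of the probe value.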