Posted to issues@mesos.apache.org by "Jan Schlicht (JIRA)" <ji...@apache.org> on 2016/05/09 13:57:12 UTC

[jira] [Updated] (MESOS-5346) Some endpoints do not specify their allowed request methods.

     [ https://issues.apache.org/jira/browse/MESOS-5346?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jan Schlicht updated MESOS-5346:
--------------------------------
    Priority: Minor  (was: Major)

> Some endpoints do not specify their allowed request methods.
> ------------------------------------------------------------
>
>                 Key: MESOS-5346
>                 URL: https://issues.apache.org/jira/browse/MESOS-5346
>             Project: Mesos
>          Issue Type: Bug
>          Components: security, technical debt
>            Reporter: Jan Schlicht
>            Priority: Minor
>              Labels: http, security, tech-debt
>
> Some HTTP endpoints (for example "/flags" or "/state") create a response regardless of what the request method is. For example an HTTP POST to the "/state" endpoint will create the same response as an HTTP GET.
> While this inconsistency isn't harmful at the moment, it will get problematic when authorization is implemented, using separate ACLs for endpoints that can be GETed and endpoints that can be POSTed to.
> Validation of the request method should be added to all endpoints, e.g. "/state" should return a 405 (Method Not Allowed) when POSTed to.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
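The check the issue asks for, as an added illustration rather than Mesos or libprocess code: a route table maps each endpoint path to the request methods it accepts, and the dispatcher answers 405 (with an `Allow` header listing the permitted methods) for anything else instead of building the normal response. The `Request`/`Response` structs, the `handleWithoutValidation`/`handleWithValidation` functions and the route table entries are assumptions for this example; the "before" handler reproduces the behaviour described above, where a POST to "/state" gets the same reply as a GET. The example goes slightly beyond the ticket by treating HEAD as allowed wherever GET is, which is the usual convention for read-only endpoints.

```cpp
#include <iostream>
#include <map>
#include <set>
#include <string>

// Hypothetical minimal request/response types for this example
// (not libprocess's process::http::Request/Response).
struct Request {
  std::string method;
  std::string path;
};

struct Response {
  int status;
  std::map<std::string, std::string> headers;
  std::string body;
};

// Constructed route table: endpoint path -> methods it accepts.
// HEAD is listed beside GET for read-only endpoints by convention.
static const std::map<std::string, std::set<std::string>> kAllowedMethods = {
    {"/state", {"GET", "HEAD"}},
    {"/flags", {"GET", "HEAD"}},
    {"/teardown", {"POST"}},
};

// Build the value of the Allow header, e.g. "GET, HEAD".
std::string allowHeader(const std::set<std::string>& methods) {
  std::string out;
  for (const auto& m : methods) {
    if (!out.empty()) out += ", ";
    out += m;
  }
  return out;
}

// "Before": the handler never looks at the method, so a POST to /state
// is answered exactly like a GET (the inconsistency the issue reports).
Response handleWithoutValidation(const Request& req) {
  (void)req;
  return {200, {{"Content-Type", "application/json"}}, "{\"endpoint\":\"ok\"}"};
}

// "After": unknown path -> 404; known path but disallowed method -> 405
// with an Allow header; only an allowed method reaches the real handler.
Response handleWithValidation(const Request& req) {
  auto it = kAllowedMethods.find(req.path);
  if (it == kAllowedMethods.end()) {
    return {404, {}, "Not Found"};
  }
  const std::set<std::string>& allowed = it->second;
  if (allowed.count(req.method) == 0) {
    return {405, {{"Allow", allowHeader(allowed)}}, "Method Not Allowed"};
  }
  return {200, {{"Content-Type", "application/json"}}, "{\"endpoint\":\"ok\"}"};
}

int main() {
  const Request requests[] = {
      {"GET", "/state"}, {"POST", "/state"}, {"GET", "/teardown"}, {"GET", "/missing"}};
  for (const Request& r : requests) {
    Response before = handleWithoutValidation(r);
    Response after = handleWithValidation(r);
    std::cout << r.method << " " << r.path << ": before=" << before.status
              << " after=" << after.status;
    if (after.headers.count("Allow")) std::cout << " Allow: " << after.headers["Allow"];
    std::cout << "\n";
  }
  return 0;
}
```

Keeping the allowed methods next to the route registration, rather than inside each handler body, is what makes the later per-method ACLs mentioned in the issue enforceable in one place: the authorizer can consult the same table before the handler runs.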