Posted to issues@nifi.apache.org by "David Handermann (Jira)" <ji...@apache.org> on 2021/02/08 21:41:00 UTC

[jira] [Resolved] (NIFI-7962) NiFi should not respond with HTTP 500 errors for HTTP TRACK request

     [ https://issues.apache.org/jira/browse/NIFI-7962?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

David Handermann resolved NIFI-7962.
------------------------------------
      Assignee: David Handermann
    Resolution: Information Provided

Confirmed that setting {{nifi.web.should.send.server.version}} to {{false}} in {{nifi.properties}} stops Jetty from returning the Server HTTP header and associated version information on HTTP responses from the NiFi API.

> NiFi should not respond with HTTP 500 errors for HTTP TRACK request
> -------------------------------------------------------------------
>
>                 Key: NIFI-7962
>                 URL: https://issues.apache.org/jira/browse/NIFI-7962
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core Framework
>    Affects Versions: 1.12.1
>            Reporter: Andy LoPresto
>            Assignee: David Handermann
>            Priority: Trivial
>              Labels: http, jetty, security
>
> The HTTP {{TRACK}} method was not specified in RFC 2068 [1] for HTTP 1.1 but is now available on some clients. NiFi currently responds to these requests with a 500 Internal Server Error page which reveals the version of the servlet API being used but does not contain any sensitive information. As NiFi is an open source project, the servlet API version would already be readily available to an attacker. 
> The error page should be generic to obscure the servlet API version. 
> [1] https://tools.ietf.org/html/rfc2068
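The following is an added example, not part of this Jira thread and not NiFi project code. It audits the nifi.properties setting named in the resolution ({{nifi.web.should.send.server.version}}) and inspects a captured HTTP response head for the two things the issue discusses: a Server header that names the Jetty version, and a 500 status for a request such as TRACK. The properties excerpts and response heads are constructed for illustration; the "Jetty(EXAMPLE-VERSION)" value is a placeholder, and treating a missing key as true is an assumption about the shipped default, not something stated in the issue.

```python
# Added example (not NiFi project code): checks the nifi.properties setting from NIFI-7962
# and audits a captured HTTP response head for Server-header disclosure and 500 responses.
# All sample properties text and response heads below are constructed, not captured.
import re
from typing import Dict, List, Tuple

SETTING = "nifi.web.should.send.server.version"


def parse_properties(text: str) -> Dict[str, str]:
    """Parse Java .properties text (key=value lines, '#' or '!' comment lines) into a dict."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def server_version_sent(props: Dict[str, str]) -> bool:
    """Return True when NiFi will still emit the Server header.

    Only an explicit 'false' disables the header, matching the resolution in the issue.
    A missing key is treated as 'true' (assumption: the shipped default enables the header).
    """
    return props.get(SETTING, "true").lower() != "false"


def parse_response_head(raw: str) -> Tuple[int, Dict[str, str]]:
    """Split a raw HTTP response head into (status code, header map with lower-cased names)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    match = re.match(r"HTTP/\d(?:\.\d)? (\d{3})", lines[0])
    if not match:
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(match.group(1)), headers


def audit_response(raw: str, method: str) -> List[str]:
    """Return findings for a response head to a request made with the given method."""
    status, headers = parse_response_head(raw)
    findings: List[str] = []
    if "server" in headers:
        # The header NiFi stops sending once the setting is false.
        findings.append("Server header disclosed: " + headers["server"])
    if status == 500:
        # The issue asks for a generic error page; a 500 page is the one that named the servlet API.
        findings.append("%s request answered with 500; verify the error page is generic" % method.upper())
    return findings


# Constructed nifi.properties excerpts: setting left at true, and the hardened value.
PROPERTIES_DEFAULT = "nifi.web.http.port=8080\n" + SETTING + "=true\n"
PROPERTIES_HARDENED = "# hardened per NIFI-7962\n" + SETTING + "=false\n"

# Constructed response heads (not captured from a real NiFi instance).
RESPONSE_BEFORE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: Jetty(EXAMPLE-VERSION)\r\n"
    "Content-Type: text/html;charset=iso-8859-1\r\n"
    "\r\n"
)
RESPONSE_AFTER = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Content-Type: text/html;charset=iso-8859-1\r\n"
    "\r\n"
)
RESPONSE_OK = "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n{}"


if __name__ == "__main__":
    for label, text in (("default", PROPERTIES_DEFAULT), ("hardened", PROPERTIES_HARDENED)):
        print(label, "sends Server header:", server_version_sent(parse_properties(text)))
    for label, head in (("before", RESPONSE_BEFORE), ("after", RESPONSE_AFTER)):
        print(label, audit_response(head, "TRACK"))
```

To use this against a live instance, capture the response head of a request to the NiFi API (for example with an HTTP client that prints headers) and pass it to audit_response together with the method used; an empty list means neither finding applies.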



--
This message was sent by Atlassian Jira
(v8.3.4#803005)