Posted to commits@hive.apache.org by ai...@apache.org on 2016/11/08 13:33:28 UTC
hive git commit: HIVE-14984: Hive-WebUI access results in Request is
a replay (34) attack (Barna Zsombor Klara, reviewed by Aihua Xu)
Repository: hive
Updated Branches:
refs/heads/master 36ea6831f -> f42021125
HIVE-14984: Hive-WebUI access results in Request is a replay (34) attack (Barna Zsombor Klara, reviewed by Aihua Xu)
Project: http://git-wip-us.apache.org/repos/asf/hive/repo
Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/f4202112
Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/f4202112
Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/f4202112
Branch: refs/heads/master
Commit: f42021125b79ff8c9f6d52777c6c67738c07d675
Parents: 36ea683
Author: Aihua Xu <ai...@apache.org>
Authored: Tue Nov 8 08:32:45 2016 -0500
Committer: Aihua Xu <ai...@apache.org>
Committed: Tue Nov 8 08:32:59 2016 -0500
----------------------------------------------------------------------
.../java/org/apache/hive/http/HttpServer.java | 16 +++++++++++++-
.../hive-webapps/hiveserver2/index.html | 20 -----------------
.../hive/service/server/TestHS2HttpServer.java | 23 ++++++++++++++++++++
3 files changed, 38 insertions(+), 21 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hive/blob/f4202112/common/src/java/org/apache/hive/http/HttpServer.java
----------------------------------------------------------------------
diff --git a/common/src/java/org/apache/hive/http/HttpServer.java b/common/src/java/org/apache/hive/http/HttpServer.java
index c4e2e33..42d2959 100644
--- a/common/src/java/org/apache/hive/http/HttpServer.java
+++ b/common/src/java/org/apache/hive/http/HttpServer.java
@@ -51,6 +51,8 @@ import org.apache.logging.log4j.core.LoggerContext;
import org.apache.logging.log4j.core.appender.AbstractOutputStreamAppender;
import org.apache.logging.log4j.core.appender.FileManager;
import org.apache.logging.log4j.core.appender.OutputStreamManager;
+import org.eclipse.jetty.rewrite.handler.RewriteHandler;
+import org.eclipse.jetty.rewrite.handler.RewriteRegexRule;
import org.eclipse.jetty.server.Connector;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.handler.ContextHandler.Context;
@@ -386,9 +388,21 @@ public class HttpServer {
connector.setPort(b.port);
webServer.addConnector(connector);
+ RewriteHandler rwHandler = new RewriteHandler();
+ rwHandler.setRewriteRequestURI(true);
+ rwHandler.setRewritePathInfo(false);
+
+ RewriteRegexRule rootRule = new RewriteRegexRule();
+ rootRule.setRegex("^/$");
+ rootRule.setReplacement("/hiveserver2.jsp");
+ rootRule.setTerminating(true);
+
+ rwHandler.addRule(rootRule);
+ rwHandler.setHandler(webAppContext);
+
// Configure web application contexts for the web server
ContextHandlerCollection contexts = new ContextHandlerCollection();
- contexts.addHandler(webAppContext);
+ contexts.addHandler(rwHandler);
webServer.setHandler(contexts);
addServlet("jmx", "/jmx", JMXJsonServlet.class);
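Review bot: The rewrite target `/hiveserver2.jsp` is hard-coded at `rootRule.setReplacement(...)`, although this class lives under `common/` and is configured through a builder (`b.port`). Any other web UI built on it would presumably have its root rewritten to a page it does not ship, so deriving the target from the builder's configuration would keep the class generic. The block also lacks a comment explaining why the root is served by a server-side rewrite, for example `// Serve "/" in a single request; the former meta-refresh in index.html led to the "Request is a replay (34)" error (HIVE-14984).` Since the rule matches only the exact root path and the handler wraps `webAppContext`, the context's own filters should still see the rewritten URI, but that is worth confirming against a secured configuration. The enclosing method starts and ends outside this hunk.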
http://git-wip-us.apache.org/repos/asf/hive/blob/f4202112/service/src/resources/hive-webapps/hiveserver2/index.html
----------------------------------------------------------------------
diff --git a/service/src/resources/hive-webapps/hiveserver2/index.html b/service/src/resources/hive-webapps/hiveserver2/index.html
deleted file mode 100644
index f18ba53..0000000
--- a/service/src/resources/hive-webapps/hiveserver2/index.html
+++ /dev/null
@@ -1,20 +0,0 @@
-<!--
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
--->
-<meta HTTP-EQUIV="REFRESH" content="0;url=/hiveserver2.jsp"/>
http://git-wip-us.apache.org/repos/asf/hive/blob/f4202112/service/src/test/org/apache/hive/service/server/TestHS2HttpServer.java
----------------------------------------------------------------------
diff --git a/service/src/test/org/apache/hive/service/server/TestHS2HttpServer.java b/service/src/test/org/apache/hive/service/server/TestHS2HttpServer.java
index c9e0ac3..d918c64 100644
--- a/service/src/test/org/apache/hive/service/server/TestHS2HttpServer.java
+++ b/service/src/test/org/apache/hive/service/server/TestHS2HttpServer.java
@@ -20,9 +20,11 @@ package org.apache.hive.service.server;
import java.io.BufferedReader;
import java.io.InputStreamReader;
+import java.io.StringWriter;
import java.net.HttpURLConnection;
import java.net.URL;
+import org.apache.commons.io.IOUtils;
import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
import org.apache.hadoop.hive.metastore.MetaStoreUtils;
@@ -86,6 +88,27 @@ public class TestHS2HttpServer {
}
@Test
+ public void testContextRootUrlRewrite() throws Exception {
+ String baseURL = "http://localhost:" + webUIPort + "/";
+ URL url = new URL(baseURL);
+ HttpURLConnection conn = (HttpURLConnection) url.openConnection();
+ Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
+ StringWriter writer = new StringWriter();
+ IOUtils.copy(conn.getInputStream(), writer, "UTF-8");
+ String contextRootContent = writer.toString();
+
+ String jspUrl = "http://localhost:" + webUIPort + "/hiveserver2.jsp";
+ url = new URL(jspUrl);
+ conn = (HttpURLConnection) url.openConnection();
+ Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
+ writer = new StringWriter();
+ IOUtils.copy(conn.getInputStream(), writer, "UTF-8");
+ String jspContent = writer.toString();
+
+ Assert.assertEquals(contextRootContent, jspContent);
+ }
+
+ @Test
public void testConfStrippedFromWebUI() throws Exception {
String pwdValFound = null;
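Review bot: Both requests in `testContextRootUrlRewrite` go over plain HTTP with no authentication set up in the visible lines, so the test confirms the rewrite but not the replay error named in the commit title. A case with Kerberos/SPNEGO authentication enabled, or a comment stating that this path is not covered, would make the gap explicit. The two response streams and connections are also never closed; reading each body inside `try (InputStream in = conn.getInputStream()) { ... }` and calling `conn.disconnect()` afterwards avoids leaking them when an assertion fails. Comparing the two bodies for exact equality may be brittle if the JSP renders time-dependent values, which cannot be told from this hunk.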