Posted to commits@spark.apache.org by gu...@apache.org on 2021/02/18 09:07:28 UTC

[spark] branch branch-3.0 updated: [SPARK-34449][BUILD] Upgrade Jetty to fix CVE-2020-27218

This is an automated email from the ASF dual-hosted git repository.

gurwls223 pushed a commit to branch branch-3.0
in repository https://gitbox.apache.org/repos/asf/spark.git


The following commit(s) were added to refs/heads/branch-3.0 by this push:
     new d089c0e  [SPARK-34449][BUILD] Upgrade Jetty to fix CVE-2020-27218
d089c0e is described below

commit d089c0eedb5d839e27fa83b29812d0ce720a1207
Author: Kousuke Saruta <sa...@oss.nttdata.com>
AuthorDate: Thu Feb 18 18:02:34 2021 +0900

    [SPARK-34449][BUILD] Upgrade Jetty to fix CVE-2020-27218
    
    This PR upgrades Jetty from `9.4.34` to `9.4.36`.
    
    CVE-2020-27218 affects currently used Jetty 9.4.34.
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27218
    
    No.
    
    Modified an existing test and added a new test that comply with the new version of Jetty.
    
    Closes #31574 from sarutak/upgrade-jetty-9.4.36.
    
    Authored-by: Kousuke Saruta <sa...@oss.nttdata.com>
    Signed-off-by: HyukjinKwon <gu...@apache.org>
    (cherry picked from commit 51672281728164db731f3f607818bffea0334eb0)
    Signed-off-by: HyukjinKwon <gu...@apache.org>
---
 .../test/scala/org/apache/spark/ui/UISuite.scala   | 37 +++++++++++++++-------
 pom.xml                                            |  2 +-
 2 files changed, 26 insertions(+), 13 deletions(-)

diff --git a/core/src/test/scala/org/apache/spark/ui/UISuite.scala b/core/src/test/scala/org/apache/spark/ui/UISuite.scala
index fb3015e..45a2ce0 100644
--- a/core/src/test/scala/org/apache/spark/ui/UISuite.scala
+++ b/core/src/test/scala/org/apache/spark/ui/UISuite.scala
@@ -356,20 +356,9 @@ class UISuite extends SparkFunSuite {
     try {
       val serverAddr = s"http://localhost:${serverInfo.boundPort}"
 
-      val (_, ctx) = newContext("/ctx1")
-      serverInfo.addHandler(ctx, securityMgr)
-
       val redirect = JettyUtils.createRedirectHandler("/src", "/dst")
       serverInfo.addHandler(redirect, securityMgr)
 
-      // Test Jetty's built-in redirect to add the trailing slash to the context path.
-      TestUtils.withHttpConnection(new URL(s"$serverAddr/ctx1")) { conn =>
-        assert(conn.getResponseCode() === HttpServletResponse.SC_FOUND)
-        val location = Option(conn.getHeaderFields().get("Location"))
-          .map(_.get(0)).orNull
-        assert(location === s"$proxyRoot/ctx1/")
-      }
-
       // Test with a URL handled by the added redirect handler, and also including a path prefix.
       val headers = Seq("X-Forwarded-Context" -> "/prefix")
       TestUtils.withHttpConnection(
@@ -395,6 +384,28 @@ class UISuite extends SparkFunSuite {
     }
   }
 
+  test("SPARK-34449: Jetty 9.4.35.v20201120 and later no longer return status code 302 " +
+       " and handle internally when request URL ends with a context path without trailing '/'") {
+    val proxyRoot = "https://proxy.example.com:443/prefix"
+    val (conf, securityMgr, sslOptions) = sslDisabledConf()
+    conf.set(UI.PROXY_REDIRECT_URI, proxyRoot)
+    val serverInfo = JettyUtils.startJettyServer("0.0.0.0", 0, sslOptions, conf)
+
+    try {
+      val (_, ctx) = newContext("/ctx")
+      serverInfo.addHandler(ctx, securityMgr)
+      val urlStr = s"http://localhost:${serverInfo.boundPort}/ctx"
+
+      assert(TestUtils.httpResponseCode(new URL(urlStr + "/")) === HttpServletResponse.SC_OK)
+
+      // If the following assertion fails when we upgrade Jetty, it seems to change the behavior of
+      // handling context path which doesn't have the trailing slash.
+      assert(TestUtils.httpResponseCode(new URL(urlStr)) === HttpServletResponse.SC_OK)
+    } finally {
+      stopServer(serverInfo)
+    }
+  }
+
   /**
    * Create a new context handler for the given path, with a single servlet that responds to
    * requests in `$path/root`.
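Review bot: The final `httpResponseCode` assertion only detects a regression back to Jetty's old 302-on-missing-slash behaviour if `TestUtils.httpResponseCode` does not follow redirects; if it relies on `HttpURLConnection` defaults, a same-scheme redirect to `/ctx/` would be followed transparently and still report 200. Setting `UI.PROXY_REDIRECT_URI` to an `https://` host presumably prevents that (a cross-scheme redirect is not followed automatically), but nothing in the test says so, and the value is otherwise unused here. Either check the response with `TestUtils.withHttpConnection` and assert that no `Location` header is present, as the removed test did, or replace the two-line comment with one that states the intent: `// PROXY_REDIRECT_URI points at an https host so that a regressed 302 would not be followed silently; Jetty >= 9.4.35 serves /ctx directly instead of redirecting to /ctx/.` Also, the test name is built from `"... 302 " + " and handle ..."`, which yields a double space in the reported name.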
@@ -403,7 +414,9 @@ class UISuite extends SparkFunSuite {
     val servlet = new CapturingServlet()
     val ctx = new ServletContextHandler()
     ctx.setContextPath(path)
-    ctx.addServlet(new ServletHolder(servlet), "/root")
+    val servletHolder = new ServletHolder(servlet)
+    ctx.addServlet(servletHolder, "/root")
+    ctx.addServlet(servletHolder, "/")
     (servlet, ctx)
   }
 
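Review bot: Registering the same `servletHolder` at `/` as well as `/root` makes `CapturingServlet` the context's default servlet, so every path under a `newContext` handler now answers with its response instead of a 404; any test in this suite that relied on an unmapped path under such a context being rejected would be masked, which is worth checking since the rest of the file is not in this hunk. The Scaladoc directly above `newContext` (visible as context in the previous hunk) still says the handler has "a single servlet that responds to requests in `$path/root`"; it should be extended, e.g. `* requests in `$path/root` and, since SPARK-34449, also as the default servlet at `$path/` so that a context path without a trailing slash is served rather than redirected.` The signature of `newContext` lies outside the hunk.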
diff --git a/pom.xml b/pom.xml
index 427a241..80fcc55 100644
--- a/pom.xml
+++ b/pom.xml
@@ -140,7 +140,7 @@
     <orc.classifier></orc.classifier>
     <hive.parquet.group>com.twitter</hive.parquet.group>
     <hive.parquet.version>1.6.0</hive.parquet.version>
-    <jetty.version>9.4.34.v20201102</jetty.version>
+    <jetty.version>9.4.36.v20210114</jetty.version>
     <javaxservlet.version>3.1.0</javaxservlet.version>
     <chill.version>0.9.5</chill.version>
     <ivy.version>2.4.0</ivy.version>

