Posted to commits@spark.apache.org by gu...@apache.org on 2021/02/18 09:07:28 UTC
[spark] branch branch-3.0 updated: [SPARK-34449][BUILD] Upgrade
Jetty to fix CVE-2020-27218
This is an automated email from the ASF dual-hosted git repository.
gurwls223 pushed a commit to branch branch-3.0
in repository https://gitbox.apache.org/repos/asf/spark.git
The following commit(s) were added to refs/heads/branch-3.0 by this push:
new d089c0e [SPARK-34449][BUILD] Upgrade Jetty to fix CVE-2020-27218
d089c0e is described below
commit d089c0eedb5d839e27fa83b29812d0ce720a1207
Author: Kousuke Saruta <sa...@oss.nttdata.com>
AuthorDate: Thu Feb 18 18:02:34 2021 +0900
[SPARK-34449][BUILD] Upgrade Jetty to fix CVE-2020-27218
This PR upgrades Jetty from `9.4.34` to `9.4.36`.
CVE-2020-27218 affects currently used Jetty 9.4.34.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27218
No.
Modified an existing test and added a new test that comply with the new version of Jetty.
Closes #31574 from sarutak/upgrade-jetty-9.4.36.
Authored-by: Kousuke Saruta <sa...@oss.nttdata.com>
Signed-off-by: HyukjinKwon <gu...@apache.org>
(cherry picked from commit 51672281728164db731f3f607818bffea0334eb0)
Signed-off-by: HyukjinKwon <gu...@apache.org>
---
.../test/scala/org/apache/spark/ui/UISuite.scala | 37 +++++++++++++++-------
pom.xml | 2 +-
2 files changed, 26 insertions(+), 13 deletions(-)
diff --git a/core/src/test/scala/org/apache/spark/ui/UISuite.scala b/core/src/test/scala/org/apache/spark/ui/UISuite.scala
index fb3015e..45a2ce0 100644
--- a/core/src/test/scala/org/apache/spark/ui/UISuite.scala
+++ b/core/src/test/scala/org/apache/spark/ui/UISuite.scala
@@ -356,20 +356,9 @@ class UISuite extends SparkFunSuite {
try {
val serverAddr = s"http://localhost:${serverInfo.boundPort}"
- val (_, ctx) = newContext("/ctx1")
- serverInfo.addHandler(ctx, securityMgr)
-
val redirect = JettyUtils.createRedirectHandler("/src", "/dst")
serverInfo.addHandler(redirect, securityMgr)
- // Test Jetty's built-in redirect to add the trailing slash to the context path.
- TestUtils.withHttpConnection(new URL(s"$serverAddr/ctx1")) { conn =>
- assert(conn.getResponseCode() === HttpServletResponse.SC_FOUND)
- val location = Option(conn.getHeaderFields().get("Location"))
- .map(_.get(0)).orNull
- assert(location === s"$proxyRoot/ctx1/")
- }
-
// Test with a URL handled by the added redirect handler, and also including a path prefix.
val headers = Seq("X-Forwarded-Context" -> "/prefix")
TestUtils.withHttpConnection(
@@ -395,6 +384,28 @@ class UISuite extends SparkFunSuite {
}
}
+ test("SPARK-34449: Jetty 9.4.35.v20201120 and later no longer return status code 302 " +
+ " and handle internally when request URL ends with a context path without trailing '/'") {
+ val proxyRoot = "https://proxy.example.com:443/prefix"
+ val (conf, securityMgr, sslOptions) = sslDisabledConf()
+ conf.set(UI.PROXY_REDIRECT_URI, proxyRoot)
+ val serverInfo = JettyUtils.startJettyServer("0.0.0.0", 0, sslOptions, conf)
+
+ try {
+ val (_, ctx) = newContext("/ctx")
+ serverInfo.addHandler(ctx, securityMgr)
+ val urlStr = s"http://localhost:${serverInfo.boundPort}/ctx"
+
+ assert(TestUtils.httpResponseCode(new URL(urlStr + "/")) === HttpServletResponse.SC_OK)
+
+ // If the following assertion fails when we upgrade Jetty, it seems to change the behavior of
+ // handling context path which doesn't have the trailing slash.
+ assert(TestUtils.httpResponseCode(new URL(urlStr)) === HttpServletResponse.SC_OK)
+ } finally {
+ stopServer(serverInfo)
+ }
+ }
+
/**
* Create a new context handler for the given path, with a single servlet that responds to
* requests in `$path/root`.
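Review bot: The new test's name at the top of the hunk is built from two literals that both carry a space at the join, `"... status code 302 " + " and handle internally ..."`, so the reported test name contains a double space; drop the leading space of the second literal, `"and handle internally when request URL ends with a context path without trailing '/'") {`. The comment above the final assertion is hard to parse as written; I would reword it as `// Jetty 9.4.35+ serves a context path without a trailing slash directly instead of answering 302; if this assertion starts failing after a Jetty upgrade, that behaviour has changed again and the proxy redirect handling needs a fresh look.` `proxyRoot` is only consumed through `UI.PROXY_REDIRECT_URI` and nothing asserts on it, so a one-line comment on why it is configured (presumably so that a regression to the old redirect behaviour would surface as a 302 rather than an error) would help the next reader. The enclosing class UISuite begins and ends outside the hunk.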
@@ -403,7 +414,9 @@ class UISuite extends SparkFunSuite {
val servlet = new CapturingServlet()
val ctx = new ServletContextHandler()
ctx.setContextPath(path)
- ctx.addServlet(new ServletHolder(servlet), "/root")
+ val servletHolder = new ServletHolder(servlet)
+ ctx.addServlet(servletHolder, "/root")
+ ctx.addServlet(servletHolder, "/")
(servlet, ctx)
}
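Review bot: The added default mapping `ctx.addServlet(servletHolder, "/")` widens what `newContext` serves, but the helper's Scaladoc (the context lines ending the previous hunk, `* requests in `$path/root`.`) still describes a single servlet reachable only at `$path/root`; a `"/"` servlet mapping is the context's default servlet, so the capturing servlet now answers every path under `$path` that no other mapping claims. I would update the doc to `* requests to `$path/root` and, through the default "/" mapping, to any other path under `$path`.`. Callers of this helper elsewhere in the suite are outside the hunk, so any test that relied on an unmapped path under such a context returning 404 is worth re-checking. The signature line of `newContext` lies between the two hunks and is not visible here.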
diff --git a/pom.xml b/pom.xml
index 427a241..80fcc55 100644
--- a/pom.xml
+++ b/pom.xml
@@ -140,7 +140,7 @@
<orc.classifier></orc.classifier>
<hive.parquet.group>com.twitter</hive.parquet.group>
<hive.parquet.version>1.6.0</hive.parquet.version>
- <jetty.version>9.4.34.v20201102</jetty.version>
+ <jetty.version>9.4.36.v20210114</jetty.version>
<javaxservlet.version>3.1.0</javaxservlet.version>
<chill.version>0.9.5</chill.version>
<ivy.version>2.4.0</ivy.version>