Posted to dev@zeppelin.apache.org by "Elek, Marton (JIRA)" <ji...@apache.org> on 2017/04/28 12:45:04 UTC
[jira] [Created] (ZEPPELIN-2468) Enable websocket queries without Origin if zeppelin.server.allowed.origins is *
Elek, Marton created ZEPPELIN-2468:
--------------------------------------
Summary: Enable websocket queries without Origin if zeppelin.server.allowed.origins is *
Key: ZEPPELIN-2468
URL: https://issues.apache.org/jira/browse/ZEPPELIN-2468
Project: Zeppelin
Issue Type: Bug
Affects Versions: 0.7.1
Reporter: Elek, Marton
Assignee: Elek, Marton
With ZEPPELIN-2288 we restored the check of the Origin field for websocket requests.
Unfortunately the current implementation will deny the request if the Origin HTTP header is empty, even if the zeppelin.server.allowed.origins is *.
{code}
public static Boolean isValidOrigin(String sourceHost, ZeppelinConfiguration conf)
    throws UnknownHostException, URISyntaxException {
  if (sourceHost == null || sourceHost.isEmpty()) {
    return false;
  }
  String sourceUriHost = new URI(sourceHost).getHost();
  sourceUriHost = (sourceUriHost == null) ? "" : sourceUriHost.toLowerCase();
  sourceUriHost = sourceUriHost.toLowerCase();
  String currentHost = InetAddress.getLocalHost().getHostName().toLowerCase();
  return conf.getAllowedOrigins().contains("*") ||
      currentHost.equals(sourceUriHost) ||
      "localhost".equals(sourceUriHost) ||
      conf.getAllowedOrigins().contains(sourceHost);
}
{code}
It could be a problem behind a reverse proxy which is not forwarding the Origin (for example currently it couldn't work with Apache Knox).
My suggestion is to accept the request if
1. the zeppelin.server.allowed.origins = *
AND
2. the Origin header is missing.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
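
The rule suggested in the message above, sketched as an added example (this is not the Zeppelin project's code or the patch that resolved the issue): a missing Origin is accepted only under the wildcard setting and is still rejected when a specific origin list is configured. The `Set<String>` parameter stands in for `conf.getAllowedOrigins()`; the class name and the sample origins are constructed for illustration.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class OriginCheckExample {
  // allowedOrigins is an assumption standing in for conf.getAllowedOrigins().
  static boolean isValidOrigin(String sourceHost, Set<String> allowedOrigins)
      throws UnknownHostException, URISyntaxException {
    // Missing or empty Origin: accept only when the operator configured "*".
    // With a restricted list the request still fails closed.
    if (sourceHost == null || sourceHost.isEmpty()) {
      return allowedOrigins.contains("*");
    }
    String sourceUriHost = new URI(sourceHost).getHost();
    sourceUriHost = (sourceUriHost == null) ? "" : sourceUriHost.toLowerCase();
    String currentHost = InetAddress.getLocalHost().getHostName().toLowerCase();
    return allowedOrigins.contains("*")
        || currentHost.equals(sourceUriHost)
        || "localhost".equals(sourceUriHost)
        || allowedOrigins.contains(sourceHost);
  }

  public static void main(String[] args) throws Exception {
    Set<String> wildcard = new HashSet<>(Arrays.asList("*"));
    Set<String> restricted = new HashSet<>(Arrays.asList("https://notebooks.example.org"));
    // Constructed cases: Origin header value (null = header absent) against each setting.
    System.out.println("wildcard, Origin absent:      " + isValidOrigin(null, wildcard));
    System.out.println("wildcard, Origin empty:       " + isValidOrigin("", wildcard));
    System.out.println("restricted, Origin absent:    " + isValidOrigin(null, restricted));
    System.out.println("restricted, listed Origin:    "
        + isValidOrigin("https://notebooks.example.org", restricted));
    System.out.println("restricted, unlisted Origin:  "
        + isValidOrigin("https://other.example.net", restricted));
  }
}
```

Browsers always attach Origin to WebSocket handshakes, so keeping the restricted-list branch fail-closed preserves the cross-site protection restored by ZEPPELIN-2288 while letting header-stripping proxies work under `*`.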