Posted to dev@zeppelin.apache.org by "Elek, Marton (JIRA)" <ji...@apache.org> on 2017/04/28 12:45:04 UTC

[jira] [Created] (ZEPPELIN-2468) Enable websocket queries without Origin if zeppelin.server.allowed.origins is *

Elek, Marton created ZEPPELIN-2468:
--------------------------------------

             Summary: Enable websocket queries without Origin if zeppelin.server.allowed.origins is *
                 Key: ZEPPELIN-2468
                 URL: https://issues.apache.org/jira/browse/ZEPPELIN-2468
             Project: Zeppelin
          Issue Type: Bug
    Affects Versions: 0.7.1
            Reporter: Elek, Marton
            Assignee: Elek, Marton


With ZEPPELIN-2288 we restored the check of the Origin header for websocket requests.

Unfortunately the current implementation denies the request if the Origin HTTP header is missing or empty, even if zeppelin.server.allowed.origins is *.

{code}
  public static Boolean isValidOrigin(String sourceHost, ZeppelinConfiguration conf)
      throws UnknownHostException, URISyntaxException {
    // A missing or empty Origin header is rejected here, before the
    // zeppelin.server.allowed.origins wildcard below is ever consulted.
    if (sourceHost == null || sourceHost.isEmpty()) {
      return false;
    }
    // Host part of the Origin (e.g. "http://host:8080" -> "host"), lower-cased.
    String sourceUriHost = new URI(sourceHost).getHost();
    sourceUriHost = (sourceUriHost == null) ? "" : sourceUriHost.toLowerCase();

    String currentHost = InetAddress.getLocalHost().getHostName().toLowerCase();

    // Accept on wildcard, same host, localhost, or an exact allow-list match
    // (the allow-list is compared against the full Origin string).
    return conf.getAllowedOrigins().contains("*") ||
        currentHost.equals(sourceUriHost) ||
        "localhost".equals(sourceUriHost) ||
        conf.getAllowedOrigins().contains(sourceHost);
  }
{code}

This can be a problem behind a reverse proxy that does not forward the Origin header (for example, it currently cannot work with Apache Knox).

My suggestion is to accept the request if
 1. zeppelin.server.allowed.origins = *
 AND
 2. the Origin header is missing.
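To make the current and proposed behaviour concrete, here is an added example that is not Zeppelin's code and not part of the issue. It reimplements the check above as a pure function: ZeppelinConfiguration is replaced by a plain list built from the comma-separated value of zeppelin.server.allowed.origins (an assumption about how the value is split), and the Origin values and allow-lists in main() are constructed for the demonstration.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.List;

public class OriginCheckDemo {

  // Constructed stand-in for ZeppelinConfiguration.getAllowedOrigins():
  // the comma-separated value of zeppelin.server.allowed.origins as a list.
  static List<String> allowedOrigins(String configValue) {
    return Arrays.asList(configValue.split(","));
  }

  // Behaviour as of ZEPPELIN-2288 (mirrors the snippet in the issue):
  // an absent or empty Origin header is rejected before the wildcard is consulted.
  static boolean isValidOriginCurrent(String sourceHost, List<String> allowed)
      throws UnknownHostException, URISyntaxException {
    if (sourceHost == null || sourceHost.isEmpty()) {
      return false;
    }
    String sourceUriHost = new URI(sourceHost).getHost();
    sourceUriHost = (sourceUriHost == null) ? "" : sourceUriHost.toLowerCase();
    String currentHost = InetAddress.getLocalHost().getHostName().toLowerCase();
    return allowed.contains("*")
        || currentHost.equals(sourceUriHost)
        || "localhost".equals(sourceUriHost)
        || allowed.contains(sourceHost);
  }

  // Proposed behaviour: a missing Origin is accepted only when the wildcard is
  // configured. Every other path is unchanged, so a missing Origin combined
  // with a restrictive allow-list is still rejected.
  static boolean isValidOriginProposed(String sourceHost, List<String> allowed)
      throws UnknownHostException, URISyntaxException {
    if (sourceHost == null || sourceHost.isEmpty()) {
      return allowed.contains("*");
    }
    return isValidOriginCurrent(sourceHost, allowed);
  }

  public static void main(String[] args) throws Exception {
    List<String> wildcard = allowedOrigins("*");
    List<String> strict = allowedOrigins("http://zeppelin.example.com:8080");

    // Constructed Origin values: the proxy case (header absent or empty),
    // the allow-listed origin, and an unrelated origin.
    String[] origins = {null, "", "http://zeppelin.example.com:8080", "http://other.example.net"};
    for (String origin : origins) {
      String shown = origin == null ? "<absent>" : "\"" + origin + "\"";
      System.out.printf("origin=%-36s wildcard: current=%-5s proposed=%-5s | strict: current=%-5s proposed=%-5s%n",
          shown,
          isValidOriginCurrent(origin, wildcard), isValidOriginProposed(origin, wildcard),
          isValidOriginCurrent(origin, strict), isValidOriginProposed(origin, strict));
    }
  }
}
```

Running it shows the single row that changes: with the wildcard configured, an absent or empty Origin flips from rejected to accepted, while with a restrictive allow-list it stays rejected in both versions. Browsers always send an Origin header on a WebSocket handshake, so a missing header means a non-browser client or a proxy that stripped it; since `*` already accepts every browser origin, the relaxation does not widen exposure beyond what the wildcard setting already grants.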



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)