Posted to issues@mesos.apache.org by "UENISHI Kota (JIRA)" <ji...@apache.org> on 2017/01/10 08:33:58 UTC

[jira] [Commented] (MESOS-5346) Some endpoints do not specify their allowed request methods.

    [ https://issues.apache.org/jira/browse/MESOS-5346?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15814329#comment-15814329 ] 

UENISHI Kota commented on MESOS-5346:
-------------------------------------

I'd like to note here that an endpoint, {{/files/download}}, also has weird behavior where agents respond with the full body to any method like {{POST}}, {{DELETE}} or even {{HEAD}}. Also, under a {{GET}} request, recognizing the {{Range}} header element to enable smarter download of file contents in a sandbox would be very nice.

I consider this important because there may be cases where the size of files ranges up to ~10GB. Although necessary files or files larger than that should be saved to more reliable storage like HDFS or S3, depending on the result of a task, files remaining in the sandbox would sometimes be downloaded. Nobody expects the full 10GB body of a file on just HEADing it.

> Some endpoints do not specify their allowed request methods.
> ------------------------------------------------------------
>
>                 Key: MESOS-5346
>                 URL: https://issues.apache.org/jira/browse/MESOS-5346
>             Project: Mesos
>          Issue Type: Bug
>          Components: security, technical debt
>            Reporter: Jan Schlicht
>              Labels: http, mesosphere, security, tech-debt
>
> Some HTTP endpoints (for example "/flags" or "/state") create a response regardless of what the request method is. For example an HTTP POST to the "/state" endpoint will create the same response as an HTTP GET.
> While this inconsistency isn't harmful at the moment, it will get problematic when authorization is implemented, using separate ACLs for endpoints that can be GETed and endpoints that can be POSTed to.
> Validation of the request method should be added to all endpoints, e.g. "/state" should return a 405 (Method Not Allowed) when POSTed to.



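Added illustration, not Mesos or libprocess code: a pure function showing the behavior the comment and the issue ask of a download endpoint (405 with an Allow header for unsupported methods, HEAD without a body, single-range GET with 206/416). The name serve_file and the in-memory bytes standing in for a sandbox file are assumptions made for this example.

```python
# Added example (not Mesos code): method, HEAD and Range handling for a
# download endpoint, written as a pure function so it can be exercised
# without a server. `data` stands in for the sandbox file's contents.
import re
from typing import Dict, Tuple

ALLOWED_METHODS = ("GET", "HEAD")
RANGE_RE = re.compile(r"^bytes=(\d*)-(\d*)$")   # single byte-range only


def serve_file(method: str, headers: Dict[str, str],
               data: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Return (status, response headers, body) for one request."""
    if method not in ALLOWED_METHODS:
        # Anything but GET/HEAD is refused; Allow tells the client what works.
        return 405, {"Allow": ", ".join(ALLOWED_METHODS)}, b""

    total = len(data)
    start, end, status = 0, total - 1, 200        # default: the whole file
    m = RANGE_RE.match(headers.get("Range", ""))
    if m and (m.group(1) or m.group(2)):          # well-formed, non-empty range
        first, last = m.group(1), m.group(2)
        if first == "":                           # "bytes=-N": the last N bytes
            start = max(total - int(last), 0)
        else:
            start = int(first)
            if last:
                end = min(int(last), end)         # clamp to the real file size
        if start > end or start >= total:
            # Unsatisfiable (or inverted) range: report the real size, no body.
            return 416, {"Content-Range": f"bytes */{total}"}, b""
        status = 206
    # A malformed Range header is ignored and the whole file is served.

    body = data[start:end + 1]
    resp = {"Accept-Ranges": "bytes", "Content-Length": str(len(body))}
    if status == 206:
        resp["Content-Range"] = f"bytes {start}-{end}/{total}"
    # HEAD gets exactly GET's status and headers, but never the body.
    return status, resp, body if method == "GET" else b""
```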
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)