Posted to dev@flume.apache.org by Roshan Naik <ro...@hortonworks.com> on 2016/01/08 22:08:31 UTC
Flume HTTP source and CSRF vulnerability
My understanding is that Flume HTTP source does not have any protection against Cross-Site Request Forgery (CSRF) attacks. Wanted to double check with others if that is correct?
-roshan
Re: Flume HTTP source and CSRF vulnerability
Posted by Roshan Naik <ro...@hortonworks.com>.
Thanks!
On 1/16/16, 8:51 AM, "Ashish" <pa...@gmail.com> wrote:
>IMHO, No. XSRF can happen with session based things where two parties
>are talking.
>In Flume's case we never talk, we just listen and pass on the data.
>Other than Http Ok, we send anything back.
>We don't provide "Identifier" to the client which can be used by anyone
>else.
>
>You must have encountered something interesting, would be good to know
>(on ML or off ML both works fine)
>
>
>
>On Fri, Jan 8, 2016 at 1:08 PM, Roshan Naik <ro...@hortonworks.com>
>wrote:
>> My understanding is that Flume HTTP source does not have any
>>protection against Cross-Site Request Forgery (CSRF) attacks. Wanted to
>>double check with others if that is correct?
>>
>> -roshan
>
>
>
>--
>thanks
>ashish
>
>Blog: http://www.ashishpaliwal.com/blog
>My Photo Galleries: http://www.pbase.com/ashishpaliwal
>
Re: Flume HTTP source and CSRF vulnerability
Posted by Ashish <pa...@gmail.com>.
IMHO, No. XSRF can happen with session based things where two parties
are talking.
In Flume's case we never talk, we just listen and pass on the data.
Other than Http Ok, we send anything back.
We don't provide "Identifier" to the client which can be used by anyone else.
You must have encountered something interesting, would be good to know
(on ML or off ML both works fine)
On Fri, Jan 8, 2016 at 1:08 PM, Roshan Naik <ro...@hortonworks.com> wrote:
> My understanding is that Flume HTTP source does not have any protection against Cross-Site Request Forgery (CSRF) attacks. Wanted to double check with others if that is correct?
>
> -roshan
--
thanks
ashish
Blog: http://www.ashishpaliwal.com/blog
My Photo Galleries: http://www.pbase.com/ashishpaliwal
Re: Flume HTTP source and CSRF vulnerability
Posted by Gonzalo Herreros <gh...@gmail.com>.
Hi Roshan,
I haven't seen, nor am I aware of, any protection like that, but I don't think
it is required either.
Flume HTTP source doesn't enable CORS nor host any HTML, so that kind of
attack is prevented by the browser.
In general, I think it is strange having a browser connected to Flume other
than for testing purposes with a REST extension.
What is your specific concern/use case?
You can always extend the HTTP source to add such protection yourself if
needed.
Regards,
Gonzalo
On Jan 8, 2016 9:08 PM, "Roshan Naik" <ro...@hortonworks.com> wrote:
> My understanding is that Flume HTTP source does not have any protection
> against Cross-Site Request Forgery (CSRF) attacks. Wanted to double check
> with others if that is correct?
>
> -roshan
>
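
One way to add the kind of protection mentioned in the reply above is a custom handler plugged into the HTTP source through its `handler` setting. This is an added example, not code from the thread or from the Flume project; the class name `OriginCheckingJsonHandler` and the `allowedOrigins` key (set as `handler.allowedOrigins` in the agent configuration) are assumptions. It wraps Flume's stock `JSONHandler` and rejects requests that carry an unexpected `Origin` header or a content type other than JSON.

```java
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import org.apache.flume.Context;
import org.apache.flume.Event;
import org.apache.flume.source.http.HTTPBadRequestException;
import org.apache.flume.source.http.HTTPSourceHandler;
import org.apache.flume.source.http.JSONHandler;

// Hypothetical handler: validates request metadata, then delegates parsing
// to Flume's stock JSONHandler.
public class OriginCheckingJsonHandler implements HTTPSourceHandler {
  private final JSONHandler delegate = new JSONHandler();
  private final Set<String> allowedOrigins = new HashSet<String>();

  @Override
  public void configure(Context context) {
    // Assumed key: comma-separated origins, e.g. "https://ops.example.internal".
    // Left empty, any request that carries an Origin header is rejected.
    String raw = context.getString("allowedOrigins", "");
    for (String origin : raw.split(",")) {
      if (!origin.trim().isEmpty()) {
        allowedOrigins.add(origin.trim());
      }
    }
    delegate.configure(context);
  }

  @Override
  public List<Event> getEvents(HttpServletRequest request) throws Exception {
    // Browsers attach Origin to cross-origin POSTs; non-browser producers
    // normally send none, so a missing header is accepted.
    String origin = request.getHeader("Origin");
    if (origin != null && !allowedOrigins.contains(origin)) {
      throw new HTTPBadRequestException("Origin not allowed");
    }
    // An HTML form cannot submit application/json, and a cross-origin script
    // sending it triggers a CORS preflight first.
    String type = request.getContentType();
    if (type == null
        || !type.toLowerCase(Locale.ROOT).startsWith("application/json")) {
      throw new HTTPBadRequestException("Content-Type must be application/json");
    }
    return delegate.getEvents(request);
  }
}
```

The HTTP source answers an `HTTPBadRequestException` with a 400 response, so rejected requests never reach the channel.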