Posted to issues@drill.apache.org by "Anton Gozhiy (JIRA)" <ji...@apache.org> on 2019/08/16 11:47:00 UTC

[jira] [Commented] (DRILL-7351) WebUI is Vulnerable to CSRF

    [ https://issues.apache.org/jira/browse/DRILL-7351?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16908992#comment-16908992 ] 

Anton Gozhiy commented on DRILL-7351:
-------------------------------------

[~perialdon], there is a common agreement about what a bug report should contain:
- [optional] Initial conditions
- Steps to reproduce
- Expected results
- Actual results
- Logs, screenshots and any additional info that would help to track it down

From your message it is not clear what the problem exactly is and what use cases it can affect.

> WebUI is Vulnerable to CSRF
> ---------------------------
>
>                 Key: DRILL-7351
>                 URL: https://issues.apache.org/jira/browse/DRILL-7351
>             Project: Apache Drill
>          Issue Type: Bug
>          Components: Web Server
>    Affects Versions: 1.16.0
>            Reporter: Don Perial
>            Priority: Major
>         Attachments: drill-csrf.html
>
>
> There is no way to protect the WebUI from CSRF and the fact that the value for the access-control-allow-origin header is '*' appears to confound this issue as well.
> The attached file demonstrates the vulnerability.
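The issue quoted above claims the WebUI has no CSRF protection and that an `Access-Control-Allow-Origin: *` header compounds it. The following is an added illustration of what a server-side CSRF check for state-changing requests looks like; it is not Apache Drill code and not the reporter's attachment, and the `SESSION_SECRET`, `ALLOWED_ORIGINS` and `csrf_token` form field names are constructed for the example. One point worth separating: `Access-Control-Allow-Origin` only controls whether a cross-origin script may read the response, and a browser will not attach credentials to a response allowed with `*`. A cookie-bearing cross-site POST is still delivered to the server regardless of that header, so the CORS value neither causes nor prevents CSRF. The defence is on the request side: validate the `Origin` (or `Referer`) against the UI's own origin and require an unguessable per-session token in every state-changing form.

```python
"""Server-side CSRF check for state-changing requests (added example,
hypothetical code, not from Apache Drill). Assumes the web UI keeps a
per-session secret and embeds a token derived from it in its own forms."""
import hashlib
import hmac
from typing import Mapping, Tuple
from urllib.parse import urlsplit

# Methods that must not change state and therefore need no CSRF token.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})

# Constructed sample values: the UI's own origin and a per-session secret.
ALLOWED_ORIGINS = frozenset({"https://drill.example:8047"})
SESSION_SECRET = b"constructed-session-secret"


def make_token(session_secret: bytes, session_id: str) -> str:
    """Derive the CSRF token for a session. HMAC over the session id keeps
    the token unforgeable without the secret and unique per session."""
    return hmac.new(session_secret, session_id.encode(), hashlib.sha256).hexdigest()


def request_origin(headers: Mapping[str, str]) -> str:
    """Return the request's origin from Origin, falling back to Referer.
    Returns '' when neither header is present (treated as cross-site)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    origin = lowered.get("origin")
    if origin:
        return origin
    referer = lowered.get("referer")
    if not referer:
        return ""
    parts = urlsplit(referer)
    return f"{parts.scheme}://{parts.netloc}"


def csrf_check(method: str, headers: Mapping[str, str], form: Mapping[str, str],
               session_id: str, session_secret: bytes = SESSION_SECRET,
               allowed_origins=ALLOWED_ORIGINS) -> Tuple[bool, str]:
    """Decide whether a request may proceed. Safe methods pass; anything
    else must come from an allowed origin and carry the session's token."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    if request_origin(headers) not in allowed_origins:
        return False, "origin mismatch"
    expected = make_token(session_secret, session_id)
    supplied = form.get("csrf_token", "")
    # Constant-time compare so the token cannot be recovered byte by byte.
    if not hmac.compare_digest(expected, supplied):
        return False, "bad or missing token"
    return True, "ok"


def demo() -> dict:
    """Run the check over three constructed requests against session 's1'."""
    sid = "s1"
    token = make_token(SESSION_SECRET, sid)
    return {
        # A form submitted from a third-party page: cookie is sent, origin is not ours.
        "cross_site_post": csrf_check(
            "POST", {"Origin": "https://third-party.example"},
            {"query": "DROP TABLE t", "csrf_token": ""}, sid),
        # Same-origin form without the token (e.g. a stale or forged form body).
        "same_origin_no_token": csrf_check(
            "POST", {"Origin": "https://drill.example:8047"}, {"query": "SELECT 1"}, sid),
        # Same-origin form carrying the token the UI embedded for this session.
        "same_origin_with_token": csrf_check(
            "POST", {"Referer": "https://drill.example:8047/query"},
            {"query": "SELECT 1", "csrf_token": token}, sid),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name}: {'allowed' if ok else 'blocked'} ({reason})")
```

In a real deployment the token would be stored with the session rather than recomputed from a static secret, and the origin list would be built from the configured bind address and port; the two-layer check (origin, then token) is what the example is meant to show.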



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)