Posted to dev@zeppelin.apache.org by djoelz <gi...@git.apache.org> on 2015/08/12 21:27:15 UTC
[GitHub] incubator-zeppelin pull request: Fixing issue with ZEPPELIN-173: Z...
GitHub user djoelz opened a pull request:
https://github.com/apache/incubator-zeppelin/pull/205
Fixing issue with ZEPPELIN-173: Zeppelin websocket server is vulnerab…
Fixing the socket cross-origin vulnerability as described in the Jira. Overwrote the checkOrigin in the WebSocketServlet class implemented by NotebookServer so that a list of all seen socket GET requests is kept and only Upgrade requests from the same origin will be accepted. Otherwise, unauthorized will be returned.
Included basic unit tests.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/djoelz/incubator-zeppelin master
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/incubator-zeppelin/pull/205.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #205
----
commit ea54b55bfadf6a1ab777866c2e1d03979dc049d6
Author: joelz <dj...@gmail.com>
Date: 2015-08-12T19:16:29Z
Fixing issue with ZEPPELIN-173: Zeppelin websocket server is vulnerable to Cross-Site WebSocket Hijacking
----
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] incubator-zeppelin pull request: Fixing issue with ZEPPELIN-173: Z...
Posted by djoelz <gi...@git.apache.org>.
Github user djoelz commented on the pull request:
https://github.com/apache/incubator-zeppelin/pull/205#issuecomment-130821663
I have fixed the merge issues and recommitted. Ready for your review.
Thanks,
Joel
________________________________
From: Lee moon soo <no...@github.com>
Sent: Thursday, August 13, 2015 9:20:05 AM
To: apache/incubator-zeppelin
Cc: Joel Zambrano
Subject: Re: [incubator-zeppelin] Fixing issue with ZEPPELIN-173: Zeppelin websocket server is vulnerab… (#205)
Tested and working nicely. Thanks for the contribution!
—
Reply to this email directly or view it on GitHub: https://github.com/apache/incubator-zeppelin/pull/205#issuecomment-130748871
---
[GitHub] incubator-zeppelin pull request: Fixing issue with ZEPPELIN-173: Z...
Posted by Leemoonsoo <gi...@git.apache.org>.
Github user Leemoonsoo commented on the pull request:
https://github.com/apache/incubator-zeppelin/pull/205#issuecomment-131115567
Next step is getting more review and votes, or waiting for enough time to have discussions and consensus (which normally takes a day at least). Then it's going to be merged.
---
[GitHub] incubator-zeppelin pull request: Fixing issue with ZEPPELIN-173: Z...
Posted by philwills <gi...@git.apache.org>.
Github user philwills commented on the pull request:
https://github.com/apache/incubator-zeppelin/pull/205#issuecomment-131806588
Not sure if it's best to comment here, or open a new issue, but
```java
java.net.InetAddress.getLocalHost().getHostName();
```
isn't going to return all possible addresses which a node might reasonably be listening on. For instance, on an EC2 node, this will return the private IP, but if you want to connect to that node from outside of Amazon's network, that address won't be visible, whereas the public address will.
I think there needs to at least be the option of setting an alternative value in config.
---
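The check the PR description above sets out (accept the WebSocket Upgrade only when its Origin matches the server's own origin, otherwise answer unauthorized) and the objection philwills raises (the hostname from InetAddress.getLocalHost() is not the name a user on EC2 reaches the server by), worked through as an added example. This is Python written for this page, not Zeppelin's NotebookServer code and not code from anyone in the thread. It takes the expected origin from the request's own Host header and from an operator-supplied allowlist instead of from the local hostname; the config key name ZEPPELIN_ALLOWED_ORIGINS, the helper names, and the handshake requests are all assumptions constructed for the example.

```python
"""Origin check for a WebSocket handshake (defence against Cross-Site WebSocket
Hijacking). Added example, not Zeppelin's code. The expected origin comes from
the Host header and an allowlist (hypothetical config key
ZEPPELIN_ALLOWED_ORIGINS), not from the server's own hostname."""
from urllib.parse import urlsplit

# Origin headers carry http/https; WebSocket URLs carry ws/wss. Fold them so
# "wss://host" in a config file compares equal to "https://host" in a header.
_CANONICAL_SCHEME = {"http": "http", "ws": "http", "https": "https", "wss": "https"}
_DEFAULT_PORT = {"http": 80, "https": 443}


def normalize_origin(value):
    """Reduce an origin/URL string to (scheme, host, port); None if unusable
    (the literal "null" a sandboxed iframe sends, a non-numeric port, ...)."""
    parts = urlsplit(value.strip())
    scheme = _CANONICAL_SCHEME.get(parts.scheme.lower())
    if scheme is None or not parts.hostname:
        return None
    try:
        port = parts.port  # ValueError on "host:notaport"
    except ValueError:
        return None
    return (scheme, parts.hostname.lower(), port if port is not None else _DEFAULT_PORT[scheme])


def parse_handshake(raw):
    """Split a raw HTTP/1.1 upgrade request (constructed text, no body) into
    its request line and a dict of lower-cased header names -> values."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"request_line": request_line, "headers": headers}


def is_origin_allowed(request, allowed_origins=(), tls=False, trust_host_header=True):
    """Accept the Upgrade only when Origin equals, as a full (scheme, host, port)
    tuple, either the origin implied by the Host header or a configured allowed
    origin. A missing or unparsable Origin is rejected: browsers always send it
    on a WebSocket handshake, so its absence means a non-browser client that
    is not carrying a victim's browser session and must authenticate otherwise."""
    headers = request["headers"]
    if headers.get("upgrade", "").lower() != "websocket":
        return False
    origin = normalize_origin(headers.get("origin", ""))
    if origin is None:
        return False

    # 1. Same origin as the URL the user actually typed. The browser fills Host
    #    in from that URL, so a public EC2 name or IP works without the server
    #    knowing its external name. Set trust_host_header=False on an instance
    #    with no user authentication: there DNS rebinding lets an attacker make
    #    both Host and Origin carry a name they control.
    if trust_host_header and headers.get("host"):
        expected = normalize_origin(("https" if tls else "http") + "://" + headers["host"])
        if expected is not None and origin == expected:
            return True

    # 2. Explicit allowlist, for reverse proxies that rewrite Host or terminate
    #    TLS (Origin says https while the backend sees plain http).
    return any(normalize_origin(a) == origin for a in allowed_origins)


def _handshake(host, origin=None):
    """Constructed handshake request; origin=None omits the Origin header."""
    lines = [
        "GET /ws HTTP/1.1",
        "Host: " + host,
        "Upgrade: websocket",
        "Connection: Upgrade",
        "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==",
        "Sec-WebSocket-Version: 13",
    ]
    if origin is not None:
        lines.append("Origin: " + origin)
    return "\r\n".join(lines) + "\r\n\r\n"


PUBLIC_HOST = "ec2-54-0-0-1.compute-1.amazonaws.com:8080"  # constructed, not a real host
SAME_ORIGIN = _handshake(PUBLIC_HOST, "http://" + PUBLIC_HOST)
CROSS_SITE = _handshake(PUBLIC_HOST, "http://attacker.example")
LOOKALIKE = _handshake(PUBLIC_HOST, "http://ec2-54-0-0-1.compute-1.amazonaws.com.attacker.example:8080")
NO_ORIGIN = _handshake(PUBLIC_HOST)
BEHIND_PROXY = _handshake("zeppelin.internal:8080", "https://notebooks.example.com")


def demo():
    """Run the check over the constructed handshakes; returns {name: accepted}."""
    allowlist = ["https://notebooks.example.com"]  # hypothetical ZEPPELIN_ALLOWED_ORIGINS value
    return {
        "same_origin": is_origin_allowed(parse_handshake(SAME_ORIGIN)),
        "cross_site": is_origin_allowed(parse_handshake(CROSS_SITE)),
        "lookalike": is_origin_allowed(parse_handshake(LOOKALIKE)),
        "no_origin": is_origin_allowed(parse_handshake(NO_ORIGIN)),
        "proxy_no_config": is_origin_allowed(parse_handshake(BEHIND_PROXY)),
        "proxy_allowlisted": is_origin_allowed(parse_handshake(BEHIND_PROXY), allowlist),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:18s} {'accept' if accepted else 'reject (401)'}")
```

Run it directly to see the six decisions. The two sources of "expected origin" map onto the two deployment shapes in the thread: the Host header covers a direct connection to an EC2 public name without the server knowing that name, and the allowlist covers a reverse proxy that rewrites Host or terminates TLS. The comparison is on the whole (scheme, host, port) tuple, never a prefix or substring, which is why the lookalike origin is rejected. One caveat beyond the thread: trusting Host is only sound when the server also authenticates its users; on an open instance an attacker can point a DNS name they own at the server's address, so Host and Origin both match, and the allowlist alone should be used.
---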
[GitHub] incubator-zeppelin pull request: Fixing issue with ZEPPELIN-173: Z...
Posted by asfgit <gi...@git.apache.org>.
Github user asfgit closed the pull request at:
https://github.com/apache/incubator-zeppelin/pull/205
---
[GitHub] incubator-zeppelin pull request: Fixing issue with ZEPPELIN-173: Z...
Posted by djoelz <gi...@git.apache.org>.
Github user djoelz commented on the pull request:
https://github.com/apache/incubator-zeppelin/pull/205#issuecomment-131115075
Great! Next step is to merge? Who does this?
---
[GitHub] incubator-zeppelin pull request: Fixing issue with ZEPPELIN-173: Z...
Posted by jitenderaswani <gi...@git.apache.org>.
Github user jitenderaswani commented on the pull request:
https://github.com/apache/incubator-zeppelin/pull/205#issuecomment-132902838
Looking forward to this fix, I am unable to run Zeppelin in AWS. On my local machine, I don't have web-socket issue.
---
[GitHub] incubator-zeppelin pull request: Fixing issue with ZEPPELIN-173: Z...
Posted by Leemoonsoo <gi...@git.apache.org>.
Github user Leemoonsoo commented on the pull request:
https://github.com/apache/incubator-zeppelin/pull/205#issuecomment-132911474
@djoelz I also pushed a fix. @djoelz, @jitenderaswani please review #233.
---
[GitHub] incubator-zeppelin pull request: Fixing issue with ZEPPELIN-173: Z...
Posted by corneadoug <gi...@git.apache.org>.
Github user corneadoug commented on the pull request:
https://github.com/apache/incubator-zeppelin/pull/205#issuecomment-131818215
We got a similar problem, can't complete websocket handshake in some installations since this commit
---
[GitHub] incubator-zeppelin pull request: Fixing issue with ZEPPELIN-173: Z...
Posted by Leemoonsoo <gi...@git.apache.org>.
Github user Leemoonsoo commented on the pull request:
https://github.com/apache/incubator-zeppelin/pull/205#issuecomment-130748871
Tested and working nicely. Thanks for the contribution!
---
[GitHub] incubator-zeppelin pull request: Fixing issue with ZEPPELIN-173: Z...
Posted by Leemoonsoo <gi...@git.apache.org>.
Github user Leemoonsoo commented on the pull request:
https://github.com/apache/incubator-zeppelin/pull/205#issuecomment-131112912
Thanks, LGTM.
---
[GitHub] incubator-zeppelin pull request: Fixing issue with ZEPPELIN-173: Z...
Posted by Leemoonsoo <gi...@git.apache.org>.
Github user Leemoonsoo commented on the pull request:
https://github.com/apache/incubator-zeppelin/pull/205#issuecomment-131998419
@djoelz If you can implement, that would be really appreciated!
---
[GitHub] incubator-zeppelin pull request: Fixing issue with ZEPPELIN-173: Z...
Posted by djoelz <gi...@git.apache.org>.
Github user djoelz commented on the pull request:
https://github.com/apache/incubator-zeppelin/pull/205#issuecomment-132335142
@Leemoonsoo @jonbuffington is already doing the work. I will work closely with Jon to wrap this up.
Thanks Jon!
---
[GitHub] incubator-zeppelin pull request: Fixing issue with ZEPPELIN-173: Z...
Posted by djoelz <gi...@git.apache.org>.
Github user djoelz commented on the pull request:
https://github.com/apache/incubator-zeppelin/pull/205#issuecomment-131907820
@Leemoonsoo can I suggest alternativeallowedsource as the configuration name? Also this will be used for my other pull request that affects REST endpoints as well.
I could implement it also if you want. Have you started already?
---
[GitHub] incubator-zeppelin pull request: Fixing issue with ZEPPELIN-173: Z...
Posted by djoelz <gi...@git.apache.org>.
Github user djoelz commented on the pull request:
https://github.com/apache/incubator-zeppelin/pull/205#issuecomment-132804492
I have a fix for this. Will create the PR soon
---
[GitHub] incubator-zeppelin pull request: Fixing issue with ZEPPELIN-173: Z...
Posted by Leemoonsoo <gi...@git.apache.org>.
Github user Leemoonsoo commented on the pull request:
https://github.com/apache/incubator-zeppelin/pull/205#issuecomment-131840512
@philwills @corneadoug Right, i'll create a patch, soon. Thanks!
---