参考链接:https://github.com/azkaban/azkaban/pull/2044/commits/c7395bee157f7436cfa89936cb2281a1a22a46a4
修改:azkaban-web-server/src/main/java/azkaban/webapp/WebServerProvider.java
增加import类
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import org.mortbay.jetty.security.Constraint;
import org.mortbay.jetty.security.ConstraintMapping;
import org.mortbay.jetty.security.SecurityHandler;
增加 disableHttpMethods 方法
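/**
 * Disables the HTTP methods listed in the {@code jetty.disable.http-methods} property.
 * <p>
 * Several methods can be given separated by commas, e.g. {@code TRACE,OPTIONS}. Each entry is
 * trimmed and upper-cased (HTTP method tokens are case-sensitive and conventionally upper-case,
 * so {@code trace} or {@code TRACE, OPTIONS} would otherwise risk not matching the request);
 * empty entries are ignored. Every listed method is mapped on {@code /*} to a constraint that
 * requires authentication but names no role — presumably what this Jetty version treats as a
 * "forbidden" constraint, so matching requests are rejected before reaching the web application
 * (confirm against {@code Constraint.isForbidden()} in the Jetty version in use).
 * <p>
 * NOTE(review): the security handler is added directly to the server, not wrapped around the
 * web-app context; the block only applies to requests routed through this handler, so verify the
 * handler ordering against the context registration elsewhere in the file.
 *
 * @param server jetty server instance the security handler is added to
 */
private void disableHttpMethods(Server server) {
  final String toDisable = props.getString("jetty.disable.http-methods", "");
  final List<ConstraintMapping> mappings = new ArrayList<>();
  // A constraint that demands authentication but grants no role can never be satisfied.
  final Constraint forbidAll = new Constraint();
  forbidAll.setAuthenticate(true);
  for (final String rawEntry : toDisable.split(",")) {
    // Normalise so "trace" or " OPTIONS" line up with the request method as sent.
    final String method = rawEntry.trim().toUpperCase(Locale.ROOT);
    if (method.isEmpty()) {
      continue;
    }
    final ConstraintMapping mapping = new ConstraintMapping();
    mapping.setConstraint(forbidAll);
    mapping.setMethod(method);
    mapping.setPathSpec("/*");
    mappings.add(mapping);
  }
  // Nothing to block (property unset, blank, or only separators): add no handler at all.
  if (mappings.isEmpty()) {
    return;
  }
  final SecurityHandler handler = new SecurityHandler();
  handler.setConstraintMappings(mappings.toArray(new ConstraintMapping[0]));
  server.addHandler(handler);
}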
在 get 方法中执行新增加的 disableHttpMethods 方法
/**
 * Builds the Jetty {@link Server} for the web server from {@code props}.
 * <p>
 * Exactly one connector is added: an SSL socket connector on {@code jetty.ssl.port} when
 * {@code jetty.use.ssl} is true (the default), otherwise a plain socket connector on
 * {@code jetty.port}. The connector stats hook ({@code setStatsOnConnectors}) is then applied and
 * the methods listed in {@code jetty.disable.http-methods} are blocked before the server is
 * returned. The server is not started here.
 * <p>
 * NOTE(review): {@code jetty.maxThreads} is only read for the log line in this method; presumably
 * the thread pool is sized elsewhere — confirm.
 *
 * @return a configured, not yet started, Jetty server
 * @throws NullPointerException if {@code props} has not been set
 */
@Override
public Server get() {
  requireNonNull(this.props);
  final int maxThreads =
      this.props.getInt("jetty.maxThreads", Constants.DEFAULT_JETTY_MAX_THREAD_COUNT);
  // TLS unless explicitly switched off.
  final boolean useSsl = this.props.getBoolean("jetty.use.ssl", true);
  final Server server = new Server();
  final int port;
  if (useSsl) {
    port = this.props.getInt("jetty.ssl.port", Constants.DEFAULT_SSL_PORT_NUMBER);
    server.addConnector(getSslSocketConnector(port));
  } else {
    port = this.props.getInt("jetty.port", Constants.DEFAULT_PORT_NUMBER);
    server.addConnector(getSocketConnector(port));
  }
  setStatsOnConnectors(server);
  disableHttpMethods(server);
  final String modeLabel = useSsl ? "SSL " : "";
  logger.info(String.format(
      "Starting %sserver on port: %d # Max threads: %d", modeLabel, port, maxThreads));
  return server;
}
在 azkaban.properties 配置文件中添加 jetty.disable.http-methods=
#需要禁用的多个方法以逗号分隔；方法名建议使用大写（HTTP 方法名区分大小写），例如 TRACE,OPTIONS
jetty.disable.http-methods=TRACE
测试 TRACE 漏洞是否修复：期望服务器返回非 2xx 状态（通常为 403），且响应体中不再回显请求头；若启用了 SSL，请改用 https 和对应的 jetty.ssl.port 端口
[hadoop@node1 azkaban-web]$ curl -v -X TRACE -I localhost:8081
转自:https://www.jianshu.com/p/dd53c6be04a6