Zeppelin / ZEPPELIN-2468

Enable websocket queries without Origin if zeppelin.server.allowed.origins is *


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 0.7.1
    • Fix Version/s: 0.7.2, 0.8.0
    • Component/s: None
    • Labels: None

    Description

      With ZEPPELIN-2288 we restored the check of the Origin field for websocket requests.

      Unfortunately the current implementation will deny the request if the Origin HTTP header is empty, even if the zeppelin.server.allowed.origins is *.

        public static Boolean isValidOrigin(String sourceHost, ZeppelinConfiguration conf)
            throws UnknownHostException, URISyntaxException {
          if (sourceHost == null || sourceHost.isEmpty()) {
            return false;
          }
          String sourceUriHost = new URI(sourceHost).getHost();
          sourceUriHost = (sourceUriHost == null) ? "" : sourceUriHost.toLowerCase();
      
          sourceUriHost = sourceUriHost.toLowerCase();
          String currentHost = InetAddress.getLocalHost().getHostName().toLowerCase();
      
          return conf.getAllowedOrigins().contains("*") ||
              currentHost.equals(sourceUriHost) ||
              "localhost".equals(sourceUriHost) ||
              conf.getAllowedOrigins().contains(sourceHost);
        }
      

      It could be a problem behind a reverse proxy which is not forwarding the Origin (for example currently it couldn't work with Apache Knox).

      My suggestion is to accept the request if
      1. the zeppelin.server.allowed.origins = *
      AND
      2. the Origin header is missing.
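
The rule suggested above, written out as an added example (not code from the issue or from Zeppelin's actual fix). It assumes the allowed origins arrive as a plain list and the local host name as a parameter instead of coming from `ZeppelinConfiguration` and `InetAddress`; the class name and sample hosts are constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.List;

public class OriginCheckExample {

  // Hypothetical stand-alone variant of isValidOrigin: allowedOrigins and currentHost
  // are passed in (assumption) so the check can be exercised without a running server.
  static boolean isValidOrigin(String origin, List<String> allowedOrigins, String currentHost)
      throws URISyntaxException {
    boolean allowAll = allowedOrigins.contains("*");
    if (origin == null || origin.isEmpty()) {
      // Missing Origin: accepted only under the wildcard setting, as the issue suggests.
      // With a restricted list a request without Origin is still denied.
      return allowAll;
    }
    if (allowAll) {
      return true;
    }
    String host = new URI(origin).getHost();
    host = (host == null) ? "" : host.toLowerCase();
    return currentHost.toLowerCase().equals(host)
        || "localhost".equals(host)
        || allowedOrigins.contains(origin);
  }

  static void show(String label, boolean accepted) {
    System.out.println(label + " -> " + (accepted ? "accepted" : "denied"));
  }

  public static void main(String[] args) throws URISyntaxException {
    List<String> wildcard = Arrays.asList("*");
    List<String> restricted = Arrays.asList("https://notebook.example.org"); // constructed
    String self = "zeppelin-host"; // constructed local host name

    // Origin header dropped by a reverse proxy, under each configuration.
    show("no Origin, allowed.origins=*", isValidOrigin(null, wildcard, self));
    show("empty Origin, restricted list", isValidOrigin("", restricted, self));
    // Origin header present, checked against the restricted list.
    show("listed Origin, restricted list",
        isValidOrigin("https://notebook.example.org", restricted, self));
    show("unlisted Origin, restricted list",
        isValidOrigin("https://other.example.net", restricted, self));
  }
}
```

Keeping the missing-Origin exception tied to the wildcard setting means a deployment that lists specific origins keeps rejecting websocket requests that arrive without the header.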

            People

              Assignee: Marton Elek (elek)
              Reporter: Marton Elek (elek)
              Votes: 0
              Watchers: 5
