HUE-4704 [security] Fixed Arbitrary host header accepted in Hue

Review Request #9116 - Created Dec. 14, 2016 and submitted

Prakash Ranade
hue
master
HUE-4704
hue
enricoberti, jennykim, johan, krish, ranade, romain, subrata, weixia
commit 992ee376602b41a3f9adb87cd53292eb4104770a
Author: Prakash Ranade <ranade@cloudera.com>
Date:   Wed Dec 14 17:05:15 2016 -0800

    HUE-4704 [security] Fixed Arbitrary host header accepted in Hue

:100644 100644 a036b8d... 5a2c947... M	desktop/core/src/desktop/conf.py
:100644 100644 55e73d2... 768decd... M	desktop/core/src/desktop/tests.py
  1. Tested on nightly, created multiple hue servers and one load balancer. Checked connecting to Load Balancer's port and verified backend HUE servers are not generating "Bad Request(400)" error.
  2. Ran "./build/env/bin/hue test specific desktop.tests:test_get_dn"
    [14/Dec/2016 17:36:17 -0800] models INFO HuePermissions: 31 added, 0 updated, 0 up to date, 0 stale
    .

    Ran 1 test in 0.000s

    OK
    Destroying test database for alias 'default'...
    [14/Dec/2016 17:36:18 -0800] test INFO Tests (desktop.tests:test_get_dn) returned 0

  1. Nice for the live testing, let's just add a small test

  2. desktop/core/src/desktop/conf.py (Diff revision 1)

    If we do

    def get_dn(fqdn=None):
        ....

        if fqdn is None:
            fqdn = socket.getfqdn()

    Could we then unit test it?

    e.g. for fqdns:

    [empty string]
    hue
    hue.com
    sql.hue.com
    finance.sql.hue.com

    1. Sure, what is the best place to put the unit test?

  3. desktop/core/src/desktop/conf.py (Diff revision 1)

    spaces around '%s'

  1. Ship It!
Review request changed

Status: Closed (submitted)
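
Added example, not code from this review request or from Hue: a sketch of the testable shape suggested in the review (get_dn taking an optional fqdn), run over the FQDNs listed there and paired with a Host header check that follows Django's documented ALLOWED_HOSTS matching. The derivation rule inside get_dn, the host_allowed helper and the sample Host headers are assumptions made for illustration.

```python
import socket


def get_dn(fqdn=None):
    """Derive an allowed-hosts list from a host's FQDN.

    Passing fqdn explicitly keeps the function testable; production callers
    omit it. The derivation rule is an assumption for illustration, not the
    rule in the Hue commit: trust the last two labels as a subdomain
    wildcard, a single-label name only as itself, and nothing when empty.
    """
    if fqdn is None:
        fqdn = socket.getfqdn()
    labels = [p for p in fqdn.strip().lower().rstrip(".").split(".") if p]
    if not labels:
        return []                      # nothing to trust: reject every Host
    if len(labels) == 1:
        return [labels[0]]             # exact match only
    return ["." + ".".join(labels[-2:])]


def host_allowed(host_header, allowed_hosts):
    """Check a Host header the way Django's ALLOWED_HOSTS documents it:
    '.example.com' matches example.com and any subdomain; other entries
    match exactly. Handles 'name' and 'name:port' only (no IPv6 literals)."""
    host = host_header.strip().lower().split(":")[0].rstrip(".")
    for pattern in allowed_hosts:
        if pattern.startswith("."):
            if host == pattern[1:] or host.endswith(pattern):
                return True
        elif host == pattern:
            return True
    return False


# Constructed inputs: the FQDNs listed in the review comment.
CASES = ["", "hue", "hue.com", "sql.hue.com", "finance.sql.hue.com"]

if __name__ == "__main__":
    for fqdn in CASES:
        print(repr(fqdn), "->", get_dn(fqdn))
    allowed = get_dn("finance.sql.hue.com")
    # Constructed Host headers, including a load-balancer style name:port.
    for header in ["lb.hue.com:8888", "hue.com", "nothue.com", "evil.example"]:
        print(header, "->", host_allowed(header, allowed))
```

Taking the last two labels is too broad under multi-label public suffixes such as co.uk; an explicitly configured host list avoids that.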
