From 85422bb7c5d3e70a49f620ba1c8800e0ba4b64f2 Mon Sep 17 00:00:00 2001
From: Karthik Kambatla <kasha@cloudera.com>
Date: Tue, 9 Aug 2016 13:42:25 -0700
Subject: [PATCH] HADOOP-13299. JMXJsonServlet is vulnerable to TRACE. (Haibo
 Chen via kasha)

---
 .../java/org/apache/hadoop/jmx/JMXJsonServlet.java  | 11 ++++++++++-
 .../org/apache/hadoop/jmx/TestJMXJsonServlet.java   | 13 +++++++++++++
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/jmx/JMXJsonServlet.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/jmx/JMXJsonServlet.java
index 9ade62f27a..b6ec7bc9bc 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/jmx/JMXJsonServlet.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/jmx/JMXJsonServlet.java
@@ -147,7 +147,16 @@ protected boolean isInstrumentationAccessAllowed(HttpServletRequest request,
     return HttpServer2.isInstrumentationAccessAllowed(getServletContext(),
         request, response);
   }
-  
+
+  /**
+   * Disable TRACE method to avoid TRACE vulnerability.
+   */
+  @Override
+  protected void doTrace(HttpServletRequest req, HttpServletResponse resp)
+      throws ServletException, IOException {
+    resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
+  }
+
   /**
    * Process a GET request for the specified resource.
    * 
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/jmx/TestJMXJsonServlet.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/jmx/TestJMXJsonServlet.java
index cf7014ddc6..035090ef65 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/jmx/TestJMXJsonServlet.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/jmx/TestJMXJsonServlet.java
@@ -24,6 +24,8 @@
 import org.junit.BeforeClass;
 import org.junit.Test;
 
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
 import java.net.HttpURLConnection;
 import java.net.URL;
 import java.util.regex.Matcher;
@@ -81,4 +83,15 @@ public static void assertReFind(String re, String value) {
     assertEquals("GET", conn.getHeaderField(ACCESS_CONTROL_ALLOW_METHODS));
     assertNotNull(conn.getHeaderField(ACCESS_CONTROL_ALLOW_ORIGIN));
   }
+
+  @Test
+  public void testTraceRequest() throws IOException {
+    URL url = new URL(baseUrl, "/jmx");
+    HttpURLConnection conn = (HttpURLConnection) url.openConnection();
+    conn.setRequestMethod("TRACE");
+
+    assertEquals("Unexpected response code",
+        HttpServletResponse.SC_METHOD_NOT_ALLOWED, conn.getResponseCode());
+  }
+
 }