[FEATURE] Kyuubi Jetty server should be able to hide version info in response, thus avoiding vulnerability exposure. #6615

Closed
3 of 4 tasks
paul8263 opened this issue Aug 14, 2024 · 1 comment · May be fixed by #6685
@paul8263
Contributor

Search before asking

  • I have searched in the issues and found no similar issues.

Describe the feature

Add a switch for enabling/disabling Jetty sending the server version in the response.

Motivation

By default, Jetty always sends its version in the response, such as Jetty(9.4.54.v20240208), which could expose a vulnerability. Malicious visitors could easily detect the Jetty version and then perform a specific attack.

Describe the solution

Add a config item that controls whether Jetty should send its version in the response.

Sending the Jetty version could be disabled by calling HttpConfiguration::setSendServerVersion(false).

Additional context

No response

Are you willing to submit PR?

  • Yes. I would be willing to submit a PR with guidance from the Kyuubi community to improve.
  • No. I cannot submit a PR at this time.
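
The call named in the issue, shown on an embedded Jetty server together with a loopback check that the `Server` header is gone. This is an added example, not code from Kyuubi or from the linked pull request; it assumes Jetty 9.4 on the classpath, and the class name and the `example.jetty.sendServerVersion` property are hypothetical.

```java
import java.net.HttpURLConnection;
import java.net.URL;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;

public class JettyVersionHeaderDemo {

    // Start an embedded Jetty server on an ephemeral loopback port and return
    // the Server response header it sends (null when the header is absent).
    static String serverHeader(boolean sendVersion) throws Exception {
        HttpConfiguration httpConfig = new HttpConfiguration();
        httpConfig.setSendServerVersion(sendVersion);

        Server server = new Server();
        ServerConnector connector =
            new ServerConnector(server, new HttpConnectionFactory(httpConfig));
        connector.setHost("127.0.0.1");
        connector.setPort(0); // let the OS pick a free port
        server.addConnector(connector);
        server.start();
        try {
            URL url = new URL("http://127.0.0.1:" + connector.getLocalPort() + "/");
            HttpURLConnection conn = (HttpURLConnection) url.openConnection();
            conn.getResponseCode(); // no handler is installed, so this is a 404
            return conn.getHeaderField("Server");
        } finally {
            server.stop();
        }
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical switch name, standing in for the config item the issue asks for.
        boolean sendVersion = Boolean.parseBoolean(
            System.getProperty("example.jetty.sendServerVersion", "false"));

        String header = serverHeader(sendVersion);
        System.out.println("sendServerVersion=" + sendVersion + " -> Server: " + header);

        // Fail loudly if the version leaks while the switch is off.
        if (!sendVersion && header != null) {
            throw new IllegalStateException("Server header still sent: " + header);
        }
    }
}
```

The same header check can be pointed at a deployed endpoint after the setting is changed, since reverse proxies in front of Jetty may add or rewrite the `Server` header independently.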

Hello @paul8263,
Thanks for finding the time to report the issue!
We really appreciate the community's efforts to improve Apache Kyuubi.

paul8263 added a commit to paul8263/kyuubi that referenced this issue Aug 14, 2024
paul8263 added a commit to paul8263/kyuubi that referenced this issue Aug 15, 2024
pan3793 pushed a commit that referenced this issue Aug 16, 2024
…able

This pull request fixes #6615

Add a config item that controls whether Jetty should send its version in response.

Sending Jetty version could be disabled by calling HttpConfiguration::setSendServerVersion(false)

- [ ] Bugfix (non-breaking change which fixes an issue)
- [x] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing functionality to change)

Compiled and tested manually.

---

- [ ] This patch was not authored or co-authored using [Generative Tooling](https://www.apache.org/legal/generative-tooling.html)

**Be nice. Be informative.**

Closes #6616 from paul8263/KYUUBI-6615.

Closes #6615

c1567fd [zhang_yao] [KYUUBI #6615] Make Jetty sending server version in response configurable

Authored-by: zhang_yao <[email protected]>
Signed-off-by: Cheng Pan <[email protected]>
(cherry picked from commit 7c20e69)
Signed-off-by: Cheng Pan <[email protected]>
paul8263 added a commit to paul8263/kyuubi that referenced this issue Sep 11, 2024
paul8263 added a commit to paul8263/kyuubi that referenced this issue Sep 12, 2024