Merge pull request #53593 from ClickHouse/better-docs-redirect

Better documentation about redirects
Alexey Milovidov 2023-08-20 04:51:45 +03:00 committed by GitHub
commit 826540671c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 7 additions and 2 deletions


@ -270,7 +270,7 @@ class IColumn;
\ \
M(Bool, add_http_cors_header, false, "Write add http CORS header.", 0) \ M(Bool, add_http_cors_header, false, "Write add http CORS header.", 0) \
\ \
M(UInt64, max_http_get_redirects, 0, "Max number of http GET redirects hops allowed. Make sure additional security measures are in place to prevent a malicious server to redirect your requests to unexpected services.", 0) \ M(UInt64, max_http_get_redirects, 0, "Max number of http GET redirects hops allowed. Ensures additional security measures are in place to prevent a malicious server to redirect your requests to unexpected services.\n\nIt is the case when an external server redirects to another address, but that address appears to be internal to the company's infrastructure, and by sending an HTTP request to an internal server, you could request an internal API from the internal network, bypassing the auth, or even query other services, such as Redis or Memcached. When you don't have an internal infrastructure (including something running on your localhost), or you trust the server, it is safe to allow redirects. Although keep in mind, that if the URL uses HTTP instead of HTTPS, and you will have to trust not only the remote server but also your ISP and every network in the middle.", 0) \
\ \
M(Bool, use_client_time_zone, false, "Use client timezone for interpreting DateTime string values, instead of adopting server timezone.", 0) \ M(Bool, use_client_time_zone, false, "Use client timezone for interpreting DateTime string values, instead of adopting server timezone.", 0) \
\ \
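Review bot: In the longer `max_http_get_redirects` description (presumably the new side), "Ensures additional security measures are in place" reads as if the setting itself supplies the protection. The shorter wording, "Make sure ...", told the operator to supply it. As far as this hunk shows, the value is only a hop count and says nothing about where a redirect may lead, so the imperative should stay: `Make sure additional security measures are in place to prevent a malicious server from redirecting your requests to unexpected services.` The closing sentence is also ungrammatical; `keep in mind that if the URL uses HTTP instead of HTTPS, you have to trust not only the remote server but also your ISP and every network in the middle` reads cleanly. It would help to state that the default `0` means redirects are not followed.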


@ -40,7 +40,12 @@ void UpdatableSession<TSessionFactory>::updateSession(const Poco::URI & uri)
if (redirects <= max_redirects) if (redirects <= max_redirects)
session = session_factory->buildNewSession(uri); session = session_factory->buildNewSession(uri);
else else
throw Exception(ErrorCodes::TOO_MANY_REDIRECTS, "Too many redirects while trying to access {}", initial_uri.toString()); throw Exception(ErrorCodes::TOO_MANY_REDIRECTS,
"Too many redirects while trying to access {}."
" You can {} redirects by changing the setting 'max_http_get_redirects'."
" Example: `SET max_http_get_redirects = 10`."
" Redirects are restricted to prevent possible attack when a malicious server redirects to an internal resource, bypassing the authentication or firewall.",
initial_uri.toString(), max_redirects ? "increase the allowed maximum number of" : "allow");
} }
template <typename TSessionFactory> template <typename TSessionFactory>
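Review bot: The new exception text in `updateSession` gives a ready-made `SET max_http_get_redirects = 10` next to the risk explanation, but never says the setting only counts hops and does not limit where a redirect may point. A user who copies the example may assume the risk described in the last sentence is then covered. Consider adding one line such as `" Only raise it for servers you trust: the limit counts hops and does not restrict the redirect destination."`. The message also reports only `initial_uri`, while the refused destination is in the `uri` parameter. Naming it would help whoever triages the error, provided URLs in this code path cannot carry credentials, which is not visible here. The function body starts outside the hunk.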