Closed anuraaga closed 4 years ago
Describe the bug
Currently, it seems that updating configs of ZPages uses HTTP GET: https://github.com/open-telemetry/opentelemetry-java/blob/master/sdk_extensions/zpages/src/main/java/io/opentelemetry/sdk/extensions/zpages/TraceConfigzZPageHandler.java#L277

What did you expect to see?
It should use POST for security reasons. An image tag in an email would be enough to raise sampling rate and take down a service.
@wtyanan
I sure hope no-one is exposing zpages to the public internet!
This is done. Closing.
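The GET-versus-POST point raised in the issue, as an added example that is not code from this thread or from opentelemetry-java: a config page on the JDK's built-in `com.sun.net.httpserver` that changes state only on POST. The class name, the `/config` path, the `samplingprobability` field and the 1024-byte body cap are assumptions made for illustration.

```java
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;

// Added example: hypothetical handler, not the project's TraceConfigzZPageHandler.
public class ConfigPageDemo {
  // Stand-in for the sampler setting that the config page edits.
  static volatile double samplingProbability = 0.01;

  static void handle(HttpExchange ex) throws IOException {
    String method = ex.getRequestMethod();
    if ("GET".equals(method)) {
      // Read-only: the query string is never consulted, so loading the URL changes nothing.
      respond(ex, 200, "samplingprobability=" + samplingProbability + "\n");
    } else if ("POST".equals(method)) {
      byte[] raw = ex.getRequestBody().readNBytes(1024); // bounded read of the form body
      Double p = parseProbability(new String(raw, StandardCharsets.UTF_8));
      if (p != null) samplingProbability = p;
      respond(ex, p != null ? 200 : 400, p != null ? "updated\n" : "need a value in [0, 1]\n");
    } else {
      ex.getResponseHeaders().set("Allow", "GET, POST");
      respond(ex, 405, "method not allowed\n");
    }
  }

  // Extracts samplingprobability=<value> from a form body; null if absent, malformed or out of range.
  static Double parseProbability(String form) {
    for (String pair : form.split("&")) {
      String[] kv = pair.split("=", 2);
      if (kv.length != 2 || !kv[0].equals("samplingprobability")) continue;
      try {
        double v = Double.parseDouble(kv[1]);
        return (v >= 0.0 && v <= 1.0) ? Double.valueOf(v) : null; // NaN fails both comparisons
      } catch (NumberFormatException e) { return null; }
    }
    return null;
  }

  static void respond(HttpExchange ex, int status, String text) throws IOException {
    byte[] out = text.getBytes(StandardCharsets.UTF_8);
    ex.sendResponseHeaders(status, out.length);
    ex.getResponseBody().write(out);
    ex.close();
  }

  public static void main(String[] args) throws IOException {
    // Loopback bind keeps the page off external interfaces.
    HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 8080), 0);
    server.createContext("/config", ConfigPageDemo::handle);
    server.start();
  }
}
```

Requiring POST stops changes triggered by a plain resource load such as an image tag; a cross-site form can still submit a POST, so a page reachable from a browser also needs a CSRF token or an Origin check.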