Spark / SPARK-29556

Avoid including path in error response from REST submission server


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.6.3, 2.0.2, 2.1.3, 2.2.3, 2.3.4, 2.4.4, 3.0.0
    • Fix Version/s: 2.4.5, 3.0.0
    • Component/s: Spark Core
    • Labels: None

      Description

      I'm not sure if it's possible to exploit, but the following code in RESTSubmissionServer's ErrorServlet.service is a little risky, as it includes user-supplied path input in the error response. We don't want to let a link determine what's in the resulting HTML.

      val path = request.getPathInfo
      ...
      var msg =
        parts match {
          ...
          case _ =>
            // never reached
            s"Malformed path $path."
        }
      msg += s" Please submit requests through http://[host]:[port]/$serverVersion/submissions/..."
      val error = handleError(msg)
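
An added illustration of the concern in the description (not Spark's code and not part of the original report): the reflecting message next to two alternatives, a constant message and an HTML-encoded one. The value of `serverVersion`, the helper names and the sample path are assumptions made for this example.

```scala
// Added illustration, not Spark source. serverVersion's value, the helper
// names and the sample path are assumptions made for this example.
object ErrorMessageExample {
  val serverVersion = "v1" // placeholder for the server's protocol version

  private val hint =
    s" Please submit requests through http://[host]:[port]/$serverVersion/submissions/..."

  // Pattern from the report: the raw request path is copied into the body.
  def reflecting(path: String): String = s"Malformed path $path." + hint

  // Option 1: constant text. Nothing from the request reaches the response;
  // the path goes to the server log only, with control characters removed.
  def constant(path: String, log: String => Unit): String = {
    log("Malformed REST path: " + forLog(path))
    "Malformed path." + hint
  }

  // Option 2: if the path must be shown, encode it for the output context
  // (HTML here) so that it renders as text rather than markup.
  def encoded(path: String): String = s"Malformed path ${escapeHtml(path)}." + hint

  def escapeHtml(s: String): String = {
    val sb = new StringBuilder
    s.foreach {
      case '&'  => sb.append("&amp;")
      case '<'  => sb.append("&lt;")
      case '>'  => sb.append("&gt;")
      case '"'  => sb.append("&quot;")
      case '\'' => sb.append("&#39;")
      case c    => sb.append(c)
    }
    sb.toString
  }

  // Drop control characters (no forged log lines) and cap the length.
  def forLog(s: String): String = Option(s).getOrElse("").filterNot(_.isControl).take(200)

  def main(args: Array[String]): Unit = {
    val path = "/v1/<b>not-a-route</b>\r\nsecond line" // constructed input
    val logged = scala.collection.mutable.Buffer.empty[String]
    assert(reflecting(path).contains("<b>")) // markup reaches the client as-is
    assert(!constant(path, msg => logged += msg).contains("not-a-route"))
    assert(logged.head == "Malformed REST path: /v1/<b>not-a-route</b>second line")
    assert(encoded(path).contains("&lt;b&gt;not-a-route&lt;/b&gt;"))
    println("all checks passed")
  }
}
```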
      

              People

              • Assignee: Sean R. Owen (srowen)
              • Reporter: Sean R. Owen (srowen)