Uploaded image for project: 'Hadoop YARN'
  1. Hadoop YARN
  2. YARN-1932

Javascript injection on the job status page

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 0.23.9, 2.5.0, 3.0.0-alpha1
    • Fix Version/s: 0.23.11, 2.4.1
    • Component/s: None
    • Labels:
      None

      Description

      Scripts can be injected into the job status page as the diagnostics field is
      not sanitized. Whatever string you set there will show up to the jobs page as it is ... ie. if you put any script commands, they will be executed in the browser of the user who is opening the page.

      We need escaping the diagnostic string in order to not run the scripts.

        Attachments

        1. YARN-1932.patch
          2 kB
          Mit Desai
        2. YARN-1932.patch
          3 kB
          Mit Desai

          Issue Links

            Activity

              People

              • Assignee:
                mitdesai Mit Desai
                Reporter:
                mitdesai Mit Desai
              • Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: