[YARN-1932] Javascript injection on the job status page - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Blocker
Resolution: Fixed
Affects Version/s: 0.23.9, 2.5.0, 3.0.0-alpha1
Fix Version/s: 0.23.11, 2.4.1
Component/s: None
Labels:
None

Target Version/s:

0.23.10, 2.5.0, 2.4.1
Hadoop Flags:

Reviewed

Description

Scripts can be injected into the job status page as the diagnostics field is
not sanitized. Whatever string you set there will show up to the jobs page as it is ... ie. if you put any script commands, they will be executed in the browser of the user who is opening the page.

We need escaping the diagnostic string in order to not run the scripts.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

YARN-1932.patch
11/Apr/14 15:29
2 kB
Mit Desai
YARN-1932.patch
17/Apr/14 21:22
3 kB
Mit Desai

Issue Links

breaks

YARN-1975 Used resources shows escaped html in CapacityScheduler and FairScheduler page

Closed

Activity

People

Assignee:: Mit Desai

Reporter:: Mit Desai

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 11/Apr/14 15:18

Updated:: 12/May/16 18:29

Resolved:: 18/Apr/14 21:53