Uploaded image for project: 'Hadoop YARN'
  1. Hadoop YARN
  2. YARN-1932

Javascript injection on the job status page

VotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Blocker
    • Resolution: Fixed
    • 0.23.9, 2.5.0, 3.0.0-alpha1
    • 0.23.11, 2.4.1
    • None
    • None

    Description

      Scripts can be injected into the job status page as the diagnostics field is
      not sanitized. Whatever string you set there will show up to the jobs page as it is ... ie. if you put any script commands, they will be executed in the browser of the user who is opening the page.

      We need escaping the diagnostic string in order to not run the scripts.

      Attachments

        1. YARN-1932.patch
          3 kB
          Mit Desai
        2. YARN-1932.patch
          2 kB
          Mit Desai

        Issue Links

        breaks

        Bug - A problem which impairs or prevents the functions of the product. YARN-1975 Used resources shows escaped html in CapacityScheduler and FairScheduler page

        • Major - Major loss of function.
        • Closed

        Activity
          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            mitdesai Mit Desai
            mitdesai Mit Desai
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Slack

                Issue deployment