  1. Hadoop YARN
  2. YARN-1530 [Umbrella] Store, manage and serve per-framework application-timeline data
  3. YARN-2528

Cross Origin Filter Http response split vulnerability protection rejects valid origins


Details

    • Sub-task
    • Status: Closed
    • Major
    • Resolution: Fixed
    • None
    • 2.6.0
    • timelineserver
    • None
    • Reviewed

    Description

      URLEncoding is too strong of a protection for HTTP Response Split Vulnerability protection and major browsers reject the encoded Origin. An adequate protection is simply to remove all CRs and LFs, as in the case of PHP's header function.
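
The difference between the two protections, as an added example (not code from the Hadoop patch; the class and method names are hypothetical and the origins are constructed sample values). It shows that URL-encoding alters a valid origin, while removing CR and LF leaves it unchanged and still keeps the value on one header line.

```java
import java.net.URLEncoder;

// Hypothetical demo class, not part of Hadoop's CrossOriginFilter.
public class OriginHeaderDemo {

    // Protection the issue calls too strong: URL-encode the whole Origin value.
    static String urlEncodeOrigin(String origin) throws Exception {
        return URLEncoder.encode(origin, "UTF-8");
    }

    // Protection the issue proposes: drop every CR and LF, keep the rest as-is.
    static String stripCrLf(String origin) {
        return origin == null ? null : origin.replaceAll("[\\r\\n]", "");
    }

    // A value is safe to place in a response header if it cannot end the line.
    static boolean isSingleLine(String value) {
        return value.indexOf('\r') < 0 && value.indexOf('\n') < 0;
    }

    public static void main(String[] args) throws Exception {
        String[] origins = {
            // Constructed valid origin, as a browser would send it.
            "http://example.com:8080",
            // Constructed value carrying CR/LF, the response-splitting case.
            "http://example.com\r\nX-Injected: 1"
        };

        for (String origin : origins) {
            String encoded = urlEncodeOrigin(origin);
            String stripped = stripCrLf(origin);

            System.out.println("input single-line : " + isSingleLine(origin));
            // Encoding rewrites ':' and '/' too, so a valid origin no longer
            // matches what the browser sent and the CORS check fails.
            System.out.println("encoded           : " + encoded);
            System.out.println("encoded unchanged : " + encoded.equals(origin));
            // Stripping only touches CR/LF, so a valid origin round-trips.
            System.out.println("stripped          : " + stripped);
            System.out.println("stripped unchanged: " + stripped.equals(origin));
            System.out.println("stripped 1 line   : " + isSingleLine(stripped));
            System.out.println();
        }
    }
}
```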

      Attachments

        1. YARN-2528-v1.patch
          3 kB
          Jonathan Turner Eagles
        2. YARN-2528-v2.patch
          8 kB
          Jonathan Turner Eagles


          People

            jeagles Jonathan Turner Eagles
            jeagles Jonathan Turner Eagles