  1. Hadoop YARN
  2. YARN-1530 [Umbrella] Store, manage and serve per-framework application-timeline data
  3. YARN-2528

Cross Origin Filter Http response split vulnerability protection rejects valid origins


    Details

    • Type: Sub-task
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.6.0
    • Component/s: timelineserver
    • Labels:
      None
    • Target Version/s:
    • Hadoop Flags:
      Reviewed

      Description

URL encoding is too strong a protection against the HTTP response splitting vulnerability, and major browsers reject the encoded Origin. Adequate protection is simply to remove all CRs and LFs, as PHP's header function does.
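The following is an added illustration of the point in the description, not code from Hadoop's CrossOriginFilter or from either attached patch. It contrasts the two mitigations on constructed Origin values: URL-encoding the whole header value (which defeats response splitting but also changes a legitimate origin so the browser's exact-match CORS check fails) versus stripping CR and LF only (which keeps a valid origin byte-for-byte intact while still making a header injection impossible). The header rendering and origin-match helpers are simplified stand-ins for what a browser and a naive header serializer would do, not real Hadoop or browser APIs.

```python
from urllib.parse import quote

# Constructed sample Origin header values (not taken from the YARN ticket).
VALID_ORIGIN = "https://example.com:8443"
INJECTED_ORIGIN = "https://example.com\r\nSet-Cookie: injected=1"


def encode_origin(origin: str) -> str:
    """Over-strong protection: URL-encode the entire header value.

    CR and LF become %0D%0A, so splitting is prevented, but ':' and '/'
    are encoded too, and the browser will no longer see its own origin
    echoed back in Access-Control-Allow-Origin.
    """
    return quote(origin, safe="")


def strip_crlf(origin: str) -> str:
    """Adequate protection: drop only CR and LF, as PHP's header() does.

    A legitimate origin contains neither character, so it passes through
    unchanged; an injected line break is removed before serialization.
    """
    return origin.replace("\r", "").replace("\n", "")


def is_header_safe(value: str) -> bool:
    """A header value is safe from response splitting iff it has no CR/LF."""
    return "\r" not in value and "\n" not in value


def render_header(value: str) -> list[str]:
    """Serialize Access-Control-Allow-Origin and split it the way a naive
    parser would; more than one element means the response was split."""
    return f"Access-Control-Allow-Origin: {value}".split("\r\n")


def origin_matches(allow_origin: str, browser_origin: str) -> bool:
    """Simplified browser-side CORS check: the echoed value must equal the
    Origin the browser sent, character for character."""
    return allow_origin == browser_origin


if __name__ == "__main__":
    for label, sanitize in (("url-encode", encode_origin), ("strip-crlf", strip_crlf)):
        for origin in (VALID_ORIGIN, INJECTED_ORIGIN):
            value = sanitize(origin)
            print(
                f"{label:10} lines={len(render_header(value))} "
                f"safe={is_header_safe(value)} "
                f"browser_accepts={origin_matches(value, origin)} -> {value!r}"
            )
```

Running the block shows the trade-off directly: URL encoding yields a single, safe header line for both inputs but the valid origin no longer matches, whereas CR/LF stripping keeps the valid origin matching and still collapses the injected value to one line.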

        Attachments

        1. YARN-2528-v1.patch
          3 kB
          Jonathan Eagles
        2. YARN-2528-v2.patch
          8 kB
          Jonathan Eagles

          Activity

            People

            • Assignee:
              jeagles Jonathan Eagles
              Reporter:
              jeagles Jonathan Eagles
            • Votes:
              0
              Watchers:
              3

              Dates

              • Created:
                Updated:
                Resolved: