Uploaded image for project: 'Hadoop YARN'
  1. Hadoop YARN
  2. YARN-1530 [Umbrella] Store, manage and serve per-framework application-timeline data
  3. YARN-2528

Cross Origin Filter Http response split vulnerability protection rejects valid origins

    XMLWordPrintableJSON

Details

    • Sub-task
    • Status: Closed
    • Major
    • Resolution: Fixed
    • None
    • 2.6.0
    • timelineserver
    • None
    • Reviewed

    Description

      URLEncoding is too strong of a protection for HTTP Response Split Vulnerability protection and major browser reject the encoded Origin. An adequate protection is simply to remove all CRs LFs as in the case of PHP's header function.

      Attachments

        1. YARN-2528-v2.patch
          8 kB
          Jonathan Turner Eagles
        2. YARN-2528-v1.patch
          3 kB
          Jonathan Turner Eagles

        Activity

          People

            jeagles Jonathan Turner Eagles
            jeagles Jonathan Turner Eagles
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: