[YARN-2528] Cross Origin Filter Http response split vulnerability protection rejects valid origins - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Sub-task
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 2.6.0
Component/s: timelineserver
Labels:
None

Target Version/s:

2.6.0
Hadoop Flags:

Reviewed

Description

URLEncoding is too strong of a protection for HTTP Response Split Vulnerability protection and major browser reject the encoded Origin. An adequate protection is simply to remove all CRs LFs as in the case of PHP's header function.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

YARN-2528-v2.patch
12/Sep/14 22:06
8 kB
Jonathan Turner Eagles
YARN-2528-v1.patch
09/Sep/14 20:43
3 kB
Jonathan Turner Eagles

Activity

People

Assignee:: Jonathan Turner Eagles

Reporter:: Jonathan Turner Eagles

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 09/Sep/14 20:42

Updated:: 01/Dec/14 03:08

Resolved:: 13/Sep/14 04:38