Uploaded image for project: 'Hadoop YARN'
  1. Hadoop YARN
  2. YARN-4904 YARN Log tooling enhancements
  3. YARN-5115

Avoid setting CONTENT-DISPOSITION header in the container-logs web-service

VotersWatch issueWatchersLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • Sub-task
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • None
    • 2.9.0, 3.0.0-alpha1
    • None
    • None

    Description

      In NMWebService/AHSWebservice, we have used CONTENT-DISPOSITION header for show/download container logs. Looks like it has security risks. And people have devised content-disposition hacking.
      The HTTP 1.1 Standard (RFC 2616) also mentions the possible security side effects of content disposition:

      15.5 Content-Disposition Issues
      
         RFC 1806 [35], from which the often implemented Content-Disposition
         (see section 19.5.1) header in HTTP is derived, has a number of very
         serious security considerations. Content-Disposition is not part of
         the HTTP standard, but since it is widely implemented, we are
         documenting its use and risks for implementors. See RFC 2183 [49]
         (which updates RFC 1806) for details.
      

      Attachments

        1. YARN-5115.1.patch
          2 kB
          Xuan Gong

        Activity

          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            xgong Xuan Gong
            xgong Xuan Gong
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Slack

                Issue deployment