Uploaded image for project: 'Hadoop YARN'
  1. Hadoop YARN
  2. YARN-4904 YARN Log tooling enhancements
  3. YARN-5115

Avoid setting CONTENT-DISPOSITION header in the container-logs web-service

    XMLWordPrintableJSON

    Details

    • Type: Sub-task
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.9.0, 3.0.0-alpha1
    • Component/s: None
    • Labels:
      None

      Description

      In NMWebService/AHSWebservice, we have used CONTENT-DISPOSITION header for show/download container logs. Looks like it has security risks. And people have devised content-disposition hacking.
      The HTTP 1.1 Standard (RFC 2616) also mentions the possible security side effects of content disposition:

      15.5 Content-Disposition Issues
      
         RFC 1806 [35], from which the often implemented Content-Disposition
         (see section 19.5.1) header in HTTP is derived, has a number of very
         serious security considerations. Content-Disposition is not part of
         the HTTP standard, but since it is widely implemented, we are
         documenting its use and risks for implementors. See RFC 2183 [49]
         (which updates RFC 1806) for details.
      

        Attachments

        1. YARN-5115.1.patch
          2 kB
          Xuan Gong

          Activity

            People

            • Assignee:
              xgong Xuan Gong
              Reporter:
              xgong Xuan Gong
            • Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: