[YARN-5115] Avoid setting CONTENT-DISPOSITION header in the container-logs web-service - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Sub-task
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 2.9.0, 3.0.0-alpha1
Component/s: None
Labels:
None

Description

In NMWebService/AHSWebservice, we have used CONTENT-DISPOSITION header for show/download container logs. Looks like it has security risks. And people have devised content-disposition hacking.
The HTTP 1.1 Standard (RFC 2616) also mentions the possible security side effects of content disposition:

15.5 Content-Disposition Issues

   RFC 1806 [35], from which the often implemented Content-Disposition
   (see section 19.5.1) header in HTTP is derived, has a number of very
   serious security considerations. Content-Disposition is not part of
   the HTTP standard, but since it is widely implemented, we are
   documenting its use and risks for implementors. See RFC 2183 [49]
   (which updates RFC 1806) for details.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

YARN-5115.1.patch
19/May/16 18:38
2 kB
Xuan Gong

Activity

People

Assignee:: Xuan Gong

Reporter:: Xuan Gong

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 19/May/16 18:35

Updated:: 30/Aug/16 01:01

Resolved:: 25/May/16 13:32