Thanks Varun Saxena,
Apps#toAppId looks like a generic enough method which may not be only used for constructing a message which is sent back in HTTP response. How about catching the exception in WebAppProxyServlet and then sending back a custom message?
Had checked Apps#toAppId earlier; as it was not used elsewhere, did the modifications (and wherever it is used, they had handled YarnRuntimeException). But agree it would be better handled in WebAppProxyServlet.
This issue does not seem to come after Jetty was upgraded to version 9 from previous version 6.
Seems this vulnerability has been fixed in Jetty in some version between 6.1.26 and 9.3.11.
Thanks for testing and confirming, earlier had tested with 2.8 RC2. Tested with the trunk and was not able to reproduce. Have updated the target versions.