diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/timeline/webapp/CrossOriginFilter.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/timeline/webapp/CrossOriginFilter.java
index 5a0703d..93e7c45 100644
--- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/timeline/webapp/CrossOriginFilter.java
+++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/timeline/webapp/CrossOriginFilter.java
@@ -191,13 +191,11 @@ static String encodeHeader(final String header) {
 if (header == null) {
 return null;
 }
- try {
- // Protect against HTTP response splitting vulnerability
- // since value is written as part of the response header
- return URLEncoder.encode(header, "ASCII");
- } catch (UnsupportedEncodingException e) {
- return null;
- }
+ // Protect against HTTP response splitting vulnerability
+ // since value is written as part of the response header
+ // Ensure this header only has one header by removing
+ // CRs and LFs
+ return header.split("\\s+")[0];
 }
 
 static boolean isCrossOrigin(String origin) {
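Review bot: The comment above the new `return header.split("\\s+")[0];` says CRs and LFs are removed, but the code truncates at the first whitespace of any kind (space, tab, form feed and vertical tab as well as CR/LF) and silently discards everything after it, so a value with a leading space comes back as the empty string; the comment should describe that contract, e.g. `// Keep only the first whitespace-delimited token so CR/LF (and anything following them) can never reach the response header; leading whitespace yields "".`. Characters that the removed URLEncoder call used to percent-encode, non-ASCII in particular, now pass through unchanged, and whether the servlet container then rejects or re-encodes them is not visible here, so that is worth confirming before relying on this method as the only guard. Compiling the regex on every call via String.split is a minor cost; a `private static final Pattern` would avoid it if this runs per request. The `URLEncoder` and `UnsupportedEncodingException` imports presumably become unused with this change, but they sit outside the hunk.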
diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/timeline/webapp/TestCrossOriginFilter.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/timeline/webapp/TestCrossOriginFilter.java
index ccc9bbf..b0a9ea6 100644
--- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/timeline/webapp/TestCrossOriginFilter.java
+++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/timeline/webapp/TestCrossOriginFilter.java
@@ -81,6 +81,20 @@ public void testAllowAllOrigins() throws ServletException, IOException {
 }
 
 @Test
+ public void testEncodeHeaders() {
+ String validOrigin = "http://localhost:12345";
+ String encodedValidOrigin = CrossOriginFilter.encodeHeader(validOrigin);
+ Assert.assertEquals("Valid orign encoding should match exactly",
+ validOrigin, encodedValidOrigin);
+
+ String httpResponseSplitOrigin = validOrigin + "\nSecondHeader: value";
+ String encodedResponseSplitOrigin =
+ CrossOriginFilter.encodeHeader(httpResponseSplitOrigin);
+ Assert.assertEquals("Http response split origin should be protected against",
+ validOrigin, encodedResponseSplitOrigin);
+ }
+
+ @Test
 public void testPatternMatchingOrigins() throws ServletException, IOException {
 // Setup the configuration settings of the server