hadoop-yarn-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Xuan Gong (JIRA)" <j...@apache.org>
Subject [jira] [Created] (YARN-5115) Security risk by using CONTENT-DISPOSITION header
Date Thu, 19 May 2016 18:36:13 GMT
Xuan Gong created YARN-5115:

             Summary: Security risk by using CONTENT-DISPOSITION header
                 Key: YARN-5115
                 URL: https://issues.apache.org/jira/browse/YARN-5115
             Project: Hadoop YARN
          Issue Type: Bug
            Reporter: Xuan Gong

In NMWebService/AHSWebservice, we have used CONTENT-DISPOSITION header for show/download container
logs. Looks like it has security risks. And people have devised content-disposition hacking.
The HTTP 1.1 Standard (RFC 2616) also mentions the possible security side effects of content
15.5 Content-Disposition Issues

   RFC 1806 [35], from which the often implemented Content-Disposition
   (see section 19.5.1) header in HTTP is derived, has a number of very
   serious security considerations. Content-Disposition is not part of
   the HTTP standard, but since it is widely implemented, we are
   documenting its use and risks for implementors. See RFC 2183 [49]
   (which updates RFC 1806) for details.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: yarn-dev-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-dev-help@hadoop.apache.org

View raw message