hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jonathan Eagles (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (YARN-2528) Cross Origin Filter Http response split vulnerability protection rejects valid origins
Date Sat, 13 Sep 2014 01:19:35 GMT

     [ https://issues.apache.org/jira/browse/YARN-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Jonathan Eagles updated YARN-2528:
----------------------------------
    Attachment:     (was: YARN-2528-v2-split-header.patch)

> Cross Origin Filter Http response split vulnerability protection rejects valid origins
> --------------------------------------------------------------------------------------
>
>                 Key: YARN-2528
>                 URL: https://issues.apache.org/jira/browse/YARN-2528
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: timelineserver
>            Reporter: Jonathan Eagles
>            Assignee: Jonathan Eagles
>         Attachments: YARN-2528-v1.patch, YARN-2528-v2.patch
>
>
> URLEncoding is too strong of a protection for HTTP Response Split Vulnerability protection
and major browser reject the encoded Origin. An adequate protection is simply to remove all
CRs LFs as in the case of PHP's header function.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message