hadoop-yarn-issues mailing list archives

From "Hudson (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-2528) Cross Origin Filter Http response split vulnerability protection rejects valid origins
Date Sat, 13 Sep 2014 11:30:54 GMT

    [ https://issues.apache.org/jira/browse/YARN-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14132654#comment-14132654 ]

Hudson commented on YARN-2528:
------------------------------

SUCCESS: Integrated in Hadoop-Yarn-trunk #679 (See [https://builds.apache.org/job/Hadoop-Yarn-trunk/679/])
YARN-2528. Relaxed http response split vulnerability protection for the origins header and
made it accept multiple origins in CrossOriginFilter. Contributed by Jonathan Eagles. (zjshen:
rev 98588cf044d9908ecf767257c09a52cf17aa2ec2)
* hadoop-yarn-project/CHANGES.txt
* hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/timeline/webapp/TestCrossOriginFilter.java
* hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/timeline/webapp/CrossOriginFilter.java


> Cross Origin Filter Http response split vulnerability protection rejects valid origins
> --------------------------------------------------------------------------------------
>
>                 Key: YARN-2528
>                 URL: https://issues.apache.org/jira/browse/YARN-2528
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: timelineserver
>            Reporter: Jonathan Eagles
>            Assignee: Jonathan Eagles
>             Fix For: 2.6.0
>
>         Attachments: YARN-2528-v1.patch, YARN-2528-v2.patch
>
>
> URLEncoding is too strong of a protection for HTTP Response Split Vulnerability protection
> and major browsers reject the encoded Origin. An adequate protection is simply to remove all
> CRs and LFs, as in the case of PHP's header function.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
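The contrast the ticket draws, as an added illustration rather than code from the Hadoop patch: URL-encoding the Origin rewrites ':' and '/' too, so the echoed Access-Control-Allow-Origin no longer equals the browser's Origin and the browser discards the response, whereas stripping only CR and LF defeats response splitting while leaving a valid origin untouched. The class name and helper names are hypothetical, and the sample header values are constructed; it assumes Java 10 or later for the Charset overload of URLEncoder.encode.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

// Hypothetical stand-alone sanitizer; not Hadoop's CrossOriginFilter.
public class OriginHeaderSanitizer {

    // The approach the ticket calls too strong: every reserved character is
    // percent-encoded, so "https://ui.example.org" becomes
    // "https%3A%2F%2Fui.example.org", which no browser accepts as its origin.
    static String urlEncodeOrigin(String origin) {
        return URLEncoder.encode(origin, StandardCharsets.UTF_8);
    }

    // The approach the ticket proposes: a header value can only terminate the
    // current header line if it contains CR or LF, so removing just those two
    // characters blocks injection and keeps a legitimate origin byte-for-byte.
    static String stripCrLf(String value) {
        return value.replaceAll("[\r\n]", "");
    }

    // The Origin header may carry several space-separated origins (RFC 6454),
    // which the YARN-2528 commit message says the filter now accepts; sanitize
    // the whole value once, then split it into individual origins.
    static List<String> sanitizeOrigins(String originHeader) {
        List<String> origins = new ArrayList<>();
        for (String o : stripCrLf(originHeader).trim().split("\\s+")) {
            if (!o.isEmpty()) {
                origins.add(o);
            }
        }
        return origins;
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the ticket.
        String legit = "https://ui.example.org http://localhost:8188";
        String splitAttempt = "https://ui.example.org\r\nX-Injected:1";

        System.out.println("encoded  : " + urlEncodeOrigin(legit));
        System.out.println("stripped : " + sanitizeOrigins(legit));
        // CR and LF are gone, so the tail can no longer start a new header line.
        System.out.println("stripped : " + sanitizeOrigins(splitAttempt));
    }
}
```

The stripped value should still be matched against the filter's configured allow-list before it is echoed back; stripping CR and LF only makes the value safe to place in a header, it does not make it a trusted origin.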
