hadoop-yarn-issues mailing list archives

From "Jonathan Eagles (JIRA)" <j...@apache.org>
Subject [jira] [Created] (YARN-2528) Cross Origin Filter Http response split vulnerability protection rejects valid origins
Date Tue, 09 Sep 2014 20:42:28 GMT
Jonathan Eagles created YARN-2528:
-------------------------------------

             Summary: Cross Origin Filter Http response split vulnerability protection rejects valid origins
                 Key: YARN-2528
                 URL: https://issues.apache.org/jira/browse/YARN-2528
             Project: Hadoop YARN
          Issue Type: Sub-task
          Components: timelineserver
            Reporter: Jonathan Eagles
            Assignee: Jonathan Eagles


URLEncoding is too strong of a protection for HTTP Response Split Vulnerability protection,
and major browsers reject the encoded Origin. An adequate protection is simply to remove all
CRs and LFs, as in the case of PHP's header function.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
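
The difference between the two protections described in the issue, as an added example that is not part of the original message and is not Hadoop's own code. The class name, helper names and sample Origin values are constructed for illustration.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;

public class OriginHeaderSanitizer {

    // Hypothetical helper: URL-encode the Origin before echoing it back,
    // the protection the issue describes as too strong.
    static String encodeOrigin(String origin) throws UnsupportedEncodingException {
        return URLEncoder.encode(origin, "UTF-8");
    }

    // Hypothetical helper: remove only CR and LF, the characters that can
    // terminate a header line, and leave the rest of the value untouched.
    static String stripCrLf(String origin) {
        return origin == null ? null : origin.replaceAll("[\\r\\n]", "");
    }

    static void check(boolean condition, String message) {
        if (!condition) {
            throw new AssertionError(message);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values.
        String valid = "http://example.com:8080";
        String withCrLf = "http://example.com\r\nX-Injected: constructed";

        // Encoding rewrites ':' and '/', so the echoed value no longer equals
        // the origin the browser sent and the browser's comparison fails.
        String encoded = encodeOrigin(valid);
        check(!encoded.equals(valid), "encoded origin should differ from the original");

        // Stripping CR/LF leaves a valid origin byte-for-byte identical.
        String stripped = stripCrLf(valid);
        check(stripped.equals(valid), "valid origin must pass through unchanged");

        // A value carrying CR/LF collapses onto one line, so it cannot start
        // a second header in the response.
        String flattened = stripCrLf(withCrLf);
        check(!flattened.contains("\r") && !flattened.contains("\n"),
              "no line terminators may remain");

        System.out.println("URL-encoded : " + encoded);
        System.out.println("CR/LF strip : " + stripped);
        System.out.println("Flattened   : " + flattened);
    }
}
```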
