hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jonathan Eagles (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-2528) Cross Origin Filter Http response split vulnerability protection rejects valid origins
Date Tue, 09 Sep 2014 21:33:29 GMT

    [ https://issues.apache.org/jira/browse/YARN-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14127592#comment-14127592
] 

Jonathan Eagles commented on YARN-2528:
---------------------------------------

[~zjshen], sorry to bother you again. Found another bug while working on getting the Tez UI
running in a hosted environment. Can you give a review?

> Cross Origin Filter Http response split vulnerability protection rejects valid origins
> --------------------------------------------------------------------------------------
>
>                 Key: YARN-2528
>                 URL: https://issues.apache.org/jira/browse/YARN-2528
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: timelineserver
>            Reporter: Jonathan Eagles
>            Assignee: Jonathan Eagles
>         Attachments: YARN-2528-v1.patch
>
>
> URLEncoding is too strong of a protection for HTTP Response Split Vulnerability protection
and major browser reject the encoded Origin. An adequate protection is simply to remove all
CRs LFs as in the case of PHP's header function.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message