hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Hudson (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-5115) Avoid setting CONTENT-DISPOSITION header in the container-logs web-service
Date Wed, 25 May 2016 13:55:12 GMT

    [ https://issues.apache.org/jira/browse/YARN-5115?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15300079#comment-15300079
] 

Hudson commented on YARN-5115:
------------------------------

SUCCESS: Integrated in Hadoop-trunk-Commit #9858 (See [https://builds.apache.org/job/Hadoop-trunk-Commit/9858/])
YARN-5115. Avoid setting CONTENT-DISPOSITION header in the (vvasudev: rev 9a31e5dfef42929951d305f31200ca4f80d86632)
* hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/applicationhistoryservice/webapp/AHSWebServices.java
* hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/webapp/NMWebServices.java


> Avoid setting CONTENT-DISPOSITION header in the container-logs web-service
> --------------------------------------------------------------------------
>
>                 Key: YARN-5115
>                 URL: https://issues.apache.org/jira/browse/YARN-5115
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>            Reporter: Xuan Gong
>            Assignee: Xuan Gong
>             Fix For: 2.9.0
>
>         Attachments: YARN-5115.1.patch
>
>
> In NMWebService/AHSWebservice, we have used CONTENT-DISPOSITION header for show/download
container logs. Looks like it has security risks. And people have devised content-disposition
hacking.
> The HTTP 1.1 Standard (RFC 2616) also mentions the possible security side effects of
content disposition:
> {code}
> 15.5 Content-Disposition Issues
>    RFC 1806 [35], from which the often implemented Content-Disposition
>    (see section 19.5.1) header in HTTP is derived, has a number of very
>    serious security considerations. Content-Disposition is not part of
>    the HTTP standard, but since it is widely implemented, we are
>    documenting its use and risks for implementors. See RFC 2183 [49]
>    (which updates RFC 1806) for details.
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org


Mime
View raw message