Xuan Gong created YARN-5115:
-------------------------------

Summary: Security risk by using CONTENT-DISPOSITION header
Key: YARN-5115
URL: https://issues.apache.org/jira/browse/YARN-5115
Project: Hadoop YARN
Issue Type: Bug
Reporter: Xuan Gong
In NMWebService/AHSWebservice, we have used the CONTENT-DISPOSITION header to show/download container logs. It looks like it has security risks, and people have devised content-disposition hacking. The HTTP 1.1 standard (RFC 2616) also mentions the possible security side effects of content disposition:

{code}
15.5 Content-Disposition Issues

RFC 1806 [35], from which the often implemented Content-Disposition (see section 19.5.1) header in HTTP is derived, has a number of very serious security considerations. Content-Disposition is not part of the HTTP standard, but since it is widely implemented, we are documenting its use and risks for implementors. See RFC 2183 [49] (which updates RFC 1806) for details.
{code}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
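The risks RFC 2616 alludes to come from building the header out of untrusted input (a container or log name taken from the request) and from letting a browser render the downloaded bytes. As an added, defender-side illustration that is not YARN's code and not part of this issue, the Python below shows the hardening a log-download endpoint would apply: reduce the name to a single path component, strip control characters so CR/LF cannot split the response, emit the RFC 6266 `filename` / `filename*` (RFC 5987) forms, and pair the header with a fixed `text/plain` content type plus `nosniff` so log contents are never interpreted as HTML. The function names (`safe_download_filename`, `content_disposition`, `log_download_headers`) are assumptions for this example.

```python
import posixpath
import re
from urllib.parse import quote

# Control characters must never reach a header value: CR/LF would end the
# header line (response splitting) and NUL is rejected by most servers.
_CTL = re.compile(r"[\x00-\x1f\x7f]")


def safe_download_filename(name: str, default: str = "container.log") -> str:
    """Reduce an untrusted filename (hypothetical request parameter) to a
    single path component containing no control characters."""
    name = name.replace("\\", "/")          # treat both separators alike
    name = posixpath.basename(name)         # drops directories, including ".."
    name = _CTL.sub("", name).strip()
    if name in ("", ".", ".."):
        return default
    return name


def content_disposition(name: str, inline: bool = False) -> str:
    """Build an RFC 6266 Content-Disposition value.

    The quoted 'filename' parameter is limited to printable ASCII with '"'
    and '\\' replaced; when anything had to be replaced, the original name is
    also sent in the RFC 5987 'filename*' form (percent-encoded UTF-8)."""
    safe = safe_download_filename(name)
    ascii_part = "".join(
        ch if 0x20 <= ord(ch) < 0x7F and ch not in '"\\' else "_"
        for ch in safe
    )
    disposition = "inline" if inline else "attachment"
    value = f'{disposition}; filename="{ascii_part}"'
    if ascii_part != safe:
        value += "; filename*=UTF-8''" + quote(safe, safe="")
    return value


def log_download_headers(name: str) -> dict:
    """Response headers for serving an untrusted text log as a download:
    attachment disposition, a fixed text/plain type and nosniff so a browser
    never renders log contents as HTML/JavaScript."""
    return {
        "Content-Disposition": content_disposition(name),
        "Content-Type": "text/plain; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed sample inputs: a normal name, a traversal attempt and a
    # header-injection attempt.
    for sample in ("stderr.log", "../../etc/passwd", "x\r\nSet-Cookie: a=b"):
        print(repr(sample), "->", log_download_headers(sample)["Content-Disposition"])
```

Serving the log with `attachment` rather than `inline` is the safer default whenever the bytes are user-influenced; if an endpoint must display logs inline, the `text/plain` type together with `nosniff` is what keeps a log line containing markup from executing in the viewer's origin.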