[
https://issues.apache.org/jira/browse/YARN-5115?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15298608#comment-15298608
]
Varun Vasudev commented on YARN-5115:
-------------------------------------
Pretty straight forward patch. +1. I'll commit this tomorrow if no one objects.
> Security risk by using CONTENT-DISPOSITION header in the container-logs
> web-service
> -----------------------------------------------------------------------------------
>
> Key: YARN-5115
> URL: https://issues.apache.org/jira/browse/YARN-5115
> Project: Hadoop YARN
> Issue Type: Sub-task
> Reporter: Xuan Gong
> Assignee: Xuan Gong
> Attachments: YARN-5115.1.patch
>
>
> In NMWebService/AHSWebservice, we have used CONTENT-DISPOSITION header for
> show/download container logs. Looks like it has security risks. And people
> have devised content-disposition hacking.
> The HTTP 1.1 Standard (RFC 2616) also mentions the possible security side
> effects of content disposition:
> {code}
> 15.5 Content-Disposition Issues
> RFC 1806 [35], from which the often implemented Content-Disposition
> (see section 19.5.1) header in HTTP is derived, has a number of very
> serious security considerations. Content-Disposition is not part of
> the HTTP standard, but since it is widely implemented, we are
> documenting its use and risks for implementors. See RFC 2183 [49]
> (which updates RFC 1806) for details.
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
