[ https://issues.apache.org/jira/browse/AIRFLOW-5357?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kaxil Naik updated AIRFLOW-5357:
--------------------------------
    Description: 
Credits to Anurag Jain for reporting this:

It was observed that the content type is set incorrectly while exporting 
variables in Apache Airflow. 

>>> 
>>> Steps:
>>> 
>>> 1. Open Apache Airflow
>>> 2. Create a new variable at /admin/variable/
>>> 3. Keep the key as <input> and value as <input>
>>> 4. Save this variable
>>> 5. Export this variable using Mozilla Firefox Browser
>>> 6. Observe that the downloaded file is saved as <name>.json.htm instead of 
>>> <name>.json. This happens since Apache Airflow sets Response Content-Type 
>>> as text/html instead of application/json, which causes the browser to 
>>> interpret it as HTML.

  was:
Credits to Anurag Jain for reporting this:

It was observed that the content type is set incorrectly while exporting 
variables in Apache Airflow. This allows an attacker to run malicious scripts 
on anyone who decides to export the variables and later open the export file.

>>> 
>>> Steps:
>>> 
>>> 1. Open Apache Airflow
>>> 2. Create a new variable at /admin/variable/
>>> 3. Keep the key as <input> and value as <input>
>>> 4. Save this variable
>>> 5. Export this variable using Mozilla Firefox Browser
>>> 6. Observe that the downloaded file is saved as <name>.json.htm instead of 
>>> <name>.json. This happens since Apache Airflow sets Response Content-Type 
>>> as text/html instead of application/json, which causes the browser to 
>>> interpret it as HTML.


> Fix Content-Type for exported variables.json file
> -------------------------------------------------
>
>                 Key: AIRFLOW-5357
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-5357
>             Project: Apache Airflow
>          Issue Type: Improvement
>          Components: webserver
>    Affects Versions: 1.10.4
>            Reporter: Kaxil Naik
>            Assignee: Kaxil Naik
>            Priority: Major
>             Fix For: 1.10.5
>
>
> Credits to Anurag Jain for reporting this:
> It was observed that the content type is set incorrectly while exporting 
> variables in Apache Airflow. 
> >>> 
> >>> Steps:
> >>> 
> >>> 1. Open Apache Airflow
> >>> 2. Create a new variable at /admin/variable/
> >>> 3. Keep the key as <input> and value as <input>
> >>> 4. Save this variable
> >>> 5. Export this variable using Mozilla Firefox Browser
> >>> 6. Observe that the downloaded file is saved as <name>.json.htm instead 
> >>> of <name>.json. This happens since Apache Airflow sets Response 
> >>> Content-Type as text/html instead of application/json, which causes 
> >>> the browser to interpret it as HTML.



--
This message was sent by Atlassian Jira
(v8.3.2#803003)
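
The mismatch described in this issue, as an added example that is not Airflow's own code: two standard-library WSGI handlers stand in for the export view, one labelling the JSON body as text/html and one as application/json, plus a small header audit. The handler names, the `attachment` disposition and the `X-Content-Type-Options: nosniff` header are assumptions of this example; the sample variable is constructed from the reproduction steps.

```python
import json

# Constructed sample data mirroring the steps: key and value are both "<input>".
VARIABLES = {"<input>": "<input>"}

def export_before(environ, start_response):
    """Reported behaviour: JSON body served with an HTML media type."""
    body = json.dumps(VARIABLES, indent=4).encode("utf-8")
    start_response("200 OK", [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Content-Disposition", "attachment; filename=variables.json"),
    ])
    return [body]

def export_after(environ, start_response):
    """Corrected behaviour: media type matches the body; sniffing disabled."""
    body = json.dumps(VARIABLES, indent=4).encode("utf-8")
    start_response("200 OK", [
        ("Content-Type", "application/json; charset=utf-8"),
        ("Content-Disposition", "attachment; filename=variables.json"),
        ("X-Content-Type-Options", "nosniff"),  # assumption: extra hardening
    ])
    return [body]

def call(app):
    """Invoke a WSGI app in-process and return (lowercased headers, body)."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["headers"] = {k.lower(): v for k, v in headers}
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/export"}
    body = b"".join(app(environ, start_response))
    return captured["headers"], body

def audit_json_download(headers, body):
    """Return findings for a response that is meant to be a JSON download."""
    findings = []
    media_type = headers.get("content-type", "").split(";")[0].strip().lower()
    if media_type != "application/json":
        findings.append(f"Content-Type is {media_type!r}, expected 'application/json'")
    if "attachment" not in headers.get("content-disposition", "").lower():
        findings.append("missing Content-Disposition: attachment")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    json.loads(body)  # raises ValueError if the body is not valid JSON
    return findings
```

The same audit can be pointed at headers captured from a real export response to confirm the fix after upgrading.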
