Sean R. Owen created SPARK-29556:
------------------------------------
Summary: Avoid including path in error response from REST
submission server
Key: SPARK-29556
URL: https://issues.apache.org/jira/browse/SPARK-29556
Project: Spark
Issue Type: Bug
Components: Spark Core
Affects Versions: 2.4.4, 3.0.0
Reporter: Sean R. Owen
Assignee: Sean R. Owen
I'm not sure if it's possible to exploit, but, the following code in
RESTSubmissionServer's ErrorServlet.service is a little risky as it includes
user-supplied path input in the error response. We don't want to let a link
determine what's in the resulting HTML.
{code}
val path = request.getPathInfo
...
var msg =
parts match {
...
case _ =>
// never reached
s"Malformed path $path."
}
msg += s" Please submit requests through
http://[host]:[port]/$serverVersion/submissions/...";
val error = handleError(msg)
{code}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org
For additional commands, e-mail: issues-h...@spark.apache.org
