Sean R. Owen created SPARK-29556:
------------------------------------

             Summary: Avoid including path in error response from REST submission server
                 Key: SPARK-29556
                 URL: https://issues.apache.org/jira/browse/SPARK-29556
             Project: Spark
          Issue Type: Bug
          Components: Spark Core
    Affects Versions: 2.4.4, 3.0.0
            Reporter: Sean R. Owen
            Assignee: Sean R. Owen

I'm not sure if it's possible to exploit, but the following code in RESTSubmissionServer's ErrorServlet.service is a little risky as it includes user-supplied path input in the error response. We don't want to let a link determine what's in the resulting HTML.

{code}
val path = request.getPathInfo
...
var msg =
  parts match {
    ...
    case _ =>
      // never reached
      s"Malformed path $path."
  }
msg += s" Please submit requests through http://[host]:[port]/$serverVersion/submissions/..."
val error = handleError(msg)
{code}
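
The pattern the report points at, sketched as an added example (not Spark's code and not the reporter's patch): the client-facing message is built only from server-side values, and the raw path goes only to the server log after control characters are replaced. The object and method names, the 200-character cap and the sample path are assumptions made for illustration.

```scala
// Added illustration, not Spark code; every name below is hypothetical.
object ErrorMessageSketch {
  private val MaxLoggedPathLength = 200 // assumed cap for log output

  /** The risky shape from the report: request input ends up in the response body. */
  def reflectingMessage(path: String): String =
    s"Malformed path $path."

  /** Client-facing text built only from server-side values. */
  def fixedMessage(serverVersion: String): String =
    "Malformed path. Please submit requests through " +
      s"http://[host]:[port]/$serverVersion/submissions/..."

  /** The path as written to the server log: control characters replaced, length capped. */
  def pathForLog(rawPath: String): String = {
    // getPathInfo may return null, so treat that as an empty path.
    val cleaned = Option(rawPath).getOrElse("").map(c => if (c.isControl) '?' else c)
    if (cleaned.length > MaxLoggedPathLength) cleaned.take(MaxLoggedPathLength) + "..."
    else cleaned
  }

  def main(args: Array[String]): Unit = {
    // Constructed sample input: markup plus a CR/LF pair in the path.
    val requestPath = "/v1/<b>not-a-route</b>\r\nX-Test: 1"

    val before = reflectingMessage(requestPath)
    val after = fixedMessage("v1")

    require(before.contains("<b>"), "reflecting form carries the markup through")
    require(!after.contains("<b>"), "fixed form contains nothing from the request")
    require(!pathForLog(requestPath).exists(_.isControl), "log form has no control characters")

    println(s"to client: $after")
    println(s"to log:    malformed path '${pathForLog(requestPath)}'")
  }
}
```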