[
https://issues.apache.org/jira/browse/SPARK-29556?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Dongjoon Hyun resolved SPARK-29556.
-----------------------------------
Fix Version/s: 3.0.0
2.4.5
Resolution: Fixed
Issue resolved by pull request 26211
[https://github.com/apache/spark/pull/26211]
> Avoid including path in error response from REST submission server
> ------------------------------------------------------------------
>
> Key: SPARK-29556
> URL: https://issues.apache.org/jira/browse/SPARK-29556
> Project: Spark
> Issue Type: Bug
> Components: Spark Core
> Affects Versions: 2.4.4, 3.0.0
> Reporter: Sean R. Owen
> Assignee: Sean R. Owen
> Priority: Minor
> Fix For: 2.4.5, 3.0.0
>
>
> I'm not sure if it's possible to exploit, but, the following code in
> RESTSubmissionServer's ErrorServlet.service is a little risky as it includes
> user-supplied path input in the error response. We don't want to let a link
> determine what's in the resulting HTML.
> {code}
> val path = request.getPathInfo
> ...
> var msg =
> parts match {
> ...
> case _ =>
> // never reached
> s"Malformed path $path."
> }
> msg += s" Please submit requests through
> http://[host]:[port]/$serverVersion/submissions/...";
> val error = handleError(msg)
> {code}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org
For additional commands, e-mail: issues-h...@spark.apache.org
