[ https://issues.apache.org/jira/browse/SPARK-29556?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Dongjoon Hyun resolved SPARK-29556. ----------------------------------- Fix Version/s: 3.0.0 2.4.5 Resolution: Fixed Issue resolved by pull request 26211 [https://github.com/apache/spark/pull/26211] > Avoid including path in error response from REST submission server > ------------------------------------------------------------------ > > Key: SPARK-29556 > URL: https://issues.apache.org/jira/browse/SPARK-29556 > Project: Spark > Issue Type: Bug > Components: Spark Core > Affects Versions: 2.4.4, 3.0.0 > Reporter: Sean R. Owen > Assignee: Sean R. Owen > Priority: Minor > Fix For: 2.4.5, 3.0.0 > > > I'm not sure if it's possible to exploit, but, the following code in > RESTSubmissionServer's ErrorServlet.service is a little risky as it includes > user-supplied path input in the error response. We don't want to let a link > determine what's in the resulting HTML. > {code} > val path = request.getPathInfo > ... > var msg = > parts match { > ... > case _ => > // never reached > s"Malformed path $path." > } > msg += s" Please submit requests through > http://[host]:[port]/$serverVersion/submissions/..." > val error = handleError(msg) > {code} -- This message was sent by Atlassian Jira (v8.3.4#803005) --------------------------------------------------------------------- To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org For additional commands, e-mail: issues-h...@spark.apache.org