[ https://issues.apache.org/jira/browse/SPARK-29556?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dongjoon Hyun resolved SPARK-29556.
-----------------------------------
    Fix Version/s: 3.0.0
                   2.4.5
       Resolution: Fixed

Issue resolved by pull request 26211
[https://github.com/apache/spark/pull/26211]

> Avoid including path in error response from REST submission server
> ------------------------------------------------------------------
>
>                 Key: SPARK-29556
>                 URL: https://issues.apache.org/jira/browse/SPARK-29556
>             Project: Spark
>          Issue Type: Bug
>          Components: Spark Core
>    Affects Versions: 2.4.4, 3.0.0
>            Reporter: Sean R. Owen
>            Assignee: Sean R. Owen
>            Priority: Minor
>             Fix For: 2.4.5, 3.0.0
>
>
> I'm not sure if it's possible to exploit, but, the following code in 
> RESTSubmissionServer's ErrorServlet.service is a little risky as it includes 
> user-supplied path input in the error response. We don't want to let a link 
> determine what's in the resulting HTML.
> {code}
> val path = request.getPathInfo
> ...
> var msg =
>       parts match {
>         ...
>         case _ =>
>           // never reached
>           s"Malformed path $path."
>       }
>     msg += s" Please submit requests through http://[host]:[port]/$serverVersion/submissions/...";
>     val error = handleError(msg)
> {code}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
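
The pattern described in the issue beside a fixed-text alternative, as an added example that is not Spark's code and not the change made in pull request 26211. The object and function names, the `"v1"` value for `serverVersion`, the server-side log helper and the sample paths are assumptions made for the illustration.

```scala
// Added illustration; not code from Spark. All names here are hypothetical.
object ErrorMessageExample {
  // Assumed placeholder for the server's protocol version string.
  val serverVersion = "v1"

  private val hint =
    s" Please submit requests through http://[host]:[port]/$serverVersion/submissions/..."

  /** Pattern from the issue: the request path is interpolated into the response text. */
  def reflectingMessage(path: String): String =
    s"Malformed path $path." + hint

  /** Fixed-text alternative: the response no longer depends on the request path. */
  def constantMessage(path: String): String =
    "Malformed path." + hint

  /** Path prepared for a server-side log line only: control characters replaced, length capped. */
  def pathForLog(path: String): String =
    Option(path).getOrElse("").map(c => if (c.isControl) '?' else c).take(256)

  def main(args: Array[String]): Unit = {
    // Constructed sample paths, not taken from real traffic.
    val samples = Seq("/v0/submissions/status", "/<b>text-from-link</b>", "/a\r\nb")

    // With interpolation, every distinct path yields a distinct response body.
    assert(samples.map(reflectingMessage).distinct.size == samples.size)
    // With fixed text, all paths yield the same body, so a link cannot shape it.
    assert(samples.map(constantMessage).distinct.size == 1)
    // The log copy keeps the diagnostic value without raw line breaks.
    assert(pathForLog("/a\r\nb") == "/a??b")

    samples.foreach { p =>
      println(s"log: malformed path '${pathForLog(p)}' -> body: ${constantMessage(p)}")
    }
  }
}
```

The second assertion is the property worth keeping as a regression test: the error body is identical for every malformed path.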
