[ https://issues.apache.org/jira/browse/YARN-6352?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Naganarasimha G R updated YARN-6352:
------------------------------------
Attachment: YARN-6352-branch-2.002.patch
Thanks [~varun_saxena],
bq. Apps#toAppId looks like a generic enough method which may not be only used
for constructing a message which is sent back in HTTP response. How about
catching the exception in WebAppProxyServlet and then sending back a custom
message?
Had checked {{Apps#toAppId}} earlier; as it was not used elsewhere, did the
modifications there (and wherever it was used, they had handled YarnRuntimeException). But
I agree it would be better handled in WebAppProxyServlet.
bq. This issue does not seem to come after Jetty was upgraded to version 9 from
previous version 6.
Seems this vulnerability has been fixed in Jetty in some version between 6.1.26
and 9.3.11.
Thanks for testing and confirming; earlier I had tested with 2.8 RC2. Tested with
trunk and was not able to reproduce. Have updated the target versions.
> Header injections are possible in the application proxy servlet
> ---------------------------------------------------------------
>
> Key: YARN-6352
> URL: https://issues.apache.org/jira/browse/YARN-6352
> Project: Hadoop YARN
> Issue Type: Bug
> Components: resourcemanager, security
> Affects Versions: 2.8.0, 2.7.3
> Reporter: Naganarasimha G R
> Assignee: Naganarasimha G R
> Attachments: headerInjection.png, YARN-6352.001.patch,
> YARN-6352-branch-2.002.patch
>
>
> This issue was found in WVS security tool.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)