[jira] [Updated] (YARN-10833) RM logs endpoint vulnerable to clickjacking

Benjamin Teke (Jira) Fri, 25 Jun 2021 11:41:07 -0700


     [ 
https://issues.apache.org/jira/browse/YARN-10833?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Benjamin Teke updated YARN-10833:
---------------------------------
    Description: 
The /logs endpoint is missing the X-FRAME-OPTIONS in the response header, even 
though YARN is configured to do include it. This makes it vulnerable to 
clickjacking.


{code:java}
Request URL: http://{{rm_host}}:8088/logs/
Request Method: GET
Status Code: 200 OK
Remote Address: [::1]:8088
Referrer Policy: strict-origin-when-cross-origin

HTTP/1.1 200 OK
Date: Fri, 25 Jun 2021 17:38:38 GMT
Cache-Control: no-cache
Expires: Fri, 25 Jun 2021 17:38:38 GMT
Date: Fri, 25 Jun 2021 17:38:38 GMT
Pragma: no-cache
Content-Type: text/html;charset=utf-8
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Length: 469 
{code}


  was:
The /logs endpoint is missing the x-frame options in the response header, even 
though YARN is configured to do so.


{code:java}
Request URL: http://{{rm_host}}:8088/logs/
Request Method: GET
Status Code: 200 OK
Remote Address: [::1]:8088
Referrer Policy: strict-origin-when-cross-origin

HTTP/1.1 200 OK
Date: Fri, 25 Jun 2021 17:38:38 GMT
Cache-Control: no-cache
Expires: Fri, 25 Jun 2021 17:38:38 GMT
Date: Fri, 25 Jun 2021 17:38:38 GMT
Pragma: no-cache
Content-Type: text/html;charset=utf-8
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Length: 469 
{code}



> RM logs endpoint vulnerable to clickjacking
> -------------------------------------------
>
>                 Key: YARN-10833
>                 URL: https://issues.apache.org/jira/browse/YARN-10833
>             Project: Hadoop YARN
>          Issue Type: Bug
>            Reporter: Benjamin Teke
>            Assignee: Benjamin Teke
>            Priority: Major
>         Attachments: YARN-10833.001.patch
>
>
> The /logs endpoint is missing the X-FRAME-OPTIONS in the response header, 
> even though YARN is configured to do include it. This makes it vulnerable to 
> clickjacking.
> {code:java}
> Request URL: http://{{rm_host}}:8088/logs/
> Request Method: GET
> Status Code: 200 OK
> Remote Address: [::1]:8088
> Referrer Policy: strict-origin-when-cross-origin
> HTTP/1.1 200 OK
> Date: Fri, 25 Jun 2021 17:38:38 GMT
> Cache-Control: no-cache
> Expires: Fri, 25 Jun 2021 17:38:38 GMT
> Date: Fri, 25 Jun 2021 17:38:38 GMT
> Pragma: no-cache
> Content-Type: text/html;charset=utf-8
> X-Content-Type-Options: nosniff
> X-XSS-Protection: 1; mode=block
> Content-Length: 469 
> {code}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

[jira] [Updated] (YARN-10833) RM logs endpoint vulnerable to clickjacking

Reply via email to