[jira] [Updated] (YARN-10972) Remove stack traces from Jetty's response for Security Reasons

Tamas Domok (Jira) Mon, 04 Oct 2021 02:59:07 -0700


     [ 
https://issues.apache.org/jira/browse/YARN-10972?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Tamas Domok updated YARN-10972:
-------------------------------
    Description: 
*HttpServer2* uses the default error handler for Jetty which renders the 
stack-trace in the response's output. This is a potential security 
vulnerability.

 

The stack-trace can be disabled, e.g.:
{code:java}
webAppContext.getErrorHandler().setShowStacks(false); {code}

An error handler should be used that does not render the error message neither 
the stack-trace in the output for security reasons. This should be configurable 
for backward compatibility.

The logs should contain the information in case of errors for debugging 
purposes.

 

*Verbose Error Messages*

During the test it has been revealed that in case of some requests, server
 throws out an error exception. The exception message may contains a lot of
 detailed technical information, including filenames, absolute paths, but also
 libraries, classes and methods used. This information might be crucial in
 conducting other, critical attacks (like Arbitrary File Read, Code Execution or
 platform specific attacks). Such detail information should be available only to
 application developers and system administrators and should never be revealed 
to the end user.

[https://cwe.mitre.org/data/definitions/209.html]

 

*Before:*
{code:java}
curl 
"http://localhost:8088/faces/javax.faces.resource/..\\WEB-INF/web.xml?user.name=tdomok"curl
 
"http://localhost:8088/faces/javax.faces.resource/..\\WEB-INF/web.xml?user.name=tdomok";<html><head><meta
 http-equiv="Content-Type" content="text/html;charset=utf-8"/><title>Error 500 
java.lang.IllegalArgumentException: Illegal character in path at index 51: 
http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml</title></head><body><h2>HTTP
 ERROR 500 java.lang.IllegalArgumentException: Illegal character in path at 
index 51: 
http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml</h2><table><tr><th>URI:</th><td>/faces/javax.faces.resource/..\WEB-INF/web.xml</td></tr><tr><th>STATUS:</th><td>500</td></tr><tr><th>MESSAGE:</th><td>java.lang.IllegalArgumentException:
 Illegal character in path at index 51: 
http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml</td></tr><tr><th>SERVLET:</th><td>org.apache.hadoop.http.WebServlet-ccb4b1b</td></tr><tr><th>CAUSED
 BY:</th><td>java.lang.IllegalArgumentException: Illegal character in path at 
index 51: 
http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml</td></tr><tr><th>CAUSED
 BY:</th><td>java.net.URISyntaxException: Illegal character in path at index 
51: 
http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml</td></tr></table><h3>Caused
 by:</h3><pre>java.lang.IllegalArgumentException: Illegal character in path at 
index 51: http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml 
at java.net.URI.create(URI.java:852) at 
javax.ws.rs.core.UriBuilder.fromUri(UriBuilder.java:95) at 
com.sun.jersey.spi.container.servlet.ServletContainer.doFilter(ServletContainer.java:911)
 at 
com.sun.jersey.spi.container.servlet.ServletContainer.doFilter(ServletContainer.java:875)
 at 
org.apache.hadoop.yarn.server.resourcemanager.webapp.RMWebAppFilter.doFilter(RMWebAppFilter.java:180)
 at 
com.sun.jersey.spi.container.servlet.ServletContainer.doFilter(ServletContainer.java:829)
 at 
com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:121)
 at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:133) at 
org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193) at 
org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
 at 
org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:650)
 at 
org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:592)
 at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193) at 
org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
 at 
org.apache.hadoop.http.HttpServer2$QuotingInputFilter.doFilter(HttpServer2.java:1827)
 at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193) at 
org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
 at org.apache.hadoop.http.NoCacheFilter.doFilter(NoCacheFilter.java:45) at 
org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193) at 
org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
 at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:548) 
at 
org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143) 
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:602) 
at 
org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) 
at 
org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)
 at 
org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1624)
 at 
org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
 at 
org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1434)
 at 
org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
 at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:501) 
at 
org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1594)
 at 
org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
 at 
org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1349)
 at 
org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) 
at 
org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:146)
 at 
org.eclipse.jetty.server.handler.StatisticsHandler.handle(StatisticsHandler.java:179)
 at 
org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) 
at org.eclipse.jetty.server.Server.handle(Server.java:516) at 
org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:388) at 
org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:633) at 
org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:380) at 
org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:277) at 
org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
 at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105) at 
org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104) at 
org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:338)
 at 
org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:315)
 at 
org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:173)
 at 
org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.produce(EatWhatYouKill.java:137)
 at 
org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883)
 at 
org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034)
 at java.lang.Thread.run(Thread.java:748)Caused by: 
java.net.URISyntaxException: Illegal character in path at index 51: 
http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml at 
java.net.URI$Parser.fail(URI.java:2847) at 
java.net.URI$Parser.checkChars(URI.java:3020) at 
java.net.URI$Parser.parseHierarchical(URI.java:3104) at 
java.net.URI$Parser.parse(URI.java:3052) at 
java.net.URI.&lt;init&gt;(URI.java:588) at java.net.URI.create(URI.java:850) 
... 51 more</pre>
</body></html>{code}
 

*Expected:*
{code:java}
curl 
"http://localhost:8088/faces/javax.faces.resource/..\\WEB-INF/web.xml?user.name=tdomok";
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>Error 500</title>
</head>
<body><h2>HTTP ERROR 500</h2>
</html> {code}

  was:
*HttpServer2* uses the default error handler for Jetty which renders the 
stack-trace in the response's output. This is a potential security 
vulnerability.

 

The stack-trace could be disabled on normal log levels, e.g.:
{code:java}
webAppContext.getErrorHandler().setShowStacks(LOG.isTraceEnabled()); {code}
 

*Verbose Error Messages*

During the test it has been revealed that in case of some requests, server
throws out an error exception. The exception message may contains a lot of
detailed technical information, including filenames, absolute paths, but also
libraries, classes and methods used. This information might be crucial in
conducting other, critical attacks (like Arbitrary File Read, Code Execution or
platform specific attacks). Such detail information should be available only to
application developers and system administrators and should never be revealed 
to the end user.

[https://cwe.mitre.org/data/definitions/209.html]

 

*Before:*
{code:java}
curl 
"http://localhost:8088/faces/javax.faces.resource/..\\WEB-INF/web.xml?user.name=tdomok"curl
 
"http://localhost:8088/faces/javax.faces.resource/..\\WEB-INF/web.xml?user.name=tdomok";<html><head><meta
 http-equiv="Content-Type" content="text/html;charset=utf-8"/><title>Error 500 
java.lang.IllegalArgumentException: Illegal character in path at index 51: 
http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml</title></head><body><h2>HTTP
 ERROR 500 java.lang.IllegalArgumentException: Illegal character in path at 
index 51: 
http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml</h2><table><tr><th>URI:</th><td>/faces/javax.faces.resource/..\WEB-INF/web.xml</td></tr><tr><th>STATUS:</th><td>500</td></tr><tr><th>MESSAGE:</th><td>java.lang.IllegalArgumentException:
 Illegal character in path at index 51: 
http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml</td></tr><tr><th>SERVLET:</th><td>org.apache.hadoop.http.WebServlet-ccb4b1b</td></tr><tr><th>CAUSED
 BY:</th><td>java.lang.IllegalArgumentException: Illegal character in path at 
index 51: 
http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml</td></tr><tr><th>CAUSED
 BY:</th><td>java.net.URISyntaxException: Illegal character in path at index 
51: 
http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml</td></tr></table><h3>Caused
 by:</h3><pre>java.lang.IllegalArgumentException: Illegal character in path at 
index 51: http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml 
at java.net.URI.create(URI.java:852) at 
javax.ws.rs.core.UriBuilder.fromUri(UriBuilder.java:95) at 
com.sun.jersey.spi.container.servlet.ServletContainer.doFilter(ServletContainer.java:911)
 at 
com.sun.jersey.spi.container.servlet.ServletContainer.doFilter(ServletContainer.java:875)
 at 
org.apache.hadoop.yarn.server.resourcemanager.webapp.RMWebAppFilter.doFilter(RMWebAppFilter.java:180)
 at 
com.sun.jersey.spi.container.servlet.ServletContainer.doFilter(ServletContainer.java:829)
 at 
com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:121)
 at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:133) at 
org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193) at 
org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
 at 
org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:650)
 at 
org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:592)
 at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193) at 
org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
 at 
org.apache.hadoop.http.HttpServer2$QuotingInputFilter.doFilter(HttpServer2.java:1827)
 at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193) at 
org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
 at org.apache.hadoop.http.NoCacheFilter.doFilter(NoCacheFilter.java:45) at 
org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193) at 
org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
 at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:548) 
at 
org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143) 
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:602) 
at 
org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) 
at 
org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)
 at 
org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1624)
 at 
org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
 at 
org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1434)
 at 
org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
 at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:501) 
at 
org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1594)
 at 
org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
 at 
org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1349)
 at 
org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) 
at 
org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:146)
 at 
org.eclipse.jetty.server.handler.StatisticsHandler.handle(StatisticsHandler.java:179)
 at 
org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) 
at org.eclipse.jetty.server.Server.handle(Server.java:516) at 
org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:388) at 
org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:633) at 
org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:380) at 
org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:277) at 
org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
 at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105) at 
org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104) at 
org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:338)
 at 
org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:315)
 at 
org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:173)
 at 
org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.produce(EatWhatYouKill.java:137)
 at 
org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883)
 at 
org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034)
 at java.lang.Thread.run(Thread.java:748)Caused by: 
java.net.URISyntaxException: Illegal character in path at index 51: 
http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml at 
java.net.URI$Parser.fail(URI.java:2847) at 
java.net.URI$Parser.checkChars(URI.java:3020) at 
java.net.URI$Parser.parseHierarchical(URI.java:3104) at 
java.net.URI$Parser.parse(URI.java:3052) at 
java.net.URI.&lt;init&gt;(URI.java:588) at java.net.URI.create(URI.java:850) 
... 51 more</pre>
</body></html>{code}
 

*After:*
{code:java}
curl 
"http://localhost:8088/faces/javax.faces.resource/..\\WEB-INF/web.xml?user.name=tdomok";
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>Error 500 java.lang.IllegalArgumentException: Illegal character in path 
at index 51: 
http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml</title>
</head>
<body><h2>HTTP ERROR 500 java.lang.IllegalArgumentException: Illegal character 
in path at index 51: 
http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml</h2>
<table>
<tr><th>URI:</th><td>/faces/javax.faces.resource/..\WEB-INF/web.xml</td></tr>
<tr><th>STATUS:</th><td>500</td></tr>
<tr><th>MESSAGE:</th><td>java.lang.IllegalArgumentException: Illegal character 
in path at index 51: 
http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml</td></tr>
<tr><th>SERVLET:</th><td>org.apache.hadoop.http.WebServlet-ccb4b1b</td></tr>
<tr><th>CAUSED BY:</th><td>java.lang.IllegalArgumentException: Illegal 
character in path at index 51: 
http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml</td></tr>
<tr><th>CAUSED BY:</th><td>java.net.URISyntaxException: Illegal character in 
path at index 51: 
http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml</td></tr>
</table></body>
</html> {code}


> Remove stack traces from Jetty's response for Security Reasons
> --------------------------------------------------------------
>
>                 Key: YARN-10972
>                 URL: https://issues.apache.org/jira/browse/YARN-10972
>             Project: Hadoop YARN
>          Issue Type: Improvement
>            Reporter: Tamas Domok
>            Assignee: Tamas Domok
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 50m
>  Remaining Estimate: 0h
>
> *HttpServer2* uses the default error handler for Jetty which renders the 
> stack-trace in the response's output. This is a potential security 
> vulnerability.
>  
> The stack-trace can be disabled, e.g.:
> {code:java}
> webAppContext.getErrorHandler().setShowStacks(false); {code}
> An error handler should be used that does not render the error message 
> neither the stack-trace in the output for security reasons. This should be 
> configurable for backward compatibility.
> The logs should contain the information in case of errors for debugging 
> purposes.
>  
> *Verbose Error Messages*
> During the test it has been revealed that in case of some requests, server
>  throws out an error exception. The exception message may contains a lot of
>  detailed technical information, including filenames, absolute paths, but also
>  libraries, classes and methods used. This information might be crucial in
>  conducting other, critical attacks (like Arbitrary File Read, Code Execution 
> or
>  platform specific attacks). Such detail information should be available only 
> to
>  application developers and system administrators and should never be 
> revealed to the end user.
> [https://cwe.mitre.org/data/definitions/209.html]
>  
> *Before:*
> {code:java}
> curl 
> "http://localhost:8088/faces/javax.faces.resource/..\\WEB-INF/web.xml?user.name=tdomok"curl
>  
> "http://localhost:8088/faces/javax.faces.resource/..\\WEB-INF/web.xml?user.name=tdomok";<html><head><meta
>  http-equiv="Content-Type" content="text/html;charset=utf-8"/><title>Error 
> 500 java.lang.IllegalArgumentException: Illegal character in path at index 
> 51: 
> http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml</title></head><body><h2>HTTP
>  ERROR 500 java.lang.IllegalArgumentException: Illegal character in path at 
> index 51: 
> http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml</h2><table><tr><th>URI:</th><td>/faces/javax.faces.resource/..\WEB-INF/web.xml</td></tr><tr><th>STATUS:</th><td>500</td></tr><tr><th>MESSAGE:</th><td>java.lang.IllegalArgumentException:
>  Illegal character in path at index 51: 
> http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml</td></tr><tr><th>SERVLET:</th><td>org.apache.hadoop.http.WebServlet-ccb4b1b</td></tr><tr><th>CAUSED
>  BY:</th><td>java.lang.IllegalArgumentException: Illegal character in path at 
> index 51: 
> http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml</td></tr><tr><th>CAUSED
>  BY:</th><td>java.net.URISyntaxException: Illegal character in path at index 
> 51: 
> http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml</td></tr></table><h3>Caused
>  by:</h3><pre>java.lang.IllegalArgumentException: Illegal character in path 
> at index 51: 
> http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml at 
> java.net.URI.create(URI.java:852) at 
> javax.ws.rs.core.UriBuilder.fromUri(UriBuilder.java:95) at 
> com.sun.jersey.spi.container.servlet.ServletContainer.doFilter(ServletContainer.java:911)
>  at 
> com.sun.jersey.spi.container.servlet.ServletContainer.doFilter(ServletContainer.java:875)
>  at 
> org.apache.hadoop.yarn.server.resourcemanager.webapp.RMWebAppFilter.doFilter(RMWebAppFilter.java:180)
>  at 
> com.sun.jersey.spi.container.servlet.ServletContainer.doFilter(ServletContainer.java:829)
>  at 
> com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:121)
>  at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:133) at 
> org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193) at 
> org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
>  at 
> org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:650)
>  at 
> org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:592)
>  at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193) at 
> org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
>  at 
> org.apache.hadoop.http.HttpServer2$QuotingInputFilter.doFilter(HttpServer2.java:1827)
>  at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193) at 
> org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
>  at org.apache.hadoop.http.NoCacheFilter.doFilter(NoCacheFilter.java:45) at 
> org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193) at 
> org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
>  at 
> org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:548) at 
> org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143) 
> at 
> org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:602) 
> at 
> org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
>  at 
> org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)
>  at 
> org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1624)
>  at 
> org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
>  at 
> org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1434)
>  at 
> org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
>  at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:501) 
> at 
> org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1594)
>  at 
> org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
>  at 
> org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1349)
>  at 
> org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) 
> at 
> org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:146)
>  at 
> org.eclipse.jetty.server.handler.StatisticsHandler.handle(StatisticsHandler.java:179)
>  at 
> org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
>  at org.eclipse.jetty.server.Server.handle(Server.java:516) at 
> org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:388) at 
> org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:633) at 
> org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:380) at 
> org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:277) 
> at 
> org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
>  at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105) at 
> org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104) at 
> org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:338)
>  at 
> org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:315)
>  at 
> org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:173)
>  at 
> org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.produce(EatWhatYouKill.java:137)
>  at 
> org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883)
>  at 
> org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034)
>  at java.lang.Thread.run(Thread.java:748)Caused by: 
> java.net.URISyntaxException: Illegal character in path at index 51: 
> http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml at 
> java.net.URI$Parser.fail(URI.java:2847) at 
> java.net.URI$Parser.checkChars(URI.java:3020) at 
> java.net.URI$Parser.parseHierarchical(URI.java:3104) at 
> java.net.URI$Parser.parse(URI.java:3052) at 
> java.net.URI.&lt;init&gt;(URI.java:588) at java.net.URI.create(URI.java:850) 
> ... 51 more</pre>
> </body></html>{code}
>  
> *Expected:*
> {code:java}
> curl 
> "http://localhost:8088/faces/javax.faces.resource/..\\WEB-INF/web.xml?user.name=tdomok";
> <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
> <title>Error 500</title>
> </head>
> <body><h2>HTTP ERROR 500</h2>
> </html> {code}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

[jira] [Updated] (YARN-10972) Remove stack traces from Jetty's response for Security Reasons

Reply via email to