[ https://issues.apache.org/jira/browse/YARN-1932?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13974824#comment-13974824 ]

Hudson commented on YARN-1932:
------------------------------

SUCCESS: Integrated in Hadoop-Yarn-trunk #545 (See [https://builds.apache.org/job/Hadoop-Yarn-trunk/545/])
YARN-1932. Javascript injection on the job status page. Contributed by Mit Desai (jlowe: http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1588572)
* /hadoop/common/trunk/hadoop-yarn-project/CHANGES.txt
* /hadoop/common/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/view/InfoBlock.java
* /hadoop/common/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/test/java/org/apache/hadoop/yarn/webapp/view/TestInfoBlock.java


> Javascript injection on the job status page
> -------------------------------------------
>
>                 Key: YARN-1932
>                 URL: https://issues.apache.org/jira/browse/YARN-1932
>             Project: Hadoop YARN
>          Issue Type: Bug
>    Affects Versions: 3.0.0, 0.23.9, 2.5.0
>            Reporter: Mit Desai
>            Assignee: Mit Desai
>            Priority: Blocker
>             Fix For: 3.0.0, 0.23.11, 2.4.1
>
>         Attachments: YARN-1932.patch, YARN-1932.patch
>
>
> Scripts can be injected into the job status page as the diagnostics field is
> not sanitized. Whatever string you set there will show up on the jobs page as
> it is ... i.e. if you put any script commands, they will be executed in the
> browser of the user who is opening the page.
> We need to escape the diagnostic string in order to not run the scripts.
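The escaping the issue description asks for, shown as an added Python illustration rather than Hadoop's own InfoBlock code (the real fix is in the linked revision). The diagnostics value is a constructed sample; the assumption that diagnostics may span several lines rendered as `<br>` is mine, and it is the reason escaping has to happen per line, before any markup is added.

```python
import html

# Constructed sample of what an application can report in its diagnostics
# field. The value is under the application's control, so it is untrusted.
DIAGNOSTICS = "Container killed on request.\n<script>alert(1)</script>\nExit code is 143"


def render_unsafe(diagnostics: str) -> str:
    """Vulnerable pattern: the raw string is dropped into the page markup,
    so any tag it contains becomes part of the DOM and scripts in it run."""
    return "<td>" + diagnostics.replace("\n", "<br>") + "</td>"


def render_safe(diagnostics: str) -> str:
    """Hardened pattern: escape each line first, then join with layout markup.
    Order matters: escaping after inserting <br> would neutralise the line
    breaks together with the payload; escaping before keeps both correct."""
    lines = [html.escape(line, quote=True) for line in diagnostics.split("\n")]
    return "<td>" + "<br>".join(lines) + "</td>"


def contains_script_tag(rendered: str) -> bool:
    """Illustrative check only: does the rendered cell still carry a literal
    <script> tag that the browser would execute?"""
    return "<script" in rendered.lower()
```

The escaped output renders the payload as visible text (`&lt;script&gt;...`) while the two line breaks survive as `<br>` elements.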



--
This message was sent by Atlassian JIRA
(v6.2#6252)