[jira] [Updated] (YARN-2528) Cross Origin Filter Http response split vulnerability protection rejects valid origins

Jonathan Eagles (JIRA) Fri, 12 Sep 2014 18:20:06 -0700

     [ 
https://issues.apache.org/jira/browse/YARN-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Jonathan Eagles updated YARN-2528:
----------------------------------
    Attachment:     (was: YARN-2528-v2-split-header.patch)

> Cross Origin Filter Http response split vulnerability protection rejects 
> valid origins
> --------------------------------------------------------------------------------------
>
>                 Key: YARN-2528
>                 URL: https://issues.apache.org/jira/browse/YARN-2528
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: timelineserver
>            Reporter: Jonathan Eagles
>            Assignee: Jonathan Eagles
>         Attachments: YARN-2528-v1.patch, YARN-2528-v2.patch
>
>
> URLEncoding is too strong of a protection for HTTP Response Split 
> Vulnerability protection and major browser reject the encoded Origin. An 
> adequate protection is simply to remove all CRs LFs as in the case of PHP's 
> header function.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Updated] (YARN-2528) Cross Origin Filter Http response split vulnerability protection rejects valid origins

Reply via email to