[ https://issues.apache.org/jira/browse/YARN-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14132531#comment-14132531 ]

Zhijie Shen commented on YARN-2528:
-----------------------------------

bq. To reproduce this findbugs warning, take the above v2 patch and make the 
following modifications, setting the origin header response directly from the 
origin header request.

Thanks for explaining the rationale behind the change. It sounds like a useful 
protection.

+1 for v2 patch. I'll commit it.



> Cross Origin Filter Http response split vulnerability protection rejects 
> valid origins
> --------------------------------------------------------------------------------------
>
>                 Key: YARN-2528
>                 URL: https://issues.apache.org/jira/browse/YARN-2528
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: timelineserver
>            Reporter: Jonathan Eagles
>            Assignee: Jonathan Eagles
>         Attachments: YARN-2528-v1.patch, YARN-2528-v2.patch
>
>
> URLEncoding is too strong of a protection for HTTP Response Split 
> Vulnerability protection and major browsers reject the encoded Origin. An 
> adequate protection is simply to remove all CRs and LFs, as in the case of PHP's 
> header function.
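Added example (not code from the YARN patch or the Hadoop CrossOriginFilter): the two sanitisation strategies the ticket compares, applied to constructed Origin values, showing why a URL-encoded origin fails the browser's CORS match while stripping CR/LF keeps a valid origin intact and still prevents the echoed header from being split.

```python
from urllib.parse import quote

# Constructed sample Origin values (not taken from the ticket).
VALID_ORIGIN = "https://example.com:8443"
# An Origin carrying CR/LF: the response-splitting input the filter guards against.
SPLIT_ORIGIN = "https://example.com\r\nX-Injected: 1"


def encode_origin(origin: str) -> str:
    """The rejected approach: URL-encode the whole Origin value.

    CR/LF are neutralised, but ':' and '/' are rewritten too, so the echoed
    Access-Control-Allow-Origin no longer equals the requesting origin."""
    return quote(origin, safe="")


def strip_crlf(origin: str) -> str:
    """The approach the ticket settles on: drop every CR and LF so the value
    can never terminate the header line, and leave all other bytes untouched."""
    return origin.replace("\r", "").replace("\n", "")


def render_headers(origin_value: str) -> list[str]:
    """Serialise a minimal HTTP/1.1 header block the way a server would, then
    split it back into lines to count how many headers a client would parse."""
    block = f"Access-Control-Allow-Origin: {origin_value}\r\nContent-Length: 0\r\n"
    return [line for line in block.split("\r\n") if line]


def browser_accepts(request_origin: str, allow_origin: str) -> bool:
    """The CORS check a browser performs on the response: the echoed value must
    be the '*' wildcard or match the request's Origin byte for byte."""
    return allow_origin == "*" or allow_origin == request_origin


if __name__ == "__main__":
    # Valid origin: encoding breaks the CORS match, stripping preserves it.
    print(encode_origin(VALID_ORIGIN), browser_accepts(VALID_ORIGIN, encode_origin(VALID_ORIGIN)))
    print(strip_crlf(VALID_ORIGIN), browser_accepts(VALID_ORIGIN, strip_crlf(VALID_ORIGIN)))
    # Hostile origin: unsanitised it yields an extra header line; stripped it does not.
    print(render_headers(SPLIT_ORIGIN))
    print(render_headers(strip_crlf(SPLIT_ORIGIN)))
```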



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)