[ https://issues.apache.org/jira/browse/YARN-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14132654#comment-14132654 ]
Hudson commented on YARN-2528:
------------------------------

SUCCESS: Integrated in Hadoop-Yarn-trunk #679 (See [https://builds.apache.org/job/Hadoop-Yarn-trunk/679/])
YARN-2528. Relaxed http response split vulnerability protection for the origins header and made it accept multiple origins in CrossOriginFilter. Contributed by Jonathan Eagles. (zjshen: rev 98588cf044d9908ecf767257c09a52cf17aa2ec2)
* hadoop-yarn-project/CHANGES.txt
* hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/timeline/webapp/TestCrossOriginFilter.java
* hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/timeline/webapp/CrossOriginFilter.java

> Cross Origin Filter Http response split vulnerability protection rejects valid origins
> --------------------------------------------------------------------------------------
>
> Key: YARN-2528
> URL: https://issues.apache.org/jira/browse/YARN-2528
> Project: Hadoop YARN
> Issue Type: Sub-task
> Components: timelineserver
> Reporter: Jonathan Eagles
> Assignee: Jonathan Eagles
> Fix For: 2.6.0
>
> Attachments: YARN-2528-v1.patch, YARN-2528-v2.patch
>
>
> URLEncoding is too strong of a protection for HTTP Response Split
> Vulnerability protection and major browsers reject the encoded Origin. An
> adequate protection is simply to remove all CRs and LFs as in the case of PHP's
> header function.

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
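The two protections the issue description compares, as an added Java example that is not the CrossOriginFilter code from the patch. The class name, method names and sample Origin values are constructed for illustration, and the space-separated form of a multi-origin header is an assumption.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.ArrayList;
import java.util.List;

// Hypothetical demo class, not part of Hadoop.
public class OriginHeaderSanitizerDemo {

  // Protection the issue calls too strong: URL-encode the whole header value.
  // "://" and ":" become %3A%2F%2F and %3A, so the echoed value no longer
  // equals the origin the browser sent.
  static String urlEncode(String origins) throws UnsupportedEncodingException {
    return URLEncoder.encode(origins, "UTF-8");
  }

  // Protection the issue proposes: remove only CR and LF, the characters that
  // would end the header line. Everything else is left untouched.
  static String stripCrLf(String origins) {
    return origins == null ? null : origins.replaceAll("[\\r\\n]", "");
  }

  // Assumption: multiple origins arrive separated by whitespace.
  static List<String> splitOrigins(String origins) {
    List<String> out = new ArrayList<>();
    for (String o : stripCrLf(origins).trim().split("\\s+")) {
      if (!o.isEmpty()) {
        out.add(o);
      }
    }
    return out;
  }

  public static void main(String[] args) throws Exception {
    // Constructed sample header values; the last one carries an embedded CRLF.
    String[] samples = {
      "http://example.com:8080",
      "http://a.example http://b.example",
      "http://a.example\r\nX-Injected: 1"
    };
    for (String s : samples) {
      System.out.println("raw      : " + s.replace("\r", "\\r").replace("\n", "\\n"));
      System.out.println("encoded  : " + urlEncode(s));
      System.out.println("stripped : " + stripCrLf(s));
      System.out.println("origins  : " + splitOrigins(s));
      System.out.println();
    }
  }
}
```

In the third sample the stripped value stays on a single header line, so the embedded text cannot start a new response header, while the first two samples pass through unchanged.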