[ 
https://issues.apache.org/jira/browse/YARN-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14132712#comment-14132712
 ] 

Hudson commented on YARN-2528:
------------------------------

FAILURE: Integrated in Hadoop-Mapreduce-trunk #1895 (See 
[https://builds.apache.org/job/Hadoop-Mapreduce-trunk/1895/])
YARN-2528. Relaxed http response split vulnerability protection for the origins 
header and made it accept multiple origins in CrossOriginFilter. Contributed by 
Jonathan Eagles. (zjshen: rev 98588cf044d9908ecf767257c09a52cf17aa2ec2)
* hadoop-yarn-project/CHANGES.txt
* 
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/timeline/webapp/TestCrossOriginFilter.java
* 
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/timeline/webapp/CrossOriginFilter.java


> Cross Origin Filter Http response split vulnerability protection rejects 
> valid origins
> --------------------------------------------------------------------------------------
>
>                 Key: YARN-2528
>                 URL: https://issues.apache.org/jira/browse/YARN-2528
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: timelineserver
>            Reporter: Jonathan Eagles
>            Assignee: Jonathan Eagles
>             Fix For: 2.6.0
>
>         Attachments: YARN-2528-v1.patch, YARN-2528-v2.patch
>
>
> URLEncoding is too strong of a protection for HTTP Response Split 
> Vulnerability protection and major browser reject the encoded Origin. An 
> adequate protection is simply to remove all CRs LFs as in the case of PHP's 
> header function.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to