[
https://issues.apache.org/jira/browse/YARN-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14132712#comment-14132712
]
Hudson commented on YARN-2528:
------------------------------
FAILURE: Integrated in Hadoop-Mapreduce-trunk #1895 (See
[https://builds.apache.org/job/Hadoop-Mapreduce-trunk/1895/])
YARN-2528. Relaxed http response split vulnerability protection for the origins
header and made it accept multiple origins in CrossOriginFilter. Contributed by
Jonathan Eagles. (zjshen: rev 98588cf044d9908ecf767257c09a52cf17aa2ec2)
* hadoop-yarn-project/CHANGES.txt
* hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/timeline/webapp/TestCrossOriginFilter.java
* hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/timeline/webapp/CrossOriginFilter.java
> Cross Origin Filter Http response split vulnerability protection rejects
> valid origins
> --------------------------------------------------------------------------------------
>
> Key: YARN-2528
> URL: https://issues.apache.org/jira/browse/YARN-2528
> Project: Hadoop YARN
> Issue Type: Sub-task
> Components: timelineserver
> Reporter: Jonathan Eagles
> Assignee: Jonathan Eagles
> Fix For: 2.6.0
>
> Attachments: YARN-2528-v1.patch, YARN-2528-v2.patch
>
>
> URLEncoding is too strong of a protection for HTTP Response Split
> Vulnerability protection and major browsers reject the encoded Origin. An
> adequate protection is simply to remove all CRs and LFs, as in the case of
> PHP's header function.
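
An added example (not the code from the YARN-2528 patch) contrasting the two protections named in the issue description: URL-encoding the Origin value versus removing CR and LF from it. The class name, allow-list and sample header values are constructed for illustration, and treating the header as a space-separated list of origins that must all be allow-listed is an assumption of this sketch.

```java
import java.net.URLEncoder;
import java.util.Arrays;
import java.util.List;

public class OriginHeaderDemo {
  // Constructed allow-list for the demo.
  static final List<String> ALLOWED =
      Arrays.asList("http://ui.example.com", "https://admin.example.com:8443");

  // URL-encoding neutralises CR/LF but also rewrites ':' and '/', so the
  // result no longer equals the origin the browser sent.
  static String urlEncode(String header) throws Exception {
    return URLEncoder.encode(header, "UTF-8");
  }

  // CR/LF removal: the value can no longer end the header line early,
  // and a well-formed origin passes through unchanged.
  static String stripCrLf(String header) {
    return header.replaceAll("[\\r\\n]", "");
  }

  // Returns the sanitised header value if every space-separated origin is
  // allow-listed, otherwise null (meaning: send no CORS response header).
  static String allowedOrigins(String originHeader) {
    if (originHeader == null) {
      return null;
    }
    String cleaned = stripCrLf(originHeader).trim();
    for (String origin : cleaned.split("\\s+")) {
      if (!ALLOWED.contains(origin)) {
        return null;
      }
    }
    return cleaned;
  }

  public static void main(String[] args) throws Exception {
    String single = "http://ui.example.com";
    String multiple = "http://ui.example.com https://admin.example.com:8443";
    String withCrLf = "http://ui.example.com\r\nX-Injected: 1"; // constructed

    System.out.println("encoded:   " + urlEncode(single));
    System.out.println("single:    " + allowedOrigins(single));
    System.out.println("multiple:  " + allowedOrigins(multiple));
    System.out.println("with CRLF: " + allowedOrigins(withCrLf));
  }
}
```

The value containing CR/LF is collapsed onto one line by `stripCrLf` and then fails the allow-list check, so nothing derived from it is written to the response.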