Xuan Gong created YARN-5115:
-------------------------------
Summary: Security risk by using CONTENT-DISPOSITION header
Key: YARN-5115
URL: https://issues.apache.org/jira/browse/YARN-5115
Project: Hadoop YARN
Issue Type: Bug
Reporter: Xuan Gong
In NMWebService/AHSWebservice, we have used CONTENT-DISPOSITION header for
show/download container logs. Looks like it has security risks. And people have
devised content-disposition hacking.
The HTTP 1.1 Standard (RFC 2616) also mentions the possible security side
effects of content disposition:
{code}
15.5 Content-Disposition Issues
RFC 1806 [35], from which the often implemented Content-Disposition
(see section 19.5.1) header in HTTP is derived, has a number of very
serious security considerations. Content-Disposition is not part of
the HTTP standard, but since it is widely implemented, we are
documenting its use and risks for implementors. See RFC 2183 [49]
(which updates RFC 1806) for details.
{code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
