You are viewing a plain text version of this content. The canonical link for it is here.

Posted to yarn-issues@hadoop.apache.org by "Xuan Gong (JIRA)" <ji...@apache.org> on 2016/05/19 18:36:13 UTC

[jira] [Assigned] (YARN-5115) Security risk by using CONTENT-DISPOSITION header

     [ https://issues.apache.org/jira/browse/YARN-5115?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Xuan Gong reassigned YARN-5115:
-------------------------------

    Assignee: Xuan Gong

> Security risk by using CONTENT-DISPOSITION header
> -------------------------------------------------
>
>                 Key: YARN-5115
>                 URL: https://issues.apache.org/jira/browse/YARN-5115
>             Project: Hadoop YARN
>          Issue Type: Bug
>            Reporter: Xuan Gong
>            Assignee: Xuan Gong
>
> In NMWebService/AHSWebservice, we have used CONTENT-DISPOSITION header for show/download container logs. Looks like it has security risks. And people have devised content-disposition hacking.
> The HTTP 1.1 Standard (RFC 2616) also mentions the possible security side effects of content disposition:
> {code}
> 15.5 Content-Disposition Issues
>    RFC 1806 [35], from which the often implemented Content-Disposition
>    (see section 19.5.1) header in HTTP is derived, has a number of very
>    serious security considerations. Content-Disposition is not part of
>    the HTTP standard, but since it is widely implemented, we are
>    documenting its use and risks for implementors. See RFC 2183 [49]
>    (which updates RFC 1806) for details.
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org