Posted to commits@airflow.apache.org by "Kaxil Naik (Jira)" <ji...@apache.org> on 2019/08/30 11:56:00 UTC

[jira] [Updated] (AIRFLOW-5357) Fix Content-Type for exported variables.json file

     [ https://issues.apache.org/jira/browse/AIRFLOW-5357?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kaxil Naik updated AIRFLOW-5357:
--------------------------------
    Description: 
Credits to Anurag Jain for reporting this:

It was observed that the content type is set incorrectly while exporting variables in Apache Airflow. 

>>> 
>>> Steps:
>>> 
>>> 1. Open Apache Airflow
>>> 2. Create a new variable at /admin/variable/
>>> 3. Keep the key as <input> and value as <input>
>>> 4. Save this variable
>>> 5. Export this variable using Mozilla Firefox Browser
>>> 6. Observe that the downloaded file is saved as <name>.json.htm instead of <name>.json. This happens since Apache Airflow sets the response Content-Type as text/html instead of application/json, which causes the browser to interpret it as HTML.

  was:
Credits to Anurag Jain for reporting this:

It was observed that the content type is set incorrectly while exporting variables in Apache Airflow. This allows an attacker to run malicious scripts on anyone who decides to export the variables and later open the export file.

>>> 
>>> Steps:
>>> 
>>> 1. Open Apache Airflow
>>> 2. Create a new variable at /admin/variable/
>>> 3. Keep the key as <input> and value as <input>
>>> 4. Save this variable
>>> 5. Export this variable using Mozilla Firefox Browser
>>> 6. Observe that the downloaded file is saved as <name>.json.htm instead of <name>.json. This happens since Apache Airflow sets the response Content-Type as text/html instead of application/json, which causes the browser to interpret it as HTML.


> Fix Content-Type for exported variables.json file
> -------------------------------------------------
>
>                 Key: AIRFLOW-5357
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-5357
>             Project: Apache Airflow
>          Issue Type: Improvement
>          Components: webserver
>    Affects Versions: 1.10.4
>            Reporter: Kaxil Naik
>            Assignee: Kaxil Naik
>            Priority: Major
>             Fix For: 1.10.5
>
>
> Credits to Anurag Jain for reporting this:
> It was observed that the content type is set incorrectly while exporting variables in Apache Airflow. 
> >>> 
> >>> Steps:
> >>> 
> >>> 1. Open Apache Airflow
> >>> 2. Create a new variable at /admin/variable/
> >>> 3. Keep the key as <input> and value as <input>
> >>> 4. Save this variable
> >>> 5. Export this variable using Mozilla Firefox Browser
> >>> 6. Observe that the downloaded file is saved as <name>.json.htm instead of <name>.json. This happens since Apache Airflow sets the response Content-Type as text/html instead of application/json, which causes the browser to interpret it as HTML.



--
This message was sent by Atlassian Jira
(v8.3.2#803003)
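
The following is an added example, not part of the original Jira message and not Airflow's own code. It models the export response described in the report beside a corrected one as two standard-library WSGI handlers, and audits their headers. The handler names, the `Content-Disposition` header and the `X-Content-Type-Options: nosniff` hardening are assumptions that do not appear in the issue text.

```python
import json
from wsgiref.util import setup_testing_defaults

# Constructed sample data mirroring the report: key and value are both "<input>".
VARIABLES = {"<input>": "<input>"}

def _export(content_type, extra_headers=()):
    """Build a WSGI handler (hypothetical) that returns the variables as JSON."""
    def app(environ, start_response):
        body = json.dumps(VARIABLES, indent=4).encode("utf-8")
        headers = [("Content-Type", content_type),
                   ("Content-Disposition", "attachment; filename=variables.json")]
        start_response("200 OK", headers + list(extra_headers))
        return [body]
    return app

# "Before": JSON body labelled text/html, as the report describes.
export_before = _export("text/html; charset=utf-8")
# "After": correct media type; nosniff is extra hardening (assumption).
export_after = _export("application/json; charset=utf-8",
                       [("X-Content-Type-Options", "nosniff")])

def call(app):
    """Invoke a WSGI app in-process; return (lower-cased headers, body bytes)."""
    environ, captured = {}, {}
    setup_testing_defaults(environ)
    def start_response(status, headers, exc_info=None):
        captured.update({k.lower(): v for k, v in headers})
    return captured, b"".join(app(environ, start_response))

def audit_export(app):
    """Return a list of findings for an endpoint that should serve JSON."""
    headers, body = call(app)
    json.loads(body)  # the payload itself must parse as JSON
    findings = []
    media_type = headers.get("content-type", "").split(";")[0].strip().lower()
    if media_type != "application/json":
        findings.append(f"Content-Type is {media_type!r}, expected 'application/json'")
    if "attachment" not in headers.get("content-disposition", ""):
        findings.append("missing Content-Disposition: attachment")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    return findings

if __name__ == "__main__":
    for name, app in (("before", export_before), ("after", export_after)):
        print(name, audit_export(app) or "ok")
```

The same `audit_export` check can be pointed at any handler that returns user-controlled data as a download, since the body is identical in both cases and only the headers decide how the browser treats it.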