Posted to issues@spark.apache.org by "Dongjoon Hyun (Jira)" <ji...@apache.org> on 2019/10/22 21:23:00 UTC

[jira] [Updated] (SPARK-29556) Avoid including path in error response from REST submission server

     [ https://issues.apache.org/jira/browse/SPARK-29556?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dongjoon Hyun updated SPARK-29556:
----------------------------------
    Affects Version/s: 2.0.2
                       2.1.3
                       2.2.3
                       2.3.4

> Avoid including path in error response from REST submission server
> ------------------------------------------------------------------
>
>                 Key: SPARK-29556
>                 URL: https://issues.apache.org/jira/browse/SPARK-29556
>             Project: Spark
>          Issue Type: Bug
>          Components: Spark Core
>    Affects Versions: 2.0.2, 2.1.3, 2.2.3, 2.3.4, 2.4.4, 3.0.0
>            Reporter: Sean R. Owen
>            Assignee: Sean R. Owen
>            Priority: Minor
>             Fix For: 2.4.5, 3.0.0
>
>
> I'm not sure if it's possible to exploit, but the following code in RESTSubmissionServer's ErrorServlet.service is a little risky as it includes user-supplied path input in the error response. We don't want to let a link determine what's in the resulting HTML.
> {code}
> val path = request.getPathInfo
> ...
> var msg =
>       parts match {
>         ...
>         case _ =>
>           // never reached
>           s"Malformed path $path."
>       }
>     msg += s" Please submit requests through http://[host]:[port]/$serverVersion/submissions/..."
>     val error = handleError(msg)
> {code}
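
The risk described above, as an added example that is not part of the original message and not Spark's code: an error-message builder that echoes the request path next to one that returns only constant text and sends the path to the server log. The object and method names, the match cases, the "v1" version string and the sample path are all assumptions made for the illustration.

```scala
// Added illustration; object, method names and sample values are hypothetical.
object ErrorMessageDemo {
  val serverVersion = "v1" // constructed stand-in for the server's protocol version

  private val hint =
    s" Please submit requests through http://[host]:[port]/$serverVersion/submissions/..."

  // getPathInfo may return null, so normalise before splitting.
  private def parts(path: String): List[String] =
    Option(path).getOrElse("").split("/").filter(_.nonEmpty).toList

  // Shape described in the report: the fallback branch echoes the raw path.
  def riskyMessage(path: String): String = {
    val msg = parts(path) match {
      case Nil => "Missing protocol version."
      case v :: Nil if v == serverVersion => "Missing an action."
      case _ => s"Malformed path $path."
    }
    msg + hint
  }

  // Hardened shape: every branch is a constant; the path goes only to the log,
  // with control characters replaced and the length capped.
  def safeMessage(path: String, log: String => Unit): String = {
    val msg = parts(path) match {
      case Nil => "Missing protocol version."
      case v :: Nil if v == serverVersion => "Missing an action."
      case _ =>
        val shown = Option(path).getOrElse("").replaceAll("\\p{Cntrl}", "?").take(200)
        log(s"Rejected malformed request path: $shown")
        "Malformed path."
    }
    msg + hint
  }

  def main(args: Array[String]): Unit = {
    val constructed = "/x/<b>injected</b>" // constructed sample request path
    val risky = riskyMessage(constructed)
    val safe = safeMessage(constructed, line => Console.err.println(line))
    assert(risky.contains("<b>injected</b>")) // request text reaches the response
    assert(!safe.contains("injected"))        // response is independent of the path
    println(risky)
    println(safe)
  }
}
```

Keeping the path out of the response body means the output no longer depends on how a client or intermediary interprets the content type; the operator still sees the offending path in the log.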


