Posted to commits@airflow.apache.org by "Kaxil Naik (Jira)" <ji...@apache.org> on 2019/08/30 11:55:00 UTC

[jira] [Created] (AIRFLOW-5357) Fix Content-Type for exported variables.json file

Kaxil Naik created AIRFLOW-5357:
-----------------------------------

             Summary: Fix Content-Type for exported variables.json file
                 Key: AIRFLOW-5357
                 URL: https://issues.apache.org/jira/browse/AIRFLOW-5357
             Project: Apache Airflow
          Issue Type: Improvement
          Components: webserver
    Affects Versions: 1.10.4
            Reporter: Kaxil Naik
            Assignee: Kaxil Naik
             Fix For: 1.10.5


Credits to Anurag Jain for reporting this:

It was observed that the content type is set incorrectly while exporting variables in Apache Airflow. This allows an attacker to run malicious scripts on anyone who decides to export the variables and later open the export file.

>>> 
>>> Steps:
>>> 
>>> 1. Open Apache Airflow
>>> 2. Create a new variable at /admin/variable/
>>> 3. Keep the key as <input> and value as <input>
>>> 4. Save this variable
>>> 5. Export this variable using the Mozilla Firefox browser
>>> 6. Observe that the downloaded file is saved as <name>.json.htm instead of <name>.json. This happens because Apache Airflow sets the response Content-Type to text/html instead of application/json, which causes the browser to interpret it as a HTML



--
This message was sent by Atlassian Jira
(v8.3.2#803003)
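
The mislabelled export described in the report, next to a corrected response, as an added example that is not Airflow's code or part of the original message. The handler names, the Content-Disposition value and the extra X-Content-Type-Options header are assumptions made for illustration; the sample variable is the one from the reproduction steps.

```python
import json
from wsgiref.util import setup_testing_defaults

# Constructed sample data: the key and value used in the report's steps.
VARIABLES = {"<input>": "<input>"}

def export_as_html(environ, start_response):
    """'Before' behaviour from the report: JSON body labelled text/html."""
    body = json.dumps(VARIABLES, indent=4).encode("utf-8")
    start_response("200 OK", [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Content-Disposition", "attachment; filename=variables.json"),
    ])
    return [body]

def export_as_json(environ, start_response):
    """Corrected behaviour: same body, declared as JSON, sniffing disabled."""
    body = json.dumps(VARIABLES, indent=4).encode("utf-8")
    start_response("200 OK", [
        ("Content-Type", "application/json; charset=utf-8"),
        ("Content-Disposition", "attachment; filename=variables.json"),
        ("X-Content-Type-Options", "nosniff"),  # assumed extra hardening
    ])
    return [body]

def call(app):
    """Invoke a WSGI app in-process and return (status, headers, body)."""
    environ, captured = {}, {}
    setup_testing_defaults(environ)
    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = {k.lower(): v for k, v in headers}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body

def audit_export(headers):
    """Return a list of problems with a JSON download's response headers."""
    problems = []
    media_type = headers.get("content-type", "").split(";")[0].strip().lower()
    if media_type != "application/json":
        problems.append("Content-Type is %r, expected application/json" % media_type)
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        problems.append("X-Content-Type-Options: nosniff is missing")
    return problems

if __name__ == "__main__":
    for app in (export_as_html, export_as_json):
        status, headers, body = call(app)
        print(app.__name__, status, audit_export(headers) or "ok")
```

The audit_export check can be reused in a regression test against any endpoint that serves a JSON download, since it only looks at the response headers.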