Posted to commits@airflow.apache.org by "Kaxil Naik (Jira)" <ji...@apache.org> on 2019/08/30 11:55:00 UTC
[jira] [Created] (AIRFLOW-5357) Fix Content-Type for exported variables.json file
Kaxil Naik created AIRFLOW-5357:
-----------------------------------
Summary: Fix Content-Type for exported variables.json file
Key: AIRFLOW-5357
URL: https://issues.apache.org/jira/browse/AIRFLOW-5357
Project: Apache Airflow
Issue Type: Improvement
Components: webserver
Affects Versions: 1.10.4
Reporter: Kaxil Naik
Assignee: Kaxil Naik
Fix For: 1.10.5
Credits to Anurag Jain for reporting this:
It was observed that the content type is set incorrectly while exporting variables in Apache Airflow. This allows an attacker to run malicious scripts on anyone who decides to export the variables and later open the export file.
>>>
>>> Steps:
>>>
>>> 1. Open Apache Airflow
>>> 2. Create a new variable at /admin/variable/
>>> 3. Keep the key as <input> and value as <input>
>>> 4. Save this variable
>>> 5. Export this variable using Mozilla Firefox Browser
>>> 6. Observe that the downloaded file is saved as <name>.json.htm instead of <name>.json. This happens since Apache Airflow sets the Response Content-Type as text/html instead of application/json, which causes the browser to interpret it as HTML
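The check below is an added example, not part of the original report and not Airflow's own code: it audits the response headers of a file-export endpoint for the Content-Type mismatch described in the report. Both header sets are constructed samples, the function name is hypothetical, and the nosniff check is an extra hardening test that the report does not mention.

```python
import mimetypes
from email.message import Message

# Types a browser renders as active content when the saved file is opened.
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}


def audit_download(headers):
    """Return a list of findings for a file-export response's headers."""
    msg = Message()
    for name, value in headers.items():
        msg[name] = value
    findings = []
    if "Content-Type" not in msg:
        return ["no Content-Type: the browser will guess the type"]
    declared = msg.get_content_type()      # e.g. "text/html", parameters stripped
    filename = msg.get_filename()          # filename= from Content-Disposition
    expected = mimetypes.guess_type(filename)[0] if filename else None
    if expected and declared != expected:
        findings.append(f"{filename}: declared {declared}, expected {expected}")
    if declared in ACTIVE_TYPES and msg.get_content_disposition() == "attachment":
        findings.append(f"attachment served as {declared}: opens as active content")
    # Extra check, not from the report: stop the browser second-guessing the type.
    if (msg.get("X-Content-Type-Options") or "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff not set")
    return findings


# Constructed sample: the behaviour the report describes (text/html for a .json export).
BEFORE = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Disposition": "attachment; filename=variables.json",
}
# Constructed sample: the corrected response.
AFTER = {
    "Content-Type": "application/json; charset=utf-8",
    "Content-Disposition": "attachment; filename=variables.json",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_download(hdrs) or "ok")
```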