[YARN-10833] RM logs endpoint vulnerable to clickjacking - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 3.4.0
Fix Version/s: 3.4.0
Component/s: webapp
Labels:
- pull-request-available

Target Version/s:

3.4.0
Hadoop Flags:

Reviewed

Description

The /logs endpoint is missing the X-FRAME-OPTIONS in the response header, even though YARN is configured to do include it. This makes it vulnerable to clickjacking.

Request URL: http://{{rm_host}}:8088/logs/
Request Method: GET
Status Code: 200 OK
Remote Address: [::1]:8088
Referrer Policy: strict-origin-when-cross-origin

HTTP/1.1 200 OK
Date: Fri, 25 Jun 2021 17:38:38 GMT
Cache-Control: no-cache
Expires: Fri, 25 Jun 2021 17:38:38 GMT
Date: Fri, 25 Jun 2021 17:38:38 GMT
Pragma: no-cache
Content-Type: text/html;charset=utf-8
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Length: 469

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

YARN-10833.001.patch
25/Jun/21 18:39
10 kB
Benjamin Teke
YARN-10833.002.patch
30/Jun/21 11:24
11 kB
Benjamin Teke

Issue Links

relates to

HADOOP-12964 Http server vulnerable to clickjacking

Resolved

links to

GitHub Pull Request #3203

Activity

People

Assignee:: Benjamin Teke

Reporter:: Benjamin Teke

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 25/Jun/21 17:40

Updated:: 11/Feb/24 14:24

Resolved:: 24/Jul/21 03:45

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

40m