Conversation

@srowen (Member) commented Oct 22, 2019

What changes were proposed in this pull request?

Don't include `$path` from user query in the error response.

Why are the changes needed?

The path could contain input that is then rendered as HTML in the error response. It's not clear whether it's exploitable, but better safe than sorry as the path info really isn't that important in this context.

Does this PR introduce any user-facing change?

No

How was this patch tested?

Existing tests.
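As an added illustration of the risk the description above names (this is example code, not the Spark ErrorServlet; the page-builder functions, their parameters and the sample path are assumed for the example), the "before" shape of an error page that echoes the request path back as HTML, the fix that omits the path entirely, and the escaping alternative for cases where it must be shown:

```python
import html

# Constructed sample input: a request path carrying markup (made up for this example).
SAMPLE_PATH = "/history/app-123/<i>injected</i>"


def error_page_vulnerable(status: int, message: str, path: str) -> str:
    """'Before' form: the raw request path is interpolated into the HTML body,
    so any markup in the URL is interpreted by the browser."""
    return (
        "<html><body>"
        f"<h2>HTTP ERROR {status}</h2>"
        f"<p>Problem accessing {path}. Reason: {message}</p>"
        "</body></html>"
    )


def error_page_fixed(status: int, message: str) -> str:
    """Fix in the spirit of this PR: the path is simply not echoed back.
    The (server-generated) reason text is still escaped as a matter of course."""
    return (
        "<html><body>"
        f"<h2>HTTP ERROR {status}</h2>"
        f"<p>Reason: {html.escape(message)}</p>"
        "</body></html>"
    )


def error_page_escaped(status: int, message: str, path: str) -> str:
    """Alternative when the path must appear: HTML-escape it so that
    '<i>' becomes '&lt;i&gt;' and is displayed as text, not rendered."""
    return (
        "<html><body>"
        f"<h2>HTTP ERROR {status}</h2>"
        f"<p>Problem accessing {html.escape(path)}. Reason: {html.escape(message)}</p>"
        "</body></html>"
    )


def reflects_markup(body: str, untrusted: str) -> bool:
    """Review-time check: is the untrusted input present in the response body
    verbatim, with its markup intact? True means the page reflects it unescaped."""
    return untrusted in body
```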

@srowen srowen self-assigned this Oct 22, 2019
SparkQA commented Oct 22, 2019

Test build #112468 has finished for PR 26211 at commit 75719bc.

  • This patch passes all tests.
  • This patch merges cleanly.
  • This patch adds no public classes.

@hvanhovell (Contributor) left a comment

LGTM

@dongjoon-hyun (Member) left a comment

+1, LGTM. Merged to master/2.4

dongjoon-hyun pushed a commit that referenced this pull request Oct 22, 2019
…rrorServlet

### What changes were proposed in this pull request?

Don't include `$path` from user query in the error response.

### Why are the changes needed?

The path could contain input that is then rendered as HTML in the error response. It's not clear whether it's exploitable, but better safe than sorry as the path info really isn't that important in this context.

### Does this PR introduce any user-facing change?

No

### How was this patch tested?

Existing tests.

Closes #26211 from srowen/SPARK-29556.

Authored-by: Sean Owen <[email protected]>
Signed-off-by: Dongjoon Hyun <[email protected]>
(cherry picked from commit 8009468)
Signed-off-by: Dongjoon Hyun <[email protected]>
@srowen srowen deleted the SPARK-29556 branch October 26, 2019 20:50