This is an automated email from the ASF dual-hosted git repository.

rlevas pushed a commit to branch branch-2.6
in repository https://gitbox.apache.org/repos/asf/ambari.git


The following commit(s) were added to refs/heads/branch-2.6 by this push:
     new d9df1c9  [AMBARI-23694] Symlinks are not followed when requesting 
resources from Ambari's resources entry point
d9df1c9 is described below

commit d9df1c9f180ce85a0a4afd4c7dc12e6877eb0ffc
Author: Robert Levas <[email protected]>
AuthorDate: Wed Apr 25 15:58:39 2018 -0400

    [AMBARI-23694] Symlinks are not followed when requesting resources from 
Ambari's resources entry point
---
 .../main/java/org/apache/ambari/server/controller/AmbariServer.java | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git 
a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
 
b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
index 9f662ac..e336972 100644
--- 
a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
+++ 
b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
@@ -487,6 +487,12 @@ public class AmbariServer {
       File resourcesDirectory = new File(configs.getResourceDirPath());
       ServletHolder resources = new ServletHolder(DefaultServlet.class);
       resources.setInitParameter("resourceBase", 
resourcesDirectory.getParent());
+      // Allowing aliases can bypass some security constraints, but allows for 
following symlinks
+      // which are needed for mpacks. For example:
+      //   /var/lib/ambari-server/resources/stacks/HDP/2.6/services/BEACON ->
+      //   
/var/lib/ambari-server/resources/mpacks/beacon-engine.mpack-1.1.0.0/addon-services/BEACON/1.1.0
+      // NOTE: Enabling aliases does not re-introduce the vulnerability 
described in CVE-2018-8003.
+      resources.setInitParameter("aliases", "true");
       root.addServlet(resources, "/resources/*");
       resources.setInitOrder(5);
 
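Review bot: The new `resources.setInitParameter("aliases", "true")` approves every alias the context resolves, not only symbolic links, so the comment above it understates what is being enabled; in Jetty 9 the DefaultServlet `aliases` parameter is documented as allowing aliases such as symlinks and case variations, which on a case-insensitive filesystem also admits name variants under `/resources/*`. If symlinks are all the mpack layout needs, the narrower option is to leave `aliases` unset and register a symlink-only checker on the context, e.g. `root.addAliasCheck(new AllowSymLinkAliasChecker());`, assuming `root` is the Jetty ServletContextHandler (its declaration is outside the hunk). The NOTE claiming that aliases do not re-introduce CVE-2018-8003 should also say why it holds — a reader cannot verify it from the comment alone — e.g. `// NOTE: ... because the traversal fix lives in request-path normalization, not in alias checking (confirm)`. The enclosing method continues outside the hunk.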
