Author: omalley
Date: Wed Dec 16 06:31:51 2009
New Revision: 891132
URL: http://svn.apache.org/viewvc?rev=891132&view=rev
Log:
HADOOP-6441. Protect web ui from cross site scripting attacks (XSS) on
the host http header and using encoded utf-7. (omalley)
Modified:
hadoop/common/trunk/CHANGES.txt
hadoop/common/trunk/src/java/org/apache/hadoop/http/HttpServer.java
Modified: hadoop/common/trunk/CHANGES.txt
URL:
http://svn.apache.org/viewvc/hadoop/common/trunk/CHANGES.txt?rev=891132&r1=891131&r2=891132&view=diff
==============================================================================
--- hadoop/common/trunk/CHANGES.txt (original)
+++ hadoop/common/trunk/CHANGES.txt Wed Dec 16 06:31:51 2009
@@ -1222,6 +1222,9 @@
HADOOP-6375. Sync documentation for FsShell du with its implementation.
(Todd Lipcon via cdouglas)
+ HADOOP-6441. Protect web ui from cross site scripting attacks (XSS) on
+ the host http header and using encoded utf-7. (omalley)
+
Release 0.20.2 - Unreleased
NEW FEATURES
Modified: hadoop/common/trunk/src/java/org/apache/hadoop/http/HttpServer.java
URL:
http://svn.apache.org/viewvc/hadoop/common/trunk/src/java/org/apache/hadoop/http/HttpServer.java?rev=891132&r1=891131&r2=891132&view=diff
==============================================================================
--- hadoop/common/trunk/src/java/org/apache/hadoop/http/HttpServer.java
(original)
+++ hadoop/common/trunk/src/java/org/apache/hadoop/http/HttpServer.java Wed Dec
16 06:31:51 2009
@@ -624,6 +624,25 @@
}
return result;
}
+
+ /**
+ * Quote the url so that users specifying the HOST HTTP header
+ * can't inject attacks.
+ */
+ @Override
+ public StringBuffer getRequestURL(){
+ String url = rawRequest.getRequestURL().toString();
+ return new StringBuffer(HtmlQuoting.quoteHtmlChars(url));
+ }
+
+ /**
+ * Quote the server name so that users specifying the HOST HTTP header
+ * can't inject attacks.
+ */
+ @Override
+ public String getServerName() {
+ return HtmlQuoting.quoteHtmlChars(rawRequest.getServerName());
+ }
}
@Override
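Review bot: Quoting `getServerName()` and `getRequestURL()` is output escaping for HTML contexts, not validation — a request whose Host header does not name this server is still accepted, and any caller that uses these values outside a page (an absolute link or a redirect `Location`) now receives entity-encoded text, which is wrong there. That contract belongs in the Javadoc of both overrides, e.g. `* The returned value is HTML-entity quoted; use the wrapped request for non-HTML uses such as redirects.`, since a reader of the wrapper cannot otherwise tell that the value differs from the raw request. Presumably `HtmlQuoting.quoteHtmlChars` leaves an ordinary hostname untouched and copes with a null argument, but neither is visible in this hunk. The enclosing `RequestQuoter` class starts before the hunk, and the trailing `@Override` belongs to the next method. Minor style: `getRequestURL(){` lacks the space before the brace that `getServerName() {` uses.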
@@ -641,6 +660,10 @@
) throws IOException, ServletException {
HttpServletRequestWrapper quoted =
new RequestQuoter((HttpServletRequest) request);
+ final HttpServletResponse httpResponse = (HttpServletResponse) response;
+ // set the default to UTF-8 so that we don't need to worry about IE7
+ // choosing to interpret the special characters as UTF-7
+ httpResponse.setContentType("text/html;charset=utf-8");
chain.doFilter(quoted, response);
}
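Review bot: The `text/html;charset=utf-8` default is set before `chain.doFilter`, so it only covers responses whose servlet never sets a content type; a servlet that later calls `setContentType("text/plain")` or serves JSON without naming a charset may, depending on how the container treats a charset-less override, still leave the encoding undeclared and open to the UTF-7 interpretation this line is meant to rule out. Consider also calling `httpResponse.setCharacterEncoding("UTF-8");` after the `setContentType` line, and extending the comment so it states that servlets overriding the type must carry their own charset. Note too that non-HTML endpoints that write a body without setting a type are now labelled `text/html`, so each of them must set its own type explicitly. The `(HttpServletResponse)` cast, like the existing request cast, is unchecked; that is acceptable only if this filter is mapped to HTTP alone, which is not visible here. The `doFilter` signature starts before the hunk.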