Author: omalley
Date: Wed Dec 16 07:01:02 2009
New Revision: 891134
URL: http://svn.apache.org/viewvc?rev=891134&view=rev
Log:
HADOOP-6441. Protect web ui from cross site scripting attacks (XSS) on
the host http header and using encoded utf-7. (omalley)
Modified:
hadoop/common/branches/branch-0.21/ (props changed)
hadoop/common/branches/branch-0.21/CHANGES.txt (contents, props changed)
hadoop/common/branches/branch-0.21/src/contrib/ec2/ (props changed)
hadoop/common/branches/branch-0.21/src/docs/ (props changed)
hadoop/common/branches/branch-0.21/src/java/ (props changed)
hadoop/common/branches/branch-0.21/src/java/org/apache/hadoop/http/HttpServer.java
hadoop/common/branches/branch-0.21/src/test/core/ (props changed)
Propchange: hadoop/common/branches/branch-0.21/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Wed Dec 16 07:01:02 2009
@@ -1,2 +1,2 @@
-/hadoop/common/trunk:818543,819670,824900-824942,831032,831070,832157,884428,885534,888565,889378
+/hadoop/common/trunk:818543,819670,824900-824942,831032,831070,832157,884428,885534,888565,889378,891132
/hadoop/core/branches/branch-0.19/core:713112
Modified: hadoop/common/branches/branch-0.21/CHANGES.txt
URL:
http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.21/CHANGES.txt?rev=891134&r1=891133&r2=891134&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.21/CHANGES.txt (original)
+++ hadoop/common/branches/branch-0.21/CHANGES.txt Wed Dec 16 07:01:02 2009
@@ -1,6 +1,6 @@
Hadoop Change Log
-Trunk (unreleased changes)
+Release 0.21.0 - Unreleased
INCOMPATIBLE CHANGES
@@ -1136,6 +1136,9 @@
HADOOP-6428. HttpServer sleeps with negative values. (cos)
+ HADOOP-6441. Protect web ui from cross site scripting attacks (XSS) on
+ the host http header and using encoded utf-7. (omalley)
+
Release 0.20.2 - Unreleased
NEW FEATURES
Propchange: hadoop/common/branches/branch-0.21/CHANGES.txt
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Wed Dec 16 07:01:02 2009
@@ -1,4 +1,4 @@
-/hadoop/common/trunk/CHANGES.txt:818543,819670,823756,824900-824942,831032,831070,832157,884428,888565,889378
+/hadoop/common/trunk/CHANGES.txt:818543,819670,823756,824900-824942,831032,831070,832157,884428,888565,889378,891132
/hadoop/core/branches/branch-0.18/CHANGES.txt:727226
/hadoop/core/branches/branch-0.19/CHANGES.txt:713112
/hadoop/core/trunk/CHANGES.txt:776175-785643,785929-786278
Propchange: hadoop/common/branches/branch-0.21/src/contrib/ec2/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Wed Dec 16 07:01:02 2009
@@ -1,3 +1,3 @@
-/hadoop/common/trunk/src/contrib/ec2:818543,819670,831032,831070,832157,884428,885534,888565,889378
+/hadoop/common/trunk/src/contrib/ec2:818543,819670,831032,831070,832157,884428,885534,888565,889378,891132
/hadoop/core/branches/branch-0.19/core/src/contrib/ec2:713112
/hadoop/core/trunk/src/contrib/ec2:776175-784663
Propchange: hadoop/common/branches/branch-0.21/src/docs/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Wed Dec 16 07:01:02 2009
@@ -1,2 +1,2 @@
-/hadoop/common/trunk/src/docs:818543,819670,831032,831070,832157,884428,885534,888565,889378
+/hadoop/common/trunk/src/docs:818543,819670,831032,831070,832157,884428,885534,888565,889378,891132
/hadoop/core/branches/branch-0.19/src/docs:713112
Propchange: hadoop/common/branches/branch-0.21/src/java/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Wed Dec 16 07:01:02 2009
@@ -1,3 +1,3 @@
-/hadoop/common/trunk/src/java:818543,819670,831032,831070,832157,884428,885534,888565,889378
+/hadoop/common/trunk/src/java:818543,819670,831032,831070,832157,884428,885534,888565,889378,891132
/hadoop/core/branches/branch-0.19/core/src/java:713112
/hadoop/core/trunk/src/core:776175-785643,785929-786278
Modified:
hadoop/common/branches/branch-0.21/src/java/org/apache/hadoop/http/HttpServer.java
URL:
http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.21/src/java/org/apache/hadoop/http/HttpServer.java?rev=891134&r1=891133&r2=891134&view=diff
==============================================================================
---
hadoop/common/branches/branch-0.21/src/java/org/apache/hadoop/http/HttpServer.java
(original)
+++
hadoop/common/branches/branch-0.21/src/java/org/apache/hadoop/http/HttpServer.java
Wed Dec 16 07:01:02 2009
@@ -624,6 +624,25 @@
}
return result;
}
+
+ /**
+ * Quote the url so that users specifying the HOST HTTP header
+ * can't inject attacks.
+ */
+ @Override
+ public StringBuffer getRequestURL(){
+ String url = rawRequest.getRequestURL().toString();
+ return new StringBuffer(HtmlQuoting.quoteHtmlChars(url));
+ }
+
+ /**
+ * Quote the server name so that users specifying the HOST HTTP header
+ * can't inject attacks.
+ */
+ @Override
+ public String getServerName() {
+ return HtmlQuoting.quoteHtmlChars(rawRequest.getServerName());
+ }
}
@Override
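Review bot: The new `getRequestURL()` and `getServerName()` overrides HTML-quote values at the request side, so any servlet that uses them in a non-HTML context (a `Location` header for a redirect, a host comparison, a log line) now receives `&amp;`-style entities instead of the raw value, and a servlet that already escapes on output will double-encode. The overrides also cover only these two accessors; unless RequestQuoter quotes `getHeader(...)` elsewhere (the rest of the class is outside this hunk), `getHeader("Host")` and `getRequestURI()` still return the raw client-supplied strings. A class-level Javadoc on RequestQuoter (its declaration is outside this hunk) stating the contract would prevent both mistakes, e.g. `* All values returned by this wrapper are HTML-quoted and are intended only for embedding in HTML output; do not use them to build headers or for comparisons.`. If `rawRequest.getServerName()` can be null in this container, `quoteHtmlChars` should be checked to tolerate it, since the wrapper passes the value through unguarded.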
@@ -641,6 +660,10 @@
) throws IOException, ServletException {
HttpServletRequestWrapper quoted =
new RequestQuoter((HttpServletRequest) request);
+ final HttpServletResponse httpResponse = (HttpServletResponse) response;
+ // set the default to UTF-8 so that we don't need to worry about IE7
+ // choosing to interpret the special characters as UTF-7
+ httpResponse.setContentType("text/html;charset=utf-8");
chain.doFilter(quoted, response);
}
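Review bot: The `setContentType("text/html;charset=utf-8")` call runs for every response that passes through this filter, before any servlet executes, so a servlet that never sets its own content type is now labelled HTML regardless of what it writes; only the charset is needed to stop the UTF-7 interpretation, the media type is a side effect. The comment should make the contract explicit so maintainers of non-HTML endpoints know they must override it: `// default Content-Type (with charset) for servlets that do not set their own; servlets emitting non-HTML must call setContentType themselves`. Note also that a servlet calling `response.reset()` or setting the content type without a charset discards this default, and the header has no effect once the response is committed. The enclosing `doFilter` signature begins outside this hunk.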
Propchange: hadoop/common/branches/branch-0.21/src/test/core/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Wed Dec 16 07:01:02 2009
@@ -1,3 +1,3 @@
-/hadoop/common/trunk/src/test/core:818543,819670,831032,831070,832157,884428,885534,888565,889378
+/hadoop/common/trunk/src/test/core:818543,819670,831032,831070,832157,884428,885534,888565,889378,891132
/hadoop/core/branches/branch-0.19/core/src/test/core:713112
/hadoop/core/trunk/src/test/core:776175-785643,785929-786278