YARN-1993. Cross-site scripting vulnerability in TextView.java. Contributed by Kenji Kikushima.
Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/4b999c74 Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/4b999c74 Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/4b999c74 Branch: refs/heads/YARN-2928 Commit: 4b999c74cee3aabb5d4e7aff9f4fb953dcce7eac Parents: b125d0d Author: Tsuyoshi Ozawa <[email protected]> Authored: Sun May 3 10:51:17 2015 +0900 Committer: Zhijie Shen <[email protected]> Committed: Mon May 4 12:59:00 2015 -0700 ---------------------------------------------------------------------- hadoop-yarn-project/CHANGES.txt | 4 ++++ .../main/java/org/apache/hadoop/yarn/webapp/view/TextView.java | 5 ++++- 2 files changed, 8 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hadoop/blob/4b999c74/hadoop-yarn-project/CHANGES.txt ---------------------------------------------------------------------- diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt index 511ddb7..fde0168 100644 --- a/hadoop-yarn-project/CHANGES.txt +++ b/hadoop-yarn-project/CHANGES.txt @@ -357,6 +357,10 @@ Release 2.8.0 - UNRELEASED YARN-2454. Fix compareTo of variable UNBOUNDED in o.a.h.y.util.resource.Resources. (Xu Yang via junping_du) + YARN-1993. Cross-site scripting vulnerability in TextView.java. (Kenji Kikushima + via ozawa) + + Release 2.7.1 - UNRELEASED INCOMPATIBLE CHANGES http://git-wip-us.apache.org/repos/asf/hadoop/blob/4b999c74/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/view/TextView.java ---------------------------------------------------------------------- diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/view/TextView.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/view/TextView.java index 16efa4e..4983dac 100644 
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/view/TextView.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/view/TextView.java
@@ -20,6 +20,7 @@ package org.apache.hadoop.yarn.webapp.view;
 import java.io.PrintWriter;
+import org.apache.commons.lang.StringEscapeUtils;
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.yarn.webapp.View;
@@ -45,7 +46,9 @@ public abstract class TextView extends View {
 public void echo(Object... args) {
 PrintWriter out = writer();
 for (Object s : args) {
- out.print(s);
+ String escapedString = StringEscapeUtils.escapeJavaScript(
+ StringEscapeUtils.escapeHtml(s.toString()));
+ out.print(escapedString);
 }
 }
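Review bot: In the second hunk, `s.toString()` throws a NullPointerException when any element of `args` is null, whereas the replaced `out.print(s)` printed the literal text "null" through `String.valueOf`; keeping that behaviour is a one-token change, `StringEscapeUtils.escapeHtml(String.valueOf(s))`. Chaining `escapeJavaScript` over `escapeHtml` on every call also backslash-escapes `/`, `'` and `\` (so `http://` is emitted as `http:\/\/`), which is only correct when the output lands inside a JavaScript string literal; because `echo` is the generic print path of an abstract view base class, subclasses writing plain text or HTML body content will get visibly mangled output, and the encoding applied should match a single sink context rather than both at once. The Javadoc of `echo` lies outside the hunk; if it still describes the method as printing its arguments as-is, it should be updated to say that output is HTML- and JavaScript-escaped, so callers do not escape a second time. The enclosing class continues outside the hunk.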
