Repository: hadoop Updated Branches: refs/heads/branch-3.1 58b5b3aa7 -> 09fd1348e
HDFS-13636. Cross-Site Scripting vulnerability in HttpServer2 (Contributed by Haibo Yan via Daniel Templeton) Change-Id: I28edde8125dd20d8d270f0e609d1c04d8173c8b7 (cherry picked from commit cba319499822a2475c60c43ea71f8e78237e139f) Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/09fd1348 Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/09fd1348 Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/09fd1348 Branch: refs/heads/branch-3.1 Commit: 09fd1348e855302f6f238917a98997d935c373c8 Parents: 58b5b3a Author: Daniel Templeton <[email protected]> Authored: Fri Jun 1 14:42:39 2018 -0700 Committer: Daniel Templeton <[email protected]> Committed: Fri Jun 1 14:44:22 2018 -0700 ---------------------------------------------------------------------- .../src/main/java/org/apache/hadoop/http/HttpServer2.java | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hadoop/blob/09fd1348/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java index 47ca841..3e2063a 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java @@ -1415,8 +1415,11 @@ public final class HttpServer2 implements FilterContainer { if (servletContext.getAttribute(ADMINS_ACL) != null && !userHasAdministratorAccess(servletContext, remoteUser)) { - response.sendError(HttpServletResponse.SC_FORBIDDEN, "User " - + remoteUser + " is unauthorized to access this page."); + response.sendError(HttpServletResponse.SC_FORBIDDEN, + "Unauthenticated users are not " + + "authorized to access this page."); + LOG.warn("User " + remoteUser + " is unauthorized to access the page " + + request.getRequestURI() + "."); return false; } --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
