[
https://issues.apache.org/jira/browse/HADOOP-12584?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15067368#comment-15067368
]
Robert Kanter commented on HADOOP-12584:
----------------------------------------
Those test failures were unrelated, and don't seem to be failing now when I run
it locally. I ran all of the tests in hadoop-common-project,
hadoop-yarn-project, hadoop-mapreduce-project, and hadoop-hdfs-project and they
all passed.
[~steve_l], [~varun_saxena], can one of you review the updated patch?
> Disable browsing the static directory in HttpServer2
> ----------------------------------------------------
>
> Key: HADOOP-12584
> URL: https://issues.apache.org/jira/browse/HADOOP-12584
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 2.8.0
> Reporter: Robert Kanter
> Assignee: Robert Kanter
> Fix For: 2.8.0
>
> Attachments: HADOOP-12584.001.patch, HADOOP-12584.002.patch,
> HADOOP-12584.003.patch, HADOOP-12584_branch-2.003.patch
>
>
> We found a minor security issue with the Yarn Web UIs (or anything using
> {{HttpServer2}}). Currently, you can list the contents of the {{/static}}
> directory for the RM, NM, and JHS. This isn't a huge deal, but there are
> some ways to abuse this to get access to files on the host, though it would
> be pretty difficult. It's also good practice to disable directory listing on
> web apps.
> Here are the URLs:
> - http://HOST:8088/static/
> - http://HOST:19888/static/
> - http://HOST:8042/static/
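
An added example, not part of the original message or of the attached patches: a small check an operator could run against their own cluster to confirm whether `/static/` still returns a directory index on the three ports listed in the description. It assumes that the server's generated index page carries a "Directory: /static/" title or heading and that a server with listing disabled answers 403 or 404; the function names and sample responses are constructed for illustration.

```python
import re
import sys
import urllib.error
import urllib.request

# Ports taken from the three URLs in the issue description.
STATIC_PORTS = (8088, 19888, 8042)

# Assumption: the generated index page has a "Directory: /static/" title or heading.
LISTING_MARKER = re.compile(r"<(title|h1)>\s*Directory:\s*/static/?", re.IGNORECASE)

# Constructed sample responses (not captured from a real cluster).
SAMPLE_LISTING = ("<HTML><HEAD><TITLE>Directory: /static/</TITLE></HEAD>"
                  "<BODY><H1>Directory: /static/</H1><TABLE></TABLE></BODY></HTML>")
SAMPLE_FORBIDDEN = "<html><body><h2>HTTP ERROR: 403</h2></body></html>"


def static_urls(host):
    """Build the /static/ URLs named in the issue for one host."""
    return [f"http://{host}:{port}/static/" for port in STATIC_PORTS]


def classify(status, body):
    """Return 'listing-enabled', 'listing-disabled' or 'inconclusive'."""
    if status == 200 and LISTING_MARKER.search(body):
        return "listing-enabled"
    if status in (403, 404):  # assumption: how a fixed server answers
        return "listing-disabled"
    return "inconclusive"  # e.g. a 200 page that is not an index


def check(url, timeout=5):
    """Fetch one URL and classify it; network errors are inconclusive."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", "replace")
            return classify(resp.status, body)
    except urllib.error.HTTPError as err:
        return classify(err.code, "")
    except (urllib.error.URLError, OSError):
        return "inconclusive"


if __name__ == "__main__":
    if len(sys.argv) > 1:  # live check against a host you operate
        for url in static_urls(sys.argv[1]):
            print(url, check(url))
    else:  # offline run on the constructed samples
        print(classify(200, SAMPLE_LISTING), classify(403, SAMPLE_FORBIDDEN))
```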