[ https://issues.apache.org/jira/browse/HADOOP-12584?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15093291#comment-15093291 ]
Hudson commented on HADOOP-12584:
---------------------------------
FAILURE: Integrated in Hadoop-trunk-Commit #9089 (See [https://builds.apache.org/job/Hadoop-trunk-Commit/9089/])
HADOOP-12584. Disable browsing the static directory in HttpServer2. (aajisaka: rev 56b9500bbd44b79c3c3be84a17c97502f923c6f8)
* hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/test/java/org/apache/hadoop/yarn/webapp/TestWebApp.java
* hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java
* hadoop-common-project/hadoop-common/CHANGES.txt
> Disable browsing the static directory in HttpServer2
> ----------------------------------------------------
>
> Key: HADOOP-12584
> URL: https://issues.apache.org/jira/browse/HADOOP-12584
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 2.8.0
> Reporter: Robert Kanter
> Assignee: Robert Kanter
> Fix For: 2.8.0
>
> Attachments: HADOOP-12584.001.patch, HADOOP-12584.002.patch,
> HADOOP-12584.003.patch, HADOOP-12584_branch-2.003.patch
>
>
> We found a minor security issue with the Yarn Web UIs (or anything using
> {{HttpServer2}}). Currently, you can list the contents of the {{/static}}
> directory for the RM, NM, and JHS. This isn't a huge deal, but there are
> some ways to abuse this to get access to files on the host, though it would
> be pretty difficult. It's also good practice to disable directory listing on
> web apps.
> Here are the URLs:
> - http://HOST:8088/static/
> - http://HOST:19888/static/
> - http://HOST:8042/static/
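A regression check for the behaviour this issue asks for, written as an added example and not taken from the Hadoop patch: it confirms that `/static/` no longer returns a generated index while files under it are still served. Python's `http.server` stands in for `HttpServer2` so the check runs offline; the handler names, the `app.css` file and the index-title patterns are assumptions.

```python
import functools, http.server, os, re, tempfile, threading
import urllib.error, urllib.request

# Titles of auto-generated index pages. The Jetty and Apache-style patterns are
# assumptions about typical server output, not strings taken from the issue.
LISTING = re.compile(r"<title>\s*(Directory: |Index of |Directory listing for )/", re.I)
# Ignore proxy environment variables so loopback requests stay local.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

class ListingHandler(http.server.SimpleHTTPRequestHandler):
    """Stand-in for the 'before' state: directories without an index are listed."""
    def log_message(self, *args):
        pass

class NoListingHandler(ListingHandler):
    """Stand-in for the 'after' state: files are served, indexes are refused."""
    def list_directory(self, path):
        self.send_error(403, "Directory listing disabled")
        return None

def fetch(url):
    try:
        with OPENER.open(url, timeout=5) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

def exposes_listing(base_url, path="/static/"):
    status, body = fetch(base_url + path)
    return status == 200 and bool(LISTING.search(body))

def audit(handler_cls):
    """Return (listing exposed?, HTTP status of a known static file)."""
    with tempfile.TemporaryDirectory() as root:  # constructed sample content
        os.mkdir(os.path.join(root, "static"))
        with open(os.path.join(root, "static", "app.css"), "w") as fh:
            fh.write("body{}")
        server = http.server.ThreadingHTTPServer(
            ("127.0.0.1", 0), functools.partial(handler_cls, directory=root))
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            base = "http://127.0.0.1:%d" % server.server_address[1]
            return exposes_listing(base), fetch(base + "/static/app.css")[0]
        finally:
            server.shutdown()
            server.server_close()

if __name__ == "__main__":
    print("listing enabled :", audit(ListingHandler))
    print("listing disabled:", audit(NoListingHandler))
```

Checking the file status alongside the listing result catches a fix that blocks the whole `/static` path instead of only the index.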