[https://issues.apache.org/jira/browse/HADOOP-15722?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16607336#comment-16607336]
Jason Lowe commented on HADOOP-15722:
-------------------------------------
The getRestrictedParserDefault method was added to address CVE-2017-15713 and
shipped as part of 2.7.5. The idea behind the fix is to restrict the parsing
of XML entities from a configuration Resource when that Resource may not be
trusted. Untrusted resources that are parsed from Resources that come from the
classpath are trusted, but resources that come from file streams as a proxy
user are not. When parsing configs outside of the classpath as a proxy user,
the contents are likely coming from conf data provided by a cluster user, and
we would need to restrict certain XML entities in those cases. Failing to do
so could expose the contents of local files on the server to the cluster user,
which is the crux of the CVE.
I'll try to work through the repro steps listed in SPARK-25330 to see if I can
reproduce the issue locally. If successful, it should be relatively
straightforward to see where the suspect conf is coming from and why it breaks
when parsing of that conf is restricted. Note that restricted parsing doesn't
mean the contents are not parsed at all, rather that the parser won't honor
certain requested directives in the XML stream.
> regression: Hadoop 2.7.7 release breaks spark submit
> ----------------------------------------------------
>
> Key: HADOOP-15722
> URL: https://issues.apache.org/jira/browse/HADOOP-15722
> Project: Hadoop Common
> Issue Type: Bug
> Components: build, conf, security
> Affects Versions: 2.7.7
> Reporter: Steve Loughran
> Priority: Major
>
> SPARK-25330 highlights that upgrading spark to hadoop 2.7.7 is causing a
> regression in client setup, with things only working when
> {{Configuration.getRestrictParserDefault(Object resource)}} = false.
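An added illustration (not Hadoop's own code) of the kind of restriction the comment describes: a JAXP DocumentBuilder configured to refuse DOCTYPE declarations parses an ordinary Hadoop-style configuration normally but rejects one that declares an external entity, before any local file is opened. The feature URIs are the standard Xerces/SAX ones; the class, method names, placeholder path and sample XML are my own.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXParseException;

public class RestrictedConfParse {

    // Parser that refuses any DOCTYPE, so no entity (internal, external or
    // parameter) can be declared, and therefore none can be resolved.
    static DocumentBuilder restrictedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Parse a Hadoop-style <configuration> and print its name/value pairs,
    // or report why the restricted parser rejected the document.
    static void parseConf(String label, String xml) throws Exception {
        try {
            Document doc = restrictedBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            NodeList props = doc.getElementsByTagName("property");
            for (int i = 0; i < props.getLength(); i++) {
                Element p = (Element) props.item(i);
                String name = p.getElementsByTagName("name").item(0).getTextContent();
                String value = p.getElementsByTagName("value").item(0).getTextContent();
                System.out.println(label + ": " + name + " = " + value);
            }
        } catch (SAXParseException e) {
            System.out.println(label + ": rejected (" + e.getMessage() + ")");
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: a plain property, and a DOCTYPE declaring an
        // external entity that points at a local file (placeholder path).
        String benign = "<configuration><property><name>fs.defaultFS</name>"
            + "<value>hdfs://nn:8020</value></property></configuration>";
        String entity = "<!DOCTYPE configuration [<!ENTITY f SYSTEM \"file:///placeholder/local/file\">]>"
            + "<configuration><property><name>leak</name><value>&f;</value></property></configuration>";
        parseConf("benign", benign);  // parses normally
        parseConf("entity", entity);  // DOCTYPE rejected; the file is never read
    }
}
```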
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)