elek opened a new pull request #1448: HDDS-2110. Arbitrary file can be downloaded with the help of ProfilerServlet
URL: https://github.com/apache/hadoop/pull/1448
 
 
   LOC 324 in the file [ProfileServlet.java|https://github.com/apache/hadoop/blob/217bdbd940a96986df3b96899b43caae2b5a9ed2/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/ProfileServlet.java] is prone to an arbitrary file download:
   {code:java}
   protected void doGetDownload(String fileName, final HttpServletRequest req,
       final HttpServletResponse resp) throws IOException {

     // fileName is the raw "file" request parameter: it is resolved against the
     // output directory without normalization or a containment check
     File requestedFile =
         ProfileServlet.OUTPUT_DIR.resolve(fileName).toAbsolutePath().toFile();
   {code}
   The String fileName is used directly as the requested file.

   This is called at LOC 180 with the HTTP request parameter passed directly:
   {code:java}
   if (req.getParameter("file") != null) {
     doGetDownload(req.getParameter("file"), req, resp);
     return;
   }
   {code}

   See: https://issues.apache.org/jira/browse/HDDS-2110

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
[email protected]


With regards,
Apache Git Services
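The following is an added illustration of the issue described in the PR above; it is not code from the pull request or from the Hadoop/Ozone project. It reproduces the unchecked `OUTPUT_DIR.resolve(fileName)` pattern against a hypothetical output directory and places a hardened variant beside it. The class name, the method names and the `/tmp/prof-output` directory are assumptions chosen for this example; the sample "file" parameter values are constructed.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example for HDDS-2110 (not project code).
 * OUTPUT_DIR below is a hypothetical stand-in for ProfileServlet.OUTPUT_DIR.
 * Path strings assume a POSIX file system.
 */
public class ProfileDownloadPathCheck {

  static final Path OUTPUT_DIR =
      Paths.get("/tmp/prof-output").toAbsolutePath().normalize();

  /** Mirrors the reported code: the request parameter becomes a path with no check. */
  static Path unsafeResolve(String fileName) {
    return OUTPUT_DIR.resolve(fileName).toAbsolutePath();
  }

  /**
   * Hardened variant: normalize first (collapses ".." segments), then require the
   * result to be a direct child of OUTPUT_DIR. Path.resolve() returns an absolute
   * argument unchanged, so "/etc/passwd" would otherwise escape just like "../..".
   */
  static Path safeResolve(String fileName) {
    if (fileName == null || fileName.isEmpty()) {
      throw new IllegalArgumentException("file parameter is required");
    }
    Path candidate = OUTPUT_DIR.resolve(fileName).toAbsolutePath().normalize();
    // OUTPUT_DIR.equals(null) is false, so a root candidate (null parent) is rejected safely.
    if (!candidate.startsWith(OUTPUT_DIR)
        || !OUTPUT_DIR.equals(candidate.getParent())) {
      throw new IllegalArgumentException("file parameter escapes output dir: " + fileName);
    }
    return candidate;
  }

  public static void main(String[] args) {
    // Constructed sample values for the "file" request parameter.
    String[] samples = {
        "profile-1.svg",          // legitimate output file
        "../../../etc/passwd",    // classic traversal, resolves outside OUTPUT_DIR
        "/etc/passwd",            // absolute path, returned as-is by resolve()
        "sub/x.svg"               // inside OUTPUT_DIR but not a direct child
    };
    for (String s : samples) {
      System.out.printf("%-22s unsafe -> %s%n", s, unsafeResolve(s));
      try {
        System.out.printf("%-22s safe   -> %s%n", s, safeResolve(s));
      } catch (IllegalArgumentException e) {
        System.out.printf("%-22s safe   -> rejected (%s)%n", s, e.getMessage());
      }
    }
  }
}
```

Running `main` shows `unsafeResolve` returning `/etc/passwd` for both the `../` and the absolute-path inputs, while `safeResolve` only accepts `profile-1.svg`. The check must run after `normalize()`, since `startsWith` on the un-normalized `/tmp/prof-output/../../../etc/passwd` would pass. Symlinks placed inside the output directory are not covered by this lexical check; comparing `toRealPath()` results, or restricting the parameter to an allow-listed file name pattern, closes that gap.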
