[ 
https://issues.apache.org/jira/browse/HADOOP-12584?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Haohui Mai updated HADOOP-12584:
--------------------------------
       Resolution: Fixed
     Hadoop Flags: Reviewed
    Fix Version/s: 2.8.0
           Status: Resolved  (was: Patch Available)

I've committed the patch to trunk and branch-2. Thanks [~rkanter] for the 
contribution.

> Disable browsing the static directory in HttpServer2
> ----------------------------------------------------
>
>                 Key: HADOOP-12584
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12584
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.8.0
>            Reporter: Robert Kanter
>            Assignee: Robert Kanter
>             Fix For: 2.8.0
>
>         Attachments: HADOOP-12584.001.patch, HADOOP-12584.002.patch
>
>
> We found a minor security issue with the Yarn Web UIs (or anything using 
> {{HttpServer2}}).  Currently, you can list the contents of the {{/static}} 
> directory for the RM, NM, and JHS.  This isn't a huge deal, but there are 
> some ways to abuse this to get access to files on the host, though it would 
> be pretty difficult.  It's also good practice to disable directory listing on 
> web apps.
> Here are the URLs:
> - http://HOST:8088/static/
> - http://HOST:19888/static/
> - http://HOST:8042/static/



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
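
A regression check for the behaviour described in the issue, as an added example that is not part of the original message or of the Hadoop patch: it requests `/static/` on the three ports quoted above and reports whether the response is an auto-generated directory index. The listing markers in `LISTING_RE`, the function names and the sample responses are assumptions made for illustration.

```python
import re
import urllib.error
import urllib.request

# Ports are the ones in the URLs quoted in the issue description.
PORTS = (8088, 19888, 8042)

# Assumption: an auto-generated index announces itself in <title>/<h1>.
LISTING_RE = re.compile(
    r"<(?:title|h1)>\s*(?:Directory:|Index of|Directory listing for)\s*/static/?",
    re.IGNORECASE,
)

# Constructed sample responses (status, Content-Type, body), not captured traffic.
SAMPLE_LISTING = (200, "text/html", "<HTML><HEAD><TITLE>Directory: /static/</TITLE></HEAD></HTML>")
SAMPLE_DENIED = (403, "text/html", "<html><body><h2>HTTP ERROR 403</h2></body></html>")


def looks_like_listing(status, content_type, body):
    """True when a GET /static/ response is a directory index page."""
    if status != 200 or "html" not in (content_type or "").lower():
        return False
    return LISTING_RE.search(body) is not None


def fetch(url, timeout=5):
    """Return (status, content type, first 64 KiB of body) for url."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", "replace")
            return resp.status, resp.headers.get("Content-Type", ""), body
    except urllib.error.HTTPError as err:  # 403/404 arrive as exceptions
        return err.code, err.headers.get("Content-Type", ""), ""


def audit(host, ports=PORTS, fetcher=fetch):
    """Map each /static/ URL to 'listing', 'no-listing' or 'unreachable'."""
    results = {}
    for port in ports:
        url = f"http://{host}:{port}/static/"
        try:
            verdict = "listing" if looks_like_listing(*fetcher(url)) else "no-listing"
        except OSError:  # URLError, refused connection, timeout
            verdict = "unreachable"
        results[url] = verdict
    return results


if __name__ == "__main__":
    import sys
    for url, verdict in audit(sys.argv[1] if len(sys.argv) > 1 else "localhost").items():
        print(f"{verdict:12} {url}")
```

Any `listing` verdict on a cluster running the fixed version means the daemon behind that port is still serving an index and should be checked against the deployed build.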