[ https://issues.apache.org/jira/browse/HADOOP-12584?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15020987#comment-15020987 ]
Hudson commented on HADOOP-12584:
---------------------------------
FAILURE: Integrated in Hadoop-Mapreduce-trunk #2635 (See
[https://builds.apache.org/job/Hadoop-Mapreduce-trunk/2635/])
Revert "HADOOP-12584. Disable browsing the static directory in (stevel: rev
a6f20d80de3adbebacd586a534b474030ff608e9)
* hadoop-common-project/hadoop-common/CHANGES.txt
* hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java
> Disable browsing the static directory in HttpServer2
> ----------------------------------------------------
>
> Key: HADOOP-12584
> URL: https://issues.apache.org/jira/browse/HADOOP-12584
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 2.8.0
> Reporter: Robert Kanter
> Assignee: Robert Kanter
> Fix For: 2.8.0
>
> Attachments: HADOOP-12584.001.patch, HADOOP-12584.002.patch
>
>
> We found a minor security issue with the Yarn Web UIs (or anything using
> {{HttpServer2}}). Currently, you can list the contents of the {{/static}}
> directory for the RM, NM, and JHS. This isn't a huge deal, but there are
> some ways to abuse this to get access to files on the host, though it would
> be pretty difficult. It's also good practice to disable directory listing on
> web apps.
> Here are the URLs:
> - http://HOST:8088/static/
> - http://HOST:19888/static/
> - http://HOST:8042/static/
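An added example (not part of the original message or of the Hadoop patch): a small check an operator can run against their own cluster to confirm whether `/static/` still serves a generated index on the three ports listed in the issue. The title markers it matches, the helper names and the canned responses are assumptions constructed for illustration.

```python
import re
import urllib.error
import urllib.request

# Default web UI ports from the URLs in the issue (ResourceManager, JobHistoryServer, NodeManager).
STATIC_PORTS = {"RM": 8088, "JHS": 19888, "NM": 8042}

# Assumption: a generated index page carries a "Directory: /static/" (Jetty-style)
# or "Index of /static/" title. Tune this for the server you run.
LISTING_RE = re.compile(r"<title>\s*(?:Directory:|Index of)\s*/static", re.IGNORECASE)

def is_directory_listing(status, content_type, body):
    """True when a response to GET /static/ looks like a generated index page."""
    if status != 200 or "html" not in (content_type or "").lower():
        return False
    return bool(LISTING_RE.search(body))

def fetch(url, timeout=5):
    """Return (status, content_type, body); HTTP error codes are results, not exceptions."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", "replace")
            return resp.status, resp.headers.get("Content-Type", ""), body
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Content-Type", ""), ""

def audit(host, fetcher=fetch):
    """Map each daemon to True (listing served), False (not served) or None (unreachable)."""
    results = {}
    for daemon, port in STATIC_PORTS.items():
        try:
            results[daemon] = is_directory_listing(*fetcher(f"http://{host}:{port}/static/"))
        except OSError:  # connection refused, timeout, DNS failure
            results[daemon] = None
    return results

if __name__ == "__main__":
    # Constructed responses: one daemon refusing the listing, one still serving it.
    canned = {
        8088: (403, "text/html", "<html><title>Error 403 FORBIDDEN</title></html>"),
        19888: (200, "text/html", "<HTML><HEAD><TITLE>Directory: /static/</TITLE></HEAD></HTML>"),
    }
    def fake_fetch(url):
        port = int(url.split(":")[2].split("/")[0])
        if port not in canned:
            raise ConnectionRefusedError(url)
        return canned[port]
    print(audit("HOST", fake_fetch))  # no network traffic: uses the canned responses
```

Running the file as a script exercises only the canned responses; call `audit("your-host")` with the default fetcher to check a live daemon you operate.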