Github user ptgoetz commented on a diff in the pull request:

    https://github.com/apache/incubator-storm/pull/91#discussion_r12020070
  
    --- Diff: storm-core/src/clj/backtype/storm/daemon/logviewer.clj ---
    @@ -30,9 +30,10 @@
                 [clojure.string :as string])
       (:gen-class))
     
    -(defn tail-file [path tail]
    +(defn tail-file [path tail root-dir]
       (let [flen (.length (clojure.java.io/file path))
             skip (- flen tail)]
    +    (if (.startsWith path root-dir)
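Review bot: the `(.startsWith path root-dir)` guard on the added line compares raw strings, so a `path` that begins with `root-dir` but contains `..` segments, or that names a sibling directory sharing the same prefix, still passes. Resolve both values with `.getCanonicalPath` on `(clojure.java.io/file ...)` and require the canonical path to start with the canonical root plus a trailing file separator. The guard also sits inside the `let`, after `(.length (clojure.java.io/file path))` has already touched the file, so move it ahead of that binding. Because `root-dir` is now an argument of `tail-file`, the caller should take it from server configuration, and the branch taken when the check fails (not visible in this hunk) should return an error instead of file content.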
    --- End diff --
    
    Yeah, good catch. This thing is an open http server for the entire file system. Thankfully it doesn't support POST or PUT.
    
    There's no reason we should allow the root-dir to be specified as a request parameter. That's insane. I pity the fool running this as root.
    
    Whatever the fix, I think it needs to be a high priority. I would also consider back porting the fix to earlier releases.

