[
https://issues.apache.org/jira/browse/STORM-269?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13982061#comment-13982061
]
ASF GitHub Bot commented on STORM-269:
--------------------------------------
Github user harshach commented on the pull request:
https://github.com/apache/incubator-storm/pull/91#issuecomment-41476622
I don't think log-root can be sent as http param its being read from storm
config .
https://github.com/apache/incubator-storm/blob/master/storm-core/src/clj/backtype/storm/daemon/logviewer.clj#L108
with @ptgoetz fix logviewer not able to read any other files apart from the
ones in storm.log.dir and log-root is not accepted via http param. I tested the
fix in centos 6.3 and windows 7, os x it works in plugging the security hole.
> Any readable file exposed via UI log viewer
> -------------------------------------------
>
> Key: STORM-269
> URL: https://issues.apache.org/jira/browse/STORM-269
> Project: Apache Storm (Incubating)
> Issue Type: Bug
> Affects Versions: 0.9.2-incubating
> Reporter: Jared Kuolt
> Assignee: P. Taylor Goetz
> Labels: security
>
> Note: This is actually version 0.9.0.1 but I couldn't choose that in the
> dropdown. I suspect that the problem still exists.
> I found that it's possible to access any readable file on the system via the
> UI worker log viewer. To reproduce, navigate to:
> http://<host:port>/log?file=../../../../../../../../etc/passwd
--
This message was sent by Atlassian JIRA
(v6.2#6252)
