Derek Dagit created HDFS-4162:
---------------------------------

Summary: Some malformed and unquoted HTML strings are returned from datanode web ui
Key: HDFS-4162
URL: https://issues.apache.org/jira/browse/HDFS-4162
Project: Hadoop HDFS
Issue Type: Bug
Components: data-node
Affects Versions: 0.23.4
Reporter: Derek Dagit
Priority: Minor

When browsing to the datanode at /browseDirectory.jsp, if a path with HTML characters is requested, the resulting error page echoes back the input unquoted.

Example:

http://localhost:50075/browseDirectory.jsp?dir=/<xss>&go=go&namenodeInfoPort=50070&nnaddr=localhost%3A9000

Writes an input element as part of the response:

<input name="dir" type="text" width="50" id"dir" value="/<xss>">

- The value of the "value" attribute is not quoted.
- An = must follow the "id" attribute name.
- Element "input" should have a closing tag.

The output should be something like:

<input name="dir" type="text" width="50" id="dir" value="/<xss>"/>

In addition, if one creates a directory:

hdfs dfs -put '/some/path/to/<xss>'

Then browsing to the parent of directory '<xss>' prints unquoted HTML in the directory names.