[ https://issues.apache.org/jira/browse/HDFS-6368?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andrew Wang reopened HDFS-6368:
-------------------------------

> TransferFsImage#receiveFile() should perform validation on fsImageName parameter
> --------------------------------------------------------------------------------
>
>                 Key: HDFS-6368
>                 URL: https://issues.apache.org/jira/browse/HDFS-6368
>             Project: Hadoop HDFS
>          Issue Type: Bug
>            Reporter: Ted Yu
>            Priority: Minor
>
> Currently only null check is performed:
> {code}
>       if (fsImageName == null) {
>         throw new IOException("No filename header provided by server");
>       }
>       newLocalPaths.add(new File(localPath, fsImageName));
> {code}
> Value of fsImageName, obtained from HttpURLConnection header, may be tainted.
> This may allow an attacker to access, modify, or test the existence of
> critical or sensitive files.

--
This message was sent by Atlassian JIRA
(v6.2#6252)