[
https://issues.apache.org/jira/browse/HDFS-13636?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Daniel Templeton updated HDFS-13636:
------------------------------------
Resolution: Fixed
Hadoop Flags: Reviewed
Fix Version/s: 3.0.4
3.1.1
3.2.0
Status: Resolved (was: Patch Available)
Thanks for the patch, [~billyean]! Committed to trunk, branch-3.1, and
branch-3.0.
> Cross-Site Scripting vulnerability in HttpServer2
> -------------------------------------------------
>
> Key: HDFS-13636
> URL: https://issues.apache.org/jira/browse/HDFS-13636
> Project: Hadoop HDFS
> Issue Type: Bug
> Reporter: Haibo Yan
> Assignee: Haibo Yan
> Priority: Major
> Fix For: 3.2.0, 3.1.1, 3.0.4
>
> Attachments: HDFS-13636.1.patch, HDFS-13636.2.patch
>
>
> A couple if CSS attack issues were found in our fortify test run.
> One of example in
> hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java
> {code:java}
> // code placeholder
> if (servletContext.getAttribute(ADMINS_ACL) != null &&
> !userHasAdministratorAccess(servletContext, remoteUser)) {
> response.sendError(HttpServletResponse.SC_FORBIDDEN, "User "
> + remoteUser + " is unauthorized to access this page.");
> return false;
> }{code}
>
> Suggest fix is remove remoteUser from the page, and log it.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
