[ 
https://issues.apache.org/jira/browse/HDDS-2110?focusedWorklogId=313599&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-313599
 ]

ASF GitHub Bot logged work on HDDS-2110:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 17/Sep/19 10:15
            Start Date: 17/Sep/19 10:15
    Worklog Time Spent: 10m 
      Work Description: elek commented on issue #1448: HDDS-2110. Arbitrary file can be downloaded with the help of ProfilerServlet
URL: https://github.com/apache/hadoop/pull/1448#issuecomment-532157442
 
 
   I made it safer (strict validation of the file name based on the original pattern). Now the HTTP headers are also safe (until now we printed out the file name in the header even if it contained a newline character).
   
   And we don't need to suppress any findbugs warning.
 
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


Issue Time Tracking
-------------------

    Worklog Id:     (was: 313599)
    Time Spent: 1h  (was: 50m)

> Arbitrary file can be downloaded with the help of ProfilerServlet
> -----------------------------------------------------------------
>
>                 Key: HDDS-2110
>                 URL: https://issues.apache.org/jira/browse/HDDS-2110
>             Project: Hadoop Distributed Data Store
>          Issue Type: Bug
>          Components: Native
>            Reporter: Aayush
>            Assignee: Elek, Marton
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 1h
>  Remaining Estimate: 0h
>
> The LOC 324 in the file 
> [ProfileServlet.java|https://github.com/apache/hadoop/blob/217bdbd940a96986df3b96899b43caae2b5a9ed2/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/ProfileServlet.java]
>  is prone to an arbitrary file download:-
> {code:java}
> protected void doGetDownload(String fileName, final HttpServletRequest req,
>     final HttpServletResponse resp) throws IOException {
>   // fileName arrives straight from the request and is resolved without any validation
>   File requestedFile =
>       ProfileServlet.OUTPUT_DIR.resolve(fileName).toAbsolutePath().toFile();
>   // ...
> }
> {code}
> The String fileName is used directly as the requested file.
>  
> It is called at LOC 180 with the HTTP request parameter passed directly:-
> {code:java}
> if (req.getParameter("file") != null) {
>   // the user-controlled "file" parameter flows straight into doGetDownload
>   doGetDownload(req.getParameter("file"), req, resp);
>   return;
> }
> {code}
>  
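The two snippets quoted in the description show the unvalidated `resolve()` call, and elek's comment describes the fix as strict validation of the file name plus HTTP headers that no longer carry a raw, possibly newline-containing name. The following is an added example, not Hadoop's ProfileServlet code and not the patch from PR #1448, that puts the unchecked resolution next to a hardened version with the three checks a reviewer would look for: an allow-list on the name, a containment check on the resolved path, and a header value built only from the validated name. The `OUTPUT_DIR` value, the `SAFE_NAME` pattern and all method names are assumptions for illustration; the actual pattern used in the fix is not shown on this page.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

/**
 * Added example, not Hadoop code: contrasts the unvalidated Path.resolve()
 * from the issue description with a defensive download handler.
 * OUTPUT_DIR, SAFE_NAME and the method names are assumptions.
 */
public class ProfileDownloadCheck {

  // Assumed output directory; the servlet's real OUTPUT_DIR is not shown on the page.
  static final Path OUTPUT_DIR =
      Paths.get("/tmp/prof-output").toAbsolutePath().normalize();

  // Assumed allow-list for profiler output names: letters, digits, '-', '_'
  // and one of a few fixed extensions. No path separators, no '..', no whitespace.
  static final Pattern SAFE_NAME =
      Pattern.compile("^[A-Za-z0-9_-]+\\.(svg|html|txt)$");

  /** The pattern from the report: whatever the client sent is resolved as-is. */
  static Path resolveUnchecked(String fileName) {
    return OUTPUT_DIR.resolve(fileName).toAbsolutePath();
  }

  /** Hardened resolution: strict name validation, then a containment check. */
  static Path resolveChecked(String fileName) {
    if (fileName == null || !SAFE_NAME.matcher(fileName).matches()) {
      throw new IllegalArgumentException("invalid file name");
    }
    Path resolved = OUTPUT_DIR.resolve(fileName).normalize();
    // Defence in depth: even a name that passed the regex must stay under OUTPUT_DIR.
    if (!resolved.startsWith(OUTPUT_DIR)) {
      throw new IllegalArgumentException("path escapes output directory");
    }
    return resolved;
  }

  /** Header value built from an already validated name; CR/LF is rejected outright. */
  static String contentDisposition(String validatedName) {
    if (validatedName.indexOf('\r') >= 0 || validatedName.indexOf('\n') >= 0) {
      throw new IllegalArgumentException("control characters in header value");
    }
    return "attachment; filename=\"" + validatedName + "\"";
  }

  public static void main(String[] args) {
    // Constructed inputs: a normal name, a traversal attempt, a name with CRLF.
    String[] inputs = {
      "profile-1234.svg",
      "../../etc/passwd",
      "x.svg\r\nSet-Cookie: a=b"
    };
    for (String in : inputs) {
      System.out.println("unchecked -> " + resolveUnchecked(in));
      try {
        Path p = resolveChecked(in);
        System.out.println("checked   -> " + p + "  [" + contentDisposition(in) + "]");
      } catch (IllegalArgumentException e) {
        System.out.println("checked   -> rejected: " + e.getMessage());
      }
    }
  }
}
```

The regex alone would already reject the second and third inputs; the `startsWith(OUTPUT_DIR)` check is kept so that a future loosening of the pattern cannot silently reintroduce traversal, and the header check stays separate because the header is a different sink from the file system.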



--
This message was sent by Atlassian Jira
(v8.3.2#803003)
