[ https://issues.apache.org/jira/browse/HDFS-4901?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13813708#comment-13813708 ]
Junping Du commented on HDFS-4901:
----------------------------------
I think the answer is probably no. Basically, you should switch branch from
trunk to branch-1 and set up the build env by following:
http://wiki.apache.org/hadoop/BuildingHadoopFromSVN. When your env is ready to
go, make your changes, run ant test and paste your test results (not increasing new
failures or warnings) in JIRA. The committer will review your patch based on
your changes and results. I think this is the current branch-1 process.
> Site Scripting and Phishing Through Frames in browseDirectory.jsp
> -----------------------------------------------------------------
>
> Key: HDFS-4901
> URL: https://issues.apache.org/jira/browse/HDFS-4901
> Project: Hadoop HDFS
> Issue Type: Bug
> Components: security, webhdfs
> Affects Versions: 1.2.1
> Reporter: Jeffrey E Rodriguez
> Assignee: Vivek Ganesan
> Priority: Blocker
> Attachments: HDFS-4901.patch, HDFS-4901.patch.1
>
> Original Estimate: 24h
> Time Spent: 24h
> Remaining Estimate: 0h
>
> It is possible to steal or manipulate customer session and cookies, which
> might be used to impersonate a legitimate user,
> allowing the hacker to view or alter user records, and to perform
> transactions as that user.
> e.g.
> GET /browseDirectory.jsp? dir=%2Fhadoop'"/><script>alert(759)</script>
> &namenodeInfoPort=50070
> Also;
> Phishing Through Frames
> Try:
> GET /browseDirectory.jsp?
> dir=%2Fhadoop%27%22%3E%3Ciframe+src%3Dhttp%3A%2F%2Fdemo.testfire.net%2Fphishing.html%3E
> &namenodeInfoPort=50070 HTTP/1.1
> Cookie: JSESSIONID=qd9i8tuccuam1cme71swr9nfi
> Accept-Language: en-US
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;
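The class of fix the issue description calls for, as an added example that is not part of the JIRA thread, the attached patches, or the Hadoop code base: the `dir` request value is HTML-encoded at the point of output. The class `DirParamEncoding`, its methods and the `<input>` markup are assumptions for illustration; the page does not show how browseDirectory.jsp emits `dir`.

```java
import java.net.URLDecoder;

public class DirParamEncoding {
    // Encode the characters that let a value escape HTML text or a quoted attribute.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Assumed "before": the request value is concatenated straight into markup.
    static String renderUnsafe(String dir) {
        return "<input type=\"text\" name=\"dir\" value=\"" + dir + "\"/>";
    }

    // "After": the same markup with the value encoded at the point of output.
    static String renderSafe(String dir) {
        return "<input type=\"text\" name=\"dir\" value=\"" + escapeHtml(dir) + "\"/>";
    }

    public static void main(String[] args) throws Exception {
        // The two dir values quoted in the issue description, as sent on the wire.
        String[] rawValues = {
            "%2Fhadoop'\"/><script>alert(759)</script>",
            "%2Fhadoop%27%22%3E%3Ciframe+src%3Dhttp%3A%2F%2Fdemo.testfire.net%2Fphishing.html%3E"
        };
        for (String raw : rawValues) {
            // Decoded form, as request.getParameter("dir") would return it.
            String dir = URLDecoder.decode(raw, "UTF-8");
            String safe = renderSafe(dir);
            // Regression check: no injected element may survive encoding.
            if (safe.contains("<script") || safe.contains("<iframe")) {
                throw new AssertionError("markup survived encoding: " + safe);
            }
            System.out.println("unsafe: " + renderUnsafe(dir));
            System.out.println("safe:   " + safe);
        }
    }
}
```

This encoding covers HTML text and quoted-attribute contexts only; a value written into a URL or a script block needs the encoder for that context.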