[
https://issues.apache.org/jira/browse/FLINK-3478?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15159325#comment-15159325
]
ASF GitHub Bot commented on FLINK-3478:
---------------------------------------
GitHub user uce opened a pull request:
https://github.com/apache/flink/pull/1697
[FLINK-3478] [runtime-web] Don't serve files outside of web folder
Previously it was possible to request arbitrary files via the web interface
by specifying a relative file path (this usually does not work with curl,
browsers etc., which resolve the relative paths before sending the GET request)
or copying any loadable resources (like Flink config) to the tmp directory.
This fix tries to ensure that it does not happen any more.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/uce/flink 3478-oh_oh
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/flink/pull/1697.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #1697
----
commit db39687abb4c17e71e46e98aeb618d175fd06680
Author: Ufuk Celebi <[email protected]>
Date: 2016-02-23T18:01:05Z
[FLINK-3478] [runtime-web] Don't serve files outside of web folder
----
> Flink serves arbitrary files through the web interface
> -----------------------------------------------------
>
> Key: FLINK-3478
> URL: https://issues.apache.org/jira/browse/FLINK-3478
> Project: Flink
> Issue Type: Bug
> Components: Webfrontend
> Affects Versions: 0.10.0, 1.0.0, 0.10.1
> Reporter: Maximilian Michels
> Assignee: Ufuk Celebi
> Priority: Blocker
> Fix For: 1.0.0, 0.10.3
>
>
> Flink serves arbitrary files through the web server of the 8081 port, e.g.
> {{../../../../../../../../../../etc/passwd}}.
> The requested path needs to be validated before it is served.
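An added example, not Flink's code and not taken from the pull request: one way to validate a requested path before serving it, as the issue asks. The class `WebRootResolver`, its `resolve` method and the sample directory layout are hypothetical, and the request path is assumed to be already URL-decoded.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.util.Optional;

/** Hypothetical helper (not Flink's code): maps a request path to a file inside webRoot or rejects it. */
public final class WebRootResolver {

    /** Returns the file to serve, or empty if the request leaves webRoot or is not a regular file. */
    static Optional<Path> resolve(Path webRoot, String requestPath) throws IOException {
        Path root = webRoot.toRealPath();                   // canonical root, symlinks resolved
        // Drop leading slashes so the request is never treated as an absolute path.
        String relative = requestPath.replaceFirst("^/+", "");
        Path candidate;
        try {
            candidate = root.resolve(relative).normalize(); // collapses "." and ".."
        } catch (InvalidPathException e) {
            return Optional.empty();                        // e.g. embedded NUL character
        }
        // Lexical check: Path.startsWith compares whole name elements, so
        // "/srv/web-evil" does not count as being under "/srv/web".
        if (!candidate.startsWith(root) || !Files.isRegularFile(candidate)) {
            return Optional.empty();
        }
        // Symlink check: the real location must still be under the root.
        Path real = candidate.toRealPath();
        return real.startsWith(root) ? Optional.of(real) : Optional.empty();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout: <tmp>/web/index.html and <tmp>/secret.conf
        Path base = Files.createTempDirectory("webroot-demo");
        Path web = Files.createDirectory(base.resolve("web"));
        Files.writeString(web.resolve("index.html"), "<html></html>");
        Files.writeString(base.resolve("secret.conf"), "key=value");

        String[] requests = {
            "/index.html",
            "/../secret.conf",
            "/../../../../../../../../../../etc/passwd",
            "/missing.html"
        };
        for (String r : requests) {
            System.out.println(r + " -> " + (resolve(web, r).isPresent() ? "served" : "rejected"));
        }
    }
}
```

Only `/index.html` is served; the two traversal requests normalize to paths outside the web root and are rejected, as is the nonexistent file.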