[jira] [Commented] (FLINK-3478) Flink serves arbitary files through the web interface

ASF GitHub Bot (JIRA) Tue, 23 Feb 2016 16:13:32 -0800

    [ 
https://issues.apache.org/jira/browse/FLINK-3478?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15159931#comment-15159931
 ]


ASF GitHub Bot commented on FLINK-3478:
---------------------------------------

Github user uce commented on the pull request:

    https://github.com/apache/flink/pull/1697#issuecomment-187979852
  
    Just verified via telnet that this fixes the issue by comparing behaviour 
in 1.0.0 RC0 and this PR.
    
    Would be nice if someone confirms this. The error happens when you specify 
a get request like 
    
    ```
    GET ../../../../../../../Users/ufuk/.travis/config.yml HTTP/1.1
    Host: localhost
    ```
    
    The path is relative to the temp directory used for the web server files.


> Flink serves arbitary files through the web interface
> -----------------------------------------------------
>
>                 Key: FLINK-3478
>                 URL: https://issues.apache.org/jira/browse/FLINK-3478
>             Project: Flink
>          Issue Type: Bug
>          Components: Webfrontend
>    Affects Versions: 0.10.0, 1.0.0, 0.10.1
>            Reporter: Maximilian Michels
>            Assignee: Ufuk Celebi
>            Priority: Blocker
>             Fix For: 1.0.0, 0.10.3
>
>
> Flink serves arbitrary files through the web server of the 8081 port, e.g. 
> {{../../../../../../../../../../etc/passwd}}.
> The requested path needs to be validated before it is served.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (FLINK-3478) Flink serves arbitary files through the web interface

Reply via email to