[jira] [Closed] (FLINK-20916) JobManagerCustomLogHandlerTest.testGetJobManagerCustomLogsExistingButForbiddenFileWithObfuscatedPath can be deleted

Robert Metzger (Jira) Wed, 13 Jan 2021 07:06:07 -0800


     [ 
https://issues.apache.org/jira/browse/FLINK-20916?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Robert Metzger closed FLINK-20916.
----------------------------------
    Fix Version/s: 1.13.0
       Resolution: Fixed

Thanks for catching and fixing this.

Merged to master in 
https://github.com/apache/flink/commit/37dc5b9da90d770c60adcfdd40bc9504e79b4814.

> JobManagerCustomLogHandlerTest.testGetJobManagerCustomLogsExistingButForbiddenFileWithObfuscatedPath
>  can be deleted
> -------------------------------------------------------------------------------------------------------------------
>
>                 Key: FLINK-20916
>                 URL: https://issues.apache.org/jira/browse/FLINK-20916
>             Project: Flink
>          Issue Type: Bug
>          Components: Runtime / REST
>            Reporter: nate
>            Assignee: Matthias
>            Priority: Trivial
>              Labels: pull-request-available
>             Fix For: 1.13.0
>
>
>  
> The 
> [testGetJobManagerCustomLogsExistingButForbiddenFileWithObfuscatedPath|https://github.com/apache/flink/blob/b561010b0ee741543c3953306037f00d7a9f0801/flink-runtime/src/test/java/org/apache/flink/runtime/rest/handler/cluster/JobManagerCustomLogHandlerTest.java#L149]
>  test for CVE-2020-17519 Path Traversal has a typo that causes it to 
> inaccurately test for the vuln. 
> It uses for format string "..%%252%s" when it should be "..%%252f%s".



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Closed] (FLINK-20916) JobManagerCustomLogHandlerTest.testGetJobManagerCustomLogsExistingButForbiddenFileWithObfuscatedPath can be deleted

Reply via email to