[
https://issues.apache.org/jira/browse/HBASE-15946?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15325453#comment-15325453
]
Hudson commented on HBASE-15946:
--------------------------------
SUCCESS: Integrated in HBase-1.2 #647 (See
[https://builds.apache.org/job/HBase-1.2/647/])
HBASE-15946 Eliminate possible security concerns in RS web UI's store (antonov:
rev d2d3dcdaec0412614badf77f866b89256296d8f4)
* hbase-server/src/main/resources/hbase-webapps/regionserver/storeFile.jsp
*
hbase-server/src/main/java/org/apache/hadoop/hbase/io/hfile/HFilePrettyPrinter.java
> Eliminate possible security concerns in RS web UI's store file metrics
> ----------------------------------------------------------------------
>
> Key: HBASE-15946
> URL: https://issues.apache.org/jira/browse/HBASE-15946
> Project: HBase
> Issue Type: Bug
> Affects Versions: 1.3.0, 1.2.1
> Reporter: Sean Mackrory
> Assignee: Sean Mackrory
> Fix For: 1.3.0, 1.2.2
>
> Attachments: HBASE-15946-branch-1.3-mantonov.diff,
> HBASE-15946-v1.patch, HBASE-15946-v2.patch, HBASE-15946-v3.patch
>
>
> More from static code analysis: it warns about the invoking of a separate
> command ("hbase hfile -s -f ...") as a possible security issue in
> hbase-server/src/main/resources/hbase-webapps/regionserver/storeFile.jsp.
> It looks to me like one cannot inject arbitrary shell script or even
> arbitrary arguments: ProcessBuilder makes that fairly safe and only allows
> the user to specify the argument that comes after -f. However that does
> potentially allow them to have the daemon's user access files they shouldn't
> be able to touch, albeit only for reading.
> To more explicitly eliminate any threats here, we should add some validation
> that the file is at least within HBase's root directory and use the Java API
> directly instead of invoking a separate executable.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
