[ https://issues.apache.org/jira/browse/HBASE-15946?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15351424#comment-15351424 ]
Hudson commented on HBASE-15946: -------------------------------- FAILURE: Integrated in HBase-0.98-on-Hadoop-1.1 #1231 (See [https://builds.apache.org/job/HBase-0.98-on-Hadoop-1.1/1231/]) HBASE-15946 Eliminate possible security concerns in RS web UI's store (apurtell: rev 947e74efa7eb92eec9b8b02cf2c73d5391be0ab1) * hbase-server/src/main/resources/hbase-webapps/rest/rest.jsp * hbase-server/src/main/java/org/apache/hadoop/hbase/io/hfile/HFilePrettyPrinter.java > Eliminate possible security concerns in RS web UI's store file metrics > ---------------------------------------------------------------------- > > Key: HBASE-15946 > URL: https://issues.apache.org/jira/browse/HBASE-15946 > Project: HBase > Issue Type: Bug > Affects Versions: 1.3.0, 1.2.1 > Reporter: Sean Mackrory > Assignee: Sean Mackrory > Fix For: 2.0.0, 1.3.0, 1.4.0, 1.2.2, 0.98.21 > > Attachments: HBASE-15946-branch-1.3-mantonov.diff, > HBASE-15946-v1.patch, HBASE-15946-v2.patch, HBASE-15946-v3.patch > > > More from static code analysis: it warns about the invoking of a separate > command ("hbase hfile -s -f ...") as a possible security issue in > hbase-server/src/main/resources/hbase-webapps/regionserver/storeFile.jsp. > It looks to me like one cannot inject arbitrary shell script or even > arbitrary arguments: ProcessBuilder makes that fairly safe and only allows > the user to specify the argument that comes after -f. However that does > potentially allow them to have the daemon's user access files they shouldn't > be able to touch, albeit only for reading. > To more explicitly eliminate any threats here, we should add some validation > that the file is at least within HBase's root directory and use the Java API > directly instead of invoking a separate executable. -- This message was sent by Atlassian JIRA (v6.3.4#6332)