[
https://issues.apache.org/jira/browse/MAPREDUCE-165?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14522903#comment-14522903
]
Darrell Taylor commented on MAPREDUCE-165:
------------------------------------------
OK, I've had a quick look through this, and the two places I can find where
file.out and file.out.index are created are in MROutputFiles.java and
YarnOutputFiles.java; both of these push all their work through
LocalDirAllocator.java and ultimately Path.java.
So I'd presume (maybe incorrectly) that LocalDirAllocator and Path both protect
against ".." attacks? I'll spend a bit more time looking through them to try
and understand how they work. But the map output classes look sensible.
The one thing that did make me wonder, though, is this piece of code that appears
in LocalDirAllocator: it strips off the leading /, which could result in a
".." attack, but that may be picked up in the Path class.
{code}
// remove the leading slash from the path (to make sure that the uri
// resolution results in a valid path on the dir being checked)
if (pathStr.startsWith("/")) {
  pathStr = pathStr.substring(1);
}
{code}
> the map task output servlet doesn't protect against ".." attacks
> ----------------------------------------------------------------
>
> Key: MAPREDUCE-165
> URL: https://issues.apache.org/jira/browse/MAPREDUCE-165
> Project: Hadoop Map/Reduce
> Issue Type: Bug
> Reporter: Owen O'Malley
> Labels: newbie, security
>
> The servlet we use to export the map outputs doesn't protect itself against
> ".." attacks. However, because the code adds a /file.out.index and /file.out
> to it, it can only be used to read files with those names.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
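As an added illustration of the point raised in the comment above (this is example code, not Hadoop's LocalDirAllocator or Path), the following shows why stripping a leading "/" on its own does not stop ".." traversal, and what a defensive check looks like: resolve the untrusted value under the base directory, append the fixed "/file.out.index" suffix, normalize, and refuse anything that no longer starts with the base. The class and method names are hypothetical and the base directory is a constructed sample value.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public class MapOutputPathCheck {

    // Hypothetical helper (not Hadoop code): resolve an untrusted identifier
    // under baseDir with the fixed suffix appended, and reject any result
    // that escapes baseDir after normalization.
    static Path resolveUnderBase(Path baseDir, String untrusted, String suffix) {
        Path base = baseDir.toAbsolutePath().normalize();

        // Strip a leading "/" the same way the quoted LocalDirAllocator code does.
        // This only makes the value relative; it does nothing about "..", which is
        // why the normalize() and startsWith() checks below are still required.
        String rel = untrusted.startsWith("/") ? untrusted.substring(1) : untrusted;

        // Appending "/file.out.index" does not help either: ".." segments in
        // the untrusted part are resolved before the suffix is reached.
        Path candidate = base.resolve(rel + suffix).normalize();

        // The real defence: the normalized result must stay under the base dir.
        if (!candidate.startsWith(base)) {
            throw new IllegalArgumentException("path escapes base dir: " + untrusted);
        }
        return candidate;
    }

    public static void main(String[] args) {
        Path base = Paths.get("/tmp/mapred/local"); // constructed sample base dir

        // Well-formed request: stays under the base directory.
        System.out.println(resolveUnderBase(base, "/attempt_1/output", "/file.out.index"));

        // Traversal attempt: leading "/" is stripped, but ".." still climbs out,
        // so the prefix check rejects it.
        try {
            resolveUnderBase(base, "/../../outside/dir", "/file.out.index");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same prefix check should be applied after normalization regardless of whether the servlet appends a fixed file name, since the suffix constrains only which file is read, not which directory it is read from.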