[jira] [Created] (HDFS-13636) Security Cross-Site Scripting issue in HDFS code
Haibo Yan created HDFS-13636:
Summary: Security Cross-Site Scripting issue in HDFS code
Key: HDFS-13636
URL: https://issues.apache.org/jira/browse/HDFS-13636
Project: Hadoop HDFS
Issue Type: Bug
Reporter: Haibo Yan
Assignee: Haibo Yan
A couple if CSS attack issues were found in our fortify test run.
One of example in
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java
{code:java}
// code placeholder
if (servletContext.getAttribute(ADMINS_ACL) != null &&
!userHasAdministratorAccess(servletContext, remoteUser)) {
response.sendError(HttpServletResponse.SC_FORBIDDEN, "User "
+ remoteUser + " is unauthorized to access this page.");
return false;
}{code}
List of issues also were found at
hadoop-common-project/hadoop-auth-examples/src/main/java/org/apache/hadoop/security/authentication/examples/WhoServlet.java
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer.java
Suggest fix is remove remoteUser from the page, and log it.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
-
To unsubscribe, e-mail: hdfs-dev-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-dev-h...@hadoop.apache.org
[jira] [Created] (HDFS-13231) Extend visualization for Maintenance Mode under Datanode tab in the NameNode UI
Haibo Yan created HDFS-13231:
Summary: Extend visualization for Maintenance Mode under Datanode
tab in the NameNode UI
Key: HDFS-13231
URL: https://issues.apache.org/jira/browse/HDFS-13231
Project: Hadoop HDFS
Issue Type: Bug
Components: datanode, namenode
Affects Versions: 3.0.1
Reporter: Haibo Yan
With HDFS-9391, table view is using css dynamic class name to match the state
{code:html|title=hadoop/hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/hdfs/dfshealth.html}
{name} ({xferaddr})
{code}
Some css is missing when the datanode is going to
{code:javascript|title=hadoop/hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/hdfs/dfshealth.js}
if (n.adminState === "In Service") {
n.state = "alive";
} else if (nodes[i].adminState === "Decommission In Progress") {
n.state = "decommissioning";
} else if (nodes[i].adminState === "Decommissioned") {
n.state = "decommissioned";
} else if (nodes[i].adminState === "Entering Maintenance") {
n.state = "entering-maintenance";
} else if (nodes[i].adminState === "In Maintenance") {
n.state = "in-maintenance";
}
{code}
dfshealth-node-decommissioning, dfshealth-node-entering-maintenance,
dfshealth-node-in-maintenance should be added into hadoop.css
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
-
To unsubscribe, e-mail: hdfs-dev-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-dev-h...@hadoop.apache.org
[jira] [Created] (HDFS-13106) Need to exercise all HDFS APIs for EC
Haibo Yan created HDFS-13106: Summary: Need to exercise all HDFS APIs for EC Key: HDFS-13106 URL: https://issues.apache.org/jira/browse/HDFS-13106 Project: Hadoop HDFS Issue Type: Bug Components: hdfs Reporter: Haibo Yan Exercise FileSystem API to make sure all APIs works as expected under Erasure Coding feature enabled -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail: hdfs-dev-unsubscr...@hadoop.apache.org For additional commands, e-mail: hdfs-dev-h...@hadoop.apache.org
