Uploaded image for project: 'Hadoop Common'
  1. Hadoop Common
  2. HADOOP-12584

Disable browsing the static directory in HttpServer2

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 2.8.0
    • 2.8.0, 3.0.0-alpha1
    • security
    • None
    • Reviewed

    Description

      We found a minor security issue with the Yarn Web UIs (or anything using HttpServer2. Currently, you can list the contents of the /static directory for the RM, NM, and JHS. This isn't a huge deal, but there are some ways to abuse this to get access to files on the host, though it would be pretty difficult. It's also good practice to disable directory listing on web apps.

      Here are the URLs:

      Attachments

        1. HADOOP-12584.003.patch
          2 kB
          Robert Kanter
        2. HADOOP-12584.002.patch
          0.9 kB
          Robert Kanter
        3. HADOOP-12584.001.patch
          0.8 kB
          Robert Kanter
        4. HADOOP-12584_branch-2.003.patch
          2 kB
          Robert Kanter

        Issue Links

          breaks

          Bug - A problem which impairs or prevents the functions of the product. YARN-4379 TestWebApp failing in trunk

          • Major - Major loss of function.
          • Resolved

          Activity

            People

              rkanter Robert Kanter
              rkanter Robert Kanter
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: