Hadoop Common
HADOOP-6441

Prevent remote CSS attacks in Hostname and UTF-7.

Details

• Type: Bug
• Status: Closed
• Priority: Major
• Resolution: Fixed
• Affects Version/s: None
• Fix Version/s: 0.21.0
• Component/s: security
• Labels: None
• Hadoop Flags: Reviewed
• Release Note: Quotes the characters coming out of getRequestUrl and getServerName in HttpServer.java as per the specification in HADOOP-6151.

Description

There are currently cross-site scripting (CSS, i.e. XSS) vulnerabilities in Hadoop's Web UI.
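As an added illustration (not Hadoop's own HttpServer code), here is a servlet that echoes the client-controlled Host header and request URL in the way the release note describes: both values are HTML-quoted before being written, and the response declares UTF-8 so the browser has no reason to sniff the body as UTF-7. The class and helper names are hypothetical, the quoting table is a minimal one rather than the HADOOP-6151 specification, and the servlet method the release note calls getRequestUrl is getRequestURL().

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical servlet showing the two fixes: HTML quoting and an explicit charset. */
public class SafeHostEchoServlet extends HttpServlet {

  /** Minimal HTML quoting for text placed in element content or quoted attributes. */
  static String quoteHtml(String s) {
    if (s == null) {
      return "";
    }
    StringBuilder sb = new StringBuilder(s.length());
    for (int i = 0; i < s.length(); i++) {
      char c = s.charAt(i);
      switch (c) {
        case '&':  sb.append("&amp;");  break;
        case '<':  sb.append("&lt;");   break;
        case '>':  sb.append("&gt;");   break;
        case '"':  sb.append("&quot;"); break;
        case '\'': sb.append("&#39;");  break;
        default:   sb.append(c);
      }
    }
    return sb.toString();
  }

  @Override
  protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
    // Declaring the charset removes the browser's need to guess the encoding,
    // which is what a UTF-7 payload in an unlabelled page depends on.
    resp.setContentType("text/html; charset=UTF-8");
    PrintWriter out = resp.getWriter();

    // getServerName() is derived from the Host header the client sent, so it
    // must not be concatenated into the page raw; the same holds for the
    // request URL, which echoes the path the client asked for.
    String host = quoteHtml(req.getServerName());
    String url = quoteHtml(req.getRequestURL().toString());

    out.println("<html><body>");
    out.println("<h1>" + host + "</h1>");
    out.println("<p>" + url + "</p>");
    out.println("</body></html>");
  }
}
```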

Attachments

1. h-6441.patch (2 kB, Owen O'Malley)
2. h-6441.20.patch (21 kB, Owen O'Malley)

Activity

Transition                    Time In Source Status   Execution Times   Last Executer    Last Execution Date
Open -> Patch Available       9h 53m                  1                 Owen O'Malley    15/Dec/09 08:27
Patch Available -> Resolved   22h 34m                 1                 Owen O'Malley    16/Dec/09 07:01
Resolved -> Closed            251d 13h 39m            1                 Tom White        24/Aug/10 21:41
Tom White made changes -
Status: Resolved [ 5 ] -> Closed [ 6 ]
Devaraj Das made changes -
Release Note: Quotes the characters coming out of getRequestUrl and getServerName in HttpServer.java as per the specification in HADOOP-6151.
Hudson added a comment -

Integrated in Hadoop-Common-trunk #189 (See http://hudson.zones.apache.org/hudson/job/Hadoop-Common-trunk/189/)
. Protect web ui from cross site scripting attacks (XSS) on the host http header and using encoded utf-7. (omalley)
Owen O'Malley made changes -
Status: Patch Available [ 10002 ] -> Resolved [ 5 ]
Hadoop Flags: [Reviewed]
Resolution: Fixed [ 1 ]
Owen O'Malley added a comment -

This patch passes all of the unit tests on my dev box.
Hudson added a comment -

Integrated in Hadoop-Common-trunk-Commit #118 (See http://hudson.zones.apache.org/hudson/job/Hadoop-Common-trunk-Commit/118/)
. Protect web ui from cross site scripting attacks (XSS) on the host http header and using encoded utf-7. (omalley)
Owen O'Malley made changes -
Attachment: h-6441.20.patch [ 12428133 ]
Owen O'Malley added a comment -

This is the patch for the yahoo 20 branch that includes HADOOP-6151, HADOOP-6281, HADOOP-6285, and HADOOP-6441. It should not be applied to Apache.
Arun C Murthy added a comment -

+1
Owen O'Malley made changes -
Status: Open [ 1 ] -> Patch Available [ 10002 ]
Owen O'Malley made changes -
Attachment: h-6441.patch [ 12428016 ]
Owen O'Malley added a comment -

This patch quotes the HTTP host header and sets the default encoding to UTF-8.

Owen O'Malley created issue -

People

• Assignee: Owen O'Malley
• Reporter: Owen O'Malley
• Votes: 0
• Watchers: 4
