HADOOP-6441 (Hadoop Common)

Prevent remote CSS (cross-site scripting) attacks in Hostname and UTF-7.

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 0.21.0
    • Component/s: security
    • Labels: None
    • Hadoop Flags: Reviewed
    • Release Note:
      Quotes the characters coming out of getRequestUrl and getServerName in HttpServer.java as per the specification in HADOOP-6151.

      Description

      There are currently cross-site scripting (CSS/XSS) vulnerabilities in Hadoop's Web UI: values taken from the request (the HTTP Host header and the request URL) are echoed into pages without quoting, and no output charset is declared.

      Attachments

      1. h-6441.patch (2 kB, Owen O'Malley)
      2. h-6441.20.patch (21 kB, Owen O'Malley)

        Activity

        Hudson added a comment -

        Integrated in Hadoop-Common-trunk #189 (See http://hudson.zones.apache.org/hudson/job/Hadoop-Common-trunk/189/)
        . Protect web ui from cross site scripting attacks (XSS) on the host http header and using encoded utf-7. (omalley)

        Owen O'Malley added a comment -

        This patch passes all of the unit tests on my dev box.

        Hudson added a comment -

        Integrated in Hadoop-Common-trunk-Commit #118 (See http://hudson.zones.apache.org/hudson/job/Hadoop-Common-trunk-Commit/118/)
        . Protect web ui from cross site scripting attacks (XSS) on the host http header and using encoded utf-7. (omalley)

        Owen O'Malley added a comment -

        This is the patch for the yahoo 20 branch that includes HADOOP-6151, HADOOP-6281, HADOOP-6285, and HADOOP-6441. It should not be applied to Apache.

        Arun C Murthy added a comment -

        +1

        Owen O'Malley added a comment -

        This patch quotes the HTTP host header and sets the default encoding to UTF-8.

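The release note and the last comment describe two separate fixes: HTML-quoting the values returned by getRequestUrl and getServerName, and declaring UTF-8 as the page encoding so a browser cannot guess UTF-7. The Python model below is an added example, not code from this issue or from Hadoop (HttpServer.java is Java), and not part of the JIRA page. The function names, the browser's charset-sniffing rule, and the two payloads are constructed for illustration; the escaped character set (& < > " ') is a standard choice, not one read from the patch.

```python
# Added example, not Hadoop's code: models why HADOOP-6441 needs both output
# quoting and a declared charset. All names and inputs here are constructed.


def html_quote(value: str) -> str:
    """Escape the characters that can break out of HTML text or attributes.
    The escaped set is a standard choice, assumed here, not copied from
    HttpServer.java."""
    return (value.replace("&", "&amp;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&quot;")
                 .replace("'", "&#39;"))


def render_status_page(host_header: bytes, path: str,
                       quote_output: bool, declare_charset: bool):
    """Build a page that echoes the server name and request URL, the way a
    web UI status page might, and return (Content-Type value, body). The
    Host header is modelled as the Latin-1 string a servlet container hands
    back from getServerName()."""
    server_name = host_header.decode("latin-1")
    request_url = f"http://{server_name}{path}"
    if quote_output:                      # the quoting step from the patch
        server_name = html_quote(server_name)
        request_url = html_quote(request_url)
    content_type = "text/html; charset=utf-8" if declare_charset else "text/html"
    body = (f"<html><body><h1>{server_name}</h1>"
            f"<p>Request: {request_url}</p></body></html>")
    return content_type, body


def browser_render(content_type: str, body: str) -> str:
    """Model a legacy browser's charset handling: honour a declared charset,
    otherwise sniff, and treat UTF-7 shift sequences as UTF-7 (an assumed
    sniffing rule, simplified for the example)."""
    raw = body.encode("latin-1")
    ct = content_type.lower()
    if "charset=" in ct:
        return raw.decode(ct.split("charset=", 1)[1].strip())
    if b"+A" in raw:                      # crude UTF-7 sniff: "+ADw-" is "<"
        return raw.decode("utf-7")
    return raw.decode("latin-1")


def script_injected(host_header: bytes, quote_output: bool,
                    declare_charset: bool) -> bool:
    """True if the echoed Host header ends up as live <script> markup."""
    content_type, body = render_status_page(host_header, "/",
                                            quote_output, declare_charset)
    return "<script>" in browser_render(content_type, body)


# Constructed payloads. In UTF-7 "+ADw-" decodes to "<" and "+AD4-" to ">",
# so the second payload carries no angle brackets for html_quote to catch.
PLAIN_PAYLOAD = b"<script>alert(1)</script>"
UTF7_PAYLOAD = b"+ADw-script+AD4-alert(1)+ADw-/script+AD4-"

if __name__ == "__main__":
    print("UTF-7 payload decodes to:", UTF7_PAYLOAD.decode("utf-7"))
    for name, payload in (("plain", PLAIN_PAYLOAD), ("utf-7", UTF7_PAYLOAD)):
        for quote_output, declare_charset in ((False, False), (True, False), (True, True)):
            print(f"{name:6} quote={quote_output!s:5} charset={declare_charset!s:5} "
                  f"injected={script_injected(payload, quote_output, declare_charset)}")
```

Running the block shows the point of the second half of the fix: quoting alone stops the plain `<script>` Host header, but the UTF-7 payload passes through `html_quote` unchanged because its bytes contain no `<` or `>`; only when the response declares `charset=utf-8` does the browser stop guessing UTF-7 and render the shift sequences as harmless text. Both measures are needed.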

          People

          • Assignee: Owen O'Malley
          • Reporter: Owen O'Malley
          • Votes: 0
          • Watchers: 4
