Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 0.22.0
    • Fix Version/s: 0.22.0
    • Component/s: io
    • Labels:
      None
    • Hadoop Flags:
      Reviewed

      Description

      In trunk the servlets like /stacks and /metrics are returning text/html content-type instead of text/plain. Security wise it's much safer to default to text/plain and require servlets to explicitly set the content-type to text/html when required.

      1. hadoop-7093.txt
        4 kB
        Todd Lipcon
      2. hadoop-7093.3.txt
        7 kB
        Todd Lipcon
      3. hadoop-7093.3.txt
        8 kB
        Todd Lipcon
      4. hadoop-7093.2.txt
        8 kB
        Todd Lipcon

        Issue Links

          Activity

          Hide
          Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12467943/hadoop-7093.txt
          against trunk revision 1056006.

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 6 new or modified tests.

          +1 javadoc. The javadoc tool did not generate any warning messages.

          +1 javac. The applied patch does not increase the total number of javac compiler warnings.

          +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

          -1 release audit. The applied patch generated 2 release audit warnings (more than the trunk's current 1 warnings).

          +1 core tests. The patch passed core unit tests.

          +1 contrib tests. The patch passed contrib unit tests.

          +1 system test framework. The patch passed system test framework compile.

          Test results: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/166//testReport/
          Release audit warnings: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/166//artifact/trunk/patchprocess/patchReleaseAuditProblems.txt
          Findbugs warnings: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/166//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
          Console output: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/166//console

          This message is automatically generated.

          Show
          Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12467943/hadoop-7093.txt against trunk revision 1056006. +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 6 new or modified tests. +1 javadoc. The javadoc tool did not generate any warning messages. +1 javac. The applied patch does not increase the total number of javac compiler warnings. +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings. -1 release audit. The applied patch generated 2 release audit warnings (more than the trunk's current 1 warnings). +1 core tests. The patch passed core unit tests. +1 contrib tests. The patch passed contrib unit tests. +1 system test framework. The patch passed system test framework compile. Test results: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/166//testReport/ Release audit warnings: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/166//artifact/trunk/patchprocess/patchReleaseAuditProblems.txt Findbugs warnings: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/166//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html Console output: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/166//console This message is automatically generated.
          Hide
          Tom White added a comment -

          A few comments:

          Show
          Tom White added a comment - A few comments: StackServlet shouldn't use HtmlQuoting since it is serving plain text. We need to be sure that StackServlet is serving UTF8-encoded text. Currently it is using the default platform encoding since it is using a writer constructed with new PrintWriter(response.getOutputStream()), see http://download.oracle.com/javase/6/docs/api/java/io/PrintWriter.html#PrintWriter%28java.io.OutputStream%29 . Rather we might use response.getWriter(), which uses the character encoding returned by ServletResponse#getCharacterEncoding(), which should pick it up from our earlier call to ServletResponse#setContentType, according to http://download.oracle.com/javaee/6/api/javax/servlet/ServletResponse.html#getWriter%28%29 . The other servlets need checking for this too. For JSON, MetricsServlet should set the content type to "application/json; charset=utf-8". It's not currently setting the content type. ConfServlet should set the charset explicitly too.
          Hide
          Todd Lipcon added a comment -

          Canceling patch to address Tom's comments. Thanks Tom

          Show
          Todd Lipcon added a comment - Canceling patch to address Tom's comments. Thanks Tom
          Hide
          Todd Lipcon added a comment -

          Updated based on review comments. I tested /stacks, /metrics, and /conf on a running NN and looks good:

          todd@todd-w510:~$ curl -s -I 'http://localhost:50070/metrics?format=json' | grep 'Content-Type'
          Content-Type: application/json; charset=utf-8
          todd@todd-w510:~$ curl -s -I 'http://localhost:50070/metrics' | grep 'Content-Type'
          Content-Type: text/plain; charset=utf-8
          todd@todd-w510:~$ curl -s -I 'http://localhost:50070/conf' | grep 'Content-Type'
          Content-Type: text/xml; charset=utf-8
          todd@todd-w510:~$ curl -s -I 'http://localhost:50070/stacks' | grep 'Content-Type'
          Content-Type: text/plain; charset=utf-8

          Show
          Todd Lipcon added a comment - Updated based on review comments. I tested /stacks, /metrics, and /conf on a running NN and looks good: todd@todd-w510:~$ curl -s -I 'http://localhost:50070/metrics?format=json' | grep 'Content-Type' Content-Type: application/json; charset=utf-8 todd@todd-w510:~$ curl -s -I 'http://localhost:50070/metrics' | grep 'Content-Type' Content-Type: text/plain; charset=utf-8 todd@todd-w510:~$ curl -s -I 'http://localhost:50070/conf' | grep 'Content-Type' Content-Type: text/xml; charset=utf-8 todd@todd-w510:~$ curl -s -I 'http://localhost:50070/stacks' | grep 'Content-Type' Content-Type: text/plain; charset=utf-8
          Hide
          Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12468071/hadoop-7093.2.txt
          against trunk revision 1057970.

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 6 new or modified tests.

          +1 javadoc. The javadoc tool did not generate any warning messages.

          +1 javac. The applied patch does not increase the total number of javac compiler warnings.

          +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

          -1 release audit. The applied patch generated 2 release audit warnings (more than the trunk's current 1 warnings).

          +1 core tests. The patch passed core unit tests.

          +1 contrib tests. The patch passed contrib unit tests.

          +1 system test framework. The patch passed system test framework compile.

          Test results: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/174//testReport/
          Release audit warnings: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/174//artifact/trunk/patchprocess/patchReleaseAuditProblems.txt
          Findbugs warnings: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/174//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
          Console output: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/174//console

          This message is automatically generated.

          Show
          Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12468071/hadoop-7093.2.txt against trunk revision 1057970. +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 6 new or modified tests. +1 javadoc. The javadoc tool did not generate any warning messages. +1 javac. The applied patch does not increase the total number of javac compiler warnings. +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings. -1 release audit. The applied patch generated 2 release audit warnings (more than the trunk's current 1 warnings). +1 core tests. The patch passed core unit tests. +1 contrib tests. The patch passed contrib unit tests. +1 system test framework. The patch passed system test framework compile. Test results: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/174//testReport/ Release audit warnings: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/174//artifact/trunk/patchprocess/patchReleaseAuditProblems.txt Findbugs warnings: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/174//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html Console output: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/174//console This message is automatically generated.
          Hide
          Tom White added a comment -

          +1

          Nit: with this patch there are two mimetypes for JSON; we should use "application/json" in both cases (http://tools.ietf.org/html/rfc4627).

          Show
          Tom White added a comment - +1 Nit: with this patch there are two mimetypes for JSON; we should use "application/json" in both cases ( http://tools.ietf.org/html/rfc4627 ).
          Hide
          Todd Lipcon added a comment -

          Fixed the JSON content type nit that Tom pointed out, also fixed release audit warning.

          Show
          Todd Lipcon added a comment - Fixed the JSON content type nit that Tom pointed out, also fixed release audit warning.
          Hide
          Todd Lipcon added a comment -

          Oops, missed test.jsp in the previous patch

          Show
          Todd Lipcon added a comment - Oops, missed test.jsp in the previous patch
          Hide
          Hadoop QA added a comment -

          +1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12468324/hadoop-7093.3.txt
          against trunk revision 1058343.

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 7 new or modified tests.

          +1 javadoc. The javadoc tool did not generate any warning messages.

          +1 javac. The applied patch does not increase the total number of javac compiler warnings.

          +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          +1 core tests. The patch passed core unit tests.

          +1 contrib tests. The patch passed contrib unit tests.

          +1 system test framework. The patch passed system test framework compile.

          Test results: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/181//testReport/
          Findbugs warnings: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/181//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
          Console output: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/181//console

          This message is automatically generated.

          Show
          Hadoop QA added a comment - +1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12468324/hadoop-7093.3.txt against trunk revision 1058343. +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 7 new or modified tests. +1 javadoc. The javadoc tool did not generate any warning messages. +1 javac. The applied patch does not increase the total number of javac compiler warnings. +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. +1 core tests. The patch passed core unit tests. +1 contrib tests. The patch passed contrib unit tests. +1 system test framework. The patch passed system test framework compile. Test results: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/181//testReport/ Findbugs warnings: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/181//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html Console output: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/181//console This message is automatically generated.
          Hide
          Todd Lipcon added a comment -

          Committed in trunk and branch-0.22 (this is a bug fix since servlets were basically unviewable from web browsers with the html content type)

          Show
          Todd Lipcon added a comment - Committed in trunk and branch-0.22 (this is a bug fix since servlets were basically unviewable from web browsers with the html content type)
          Hide
          Hudson added a comment -

          Integrated in Hadoop-Common-22-branch #15 (See https://hudson.apache.org/hudson/job/Hadoop-Common-22-branch/15/)
          HADOOP-7093. Servlets should default to text/plain. Contributed by Todd Lipcon

          Show
          Hudson added a comment - Integrated in Hadoop-Common-22-branch #15 (See https://hudson.apache.org/hudson/job/Hadoop-Common-22-branch/15/ ) HADOOP-7093 . Servlets should default to text/plain. Contributed by Todd Lipcon
          Hide
          Hudson added a comment -

          Integrated in Hadoop-Common-trunk #576 (See https://hudson.apache.org/hudson/job/Hadoop-Common-trunk/576/)
          HADOOP-7093. Servlets should default to text/plain. Contributed by Todd Lipcon

          Show
          Hudson added a comment - Integrated in Hadoop-Common-trunk #576 (See https://hudson.apache.org/hudson/job/Hadoop-Common-trunk/576/ ) HADOOP-7093 . Servlets should default to text/plain. Contributed by Todd Lipcon
          Hide
          Hudson added a comment -

          Integrated in Hadoop-Common-trunk-Commit #479 (See https://hudson.apache.org/hudson/job/Hadoop-Common-trunk-Commit/479/)

          Show
          Hudson added a comment - Integrated in Hadoop-Common-trunk-Commit #479 (See https://hudson.apache.org/hudson/job/Hadoop-Common-trunk-Commit/479/ )

            People

            • Assignee:
              Todd Lipcon
              Reporter:
              Todd Lipcon
            • Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Development