[HDFS-13636] Cross-Site Scripting vulnerability in HttpServer2 - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 3.2.0, 3.1.1, 3.0.4
Component/s: None
Labels:
None

Hadoop Flags:

Reviewed

Description

A couple if CSS attack issues were found in our fortify test run.

One of example in hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java

// code placeholder
if (servletContext.getAttribute(ADMINS_ACL) != null &&
!userHasAdministratorAccess(servletContext, remoteUser)) {
response.sendError(HttpServletResponse.SC_FORBIDDEN, "User "
+ remoteUser + " is unauthorized to access this page.");
return false;
}

Suggest fix is remove remoteUser from the page, and log it.

Attachments

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

HDFS-13636.1.patch
30/May/18 07:01
1 kB
Haibo Yan
HDFS-13636.2.patch
31/May/18 02:10
1 kB
Haibo Yan

Activity

People

Assignee:: Haibo Yan

Reporter:: Haibo Yan

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 29/May/18 21:06

Updated:: 01/Jun/18 22:13

Resolved:: 01/Jun/18 21:50