
Cross-Site Scripting vulnerability in HttpServer2


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.2.0, 3.1.1, 3.0.4
    • Component/s: None
    • Labels: None
    • Hadoop Flags: Reviewed

    Description

      A couple of cross-site scripting issues were found in our Fortify test run.

      One example is in hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java:

      // remoteUser is taken from the request and concatenated, unescaped,
      // into the error message that the container renders as an HTML page.
      if (servletContext.getAttribute(ADMINS_ACL) != null &&
          !userHasAdministratorAccess(servletContext, remoteUser)) {
        response.sendError(HttpServletResponse.SC_FORBIDDEN, "User "
            + remoteUser + " is unauthorized to access this page.");
        return false;
      }


      Suggested fix: remove remoteUser from the page and log it instead.
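As an added illustration, not code from the Hadoop project or from the patches attached to this issue: a stand-alone Java program contrasting the message construction in the snippet above with the approach the ticket proposes (a constant client-facing message, with the user name written to the server log). The class name, method names and the constructed sample principal are assumptions; an HTML-escaping helper is included for the case where a page genuinely has to display a user-supplied value.

```java
import java.util.logging.Logger;

// Added example (not Hadoop code): the reflected error message beside the
// fix suggested in HDFS-13636. All names here are hypothetical.
public class ForbiddenMessageExample {
    private static final Logger LOG =
            Logger.getLogger(ForbiddenMessageExample.class.getName());

    // Before: the untrusted principal name is concatenated into the text passed
    // to sendError(), which the servlet container renders as an HTML error page,
    // so any markup in the name reaches the browser unescaped.
    static String vulnerableForbiddenMessage(String remoteUser) {
        return "User " + remoteUser + " is unauthorized to access this page.";
    }

    // After (the ticket's suggestion): the client receives a constant message and
    // the name is recorded server-side. Line breaks are stripped before logging so
    // a crafted value cannot forge additional log records.
    static String fixedForbiddenMessage(String remoteUser) {
        LOG.warning("Rejected non-admin user '" + forLog(remoteUser)
                + "' on an admin-only page");
        return "User is unauthorized to access this page.";
    }

    // Where a page must echo a user-supplied value, escape it for an HTML context.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Neutralise CR/LF so one request cannot write several log lines.
    static String forLog(String s) {
        return s == null ? "null" : s.replace('\r', ' ').replace('\n', ' ');
    }

    public static void main(String[] args) {
        // Constructed sample input: a principal name that carries HTML markup.
        String remoteUser = "alice<b>not really bold</b>";
        System.out.println("vulnerable: " + vulnerableForbiddenMessage(remoteUser));
        System.out.println("fixed:      " + fixedForbiddenMessage(remoteUser));
        System.out.println("escaped:    " + escapeHtml(remoteUser));
    }
}
```

Running it shows the markup surviving intact in the first output, a fixed string in the second (with the name appearing only on the logger's stderr output), and `&lt;b&gt;` entities in the third; the point of the ticket is that the second form removes the reflection entirely rather than relying on escaping at every call site.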

      Attachments

        1. HDFS-13636.1.patch (1 kB, Haibo Yan)
        2. HDFS-13636.2.patch (1 kB, Haibo Yan)

        People

          Assignee: Haibo Yan (billyean)
          Reporter: Haibo Yan (billyean)
          Votes: 0
          Watchers: 5