Hadoop HDFS / HDFS-13636

Cross-Site Scripting vulnerability in HttpServer2

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.2.0, 3.1.1, 3.0.4
    • Component/s: None
    • Labels: None
    • Hadoop Flags: Reviewed

      Description

      A couple of XSS issues were found in our Fortify test run.

      One example is in hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java:

          // remoteUser is taken from the request and reflected into the 403 error page
          if (servletContext.getAttribute(ADMINS_ACL) != null &&
              !userHasAdministratorAccess(servletContext, remoteUser)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "User "
                + remoteUser + " is unauthorized to access this page.");
            return false;
          }

      Suggested fix: remove remoteUser from the page and log it instead.
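      The following is an added example, not code from Hadoop or from the patch attached to this issue. It models the access check above and the suggested fix with plain JDK types so it compiles without the servlet API; the class and method names (AccessCheckDemo, Outcome, vulnerableCheck, fixedCheck, escapeHtml) are chosen here, and the attacker user name is constructed. It assumes remoteUser can be attacker-controlled, as it is when the value comes from the user.name query parameter under simple authentication.

```java
import java.util.logging.Logger;

/**
 * Added example (not Hadoop code). Models the HttpServer2 admin-ACL check from
 * HDFS-13636 with plain-JDK stand-ins: the "response" is reduced to the status
 * code and the message that would be passed to sendError().
 */
public class AccessCheckDemo {
    private static final Logger LOG = Logger.getLogger(AccessCheckDemo.class.getName());
    private static final int SC_FORBIDDEN = 403;

    /** Outcome of the check: status code and the text handed to the error page. */
    static final class Outcome {
        final int status;
        final String message;
        Outcome(int status, String message) { this.status = status; this.message = message; }
    }

    /**
     * The pattern Fortify flagged: remoteUser originates from the request and is
     * concatenated into the message that the servlet container renders in its
     * HTML error page. Whether the container escapes that message varies by
     * container and version, so the value may land in the page unescaped.
     */
    static Outcome vulnerableCheck(boolean aclsConfigured, boolean isAdmin, String remoteUser) {
        if (aclsConfigured && !isAdmin) {
            return new Outcome(SC_FORBIDDEN,
                "User " + remoteUser + " is unauthorized to access this page.");
        }
        return null; // access granted
    }

    /**
     * The fix suggested in the description: keep the user name out of the page
     * and log it instead. The response message is a constant, so nothing taken
     * from the request can reach the error page.
     */
    static Outcome fixedCheck(boolean aclsConfigured, boolean isAdmin, String remoteUser) {
        if (aclsConfigured && !isAdmin) {
            // Strip CR/LF so a crafted user name cannot forge extra log lines.
            LOG.warning("User " + remoteUser.replaceAll("[\\r\\n]", "_")
                + " is unauthorized to access this page.");
            return new Outcome(SC_FORBIDDEN, "Unauthorized access to this page.");
        }
        return null;
    }

    /** Minimal HTML escaping, for the cases where a request-derived value must be echoed. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed attacker-controlled user name, e.g. ?user.name=<script>...</script>
        String attacker = "<script>alert(document.cookie)</script>";
        Outcome bad = vulnerableCheck(true, false, attacker);
        Outcome good = fixedCheck(true, false, attacker);
        System.out.println("vulnerable message: " + bad.message);  // markup reaches the page
        System.out.println("fixed message:      " + good.message); // constant text only
        System.out.println("escaped user name:  " + escapeHtml(attacker));
    }
}
```

      Run with `javac AccessCheckDemo.java && java AccessCheckDemo`. The point of the fix is that the response no longer depends on request input at all; escaping is the fallback for places where a user-supplied value genuinely has to be shown, and the log line is sanitized so the same untrusted value cannot be used for log forging instead.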

        Attachments

        1. HDFS-13636.1.patch
          1 kB
          Haibo Yan
        2. HDFS-13636.2.patch
          1 kB
          Haibo Yan

            People

            • Assignee: Haibo Yan (billyean)
            • Reporter: Haibo Yan (billyean)
            • Votes: 0
            • Watchers: 5
