Hadoop HDFS / HDFS-4162

Some malformed and unquoted HTML strings are returned from datanode web ui

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 0.23.4
    • Fix Version/s: 2.0.3-alpha, 0.23.5
    • Component/s: datanode
    • Labels:
      None

      Description

      When browsing to the datanode at /browseDirectory.jsp, if a path with HTML characters is requested, the resulting error page echoes back the input unquoted.

      Example:

      http://localhost:50075/browseDirectory.jsp?dir=/<xss>&go=go&namenodeInfoPort=50070&nnaddr=localhost%3A9000

      Writes an input element as part of the response:

      <input name="dir" type="text" width="50" id"dir" value="/<xss>">

      • The value of the "value" attribute is not quoted.
      • An = must follow the "id" attribute name.
      • Element "input" should have a closing tag.

      The output should be something like:

      <input name="dir" type="text" width="50" id="dir" value="/<xss>"/>

      In addition, if one creates a directory:

      hdfs dfs -put '/some/path/to/<xss>'

      Then browsing to the parent of directory '<xss>' prints unquoted HTML in the directory names.

      1. HDFS-4162.patch
        7 kB
        Derek Dagit
      2. HDFS-4162-branch-0.23.patch
        7 kB
        Derek Dagit


          People

          • Assignee:
            Derek Dagit
            Reporter:
            Derek Dagit
          • Votes:
            0
            Watchers:
            10
