  1. Hadoop HDFS
  2. HDFS-4162

Some malformed and unquoted HTML strings are returned from datanode web ui

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 0.23.4
    • Fix Version/s: 2.0.3-alpha, 0.23.5
    • Component/s: datanode
    • Labels:
      None

      Description

      When browsing to the datanode at /browseDirectory.jsp, if a path with HTML characters is requested, the resulting error page echoes back the input unquoted.

      Example:

      http://localhost:50075/browseDirectory.jsp?dir=/<xss>&go=go&namenodeInfoPort=50070&nnaddr=localhost%3A9000

      Writes an input element as part of the response:

      <input name="dir" type="text" width="50" id"dir" value="/<xss>">

      • The value of the "value" attribute is not quoted.
      • An = must follow the "id" attribute name.
      • Element "input" should have a closing tag.

      The output should be something like:

      <input name="dir" type="text" width="50" id="dir" value="/<xss>"/>

      In addition, if one creates a directory:

      hdfs dfs -put '/some/path/to/<xss>'

      Then browsing to the parent of directory '<xss>' prints unquoted HTML in the directory names.
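
The two output points named in the description (the `dir` request parameter echoed into the input element, and directory names printed in the listing) can be covered by one escaping routine. The following is an added Java example, not the patch attached to this issue and not Hadoop's own code; the class and method names are hypothetical and the sample paths are constructed.

```java
import java.util.List;

// Added example: HtmlEscapeDemo, escapeHtml, dirInput and listingRow are hypothetical names.
public class HtmlEscapeDemo {

    // Replace the five characters that can end an HTML text node or a quoted attribute value.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // The "dir" text field of the error page, well-formed and with the request value escaped.
    static String dirInput(String dir) {
        return "<input name=\"dir\" type=\"text\" width=\"50\" id=\"dir\" value=\""
                + escapeHtml(dir) + "\"/>";
    }

    // One listing row; the name comes from the file system rather than the request,
    // but it is just as untrusted and gets the same treatment.
    static String listingRow(String name) {
        return "<tr><td>" + escapeHtml(name) + "</td></tr>";
    }

    public static void main(String[] args) {
        // Constructed inputs: the path from the report, and one containing a double
        // quote, which would otherwise terminate the value attribute early.
        List<String> dirs = List.of("/<xss>", "/x\" y=\"z");
        for (String dir : dirs) {
            System.out.println(dirInput(dir));
        }
        System.out.println(listingRow("<xss>"));
    }
}
```

Escaping the double quote matters as much as escaping the angle brackets here, because the value is written inside a quoted attribute.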

        Attachments

        1. HDFS-4162-branch-0.23.patch
          7 kB
          Derek Dagit
        2. HDFS-4162.patch
          7 kB
          Derek Dagit

            People

            • Assignee:
              dagit Derek Dagit
              Reporter:
              dagit Derek Dagit
            • Votes:
              0
              Watchers:
              9
