Uploaded image for project: 'Hadoop HDFS'
  1. Hadoop HDFS
  2. HDFS-4162

Some malformed and unquoted HTML strings are returned from datanode web ui

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Minor
    • Resolution: Fixed
    • 0.23.4
    • 2.0.3-alpha, 0.23.5
    • datanode
    • None

    Description

      When browsing to the datanode at /browseDirectory.jsp, if a path with HTML characters is requested, the resulting error page echos back the input unquoted.

      Example:

      http://localhost:50075/browseDirectory.jsp?dir=/<xss>&go=go&namenodeInfoPort=50070&nnaddr=localhost%3A9000

      Writes an input element as part of the response:

      <input name="dir" type="text" width="50" id"dir" value="/<xss>">

      • The value of the "value" attribute is not quoted.
      • An = must follow the "id" attribute name.
      • Element "input" should have a closing tag.

      The output should be something like:

      <input name="dir" type="text" width="50" id="dir" value="/<xss>"/>

      In addition, if one creates a directory:

      hdfs dfs -put '/some/path/to/<xss>'

      Then browsing to the parent of directory '<xss>' prints unquoted HTML in the directory names.

      Attachments

        1. HDFS-4162.patch
          7 kB
          Derek Dagit
        2. HDFS-4162-branch-0.23.patch
          7 kB
          Derek Dagit

        Activity

          People

            dagit Derek Dagit
            dagit Derek Dagit
            Votes:
            0 Vote for this issue
            Watchers:
            9 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: