Hadoop HDFS / HDFS-6368

TransferFsImage#receiveFile() should perform validation on fsImageName parameter

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Not A Problem
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels: None

      Description

      Currently only a null check is performed:

                if (fsImageName == null) {
                  throw new IOException("No filename header provided by server");
                }
                newLocalPaths.add(new File(localPath, fsImageName));
      

      The value of fsImageName, obtained from the HttpURLConnection header, may be tainted.
      This may allow an attacker to access, modify, or test the existence of critical or sensitive files.


          People

          • Assignee: Unassigned
          • Reporter: Ted Yu
          • Votes: 0
          • Watchers: 4
