[HDFS-6368] TransferFsImage#receiveFile() should perform validation on fsImageName parameter - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Minor
Resolution: Not A Problem
Affects Version/s: None
Fix Version/s: None
Component/s: None
Labels:
None

Description

Currently only null check is performed:

          if (fsImageName == null) {
            throw new IOException("No filename header provided by server");
          }
          newLocalPaths.add(new File(localPath, fsImageName));

Value of fsImageName, obtained from HttpURLConnection header, may be tainted.
This may allow an attacker to access, modify, or test the existence of critical or sensitive files.

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Ted Yu

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 10/May/14 22:58

Updated:: 12/Jun/14 20:50

Resolved:: 12/Jun/14 20:50