Hadoop HDFS
  1. Hadoop HDFS
  2. HDFS-6368

TransferFsImage#receiveFile() should perform validation on fsImageName parameter

    Details

    • Type: Bug Bug
    • Status: Resolved
    • Priority: Minor Minor
    • Resolution: Not a Problem
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:
      None

      Description

      Currently only null check is performed:

                if (fsImageName == null) {
                  throw new IOException("No filename header provided by server");
                }
                newLocalPaths.add(new File(localPath, fsImageName));
      

      Value of fsImageName, obtained from HttpURLConnection header, may be tainted.
      This may allow an attacker to access, modify, or test the existence of critical or sensitive files.

        Activity

        Ted Yu created issue -
        Andrew Wang made changes -
        Field Original Value New Value
        Status Open [ 1 ] Resolved [ 5 ]
        Resolution Fixed [ 1 ]
        Andrew Wang made changes -
        Resolution Fixed [ 1 ]
        Status Resolved [ 5 ] Reopened [ 4 ]
        Andrew Wang made changes -
        Status Reopened [ 4 ] Resolved [ 5 ]
        Resolution Not a Problem [ 8 ]

          People

          • Assignee:
            Unassigned
            Reporter:
            Ted Yu
          • Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development