Uploaded image for project: 'Apache Storm'
  1. Apache Storm
  2. STORM-269

Any readable file exposed via UI log viewer

Attach filesAttach ScreenshotVotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 0.9.2-incubating
    • Fix Version/s: 0.9.2-incubating
    • Component/s: storm-core
    • Labels:

      Description

      Note: This is actually version 0.9.0.1 but I couldn't choose that in the dropdown. I suspect that the problem still exists.

      I found that it's possible to access any readable file on the system via the UI worker log viewer. To reproduce, navigate to:

      http://<host:port>/log?file=../../../../../../../../etc/passwd

        Attachments

          Activity
          $i18n.getText('security.level.explanation', $currentSelection) Viewable by All Users
          Cancel

            People

            • Assignee:
              ptgoetz P. Taylor Goetz
              Reporter:
              jaredkuolt Jared Kuolt

              Dates

              • Created:
                Updated:
                Resolved:

                Issue deployment