[YARN-1993] Cross-site scripting vulnerability in TextView.java - ASF JIRA

Voters

Watch issue

Watchers

Create sub-task

Link

Clone

Update Comment Author

Replace String in Comment

Update Comment Visibility

Delete Comments

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 2.8.0, 3.0.0-alpha1
Component/s: webapp
Labels:
None

Target Version/s:

2.8.0
Hadoop Flags:

Reviewed

Description

In hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/view/TextView.java , method echo() e.g. :

    for (Object s : args) {
      out.print(s);
    }

Printing s to an HTML page allows cross-site scripting, because it was not properly sanitized for context HTML attribute name.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

YARN-1993.patch
14/May/14 09:09
1 kB
Kenji Kikushima

Issue Links

Add Link

is related to

YARN-3589 RM and AH web UI display DOCTYPE wrongly

Resolved

Delete this link

Activity

Comment

This comment will be Viewable by All Users Viewable by All Users

Cancel

People

Assignee:: Kenji Kikushima

Reporter:: Ted Yu

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Dates

Created:: 28/Apr/14 17:07

Updated:: 30/Aug/16 01:31

Resolved:: 03/May/15 01:53

Agile

View on Board

Cross-site scripting vulnerability in TextView.java

Details

Description

Attachments

Attachments

Issue Links

Activity

People

Dates

Agile

Slack

Issue deployment