Hadoop YARN / YARN-1993

Cross-site scripting vulnerability in TextView.java

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.8.0, 3.0.0-alpha1
    • Component/s: webapp
    • Labels:
      None
    • Target Version/s:
    • Hadoop Flags:
      Reviewed

      Description

      In hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/view/TextView.java, method echo(), e.g.:

          for (Object s : args) {
            out.print(s);   // each argument is written to the page verbatim, with no HTML escaping
          }

      Printing s to an HTML page allows cross-site scripting, because it was not properly sanitized for the HTML attribute name context.

      Attachments: YARN-1993.patch (1 kB, Kenji Kikushima)

          Activity

          hudson Hudson added a comment -

          SUCCESS: Integrated in Hadoop-Hdfs-trunk-Java8 #173 (See https://builds.apache.org/job/Hadoop-Hdfs-trunk-Java8/173/)
          YARN-1993. Cross-site scripting vulnerability in TextView.java. Contributed by Kenji Kikushima. (ozawa: rev e8d0ee5fc9af612d7abc9ab2c201434e7102d092)

          • hadoop-yarn-project/CHANGES.txt
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/view/TextView.java

          hudson Hudson added a comment -

          SUCCESS: Integrated in Hadoop-Mapreduce-trunk #2132 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk/2132/)
          YARN-1993. Cross-site scripting vulnerability in TextView.java. Contributed by Kenji Kikushima. (ozawa: rev e8d0ee5fc9af612d7abc9ab2c201434e7102d092)

          • hadoop-yarn-project/CHANGES.txt
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/view/TextView.java

          hudson Hudson added a comment -

          SUCCESS: Integrated in Hadoop-Hdfs-trunk #2114 (See https://builds.apache.org/job/Hadoop-Hdfs-trunk/2114/)
          YARN-1993. Cross-site scripting vulnerability in TextView.java. Contributed by Kenji Kikushima. (ozawa: rev e8d0ee5fc9af612d7abc9ab2c201434e7102d092)

          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/view/TextView.java
          • hadoop-yarn-project/CHANGES.txt

          hudson Hudson added a comment -

          FAILURE: Integrated in Hadoop-Mapreduce-trunk-Java8 #183 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk-Java8/183/)
          YARN-1993. Cross-site scripting vulnerability in TextView.java. Contributed by Kenji Kikushima. (ozawa: rev e8d0ee5fc9af612d7abc9ab2c201434e7102d092)

          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/view/TextView.java
          • hadoop-yarn-project/CHANGES.txt

          hudson Hudson added a comment -

          FAILURE: Integrated in Hadoop-Yarn-trunk-Java8 #182 (See https://builds.apache.org/job/Hadoop-Yarn-trunk-Java8/182/)
          YARN-1993. Cross-site scripting vulnerability in TextView.java. Contributed by Kenji Kikushima. (ozawa: rev e8d0ee5fc9af612d7abc9ab2c201434e7102d092)

          • hadoop-yarn-project/CHANGES.txt
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/view/TextView.java

          hudson Hudson added a comment -

          FAILURE: Integrated in Hadoop-Yarn-trunk #916 (See https://builds.apache.org/job/Hadoop-Yarn-trunk/916/)
          YARN-1993. Cross-site scripting vulnerability in TextView.java. Contributed by Kenji Kikushima. (ozawa: rev e8d0ee5fc9af612d7abc9ab2c201434e7102d092)

          • hadoop-yarn-project/CHANGES.txt
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/view/TextView.java

          hudson Hudson added a comment -

          FAILURE: Integrated in Hadoop-trunk-Commit #7718 (See https://builds.apache.org/job/Hadoop-trunk-Commit/7718/)
          YARN-1993. Cross-site scripting vulnerability in TextView.java. Contributed by Kenji Kikushima. (ozawa: rev e8d0ee5fc9af612d7abc9ab2c201434e7102d092)

          • hadoop-yarn-project/CHANGES.txt
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/view/TextView.java

          ozawa Tsuyoshi Ozawa added a comment -

          Committed this to trunk and branch-2. Thanks Kenji Kikushima for your contribution and thanks Ted Yu for your reporting!

          ozawa Tsuyoshi Ozawa added a comment -

          Warnings by javac and javadoc are not related to the patch.

          ozawa Tsuyoshi Ozawa added a comment -

          +1, committing this shortly.

          hadoopqa Hadoop QA added a comment -

          -1 overall

          Vote  Subsystem        Runtime   Comment
           0    pre-patch        15m 13s   Pre-patch trunk compilation is healthy.
          +1    @author          0m 0s     The patch does not contain any @author tags.
          -1    tests included   0m 0s     The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
          -1    javac            7m 47s    The applied patch generated 173 additional warning messages.
          -1    javadoc          10m 4s    The applied patch generated 14 additional warning messages.
          +1    release audit    0m 23s    The applied patch does not increase the total number of release audit warnings.
          +1    checkstyle       0m 53s    There were no new checkstyle issues.
          +1    whitespace       0m 0s     The patch has no lines that end in whitespace.
          +1    install          1m 32s    mvn install still works.
          +1    eclipse:eclipse  0m 33s    The patch built with eclipse:eclipse.
          +1    findbugs         1m 24s    The patch does not introduce any new Findbugs (version 2.0.3) warnings.
          +1    yarn tests       1m 58s    Tests passed in hadoop-yarn-common.
                (total)          39m 51s

          Subsystem                    Report/Notes
          Patch URL                    http://issues.apache.org/jira/secure/attachment/12644792/YARN-1993.patch
          Optional Tests               javadoc javac unit findbugs checkstyle
          git revision                 trunk / 6ae2a0d
          javac                        https://builds.apache.org/job/PreCommit-YARN-Build/7663/artifact/patchprocess/diffJavacWarnings.txt
          javadoc                      https://builds.apache.org/job/PreCommit-YARN-Build/7663/artifact/patchprocess/diffJavadocWarnings.txt
          hadoop-yarn-common test log  https://builds.apache.org/job/PreCommit-YARN-Build/7663/artifact/patchprocess/testrun_hadoop-yarn-common.txt
          Test Results                 https://builds.apache.org/job/PreCommit-YARN-Build/7663/testReport/
          Java                         1.7.0_55
          uname                        Linux asf903.gq1.ygridcore.net 3.13.0-36-lowlatency #63-Ubuntu SMP PREEMPT Wed Sep 3 21:56:12 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
          Console output               https://builds.apache.org/job/PreCommit-YARN-Build/7663/console

          This message was automatically generated.

          hadoopqa Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12644792/YARN-1993.patch
          against trunk revision .

          +1 @author. The patch does not contain any @author tags.

          -1 tests included. The patch doesn't appear to include any new or modified tests.
          Please justify why no new tests are needed for this patch.
          Also please list what manual steps were performed to verify this patch.

          +1 javac. The applied patch does not increase the total number of javac compiler warnings.

          +1 javadoc. There were no new javadoc warning messages.

          +1 eclipse:eclipse. The patch built with eclipse:eclipse.

          +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          +1 core tests. The patch passed unit tests in hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common.

          +1 contrib tests. The patch passed contrib unit tests.

          Test results: https://builds.apache.org/job/PreCommit-YARN-Build/3765//testReport/
          Console output: https://builds.apache.org/job/PreCommit-YARN-Build/3765//console

          This message is automatically generated.

          hadoopqa Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12644792/YARN-1993.patch
          against trunk revision .

          +1 @author. The patch does not contain any @author tags.

          -1 tests included. The patch doesn't appear to include any new or modified tests.
          Please justify why no new tests are needed for this patch.
          Also please list what manual steps were performed to verify this patch.

          +1 javac. The applied patch does not increase the total number of javac compiler warnings.

          +1 javadoc. There were no new javadoc warning messages.

          +1 eclipse:eclipse. The patch built with eclipse:eclipse.

          +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          +1 core tests. The patch passed unit tests in hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common.

          +1 contrib tests. The patch passed contrib unit tests.

          Test results: https://builds.apache.org/job/PreCommit-YARN-Build/3762//testReport/
          Console output: https://builds.apache.org/job/PreCommit-YARN-Build/3762//console

          This message is automatically generated.

          kj-ki Kenji Kikushima added a comment -

          For example, how about to use StringEscapeUtils like this patch?
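The issue description shows echo() writing each argument into the page verbatim, and the comment above proposes escaping with StringEscapeUtils. The following is an added example written for this page; it is not the YARN-1993 patch and not Hadoop project code. It places the unescaped loop from the description beside an escaping variant, and it assumes the class name TextViewEchoExample, the render() helper, and a small escapeHtml() method that stands in for org.apache.commons.lang.StringEscapeUtils.escapeHtml so the file compiles with only the JDK.

```java
// Added example for YARN-1993, not the project's patch. The escapeHtml()
// helper below is a stand-in for StringEscapeUtils.escapeHtml (commons-lang)
// so that this file compiles and runs without any library on the classpath.
import java.io.PrintWriter;
import java.io.StringWriter;

public class TextViewEchoExample {

    /** Behaviour from the issue description: every argument is written verbatim. */
    static void echoUnsafe(PrintWriter out, Object... args) {
        for (Object s : args) {
            out.print(s);
        }
    }

    /** Hardened variant: each argument is HTML-escaped before it reaches the page. */
    static void echoEscaped(PrintWriter out, Object... args) {
        for (Object s : args) {
            out.print(escapeHtml(String.valueOf(s)));
        }
    }

    /**
     * Minimal HTML entity escaper for the five characters that can terminate
     * element content or a quoted attribute value. Stand-in for
     * StringEscapeUtils.escapeHtml; note that the commons-lang 2.x version
     * does not escape the single quote, whereas this helper does.
     */
    static String escapeHtml(String in) {
        StringBuilder sb = new StringBuilder(in.length() + 16);
        for (int i = 0; i < in.length(); i++) {
            char c = in.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Runs one of the two echo variants into a buffer and returns the fragment. */
    static String render(boolean escape, Object... args) {
        StringWriter buf = new StringWriter();
        PrintWriter out = new PrintWriter(buf);
        if (escape) {
            echoEscaped(out, args);
        } else {
            echoUnsafe(out, args);
        }
        out.flush();
        return buf.toString();
    }

    public static void main(String[] a) {
        // Constructed test input standing in for a user-controlled value
        // (an application name, a queue name) that ends up in the web UI.
        String untrusted = "job<script>alert(1)</script>";
        String unsafe = render(false, "name: ", untrusted);
        String safe = render(true, "name: ", untrusted);
        System.out.println("unsafe: " + unsafe);
        System.out.println("safe:   " + safe);
        // With escaping, no raw '<' from the untrusted argument survives.
        if (safe.contains("<script>")) {
            throw new AssertionError("escaping failed");
        }
    }
}
```

Two points worth keeping in mind when applying this pattern to a view class. First, once echo() escapes, callers must pass only data through it; any markup that is meant to render has to be emitted by a separate method, otherwise the markup itself is escaped. Second, entity escaping of this kind makes untrusted data safe in element content and inside quoted attribute values; the description's "attribute name" context is stricter, and untrusted data should not be placed in an attribute name at all unless it is checked against an explicit allowlist of permitted names.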

            People

            • Assignee: kj-ki Kenji Kikushima
            • Reporter: yuzhihong@gmail.com Ted Yu
            • Votes: 0
            • Watchers: 7