Uploaded image for project: 'Hadoop YARN'
  1. Hadoop YARN
  2. YARN-1993

Cross-site scripting vulnerability in TextView.java

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.8.0, 3.0.0-alpha1
    • Component/s: webapp
    • Labels:
      None
    • Target Version/s:
    • Hadoop Flags:
      Reviewed

      Description

      In hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/view/TextView.java , method echo() e.g. :

          for (Object s : args) {
            out.print(s);
          }
      

      Printing s to an HTML page allows cross-site scripting, because it was not properly sanitized for context HTML attribute name.

        Attachments

        1. YARN-1993.patch
          1 kB
          Kenji Kikushima

          Issue Links

            Activity

              People

              • Assignee:
                kj-ki Kenji Kikushima
                Reporter:
                yuzhihong@gmail.com Ted Yu
              • Votes:
                0 Vote for this issue
                Watchers:
                7 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: