[YARN-266] RM and JHS Web UIs are blank because AppsBlock is not escaping string properly - ASF JIRA

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: 2.0.2-alpha, 0.23.5, 3.0.0-alpha1
Fix Version/s: 2.0.3-alpha, 0.23.6
Component/s: resourcemanager
Labels:
- webui

Target Version/s:

2.0.3-alpha, 0.23.6

Description

e.g. Job names with a line feed "\n" are causing a line feed in the JSON array being written out (since we are only using StringEscapeUtils.escapeHtml() ) and the Javascript parser complains that string quotes are unclosed. This

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending

Attachments

YARN-266.patch

11/Dec/12 00:16

3 kB

Ravi Prakash

Issue Links

is broken by

MAPREDUCE-4720 Browser thinks History Server main page JS is taking too long

Closed

YARN-151 Browser thinks RM main page JS is taking too long

Closed

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Ravi Prakash added a comment - 11/Dec/12 00:16

Simple patch to fix the issue.

Show

Ravi Prakash added a comment - 11/Dec/12 00:16 Simple patch to fix the issue.

Hide

Permalink

Sandy Ryza added a comment - 11/Dec/12 00:20

Just encountered this

+1!

Show

Sandy Ryza added a comment - 11/Dec/12 00:20 Just encountered this +1!

Hide

Permalink

Ravi Prakash added a comment - 11/Dec/12 05:46

I tested by submitting a bad job name (with a new line and an embedded image HTML tag).
1. With only escapeHtml, the new line causes the Javascript parser to throw an error
2. With only escapeJavascript, the embedded HTML image was rendered. This could lead to XSS
3. Javascript escaping the Html escaped string (as in the patch), got the correct behavior.

Show

Ravi Prakash added a comment - 11/Dec/12 05:46 I tested by submitting a bad job name (with a new line and an embedded image HTML tag). 1. With only escapeHtml, the new line causes the Javascript parser to throw an error 2. With only escapeJavascript, the embedded HTML image was rendered. This could lead to XSS 3. Javascript escaping the Html escaped string (as in the patch), got the correct behavior.

Hide

Permalink

Hadoop QA added a comment - 11/Dec/12 06:09

-1 overall. Here are the results of testing the latest attachment
http://issues.apache.org/jira/secure/attachment/12560316/YARN-266.patch
against trunk revision .

+1 @author. The patch does not contain any @author tags.

-1 tests included. The patch doesn't appear to include any new or modified tests.
Please justify why no new tests are needed for this patch.
Also please list what manual steps were performed to verify this patch.

+1 javac. The applied patch does not increase the total number of javac compiler warnings.

+1 javadoc. The javadoc tool did not generate any warning messages.

+1 eclipse:eclipse. The patch built with eclipse:eclipse.

+1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

+1 release audit. The applied patch does not increase the total number of release audit warnings.

+1 core tests. The patch passed unit tests in hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager.

+1 contrib tests. The patch passed contrib unit tests.

Test results: https://builds.apache.org/job/PreCommit-YARN-Build/213//testReport/
Console output: https://builds.apache.org/job/PreCommit-YARN-Build/213//console

This message is automatically generated.

Show

Hadoop QA added a comment - 11/Dec/12 06:09 -1 overall . Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12560316/YARN-266.patch against trunk revision . +1 @author . The patch does not contain any @author tags. -1 tests included . The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. +1 javac . The applied patch does not increase the total number of javac compiler warnings. +1 javadoc . The javadoc tool did not generate any warning messages. +1 eclipse:eclipse . The patch built with eclipse:eclipse. +1 findbugs . The patch does not introduce any new Findbugs (version 1.3.9) warnings. +1 release audit . The applied patch does not increase the total number of release audit warnings. +1 core tests . The patch passed unit tests in hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager. +1 contrib tests . The patch passed contrib unit tests. Test results: https://builds.apache.org/job/PreCommit-YARN-Build/213//testReport/ Console output: https://builds.apache.org/job/PreCommit-YARN-Build/213//console This message is automatically generated.

Hide

Permalink

Jason Lowe added a comment - 11/Dec/12 15:39

+1, will commit shortly.

Show

Jason Lowe added a comment - 11/Dec/12 15:39 +1, will commit shortly.

Hide

Permalink

Jason Lowe added a comment - 11/Dec/12 15:52

Thanks, Ravi. I committed this to trunk, branch-2, and branch-0.23.

Show

Jason Lowe added a comment - 11/Dec/12 15:52 Thanks, Ravi. I committed this to trunk, branch-2, and branch-0.23.

Hide

Permalink

Hudson added a comment - 11/Dec/12 16:03

Integrated in Hadoop-trunk-Commit #3111 (See https://builds.apache.org/job/Hadoop-trunk-Commit/3111/)
~~YARN-266~~. RM and JHS Web UIs are blank because AppsBlock is not escaping string properly. Contributed by Ravi Prakash (Revision 1420232)

Result = SUCCESS
jlowe : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1420232
Files :

/hadoop/common/trunk/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/webapp/HsJobsBlock.java
/hadoop/common/trunk/hadoop-yarn-project/CHANGES.txt
/hadoop/common/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/AppsBlock.java

Show

Hudson added a comment - 11/Dec/12 16:03 Integrated in Hadoop-trunk-Commit #3111 (See https://builds.apache.org/job/Hadoop-trunk-Commit/3111/ ) YARN-266 . RM and JHS Web UIs are blank because AppsBlock is not escaping string properly. Contributed by Ravi Prakash (Revision 1420232) Result = SUCCESS jlowe : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1420232 Files : /hadoop/common/trunk/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/webapp/HsJobsBlock.java /hadoop/common/trunk/hadoop-yarn-project/CHANGES.txt /hadoop/common/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/AppsBlock.java

Hide

Permalink

Hudson added a comment - 12/Dec/12 10:51

Integrated in Hadoop-Yarn-trunk #63 (See https://builds.apache.org/job/Hadoop-Yarn-trunk/63/)
~~YARN-266~~. RM and JHS Web UIs are blank because AppsBlock is not escaping string properly. Contributed by Ravi Prakash (Revision 1420232)

Result = SUCCESS
jlowe : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1420232
Files :

/hadoop/common/trunk/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/webapp/HsJobsBlock.java
/hadoop/common/trunk/hadoop-yarn-project/CHANGES.txt
/hadoop/common/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/AppsBlock.java

Show

Hudson added a comment - 12/Dec/12 10:51 Integrated in Hadoop-Yarn-trunk #63 (See https://builds.apache.org/job/Hadoop-Yarn-trunk/63/ ) YARN-266 . RM and JHS Web UIs are blank because AppsBlock is not escaping string properly. Contributed by Ravi Prakash (Revision 1420232) Result = SUCCESS jlowe : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1420232 Files : /hadoop/common/trunk/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/webapp/HsJobsBlock.java /hadoop/common/trunk/hadoop-yarn-project/CHANGES.txt /hadoop/common/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/AppsBlock.java

Hide

Permalink

Hudson added a comment - 12/Dec/12 12:44

Integrated in Hadoop-Hdfs-0.23-Build #461 (See https://builds.apache.org/job/Hadoop-Hdfs-0.23-Build/461/)
svn merge -c 1420232 FIXES: ~~YARN-266~~. RM and JHS Web UIs are blank because AppsBlock is not escaping string properly. Contributed by Ravi Prakash (Revision 1420234)

Result = SUCCESS
jlowe : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1420234
Files :

/hadoop/common/branches/branch-0.23/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/webapp/HsJobsBlock.java
/hadoop/common/branches/branch-0.23/hadoop-yarn-project/CHANGES.txt
/hadoop/common/branches/branch-0.23/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/AppsBlock.java

Show

Hudson added a comment - 12/Dec/12 12:44 Integrated in Hadoop-Hdfs-0.23-Build #461 (See https://builds.apache.org/job/Hadoop-Hdfs-0.23-Build/461/ ) svn merge -c 1420232 FIXES: YARN-266 . RM and JHS Web UIs are blank because AppsBlock is not escaping string properly. Contributed by Ravi Prakash (Revision 1420234) Result = SUCCESS jlowe : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1420234 Files : /hadoop/common/branches/branch-0.23/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/webapp/HsJobsBlock.java /hadoop/common/branches/branch-0.23/hadoop-yarn-project/CHANGES.txt /hadoop/common/branches/branch-0.23/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/AppsBlock.java

Hide

Permalink

Hudson added a comment - 12/Dec/12 13:11

Integrated in Hadoop-Hdfs-trunk #1252 (See https://builds.apache.org/job/Hadoop-Hdfs-trunk/1252/)
~~YARN-266~~. RM and JHS Web UIs are blank because AppsBlock is not escaping string properly. Contributed by Ravi Prakash (Revision 1420232)

Result = FAILURE
jlowe : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1420232
Files :

/hadoop/common/trunk/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/webapp/HsJobsBlock.java
/hadoop/common/trunk/hadoop-yarn-project/CHANGES.txt
/hadoop/common/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/AppsBlock.java

Show

Hudson added a comment - 12/Dec/12 13:11 Integrated in Hadoop-Hdfs-trunk #1252 (See https://builds.apache.org/job/Hadoop-Hdfs-trunk/1252/ ) YARN-266 . RM and JHS Web UIs are blank because AppsBlock is not escaping string properly. Contributed by Ravi Prakash (Revision 1420232) Result = FAILURE jlowe : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1420232 Files : /hadoop/common/trunk/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/webapp/HsJobsBlock.java /hadoop/common/trunk/hadoop-yarn-project/CHANGES.txt /hadoop/common/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/AppsBlock.java

Hide

Permalink

Hudson added a comment - 12/Dec/12 14:08

Integrated in Hadoop-Mapreduce-trunk #1283 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk/1283/)
~~YARN-266~~. RM and JHS Web UIs are blank because AppsBlock is not escaping string properly. Contributed by Ravi Prakash (Revision 1420232)

Result = SUCCESS
jlowe : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1420232
Files :

/hadoop/common/trunk/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/webapp/HsJobsBlock.java
/hadoop/common/trunk/hadoop-yarn-project/CHANGES.txt
/hadoop/common/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/AppsBlock.java

Show

Hudson added a comment - 12/Dec/12 14:08 Integrated in Hadoop-Mapreduce-trunk #1283 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk/1283/ ) YARN-266 . RM and JHS Web UIs are blank because AppsBlock is not escaping string properly. Contributed by Ravi Prakash (Revision 1420232) Result = SUCCESS jlowe : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1420232 Files : /hadoop/common/trunk/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/webapp/HsJobsBlock.java /hadoop/common/trunk/hadoop-yarn-project/CHANGES.txt /hadoop/common/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/AppsBlock.java

People

Assignee:

Ravi Prakash

Reporter:

Ravi Prakash

Votes:

0 Vote for this issue

Watchers:

6 Start watching this issue

Dates

Created:

11/Dec/12 00:15

Updated:

12/May/16 18:30

Resolved:

11/Dec/12 15:52

Development

Agile

View on Board