Posted to mapreduce-issues@hadoop.apache.org by "Darrell Taylor (JIRA)" <ji...@apache.org> on 2015/05/01 09:56:06 UTC

[jira] [Commented] (MAPREDUCE-165) the map task output servlet doesn't protect against ".." attacks

    [ https://issues.apache.org/jira/browse/MAPREDUCE-165?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14522903#comment-14522903 ] 

Darrell Taylor commented on MAPREDUCE-165:
------------------------------------------

OK, I've had a quick look through this and the two places I can find where file.out and file.out.index are created are in MROutputFiles.java and YarnOutputFiles.java; both of these push all their work through LocalDirAllocator.java and ultimately Path.java.

So I'd presume (maybe incorrectly) that LocalDirAllocator and Path both protect against ".." attacks?  I'll spend a bit more time looking through them to try and understand how they work.  But the map output classes look sensible.

The one thing that did make me wonder, though, is this piece of code that appears in LocalDirAllocator: it strips off the leading /, which could result in a ".." attack, but that may be picked up in the Path class.

{code}
      //remove the leading slash from the path (to make sure that the uri
      //resolution results in a valid path on the dir being checked)
      if (pathStr.startsWith("/")) {
        pathStr = pathStr.substring(1);
      }
{code}


> the map task output servlet doesn't protect against ".." attacks
> ----------------------------------------------------------------
>
>                 Key: MAPREDUCE-165
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-165
>             Project: Hadoop Map/Reduce
>          Issue Type: Bug
>            Reporter: Owen O'Malley
>              Labels: newbie, security
>
> The servlet we use to export the map outputs doesn't protect itself against ".." attacks. However, because the code adds a /file.out.index and /file.out to it, it can only be used to read files with those names.
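As an added illustration of the check being discussed (this is editor-written example code, not Hadoop's LocalDirAllocator, Path or servlet code), the snippet below repeats the leading-slash strip quoted above, appends the fixed file name the servlet adds, and then verifies that the normalized result still lies under the configured local directory. Stripping the leading slash alone does not neutralise ".." segments; the containment check after normalisation is what does. The base directory and the inputs in main are constructed for the example.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Example only (not Hadoop code): resolve a caller-supplied relative path
 * under a fixed base directory and refuse anything that escapes it.
 */
public final class SafePathResolver {

    private final Path base;

    public SafePathResolver(String baseDir) {
        // Absolute + normalized so the containment check below is meaningful.
        this.base = Paths.get(baseDir).toAbsolutePath().normalize();
    }

    /**
     * Mirrors the leading-slash strip quoted from LocalDirAllocator, appends
     * the fixed file name (e.g. file.out.index) the servlet adds, collapses
     * "." and ".." segments with normalize(), and checks the result is still
     * inside base. Path.startsWith is component-based, so a sibling directory
     * such as base + "2" does not pass as a prefix match.
     */
    public Path resolveMapOutput(String pathStr, String fileName) {
        if (pathStr.startsWith("/")) {
            pathStr = pathStr.substring(1);
        }
        Path candidate = base.resolve(pathStr).resolve(fileName).normalize();
        if (!candidate.startsWith(base)) {
            throw new IllegalArgumentException("path escapes base directory: " + pathStr);
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed base directory for the example.
        SafePathResolver r = new SafePathResolver("/tmp/mapred/local");

        // Benign input: resolves to /tmp/mapred/local/attempt_0/output/file.out.index
        System.out.println(r.resolveMapOutput("attempt_0/output", "file.out.index"));

        // Constructed traversal input: after the leading slash is stripped this is
        // "../../etc", which normalize() turns into /tmp/etc/... and the check rejects.
        try {
            r.resolveMapOutput("/../../etc", "file.out.index");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The check is purely lexical: normalize() reasons about path components, not the filesystem, so if the local directory can contain symbolic links pointing outside it, the resolved path should additionally be compared after toRealPath() on both sides.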



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)