You are viewing a plain text version of this content. The canonical link for it is here.
Posted to hdfs-dev@hadoop.apache.org by "Haibo Yan (JIRA)" <ji...@apache.org> on 2018/05/29 21:07:00 UTC
[jira] [Created] (HDFS-13636) Security Cross-Site Scripting issue
in HDFS code
Haibo Yan created HDFS-13636:
--------------------------------
Summary: Security Cross-Site Scripting issue in HDFS code
Key: HDFS-13636
URL: https://issues.apache.org/jira/browse/HDFS-13636
Project: Hadoop HDFS
Issue Type: Bug
Reporter: Haibo Yan
Assignee: Haibo Yan
A couple if CSS attack issues were found in our fortify test run.
One of example in hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java
{code:java}
// code placeholder
if (servletContext.getAttribute(ADMINS_ACL) != null &&
!userHasAdministratorAccess(servletContext, remoteUser)) {
response.sendError(HttpServletResponse.SC_FORBIDDEN, "User "
+ remoteUser + " is unauthorized to access this page.");
return false;
}{code}
List of issues also were found at
hadoop-common-project/hadoop-auth-examples/src/main/java/org/apache/hadoop/security/authentication/examples/WhoServlet.java
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer.java
Suggest fix is remove remoteUser from the page, and log it.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-dev-unsubscribe@hadoop.apache.org
For additional commands, e-mail: hdfs-dev-help@hadoop.apache.org