Posted to hdfs-dev@hadoop.apache.org by "Andrew Wang (JIRA)" <ji...@apache.org> on 2014/06/12 22:51:02 UTC
[jira] [Reopened] (HDFS-6368) TransferFsImage#receiveFile() should
perform validation on fsImageName parameter
[ https://issues.apache.org/jira/browse/HDFS-6368?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andrew Wang reopened HDFS-6368:
-------------------------------
> TransferFsImage#receiveFile() should perform validation on fsImageName parameter
> --------------------------------------------------------------------------------
>
> Key: HDFS-6368
> URL: https://issues.apache.org/jira/browse/HDFS-6368
> Project: Hadoop HDFS
> Issue Type: Bug
> Reporter: Ted Yu
> Priority: Minor
>
> Currently only a null check is performed:
> {code}
> if (fsImageName == null) {
>   throw new IOException("No filename header provided by server");
> }
> newLocalPaths.add(new File(localPath, fsImageName));
> {code}
> The value of fsImageName, obtained from the HttpURLConnection header, may be tainted.
> This may allow an attacker to access, modify, or test the existence of critical or sensitive files.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
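
One way to validate the header value before building the local path, as an added example that is not part of the original message and not the patch committed for HDFS-6368. The class name, the resolveImageFile helper and the sample header values are hypothetical; it assumes a legitimate image name is always a single path component.

```java
import java.io.File;
import java.io.IOException;

public class FsImageNameCheck {

    // Hypothetical helper (not Hadoop code): returns the file to write to,
    // or throws if the server-supplied name is not a plain file name that
    // stays directly under localDir.
    static File resolveImageFile(File localDir, String fsImageName) throws IOException {
        if (fsImageName == null) {
            throw new IOException("No filename header provided by server");
        }
        // Reject anything that is not a single path component: empty names,
        // "." and "..", separators of either platform, and NUL bytes.
        if (fsImageName.isEmpty()
                || fsImageName.equals(".") || fsImageName.equals("..")
                || fsImageName.indexOf('/') >= 0
                || fsImageName.indexOf('\\') >= 0
                || fsImageName.indexOf('\0') >= 0
                || !new File(fsImageName).getName().equals(fsImageName)) {
            throw new IOException("Invalid filename header provided by server");
        }
        // Defence in depth: after canonicalisation (which also resolves
        // symlinks) the target's parent must be exactly the storage directory.
        File base = localDir.getCanonicalFile();
        File target = new File(base, fsImageName).getCanonicalFile();
        if (!base.equals(target.getParentFile())) {
            throw new IOException("Filename header resolves outside " + base);
        }
        return target;
    }

    public static void main(String[] args) {
        // Constructed storage directory and header values, for illustration only.
        File dir = new File(System.getProperty("java.io.tmpdir"), "name-current");
        String[] samples = {
            "fsimage_0000000000000000042", "../../etc/passwd",
            "/etc/passwd", "sub/fsimage_1", "..", ""
        };
        for (String s : samples) {
            try {
                System.out.println("accepted: " + resolveImageFile(dir, s));
            } catch (IOException e) {
                System.out.println("rejected \"" + s + "\": " + e.getMessage());
            }
        }
    }
}
```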