You are viewing a plain text version of this content. The canonical link for it is here.

Posted to hdfs-dev@hadoop.apache.org by "Andrew Wang (JIRA)" <ji...@apache.org> on 2014/06/12 22:51:02 UTC

[jira] [Reopened] (HDFS-6368) TransferFsImage#receiveFile() should perform validation on fsImageName parameter

     [ https://issues.apache.org/jira/browse/HDFS-6368?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andrew Wang reopened HDFS-6368:
-------------------------------


> TransferFsImage#receiveFile() should perform validation on fsImageName parameter
> --------------------------------------------------------------------------------
>
>                 Key: HDFS-6368
>                 URL: https://issues.apache.org/jira/browse/HDFS-6368
>             Project: Hadoop HDFS
>          Issue Type: Bug
>            Reporter: Ted Yu
>            Priority: Minor
>
> Currently only null check is performed:
> {code}
>           if (fsImageName == null) {
>             throw new IOException("No filename header provided by server");
>           }
>           newLocalPaths.add(new File(localPath, fsImageName));
> {code}
> Value of fsImageName, obtained from HttpURLConnection header, may be tainted.
> This may allow an attacker to access, modify, or test the existence of critical or sensitive files.



--
This message was sent by Atlassian JIRA
(v6.2#6252)