You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-commits@hadoop.apache.org by ae...@apache.org on 2019/09/16 22:48:33 UTC
[hadoop] branch trunk updated: HDDS-2111. XSS fragments can be
injected to the S3g landing page
This is an automated email from the ASF dual-hosted git repository.
aengineer pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/hadoop.git
The following commit(s) were added to refs/heads/trunk by this push:
new 2358e53 HDDS-2111. XSS fragments can be injected to the S3g landing page
2358e53 is described below
commit 2358e53e9c9f8489b24648b1017eb856d4bd42b0
Author: Márton Elek <el...@apache.org>
AuthorDate: Sat Sep 14 05:33:05 2019 +0200
HDDS-2111. XSS fragments can be injected to the S3g landing page
Signed-off-by: Anu Engineer <ae...@apache.org>
---
.../src/main/resources/webapps/static/index.html | 8 ++++++--
.../src/main/resources/webapps/static/s3g.js | 23 ++++++++++++++++++++++
2 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/hadoop-ozone/s3gateway/src/main/resources/webapps/static/index.html b/hadoop-ozone/s3gateway/src/main/resources/webapps/static/index.html
index 68939ef..b20bf35 100644
--- a/hadoop-ozone/s3gateway/src/main/resources/webapps/static/index.html
+++ b/hadoop-ozone/s3gateway/src/main/resources/webapps/static/index.html
@@ -21,6 +21,7 @@
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self';">
<!-- The above 3 meta tags *must* come first in the head; any other head content must come *after* these tags -->
<meta name="description" content="Apache Hadoop Ozone S3 gateway">
@@ -68,12 +69,15 @@
<p>For example with aws-cli:</p>
- <pre>aws s3api --endpoint <script>document.write(window.location.href.replace("static/", ""))</script> create-bucket --bucket=wordcount</pre>
+ <pre>aws s3api --endpoint <span id="s3gurl"></span> create-bucket --bucket=wordcount</pre>
<p>For more information, please check the <a href="docs">documentation.</a>
</p>
</div><!-- /.container -->
-<script src="static/bootstrap-3.4.1/js/bootstrap.min.js"></script>
+<script src="jquery-3.4.1.min.js"></script>
+<script src="bootstrap-3.4.1/js/bootstrap.min.js"></script>
+<script src="s3g.js"></script>
+
</body>
</html>
diff --git a/hadoop-ozone/s3gateway/src/main/resources/webapps/static/s3g.js b/hadoop-ozone/s3gateway/src/main/resources/webapps/static/s3g.js
new file mode 100644
index 0000000..8b1e977
--- /dev/null
+++ b/hadoop-ozone/s3gateway/src/main/resources/webapps/static/s3g.js
@@ -0,0 +1,23 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+window.onload = function () {
+ var safeurl = window.location.protocol + "//" + window.location.host + window.location.pathname;
+ safeurl = safeurl.replace("static/", "");
+ document.getElementById('s3gurl').innerHTML = safeurl;
+};
---------------------------------------------------------------------
To unsubscribe, e-mail: common-commits-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-commits-help@hadoop.apache.org