You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@storm.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2014/05/13 04:47:15 UTC

[jira] [Commented] (STORM-269) Any readable file exposed via UI log viewer

    [ https://issues.apache.org/jira/browse/STORM-269?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13995974#comment-13995974 ] 

ASF GitHub Bot commented on STORM-269:
--------------------------------------

Github user xiaokang commented on the pull request:

    https://github.com/apache/incubator-storm/pull/91#issuecomment-42911844
  
    It's really a serious security hole. Thanks all guys to find and fix it. I'm really sorry to have introduced the problem when contributing the logviewer code.


> Any readable file exposed via UI log viewer
> -------------------------------------------
>
>                 Key: STORM-269
>                 URL: https://issues.apache.org/jira/browse/STORM-269
>             Project: Apache Storm (Incubating)
>          Issue Type: Bug
>    Affects Versions: 0.9.2-incubating
>            Reporter: Jared Kuolt
>            Assignee: P. Taylor Goetz
>              Labels: security
>
> Note: This is actually version 0.9.0.1 but I couldn't choose that in the dropdown. I suspect that the problem still exists.
> I found that it's possible to access any readable file on the system via the UI worker log viewer. To reproduce, navigate to:
> http://<host:port>/log?file=../../../../../../../../etc/passwd



--
This message was sent by Atlassian JIRA
(v6.2#6252)