Posted to commits@ambari.apache.org by rl...@apache.org on 2018/04/25 21:47:55 UTC

[ambari] branch branch-2.6 updated: [AMBARI-23694] Symlinks are not followed when requesting resources from Ambari's resources entry point

This is an automated email from the ASF dual-hosted git repository.

rlevas pushed a commit to branch branch-2.6
in repository https://gitbox.apache.org/repos/asf/ambari.git


The following commit(s) were added to refs/heads/branch-2.6 by this push:
     new d9df1c9  [AMBARI-23694] Symlinks are not followed when requesting resources from Ambari's resources entry point
d9df1c9 is described below

commit d9df1c9f180ce85a0a4afd4c7dc12e6877eb0ffc
Author: Robert Levas <rl...@hortonworks.com>
AuthorDate: Wed Apr 25 15:58:39 2018 -0400

    [AMBARI-23694] Symlinks are not followed when requesting resources from Ambari's resources entry point
---
 .../main/java/org/apache/ambari/server/controller/AmbariServer.java | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
index 9f662ac..e336972 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
@@ -487,6 +487,12 @@ public class AmbariServer {
       File resourcesDirectory = new File(configs.getResourceDirPath());
       ServletHolder resources = new ServletHolder(DefaultServlet.class);
       resources.setInitParameter("resourceBase", resourcesDirectory.getParent());
+      // Allowing aliases can bypass some security constraints, but allows for following symlinks
+      // which are needed for mpacks. For example:
+      //   /var/lib/ambari-server/resources/stacks/HDP/2.6/services/BEACON ->
+      //   /var/lib/ambari-server/resources/mpacks/beacon-engine.mpack-1.1.0.0/addon-services/BEACON/1.1.0
+      // NOTE: Enabling aliases does not re-introduce the vulnerability described in CVE-2018-8003.
+      resources.setInitParameter("aliases", "true");
       root.addServlet(resources, "/resources/*");
       resources.setInitOrder(5);
 
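Review bot: The NOTE asserting that enabling aliases "does not re-introduce the vulnerability described in CVE-2018-8003" is unsupported by the change itself; the comment two lines above it concedes that allowing aliases "can bypass some security constraints", and nothing in the hunk shows which check still blocks traversal once alias checking is switched off for this servlet. Because `resourceBase` is set to `resourcesDirectory.getParent()` rather than the resources directory, a blanket `aliases=true` approves aliased paths anywhere under that parent, not only the mpack symlinks the comment describes (`.../resources/stacks/HDP/2.6/services/BEACON -> .../resources/mpacks/...`). Suggest scoping this to the symlink case instead, for example by registering a symlink-only alias checker on the context (Jetty 9 provides `org.eclipse.jetty.server.handler.AllowSymLinkAliasChecker` via `ContextHandler.addAliasCheck(...)`), and replacing the bare assertion in the NOTE with a reference to the specific validation that keeps the CVE-2018-8003 traversal closed so the next reader can verify it. Exactly which alias checker the `aliases` init parameter installs depends on the Jetty version bundled with this branch, so that should be confirmed before relying on it.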

-- 
To stop receiving notification emails like this one, please contact
rlevas@apache.org.