Posted to commits@ambari.apache.org by rl...@apache.org on 2018/04/25 21:47:55 UTC
[ambari] branch branch-2.6 updated: [AMBARI-23694] Symlinks are not
followed when requesting resources from Ambari's resources entry point
This is an automated email from the ASF dual-hosted git repository.
rlevas pushed a commit to branch branch-2.6
in repository https://gitbox.apache.org/repos/asf/ambari.git
The following commit(s) were added to refs/heads/branch-2.6 by this push:
new d9df1c9 [AMBARI-23694] Symlinks are not followed when requesting resources from Ambari's resources entry point
d9df1c9 is described below
commit d9df1c9f180ce85a0a4afd4c7dc12e6877eb0ffc
Author: Robert Levas <rl...@hortonworks.com>
AuthorDate: Wed Apr 25 15:58:39 2018 -0400
[AMBARI-23694] Symlinks are not followed when requesting resources from Ambari's resources entry point
---
.../main/java/org/apache/ambari/server/controller/AmbariServer.java | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
index 9f662ac..e336972 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
@@ -487,6 +487,12 @@ public class AmbariServer {
File resourcesDirectory = new File(configs.getResourceDirPath());
ServletHolder resources = new ServletHolder(DefaultServlet.class);
resources.setInitParameter("resourceBase", resourcesDirectory.getParent());
+ // Allowing aliases can bypass some security constraints, but allows for following symlinks
+ // which are needed for mpacks. For example:
+ // /var/lib/ambari-server/resources/stacks/HDP/2.6/services/BEACON ->
+ // /var/lib/ambari-server/resources/mpacks/beacon-engine.mpack-1.1.0.0/addon-services/BEACON/1.1.0
+ // NOTE: Enabling aliases does not re-introduce the vulnerability described in CVE-2018-8003.
+ resources.setInitParameter("aliases", "true");
root.addServlet(resources, "/resources/*");
resources.setInitOrder(5);
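Review bot: `resources.setInitParameter("aliases", "true")` turns off Jetty's alias checking for every resource under `resourceBase`, and since `resourceBase` is set to `resourcesDirectory.getParent()` three lines above, that is the parent of the resources directory, not just the `stacks/` tree the comment describes; any symlink under that parent will be served, not only the mpack links given as the example. The comment's claim that this "does not re-introduce the vulnerability described in CVE-2018-8003" is asserted but nothing in this hunk shows why, so please either cite the code that still enforces the earlier fix or add a regression test that requests a path outside the resources directory through `/resources/*` and expects a 404/403. If the goal is only to follow symlinks, consider a narrower change: keep the default alias checks and register `AllowSymLinkAliasChecker` on the context (`root.addAliasCheck(new AllowSymLinkAliasChecker())`), which permits symlink aliases without disabling the other checks; the `aliases` init parameter is the blunt instrument, as the comment itself acknowledges with "can bypass some security constraints".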