Posted to common-issues@hadoop.apache.org by "Owen O'Malley (JIRA)" <ji...@apache.org> on 2009/12/14 23:35:18 UTC
[jira] Created: (HADOOP-6441) Prevent remote CSS attacks in Hostname and UTF-7.
Prevent remote CSS attacks in Hostname and UTF-7.
-------------------------------------------------
Key: HADOOP-6441
URL: https://issues.apache.org/jira/browse/HADOOP-6441
Project: Hadoop Common
Issue Type: Bug
Components: security
Reporter: Owen O'Malley
Assignee: Owen O'Malley
Fix For: 0.21.0
There are currently vulnerabilities for CSS in Hadoop's Web UI that allow CSS attacks.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (HADOOP-6441) Prevent remote CSS attacks in Hostname and UTF-7.
Posted by "Arun C Murthy (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-6441?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12791212#action_12791212 ]
Arun C Murthy commented on HADOOP-6441:
---------------------------------------
+1
> Prevent remote CSS attacks in Hostname and UTF-7.
> -------------------------------------------------
>
> Key: HADOOP-6441
> URL: https://issues.apache.org/jira/browse/HADOOP-6441
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Reporter: Owen O'Malley
> Assignee: Owen O'Malley
> Fix For: 0.21.0
>
> Attachments: h-6441.patch
>
>
> There are currently vulnerabilities for CSS in Hadoop's Web UI that allow CSS attacks.
[jira] Updated: (HADOOP-6441) Prevent remote CSS attacks in Hostname and UTF-7.
Posted by "Owen O'Malley (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-6441?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Owen O'Malley updated HADOOP-6441:
----------------------------------
Attachment: h-6441.20.patch
This is the patch for the yahoo 20 branch that includes HADOOP-6151, HADOOP-6281, HADOOP-6285, and HADOOP-6441. It should not be applied to Apache.
> Prevent remote CSS attacks in Hostname and UTF-7.
> -------------------------------------------------
>
> Key: HADOOP-6441
> URL: https://issues.apache.org/jira/browse/HADOOP-6441
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Reporter: Owen O'Malley
> Assignee: Owen O'Malley
> Fix For: 0.21.0
>
> Attachments: h-6441.20.patch, h-6441.patch
>
>
> There are currently vulnerabilities for CSS in Hadoop's Web UI that allow CSS attacks.
[jira] Commented: (HADOOP-6441) Prevent remote CSS attacks in Hostname and UTF-7.
Posted by "Hudson (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-6441?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12791323#action_12791323 ]
Hudson commented on HADOOP-6441:
--------------------------------
Integrated in Hadoop-Common-trunk #189 (See [http://hudson.zones.apache.org/hudson/job/Hadoop-Common-trunk/189/])
. Protect web ui from cross site scripting attacks (XSS) on
the host http header and using encoded utf-7. (omalley)
> Prevent remote CSS attacks in Hostname and UTF-7.
> -------------------------------------------------
>
> Key: HADOOP-6441
> URL: https://issues.apache.org/jira/browse/HADOOP-6441
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Reporter: Owen O'Malley
> Assignee: Owen O'Malley
> Fix For: 0.21.0
>
> Attachments: h-6441.20.patch, h-6441.patch
>
>
> There are currently vulnerabilities for CSS in Hadoop's Web UI that allow CSS attacks.
[jira] Commented: (HADOOP-6441) Prevent remote CSS attacks in Hostname and UTF-7.
Posted by "Hudson (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-6441?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12791234#action_12791234 ]
Hudson commented on HADOOP-6441:
--------------------------------
Integrated in Hadoop-Common-trunk-Commit #118 (See [http://hudson.zones.apache.org/hudson/job/Hadoop-Common-trunk-Commit/118/])
. Protect web ui from cross site scripting attacks (XSS) on
the host http header and using encoded utf-7. (omalley)
> Prevent remote CSS attacks in Hostname and UTF-7.
> -------------------------------------------------
>
> Key: HADOOP-6441
> URL: https://issues.apache.org/jira/browse/HADOOP-6441
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Reporter: Owen O'Malley
> Assignee: Owen O'Malley
> Fix For: 0.21.0
>
> Attachments: h-6441.20.patch, h-6441.patch
>
>
> There are currently vulnerabilities for CSS in Hadoop's Web UI that allow CSS attacks.
[jira] Updated: (HADOOP-6441) Prevent remote CSS attacks in Hostname and UTF-7.
Posted by "Owen O'Malley (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-6441?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Owen O'Malley updated HADOOP-6441:
----------------------------------
Resolution: Fixed
Hadoop Flags: [Reviewed]
Status: Resolved (was: Patch Available)
This patch passes all of the unit tests on my dev box.
> Prevent remote CSS attacks in Hostname and UTF-7.
> -------------------------------------------------
>
> Key: HADOOP-6441
> URL: https://issues.apache.org/jira/browse/HADOOP-6441
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Reporter: Owen O'Malley
> Assignee: Owen O'Malley
> Fix For: 0.21.0
>
> Attachments: h-6441.20.patch, h-6441.patch
>
>
> There are currently vulnerabilities for CSS in Hadoop's Web UI that allow CSS attacks.
[jira] Updated: (HADOOP-6441) Prevent remote CSS attacks in Hostname and UTF-7.
Posted by "Owen O'Malley (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-6441?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Owen O'Malley updated HADOOP-6441:
----------------------------------
Status: Patch Available (was: Open)
> Prevent remote CSS attacks in Hostname and UTF-7.
> -------------------------------------------------
>
> Key: HADOOP-6441
> URL: https://issues.apache.org/jira/browse/HADOOP-6441
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Reporter: Owen O'Malley
> Assignee: Owen O'Malley
> Fix For: 0.21.0
>
> Attachments: h-6441.patch
>
>
> There are currently vulnerabilities for CSS in Hadoop's Web UI that allow CSS attacks.
[jira] Updated: (HADOOP-6441) Prevent remote CSS attacks in Hostname and UTF-7.
Posted by "Devaraj Das (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-6441?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Devaraj Das updated HADOOP-6441:
--------------------------------
Release Note: Quotes the characters coming out of getRequestUrl and getServerName in HttpServer.java as per the specification in HADOOP-6151.
> Prevent remote CSS attacks in Hostname and UTF-7.
> -------------------------------------------------
>
> Key: HADOOP-6441
> URL: https://issues.apache.org/jira/browse/HADOOP-6441
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Reporter: Owen O'Malley
> Assignee: Owen O'Malley
> Fix For: 0.21.0
>
> Attachments: h-6441.20.patch, h-6441.patch
>
>
> There are currently vulnerabilities for CSS in Hadoop's Web UI that allow CSS attacks.
[jira] Updated: (HADOOP-6441) Prevent remote CSS attacks in Hostname and UTF-7.
Posted by "Owen O'Malley (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-6441?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Owen O'Malley updated HADOOP-6441:
----------------------------------
Attachment: h-6441.patch
This patch quotes the HTTP host header and sets the default encoding to UTF-8.
> Prevent remote CSS attacks in Hostname and UTF-7.
> -------------------------------------------------
>
> Key: HADOOP-6441
> URL: https://issues.apache.org/jira/browse/HADOOP-6441
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Reporter: Owen O'Malley
> Assignee: Owen O'Malley
> Fix For: 0.21.0
>
> Attachments: h-6441.patch
>
>
> There are currently vulnerabilities for CSS in Hadoop's Web UI that allow CSS attacks.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
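
The two mitigations named in the update above (quoting the HTTP Host header value before it is written into HTML, and declaring UTF-8 explicitly) shown together as an added example; it is not the contents of h-6441.patch or of Hadoop's HttpServer.java. The class name, method names, the set of quoted characters and the sample Host values are assumptions constructed for illustration.

```java
import java.nio.charset.StandardCharsets;

public class HostHeaderQuoting {

    // Explicit charset so the browser never has to guess (and never guesses UTF-7).
    static final String CONTENT_TYPE = "text/html; charset=utf-8";

    // Replace HTML metacharacters with entities (assumed set: & < > " ').
    static String quoteHtml(String s) {
        if (s == null) {
            return null;
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Build a page that echoes the client-supplied host name, quoted, as UTF-8 bytes.
    static byte[] renderPage(String hostHeader) {
        String html = "<html><body><h1>Status of "
                + quoteHtml(hostHeader) + "</h1></body></html>";
        return html.getBytes(StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed sample Host header values, not taken from the issue.
        String[] hosts = {
            "namenode.example.com:50070",        // ordinary value, passes through unchanged
            "x\"><b>injected</b>",               // metacharacters are turned into entities
            "+ADw-b+AD4-injected+ADw-/b+AD4-"    // UTF-7 form: nothing here for quoting to catch
        };
        for (String h : hosts) {
            System.out.println("Content-Type: " + CONTENT_TYPE);
            System.out.println(new String(renderPage(h), StandardCharsets.UTF_8));
        }
    }
}
```

The third sample comes out of `quoteHtml` unchanged because it contains none of the quoted characters, which is why the explicit `charset=utf-8` declaration is needed alongside the quoting.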