Posted to dev@atlas.apache.org by "Vipin Rathor (JIRA)" <ji...@apache.org> on 2016/11/05 14:55:58 UTC

[jira] [Created] (ATLAS-1270) Atlas web server allows user to browse webapp directory

Vipin Rathor created ATLAS-1270:
-----------------------------------

             Summary: Atlas web server allows user to browse webapp directory
                 Key: ATLAS-1270
                 URL: https://issues.apache.org/jira/browse/ATLAS-1270
             Project: Atlas
          Issue Type: Bug
    Affects Versions: 0.5-incubating, 0.7-incubating
         Environment: HDP 2.4.2 and HDP 2.5
            Reporter: Vipin Rathor


Currently any (even non-authenticated) user can access the webapp directory structure by pointing to URIs like http://localhost:21000/lib, http://localhost:21000/js and http://localhost:21000/img
This could lead to some serious exploits.

As a fix, the embedded Jetty server (including the secure one) should disable the directory listing.

I'm submitting a basic patch which I tested with non-secure embedded server only. Since this is my first patch, I'm looking for any feedback so that I can submit better patches in future.

Thanks.



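The fix proposed in the report is to disable directory listing on the embedded Jetty server. The code below is an added example of that setting, not the submitted patch and not Atlas code. It assumes Jetty 9 with jetty-webapp on the classpath; the class name, the temporary webapp layout and the ephemeral port are constructed for illustration. With listing disabled, Jetty answers a directory request that has no welcome file with 403 instead of a file index.

```java
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.webapp.WebAppContext;

// Hypothetical demo class (assumption: Jetty 9.x API), not part of Apache Atlas.
public class DirListingCheck {
    // Context init parameter read by Jetty's DefaultServlet.
    static final String DIR_ALLOWED = "org.eclipse.jetty.servlet.Default.dirAllowed";

    /** Serve webappDir on a free local port and return the HTTP status of GET /lib/. */
    static int statusForLib(Path webappDir, boolean dirAllowed) throws Exception {
        Server server = new Server(0); // port 0: let the OS pick a free port
        WebAppContext ctx = new WebAppContext(webappDir.toString(), "/");
        // The hardening step: "false" stops DefaultServlet from rendering indexes.
        ctx.setInitParameter(DIR_ALLOWED, Boolean.toString(dirAllowed));
        server.setHandler(ctx);
        server.start();
        try {
            int port = ((ServerConnector) server.getConnectors()[0]).getLocalPort();
            HttpURLConnection conn = (HttpURLConnection)
                    new URL("http://localhost:" + port + "/lib/").openConnection();
            return conn.getResponseCode();
        } finally {
            server.stop(); // always release the port, even if the request fails
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample webapp: a lib/ directory with one file and no welcome file.
        Path webapp = Files.createTempDirectory("webapp");
        Files.createDirectories(webapp.resolve("lib"));
        Files.write(webapp.resolve("lib").resolve("sample.js"), "// sample".getBytes());

        // Same request against the listing-enabled and the hardened context.
        System.out.println("dirAllowed=true  -> HTTP " + statusForLib(webapp, true));
        System.out.println("dirAllowed=false -> HTTP " + statusForLib(webapp, false));
    }
}
```

The same request can be repeated against the secure (TLS) embedded server, which the report says was not covered by the tested patch.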