[jira] [Commented] (STORM-269) Any readable file exposed via UI log viewer

ASF GitHub Bot (JIRA) Thu, 04 Dec 2014 23:24:04 -0800

    [ 
https://issues.apache.org/jira/browse/STORM-269?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14235207#comment-14235207
 ]


ASF GitHub Bot commented on STORM-269:
--------------------------------------

Github user nothinking commented on the pull request:

    https://github.com/apache/storm/pull/91#issuecomment-65755713
  
    To someone like me.
    
    If you want to change log dir, add line to storm.yaml this line.
    > storm.log.dir=/some/real/dir/path
    
    Remember! No Symbolic Link!!
     


> Any readable file exposed via UI log viewer
> -------------------------------------------
>
>                 Key: STORM-269
>                 URL: https://issues.apache.org/jira/browse/STORM-269
>             Project: Apache Storm
>          Issue Type: Bug
>    Affects Versions: 0.9.2-incubating
>            Reporter: Jared Kuolt
>            Assignee: P. Taylor Goetz
>              Labels: security
>             Fix For: 0.9.2-incubating
>
>
> Note: This is actually version 0.9.0.1 but I couldn't choose that in the 
> dropdown. I suspect that the problem still exists.
> I found that it's possible to access any readable file on the system via the 
> UI worker log viewer. To reproduce, navigate to:
> http://<host:port>/log?file=../../../../../../../../etc/passwd



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (STORM-269) Any readable file exposed via UI log viewer

Reply via email to