[
https://issues.apache.org/jira/browse/STORM-2015?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15406384#comment-15406384
]
Robert Joseph Evans commented on STORM-2015:
--------------------------------------------
Actually this is a security issue. We only allow downloading of files that are
under a specific known log directory. Otherwise a worker could link to a file
that it cannot actually read, but the logviewer can.
I think the fix would be to make a configurable whitelist of allowed
subdirectories.
> logviewer does not download file when the directory is a symbolic link fails
> with 404 page not found
> ----------------------------------------------------------------------------------------------------
>
> Key: STORM-2015
> URL: https://issues.apache.org/jira/browse/STORM-2015
> Project: Apache Storm
> Issue Type: Bug
> Reporter: saurabh mishra
>
> logviewer does not download file when the directory is a symbolic link; it
> fails with 404 page not found.
> (defn download-log-file [fname req resp user ^String root-dir]
>   (let [file (.getCanonicalFile (File. root-dir fname))]
>     (if (.exists file)
>       (-> (resp/response "Page not found")
>           (resp/status 404)))))
> When storm root-dir is replaced with an actual directory, it succeeds in
> downloading the file.
> Symbolic links for log locations are standard practice.
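The containment check described in the comment, combined with the proposed allowlist of directories, as an added Python example that is not Apache Storm's code: `os.path.realpath` plays the role of `getCanonicalFile`, and the names `AllowedLogRoots`, `resolve`, `demo` and the temporary directory layout are assumptions made for illustration.

```python
import os
import tempfile


class AllowedLogRoots:
    """Allowlist of directories a log viewer may serve from (hypothetical helper)."""

    def __init__(self, configured_roots):
        # Resolve each configured root once, so a root that is itself a
        # symbolic link is compared by its real location.
        self.roots = [os.path.realpath(r) for r in configured_roots]

    def resolve(self, root_dir, fname):
        """Return the real path to serve, or None (the caller answers 404)."""
        real = os.path.realpath(os.path.join(root_dir, fname))
        for root in self.roots:
            # commonpath compares whole path components, so /logs-old does
            # not pass as being under /logs the way a string prefix would.
            if os.path.commonpath([root, real]) == root and os.path.isfile(real):
                return real
        return None


def demo():
    """Constructed layout: storm-logs -> data/logs, plus a link leading outside."""
    base = os.path.realpath(tempfile.mkdtemp(prefix="logviewer-demo-"))
    real_logs = os.path.join(base, "data", "logs")
    os.makedirs(real_logs)
    link_root = os.path.join(base, "storm-logs")
    os.symlink(real_logs, link_root)  # log root is a symlink, as in the report
    with open(os.path.join(real_logs, "worker.log"), "w") as f:
        f.write("ok\n")
    outside = os.path.join(base, "outside.txt")
    with open(outside, "w") as f:
        f.write("not a log\n")
    # A link inside the log directory whose target lies outside it.
    os.symlink(outside, os.path.join(real_logs, "linked.log"))

    allow = AllowedLogRoots([link_root])
    return {
        "worker.log": allow.resolve(link_root, "worker.log"),
        "linked.log": allow.resolve(link_root, "linked.log"),
        "../outside.txt": allow.resolve(link_root, "../outside.txt"),
        "expected": os.path.join(real_logs, "worker.log"),
    }


if __name__ == "__main__":
    for name, served in demo().items():
        print(name, "->", served)
```

Because both the configured root and the requested file are resolved before comparison, a symlinked log root still serves its own files, while a link inside it that leads elsewhere is refused.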