Ted Yu created HDFS-6368:
----------------------------
Summary: TransferFsImage#receiveFile() should perform validation on fsImageName parameter
Key: HDFS-6368
URL: https://issues.apache.org/jira/browse/HDFS-6368
Project: Hadoop HDFS
Issue Type: Bug
Reporter: Ted Yu
Priority: Minor
Currently only a null check is performed:
{code}
if (fsImageName == null) {
  throw new IOException("No filename header provided by server");
}
newLocalPaths.add(new File(localPath, fsImageName));
{code}
The value of fsImageName, obtained from the HttpURLConnection header, may be tainted.
This may allow an attacker to access, modify, or test the existence of critical
or sensitive files.
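One way to perform the validation this issue asks for, as an added example that is not Hadoop's code or the project's fix: the header value is accepted only as a single path component, and the canonical target must still sit directly inside the local directory. The class name `FsImageNameCheck`, the method `resolveImageFile`, and the sample header values are hypothetical and constructed for illustration.

```java
import java.io.File;
import java.io.IOException;

// Added example; class and method names are hypothetical, not Hadoop code.
public class FsImageNameCheck {

  /** Resolve a server-supplied file name under localDir, or throw. */
  static File resolveImageFile(File localDir, String fsImageName)
      throws IOException {
    if (fsImageName == null) {
      throw new IOException("No filename header provided by server");
    }
    // The header must name a single path component: not empty, not "." or
    // "..", and free of path separators and NUL bytes.
    if (fsImageName.isEmpty()
        || fsImageName.equals(".") || fsImageName.equals("..")
        || fsImageName.indexOf('/') >= 0
        || fsImageName.indexOf('\\') >= 0
        || fsImageName.indexOf('\0') >= 0) {
      throw new IOException("Invalid file name in header: " + fsImageName);
    }
    // Defence in depth: after canonicalization (which resolves ".." and
    // symlinks) the target's parent must still be the intended directory.
    File dir = localDir.getCanonicalFile();
    File target = new File(dir, fsImageName).getCanonicalFile();
    if (!dir.equals(target.getParentFile())) {
      throw new IOException("File name escapes " + dir + ": " + fsImageName);
    }
    return target;
  }

  public static void main(String[] args) {
    File dir = new File(System.getProperty("java.io.tmpdir"), "fsimage-demo");
    // Constructed sample header values, including traversal attempts.
    String[] samples = {"fsimage_0000000000000000042", "../../etc/passwd",
                        "/etc/passwd", "..", "sub/fsimage_1", null};
    for (String name : samples) {
      try {
        System.out.println("accepted: " + resolveImageFile(dir, name));
      } catch (IOException e) {
        System.out.println("rejected: " + e.getMessage());
      }
    }
  }
}
```

Only the first sample is accepted; the others are rejected before any `File` built from the header value is used.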