Ted Yu created HDFS-6368:
----------------------------

             Summary: TransferFsImage#receiveFile() should perform validation on fsImageName parameter
                 Key: HDFS-6368
                 URL: https://issues.apache.org/jira/browse/HDFS-6368
             Project: Hadoop HDFS
          Issue Type: Bug
            Reporter: Ted Yu
            Priority: Minor

Currently only null check is performed:
{code}
      if (fsImageName == null) {
        throw new IOException("No filename header provided by server");
      }
      newLocalPaths.add(new File(localPath, fsImageName));
{code}
Value of fsImageName, obtained from HttpURLConnection header, may be tainted.
This may allow an attacker to access, modify, or test the existence of critical or sensitive files.

--
This message was sent by Atlassian JIRA
(v6.2#6252)
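
One way to validate the header value before building the `File`, as an added example that is not Hadoop code and not the fix committed for this issue. The class name `FsImageNameCheck`, the method `resolveImageFile`, the storage directory and the sample header values are all hypothetical.

```java
import java.io.File;
import java.io.IOException;
import java.util.Arrays;
import java.util.List;

// Added example, not Hadoop code. Class and method names are hypothetical.
public class FsImageNameCheck {

  /** Resolve a header-supplied file name strictly inside localPath, or throw. */
  static File resolveImageFile(File localPath, String fsImageName) throws IOException {
    if (fsImageName == null || fsImageName.isEmpty()) {
      throw new IOException("No filename header provided by server");
    }
    // Reject anything that is not a single plain path component.
    if (fsImageName.indexOf('/') >= 0 || fsImageName.indexOf('\\') >= 0
        || fsImageName.indexOf('\0') >= 0
        || fsImageName.equals(".") || fsImageName.equals("..")) {
      throw new IOException("Invalid fsimage file name in header: " + fsImageName);
    }
    // Defense in depth: the canonical target must be a direct child of the
    // canonical storage directory (also catches symlinked names).
    File dir = localPath.getCanonicalFile();
    File target = new File(dir, fsImageName).getCanonicalFile();
    if (!dir.equals(target.getParentFile())) {
      throw new IOException("File name escapes " + dir + ": " + fsImageName);
    }
    return target;
  }

  public static void main(String[] args) throws IOException {
    // Constructed storage directory; it does not need to exist for the check.
    File localPath = new File(System.getProperty("java.io.tmpdir"), "name-current");
    // Constructed header values: one benign, the rest hostile or malformed.
    List<String> samples = Arrays.asList(
        "fsimage_0000000000000000042",
        "../../etc/passwd",
        "/etc/passwd",
        "..\\..\\boot.ini",
        "..",
        "");
    for (String name : samples) {
      try {
        System.out.println("accepted: " + resolveImageFile(localPath, name));
      } catch (IOException e) {
        System.out.println("rejected: " + e.getMessage());
      }
    }
  }
}
```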