[
https://issues.apache.org/jira/browse/HDFS-13636?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16498604#comment-16498604
]
Daniel Templeton commented on HDFS-13636:
-----------------------------------------
Tests aren't required here. Everything else looks good. I'll commit now.
> Security Cross-Site Scripting issue in HDFS code
> ------------------------------------------------
>
> Key: HDFS-13636
> URL: https://issues.apache.org/jira/browse/HDFS-13636
> Project: Hadoop HDFS
> Issue Type: Bug
> Reporter: Haibo Yan
> Assignee: Haibo Yan
> Priority: Major
> Attachments: HDFS-13636.1.patch, HDFS-13636.2.patch
>
>
> A couple if CSS attack issues were found in our fortify test run.
> One of example in
> hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java
> {code:java}
> // code placeholder
> if (servletContext.getAttribute(ADMINS_ACL) != null &&
> !userHasAdministratorAccess(servletContext, remoteUser)) {
> response.sendError(HttpServletResponse.SC_FORBIDDEN, "User "
> + remoteUser + " is unauthorized to access this page.");
> return false;
> }{code}
>
> Suggest fix is remove remoteUser from the page, and log it.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org
