[ https://issues.apache.org/jira/browse/HDFS-13636?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16498604#comment-16498604 ]
Daniel Templeton commented on HDFS-13636: ----------------------------------------- Tests aren't required here. Everything else looks good. I'll commit now. > Security Cross-Site Scripting issue in HDFS code > ------------------------------------------------ > > Key: HDFS-13636 > URL: https://issues.apache.org/jira/browse/HDFS-13636 > Project: Hadoop HDFS > Issue Type: Bug > Reporter: Haibo Yan > Assignee: Haibo Yan > Priority: Major > Attachments: HDFS-13636.1.patch, HDFS-13636.2.patch > > > A couple if CSS attack issues were found in our fortify test run. > One of example in > hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java > {code:java} > // code placeholder > if (servletContext.getAttribute(ADMINS_ACL) != null && > !userHasAdministratorAccess(servletContext, remoteUser)) { > response.sendError(HttpServletResponse.SC_FORBIDDEN, "User " > + remoteUser + " is unauthorized to access this page."); > return false; > }{code} > > Suggest fix is remove remoteUser from the page, and log it. -- This message was sent by Atlassian JIRA (v7.6.3#76005) --------------------------------------------------------------------- To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org