Haibo Yan created HDFS-13636:
--------------------------------

Summary: Security Cross-Site Scripting issue in HDFS code
Key: HDFS-13636
URL: https://issues.apache.org/jira/browse/HDFS-13636
Project: Hadoop HDFS
Issue Type: Bug
Reporter: Haibo Yan
Assignee: Haibo Yan
A couple of CSS attack issues were found in our Fortify test run. One example is in hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java:

{code:java}
// Sink flagged by Fortify: remoteUser is request-derived and is concatenated
// unescaped into the 403 error message that is sent back to the client.
if (servletContext.getAttribute(ADMINS_ACL) != null &&
    !userHasAdministratorAccess(servletContext, remoteUser)) {
  response.sendError(HttpServletResponse.SC_FORBIDDEN,
      "User " + remoteUser + " is unauthorized to access this page.");
  return false;
}
{code}

A list of issues was also found at:

* hadoop-common-project/hadoop-auth-examples/src/main/java/org/apache/hadoop/security/authentication/examples/WhoServlet.java
* hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java
* hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer.java

Suggested fix is to remove remoteUser from the page, and log it.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-dev-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-dev-h...@hadoop.apache.org
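To make the reported sink concrete, the following is an added example, not code from the Hadoop project or from the reporter: it places the vulnerable concatenation from the snippet above beside the fix the report proposes (keep the user name off the page, write it to the log) and a third variant that HTML-escapes the name for cases where it must remain visible. Everything here is constructed for illustration: the escapeHtml helper and the renderErrorPage stand-in are written for this example and are not Hadoop or Jetty APIs, and the payload is an assumed attacker-controlled principal name (in deployments using Hadoop's simple/pseudo authentication the remote user is taken from the user.name query parameter, which the report does not mention). Whether a real container reflects the sendError reason string unescaped into its HTML error page depends on the servlet container and version in use, so check the Jetty version actually shipped before deciding the finding is unreachable.

```java
import java.util.logging.Logger;

/**
 * Added example (not Hadoop code): the reflected-XSS pattern from HDFS-13636
 * next to the hardened form suggested in the report.
 */
public class UnauthorizedPageExample {
  private static final Logger LOG =
      Logger.getLogger(UnauthorizedPageExample.class.getName());

  /** Vulnerable: the request-derived name goes straight into the 403 message. */
  static String vulnerableMessage(String remoteUser) {
    return "User " + remoteUser + " is unauthorized to access this page.";
  }

  /**
   * Hardened as the report suggests: a fixed message for the client, the
   * identity only in the server log.
   */
  static String hardenedMessage(String remoteUser) {
    // Strip CR/LF so a crafted name cannot forge additional log lines.
    String safeForLog = remoteUser == null
        ? "<anonymous>" : remoteUser.replaceAll("[\\r\\n]", "_");
    LOG.warning("Unauthorized access to admin page by user " + safeForLog);
    return "User is unauthorized to access this page.";
  }

  /**
   * Alternative when the name must stay on the page: escape it for an HTML
   * text context. Example helper, not Hadoop's own escaping utility.
   */
  static String escapeHtml(String s) {
    if (s == null) {
      return "";
    }
    StringBuilder sb = new StringBuilder(s.length());
    for (int i = 0; i < s.length(); i++) {
      char c = s.charAt(i);
      switch (c) {
        case '<':  sb.append("&lt;");   break;
        case '>':  sb.append("&gt;");   break;
        case '&':  sb.append("&amp;");  break;
        case '"':  sb.append("&quot;"); break;
        case '\'': sb.append("&#39;");  break;
        default:   sb.append(c);
      }
    }
    return sb.toString();
  }

  /**
   * Stand-in for a servlet container's default error page, which renders the
   * sendError reason string into the HTML body. Constructed for this example;
   * it is not Jetty's actual template.
   */
  static String renderErrorPage(int status, String message) {
    return "<html><body><h2>HTTP ERROR " + status + "</h2>"
        + "<p>Reason:<pre>" + message + "</pre></p></body></html>";
  }

  public static void main(String[] args) {
    // Constructed attacker-controlled principal name.
    String payload = "<script>alert(document.cookie)</script>";

    // The raw <script> tag survives into the body: reflected XSS.
    System.out.println("vulnerable: "
        + renderErrorPage(403, vulnerableMessage(payload)));

    // The name never reaches the response; it is only logged.
    System.out.println("hardened:   "
        + renderErrorPage(403, hardenedMessage(payload)));

    // The name is shown but neutralised as text.
    System.out.println("escaped:    " + renderErrorPage(403,
        "User " + escapeHtml(payload) + " is unauthorized to access this page."));
  }
}
```

Running the class prints three error bodies: the first contains the literal script tag, the second carries no user-supplied data at all, and the third shows `&lt;script&gt;...` as inert text. Of the two fixes, dropping the name from the page is the simpler one to review because it removes the data flow entirely rather than relying on the escaping being correct for the context; whichever is chosen, the same treatment belongs in the other locations the report lists (WhoServlet and the older HttpServer).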