diff --git a/CHANGES.txt b/CHANGES.txt index b9b935d2d1..dca7ac2977 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -1222,6 +1222,9 @@ Release 0.21.0 - Unreleased HADOOP-6375. Sync documentation for FsShell du with its implementation. (Todd Lipcon via cdouglas) + HADOOP-6441. Protect web ui from cross site scripting attacks (XSS) on + the host http header and using encoded utf-7. (omalley) + Release 0.20.2 - Unreleased NEW FEATURES diff --git a/src/java/org/apache/hadoop/http/HttpServer.java b/src/java/org/apache/hadoop/http/HttpServer.java index 0257141b8e..4123923abb 100644 --- a/src/java/org/apache/hadoop/http/HttpServer.java +++ b/src/java/org/apache/hadoop/http/HttpServer.java @@ -624,6 +624,25 @@ public Map getParameterMap() { } return result; } + + /** + * Quote the url so that users specifying the HOST HTTP header + * can't inject attacks. + */ + @Override + public StringBuffer getRequestURL(){ + String url = rawRequest.getRequestURL().toString(); + return new StringBuffer(HtmlQuoting.quoteHtmlChars(url)); + } + + /** + * Quote the server name so that users specifying the HOST HTTP header + * can't inject attacks. + */ + @Override + public String getServerName() { + return HtmlQuoting.quoteHtmlChars(rawRequest.getServerName()); + } } @Override @@ -641,6 +660,10 @@ public void doFilter(ServletRequest request, ) throws IOException, ServletException { HttpServletRequestWrapper quoted = new RequestQuoter((HttpServletRequest) request); + final HttpServletResponse httpResponse = (HttpServletResponse) response; + // set the default to UTF-8 so that we don't need to worry about IE7 + // choosing to interpret the special characters as UTF-7 + httpResponse.setContentType("text/html;charset=utf-8"); chain.doFilter(quoted, response); }