From 875c9d62c6db32aca16201c369d972bcf4a38dbd Mon Sep 17 00:00:00 2001
From: Owen O'Malley <omalley@apache.org>
Date: Wed, 16 Dec 2009 06:31:51 +0000
Subject: [PATCH] HADOOP-6441. Protect web ui from cross site scripting attacks
 (XSS) on the host http header and using encoded utf-7. (omalley)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@891132 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES.txt                                   |  3 +++
 .../org/apache/hadoop/http/HttpServer.java    | 23 +++++++++++++++++++
 2 files changed, 26 insertions(+)

diff --git a/CHANGES.txt b/CHANGES.txt
index b9b935d2d1..dca7ac2977 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -1222,6 +1222,9 @@ Release 0.21.0 - Unreleased
     HADOOP-6375. Sync documentation for FsShell du with its implementation.
     (Todd Lipcon via cdouglas)
 
+    HADOOP-6441. Protect web ui from cross site scripting attacks (XSS) on
+    the host http header and using encoded utf-7. (omalley)
+
 Release 0.20.2 - Unreleased
 
   NEW FEATURES
diff --git a/src/java/org/apache/hadoop/http/HttpServer.java b/src/java/org/apache/hadoop/http/HttpServer.java
index 0257141b8e..4123923abb 100644
--- a/src/java/org/apache/hadoop/http/HttpServer.java
+++ b/src/java/org/apache/hadoop/http/HttpServer.java
@@ -624,6 +624,25 @@ public Map<String, String[]> getParameterMap() {
         }
         return result;
       }
+      
+      /**
+       * Quote the url so that users specifying the HOST HTTP header
+       * can't inject attacks.
+       */
+      @Override
+      public StringBuffer getRequestURL(){
+        String url = rawRequest.getRequestURL().toString();
+        return new StringBuffer(HtmlQuoting.quoteHtmlChars(url));
+      }
+      
+      /**
+       * Quote the server name so that users specifying the HOST HTTP header
+       * can't inject attacks.
+       */
+      @Override
+      public String getServerName() {
+        return HtmlQuoting.quoteHtmlChars(rawRequest.getServerName());
+      }
     }
 
     @Override
@@ -641,6 +660,10 @@ public void doFilter(ServletRequest request,
                          ) throws IOException, ServletException {
       HttpServletRequestWrapper quoted = 
         new RequestQuoter((HttpServletRequest) request);
+      final HttpServletResponse httpResponse = (HttpServletResponse) response;
+      // set the default to UTF-8 so that we don't need to worry about IE7
+      // choosing to interpret the special characters as UTF-7
+      httpResponse.setContentType("text/html;charset=utf-8");
       chain.doFilter(quoted, response);
     }