MAPREDUCE-3804. yarn webapp interface vulnerable to cross scripting attacks (Dave Thompson via bobby)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1241225 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Robert Joseph Evans 2012-02-06 22:34:28 +00:00
parent 9f2b77aee4
commit bdf837a64a
3 changed files with 7 additions and 2 deletions

View File

@ -54,6 +54,9 @@ Trunk (unreleased changes)
MAPREDUCE-2944. Improve checking of input for JobClient.displayTasks() (XieXianshan via harsh)
BUG FIXES
MAPREDUCE-3804. yarn webapp interface vulnerable to cross scripting attacks
(Dave Thompson via bobby)
MAPREDUCE-3194. "mapred mradmin" command is broken in mrv2
(Jason Lowe via bobby)

View File

@ -36,6 +36,7 @@
import org.apache.hadoop.yarn.webapp.Controller.RequestContext;
import org.apache.hadoop.yarn.webapp.Router.Dest;
import org.apache.hadoop.yarn.webapp.view.ErrorPage;
import org.apache.hadoop.http.HtmlQuoting;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@ -73,7 +74,8 @@ public void doOptions(HttpServletRequest req, HttpServletResponse res) {
public void service(HttpServletRequest req, HttpServletResponse res)
throws ServletException, IOException {
res.setCharacterEncoding("UTF-8");
String uri = req.getRequestURI();
String uri = HtmlQuoting.quoteHtmlChars(req.getRequestURI());
if (uri == null) {
uri = "/";
}

View File

@ -307,7 +307,7 @@ protected void printAttr(String name, String value) {
sb.setLength(0);
sb.append(' ').append(name);
if (value != null) {
sb.append("=\"").append(value).append("\"");
sb.append("=\"").append(escapeHtml(value)).append("\"");
}
out.print(sb.toString());
}