MAPREDUCE-3804. yarn webapp interface vulnerable to cross scripting attacks (Dave Thompson via bobby)
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1241225 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
parent
9f2b77aee4
commit
bdf837a64a
@ -54,6 +54,9 @@ Trunk (unreleased changes)
|
||||
MAPREDUCE-2944. Improve checking of input for JobClient.displayTasks() (XieXianshan via harsh)
|
||||
|
||||
BUG FIXES
|
||||
MAPREDUCE-3804. yarn webapp interface vulnerable to cross scripting attacks
|
||||
(Dave Thompson via bobby)
|
||||
|
||||
MAPREDUCE-3194. "mapred mradmin" command is broken in mrv2
|
||||
(Jason Lowe via bobby)
|
||||
|
||||
|
@ -36,6 +36,7 @@
|
||||
import org.apache.hadoop.yarn.webapp.Controller.RequestContext;
|
||||
import org.apache.hadoop.yarn.webapp.Router.Dest;
|
||||
import org.apache.hadoop.yarn.webapp.view.ErrorPage;
|
||||
import org.apache.hadoop.http.HtmlQuoting;
|
||||
|
||||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
@ -73,7 +74,8 @@ public void doOptions(HttpServletRequest req, HttpServletResponse res) {
|
||||
public void service(HttpServletRequest req, HttpServletResponse res)
|
||||
throws ServletException, IOException {
|
||||
res.setCharacterEncoding("UTF-8");
|
||||
String uri = req.getRequestURI();
|
||||
String uri = HtmlQuoting.quoteHtmlChars(req.getRequestURI());
|
||||
|
||||
if (uri == null) {
|
||||
uri = "/";
|
||||
}
|
||||
|
@ -307,7 +307,7 @@ protected void printAttr(String name, String value) {
|
||||
sb.setLength(0);
|
||||
sb.append(' ').append(name);
|
||||
if (value != null) {
|
||||
sb.append("=\"").append(value).append("\"");
|
||||
sb.append("=\"").append(escapeHtml(value)).append("\"");
|
||||
}
|
||||
out.print(sb.toString());
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user