From bdf837a64a33b1ed051edeed6b9ed70b82b0a80e Mon Sep 17 00:00:00 2001
From: Robert Joseph Evans
Date: Mon, 6 Feb 2012 22:34:28 +0000
Subject: [PATCH] MAPREDUCE-3804. yarn webapp interface vulnerable to cross scripting attacks (Dave Thompson via bobby)
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1241225 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-mapreduce-project/CHANGES.txt | 3 +++
 .../main/java/org/apache/hadoop/yarn/webapp/Dispatcher.java | 4 +++-
 .../java/org/apache/hadoop/yarn/webapp/hamlet/HamletImpl.java | 2 +-
 3 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/hadoop-mapreduce-project/CHANGES.txt b/hadoop-mapreduce-project/CHANGES.txt
index 050af54fce..587fe5e953 100644
--- a/hadoop-mapreduce-project/CHANGES.txt
+++ b/hadoop-mapreduce-project/CHANGES.txt
@@ -54,6 +54,9 @@ Trunk (unreleased changes)
 MAPREDUCE-2944. Improve checking of input for JobClient.displayTasks()
 (XieXianshan via harsh)
 
 BUG FIXES
+ MAPREDUCE-3804. yarn webapp interface vulnerable to cross scripting attacks
+ (Dave Thompson via bobby)
+
 MAPREDUCE-3194. "mapred mradmin" command is broken in mrv2 (Jason Lowe via
 bobby)
diff --git a/hadoop-mapreduce-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/Dispatcher.java b/hadoop-mapreduce-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/Dispatcher.java
index e404fe5a72..e6df346095 100644
--- a/hadoop-mapreduce-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/Dispatcher.java
+++ b/hadoop-mapreduce-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/Dispatcher.java
@@ -36,6 +36,7 @@
 import org.apache.hadoop.yarn.webapp.Controller.RequestContext;
 import org.apache.hadoop.yarn.webapp.Router.Dest;
 import org.apache.hadoop.yarn.webapp.view.ErrorPage;
+import org.apache.hadoop.http.HtmlQuoting;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -73,7 +74,8 @@ public void doOptions(HttpServletRequest req, HttpServletResponse res) {
 public void service(HttpServletRequest req, HttpServletResponse res)
 throws ServletException, IOException {
 res.setCharacterEncoding("UTF-8");
- String uri = req.getRequestURI();
+ String uri = HtmlQuoting.quoteHtmlChars(req.getRequestURI());
+
 if (uri == null) {
 uri = "/";
 }
diff --git a/hadoop-mapreduce-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/hamlet/HamletImpl.java b/hadoop-mapreduce-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/hamlet/HamletImpl.java
index 126841b860..d792d31c38 100644
--- a/hadoop-mapreduce-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/hamlet/HamletImpl.java
+++ b/hadoop-mapreduce-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/hamlet/HamletImpl.java
@@ -307,7 +307,7 @@ protected void printAttr(String name, String value) {
 sb.setLength(0);
 sb.append(' ').append(name);
 if (value != null) {
- sb.append("=\"").append(value).append("\"");
+ sb.append("=\"").append(escapeHtml(value)).append("\"");
 }
 out.print(sb.toString());
 }
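Review bot: The escaping is applied at the input boundary instead of at render time: `String uri = HtmlQuoting.quoteHtmlChars(req.getRequestURI());` replaces the path that the rest of service() works with, so if that value later feeds route resolution (the remainder of the method is outside the hunk), a request path containing `&`, `<`, `>`, `"` or `'` is rewritten before lookup and may no longer match its route. Prefer keeping `String uri = req.getRequestURI();` for dispatch and calling `HtmlQuoting.quoteHtmlChars(uri)` only at the point where the URI is written into a page, such as the not-found or error view. The new line also runs the quoting before the existing `if (uri == null)` guard, which is only correct if `quoteHtmlChars` passes a null argument through unchanged (its implementation is not shown here); a one-line comment such as `// NOTE: relies on quoteHtmlChars returning null for null input; guard below still applies` would make that ordering deliberate.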
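Review bot: The contract of printAttr changes silently: every attribute value now passes through `escapeHtml(value)`, so a caller that already HTML-encoded a value (an href carrying `&amp;`, for instance) will emit it double-encoded, and nothing in the hunk states that values must be passed raw. Add a doc comment on the method, e.g. `/** Prints one attribute; {@code value} is taken as raw text and HTML-escaped here, so callers must not pre-escape it. */`. Escaping only neutralises the characters that break out of the double-quoted attribute; it does not by itself make a URL-valued attribute such as href safe, so callers still own scheme validation for user-supplied links. The method's signature line is outside the hunk, and the origin of `escapeHtml` (presumably a static import already present in the file) is not visible in this diff.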