HDFS-13636. Cross-Site Scripting vulnerability in HttpServer2

(Contributed by Haibo Yan via Daniel Templeton)

Change-Id: I28edde8125dd20d8d270f0e609d1c04d8173c8b7
(cherry picked from commit cba3194998)
Daniel Templeton 2018-06-01 14:42:39 -07:00
parent 58b5b3aa75
commit 09fd1348e8
1 changed files with 5 additions and 2 deletions


@ -1415,8 +1415,11 @@ public final class HttpServer2 implements FilterContainer {
if (servletContext.getAttribute(ADMINS_ACL) != null &&
!userHasAdministratorAccess(servletContext, remoteUser)) {
response.sendError(HttpServletResponse.SC_FORBIDDEN, "User "
+ remoteUser + " is unauthorized to access this page.");
response.sendError(HttpServletResponse.SC_FORBIDDEN,
"Unauthenticated users are not " +
"authorized to access this page.");
LOG.warn("User " + remoteUser + " is unauthorized to access the page "
+ request.getRequestURI() + ".");
return false;
}
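Review bot: The added `LOG.warn` concatenates `remoteUser` into the log line unmodified, so the untrusted value that was taken out of the error page now lands in the log, where embedded line breaks or control characters could split or forge entries unless the configured layout encodes them. Strip or escape CR/LF in `remoteUser` (and, defensively, in `request.getRequestURI()`) before logging, and keep the line itself since it is the only record of the denied access. Separately, the new body text `"Unauthenticated users are not authorized to access this page."` does not fit this branch, which is taken when `userHasAdministratorAccess` fails for a named user; a static `"User is not authorized to access this page."` keeps the fix without misleading whoever reads the 403. The enclosing method starts and ends outside the hunk, so how a null `remoteUser` is handled earlier is not visible here.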