Apache
/
hadoop
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

svn merge -c 1588572 FIXES: YARN-1932. Javascript injection on the job status page. Contributed by Mit Desai 

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-2@1588573 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Jason Darrell Lowe 2014-04-18 21:46:14 +00:00
parent c8d5d1f82a
commit 1b0ed842d0
3 changed files with 42 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
hadoop-yarn-project/CHANGES.txt
View File

@ -132,6 +132,9 @@ Release 2.4.1 - UNRELEASED
YARN-1281. Fixed TestZKRMStateStoreZKClientConnections to not fail YARN-1281. Fixed TestZKRMStateStoreZKClientConnections to not fail
intermittently due to ZK-client timeouts. (Tsuyoshi Ozawa via vinodkv) intermittently due to ZK-client timeouts. (Tsuyoshi Ozawa via vinodkv)
YARN-1932. Javascript injection on the job status page (Mit Desai via
jlowe)
Release 2.4.0 - 2014-04-07 Release 2.4.0 - 2014-04-07
INCOMPATIBLE CHANGES INCOMPATIBLE CHANGES

4
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/view/InfoBlock.java
View File

@ -62,11 +62,11 @@ public class InfoBlock extends HtmlBlock {
DIV<TD<TR<TABLE<DIV<Hamlet>>>>> singleLineDiv; DIV<TD<TR<TABLE<DIV<Hamlet>>>>> singleLineDiv;
for ( String line :lines) { for ( String line :lines) {
singleLineDiv = td.div(); singleLineDiv = td.div();
singleLineDiv._r(line); singleLineDiv._(line);
singleLineDiv._(); singleLineDiv._();
} }
} else { } else {
td._r(value); td._(value);
} }
td._(); td._();
} else { } else {

37
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/test/java/org/apache/hadoop/yarn/webapp/view/TestInfoBlock.java
View File

@ -21,6 +21,7 @@ package org.apache.hadoop.yarn.webapp.view;
import java.io.PrintWriter; import java.io.PrintWriter;
import java.io.StringWriter; import java.io.StringWriter;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue; import static org.junit.Assert.assertTrue;
import org.apache.hadoop.yarn.webapp.ResponseInfo; import org.apache.hadoop.yarn.webapp.ResponseInfo;
@ -34,6 +35,33 @@ public class TestInfoBlock {
public static PrintWriter pw; public static PrintWriter pw;
static final String JAVASCRIPT = "<script>alert('text')</script>";
static final String JAVASCRIPT_ESCAPED =
"&lt;script&gt;alert('text')&lt;/script&gt;";
public static class JavaScriptInfoBlock extends InfoBlock{
static ResponseInfo resInfo;
static {
resInfo = new ResponseInfo();
resInfo._("User_Name", JAVASCRIPT);
}
@Override
public PrintWriter writer() {
return TestInfoBlock.pw;
}
JavaScriptInfoBlock(ResponseInfo info) {
super(resInfo);
}
public JavaScriptInfoBlock() {
super(resInfo);
}
}
public static class MultilineInfoBlock extends InfoBlock{ public static class MultilineInfoBlock extends InfoBlock{
static ResponseInfo resInfo; static ResponseInfo resInfo;
@ -78,4 +106,13 @@ public class TestInfoBlock {
+ " This is second line.%n </div>%n"); + " This is second line.%n </div>%n");
assertTrue(output.contains(expectedSinglelineData) && output.contains(expectedMultilineData)); assertTrue(output.contains(expectedSinglelineData) && output.contains(expectedMultilineData));
} }
@Test(timeout=60000L)
public void testJavaScriptInfoBlock() throws Exception{
WebAppTests.testBlock(JavaScriptInfoBlock.class);
TestInfoBlock.pw.flush();
String output = TestInfoBlock.sw.toString();
assertFalse(output.contains("<script>"));
assertTrue(output.contains(JAVASCRIPT_ESCAPED));
}
} }