HADOOP-12584. Disable browsing the static directory in HttpServer2. Contributed by Robert Kanter.

hadoop-common-project/hadoop-common/CHANGES.txt

@@ -1583,6 +1583,9 @@ Release 2.8.0 - UNRELEASED
     HADOOP-12551. Introduce FileNotFoundException for WASB FileSystem API
     (Dushyanth via cnauroth)
 
+    HADOOP-12584. Disable browsing the static directory in HttpServer2.
+    (Robert Kanter via aajisaka)
+
 Release 2.7.3 - UNRELEASED
 
   INCOMPATIBLE CHANGES

hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java

@@ -543,6 +543,9 @@ public final class HttpServer2 implements FilterContainer {
     staticContext.setResourceBase(appDir + "/static");
     staticContext.addServlet(DefaultServlet.class, "/*");
     staticContext.setDisplayName("static");
+    @SuppressWarnings("unchecked")
+    Map<String, String> params = staticContext.getInitParams();
+    params.put("org.mortbay.jetty.servlet.Default.dirAllowed", "false");
     SessionHandler handler = new SessionHandler();
     SessionManager sm = handler.getSessionManager();
     if (sm instanceof AbstractSessionManager) {

hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/test/java/org/apache/hadoop/yarn/webapp/TestWebApp.java

@@ -261,7 +261,7 @@ public class TestWebApp {
   }
 
   // This is to test the GuiceFilter should only be applied to webAppContext,
-  // not to staticContext  and logContext;
+  // not to logContext;
   @Test public void testYARNWebAppContext() throws Exception {
     // setting up the log context
     System.setProperty("hadoop.log.dir", "/Not/Existing/dir");
@@ -272,8 +272,6 @@ public class TestWebApp {
     });
     String baseUrl = baseUrl(app);
     try {
-      // should not redirect to foo
-      assertFalse("foo".equals(getContent(baseUrl +"static").trim()));
       // Not able to access a non-existing dir, should not redirect to foo.
       assertEquals(404, getResponseCode(baseUrl +"logs"));
       // should be able to redirect to foo.