
HADOOP-6441. Protect web ui from cross site scripting attacks (XSS) on
the host http header and using encoded utf-7. (omalley)


git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@891132 13f79535-47bb-0310-9956-ffa450edef68

Owen O'Malley, 15 years ago
Parent
Current commit 875c9d62c6
2 files changed, 26 insertions and 0 deletions
  1. +3 -0  CHANGES.txt
  2. +23 -0 src/java/org/apache/hadoop/http/HttpServer.java

+ 3 - 0
CHANGES.txt

@@ -1222,6 +1222,9 @@ Release 0.21.0 - Unreleased
     HADOOP-6375. Sync documentation for FsShell du with its implementation.
     (Todd Lipcon via cdouglas)
 
+    HADOOP-6441. Protect web ui from cross site scripting attacks (XSS) on
+    the host http header and using encoded utf-7. (omalley)
+
 Release 0.20.2 - Unreleased
 
   NEW FEATURES
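Review bot: the CHANGES.txt entry is filed under Release 0.21.0 only, while the hunk's trailing context shows the "Release 0.20.2 - Unreleased" section directly below it; if this XSS fix is meant to ship on the 0.20 branch as well, it needs a matching entry in that section, otherwise the 0.20.2 notes will not mention it.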

+ 23 - 0
src/java/org/apache/hadoop/http/HttpServer.java

@@ -624,6 +624,25 @@ public class HttpServer implements FilterContainer {
         }
         return result;
       }
+      
+      /**
+       * Quote the url so that users specifying the HOST HTTP header
+       * can't inject attacks.
+       */
+      @Override
+      public StringBuffer getRequestURL(){
+        String url = rawRequest.getRequestURL().toString();
+        return new StringBuffer(HtmlQuoting.quoteHtmlChars(url));
+      }
+      
+      /**
+       * Quote the server name so that users specifying the HOST HTTP header
+       * can't inject attacks.
+       */
+      @Override
+      public String getServerName() {
+        return HtmlQuoting.quoteHtmlChars(rawRequest.getServerName());
+      }
     }
 
     @Override
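Review bot: the new getRequestURL() and getServerName() overrides apply HtmlQuoting.quoteHtmlChars at the point the value is read rather than where it is rendered, so any servlet that uses these for something other than HTML output (building a redirect Location, comparing the server name, logging) will now receive the HTML-escaped form. The doc comments should state that the returned strings are HTML-quoted and that callers needing the raw value must go through rawRequest, or the escaping should move to the output site. It is also not visible in this hunk whether getHeader("Host") on the wrapper is quoted the same way; if it is not, the Host header value remains reachable unescaped through that accessor even though getServerName() is now protected.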
@@ -641,6 +660,10 @@ public class HttpServer implements FilterContainer {
                          ) throws IOException, ServletException {
       HttpServletRequestWrapper quoted = 
         new RequestQuoter((HttpServletRequest) request);
+      final HttpServletResponse httpResponse = (HttpServletResponse) response;
+      // set the default to UTF-8 so that we don't need to worry about IE7
+      // choosing to interpret the special characters as UTF-7
+      httpResponse.setContentType("text/html;charset=utf-8");
       chain.doFilter(quoted, response);
     }