From 96f28d878ee4d768ec487957535e6c585d521b9c Mon Sep 17 00:00:00 2001
From: Eli Collins
Date: Thu, 15 Nov 2012 20:37:41 +0000
Subject: [PATCH] HDFS-4100. Fix all findbug security warings. Contributed by Liang Xie
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1409995 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt | 2 ++
 .../hadoop/hdfs/qjournal/server/GetJournalEditServlet.java | 6 ++++--
 .../hadoop/hdfs/server/datanode/DatanodeJspHelper.java | 5 +++--
 3 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 5e857700d23..954636c0bc4 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -598,6 +598,8 @@ Release 2.0.3-alpha - Unreleased
 HDFS-3623. BKJM: zkLatchWaitTimeout hard coded to 6000. Make use of
 ZKSessionTimeout instead. (umamahesh)
 
+ HDFS-4100. Fix all findbug security warings. (Liang Xie via eli)
+
 Release 2.0.2-alpha - 2012-09-07
 
 INCOMPATIBLE CHANGES
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/qjournal/server/GetJournalEditServlet.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/qjournal/server/GetJournalEditServlet.java
index 6fac6a06861..36135cba648 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/qjournal/server/GetJournalEditServlet.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/qjournal/server/GetJournalEditServlet.java
@@ -31,6 +31,7 @@
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import org.apache.commons.lang.StringEscapeUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.classification.InterfaceAudience;
@@ -139,8 +140,9 @@ public class GetJournalEditServlet extends HttpServlet {
 HttpServletRequest request, HttpServletResponse response)
 throws IOException {
 String myStorageInfoString = storage.toColonSeparatedString();
- String theirStorageInfoString = request.getParameter(STORAGEINFO_PARAM);
-
+ String theirStorageInfoString = StringEscapeUtils.escapeHtml(
+ request.getParameter(STORAGEINFO_PARAM));
+
 if (theirStorageInfoString != null
 && !myStorageInfoString.equals(theirStorageInfoString)) {
 String msg = "This node has storage info '" + myStorageInfoString
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DatanodeJspHelper.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DatanodeJspHelper.java
index 98dceceb5d3..d614e8745a4 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DatanodeJspHelper.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/DatanodeJspHelper.java
@@ -259,7 +259,8 @@ public class DatanodeJspHelper {
 int namenodeInfoPort = -1;
 if (namenodeInfoPortStr != null)
 namenodeInfoPort = Integer.parseInt(namenodeInfoPortStr);
- final String nnAddr = req.getParameter(JspHelper.NAMENODE_ADDRESS);
+ final String nnAddr = StringEscapeUtils.escapeHtml(
+ req.getParameter(JspHelper.NAMENODE_ADDRESS));
 if (nnAddr == null){
 out.print(JspHelper.NAMENODE_ADDRESS + " url param is null");
 return;
@@ -637,7 +638,7 @@ public class DatanodeJspHelper {
 UserGroupInformation ugi = JspHelper.getUGI(req, conf);
 String namenodeInfoPortStr = req.getParameter("namenodeInfoPort");
- String nnAddr = req.getParameter(JspHelper.NAMENODE_ADDRESS);
+ String nnAddr = StringEscapeUtils.escapeHtml(req.getParameter(JspHelper.NAMENODE_ADDRESS));
 int namenodeInfoPort = -1;
 if (namenodeInfoPortStr != null)
 namenodeInfoPort = Integer.parseInt(namenodeInfoPortStr);
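Review bot: Escaping `theirStorageInfoString` before the `equals` check on the following context line changes what the comparison accepts: any storage-info value containing a character that escapeHtml rewrites (`&`, `<`, `>`, `"`) would no longer match `myStorageInfoString`, so a legitimate peer could be rejected on a spurious mismatch rather than on a real one. HTML escaping belongs where the value is written into the response, not where the parameter is read, so keep the comparison on the raw value, `String theirStorageInfoString = request.getParameter(STORAGEINFO_PARAM);`, and wrap only the copy that goes into the error message built from the last context line, `StringEscapeUtils.escapeHtml(theirStorageInfoString)`. escapeHtml returns null for a null input, so the existing null check is unaffected either way. The method body and the code that emits `msg` continue outside this hunk.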
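Review bot: `nnAddr` is HTML-escaped as it is read from the request, but the `nnAddr == null` branch below suggests it is a NameNode address that is presumably used for addressing or link construction after the hunk, not only printed, so the entity-encoded form is what reaches that later use; the one-line change in the `@@ -637,7 +638,7 @@` hunk has the same shape. Escaping at output keeps the address intact for non-HTML use and still neutralises it on the page: read the raw parameter here and wrap the occurrences written via `out.print(...)` in `StringEscapeUtils.escapeHtml(...)`. Separately, `Integer.parseInt(namenodeInfoPortStr)` on the third context line is still unguarded, so a non-numeric `namenodeInfoPort` parameter surfaces as an uncaught NumberFormatException; a `catch (NumberFormatException e)` that reports the bad parameter the way the existing "url param is null" message does would be consistent with the branch that follows. The enclosing method continues outside the hunk.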