MAPREDUCE-3804. yarn webapp interface vulnerable to cross scripting attacks (Dave Thompson via bobby)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1241225 13f79535-47bb-0310-9956-ffa450edef68

hadoop-mapreduce-project/CHANGES.txt

@@ -54,6 +54,9 @@ Trunk (unreleased changes)
     MAPREDUCE-2944. Improve checking of input for JobClient.displayTasks() (XieXianshan via harsh)
 
   BUG FIXES
+    MAPREDUCE-3804. yarn webapp interface vulnerable to cross scripting attacks
+    (Dave Thompson via bobby)
+
     MAPREDUCE-3194. "mapred mradmin" command is broken in mrv2
                      (Jason Lowe via bobby)
 

hadoop-mapreduce-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/Dispatcher.java

@@ -36,6 +36,7 @@
 import org.apache.hadoop.yarn.webapp.Controller.RequestContext;
 import org.apache.hadoop.yarn.webapp.Router.Dest;
 import org.apache.hadoop.yarn.webapp.view.ErrorPage;
+import org.apache.hadoop.http.HtmlQuoting;
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -73,7 +74,8 @@ public void doOptions(HttpServletRequest req, HttpServletResponse res) {
   public void service(HttpServletRequest req, HttpServletResponse res)
       throws ServletException, IOException {
     res.setCharacterEncoding("UTF-8");
-    String uri = req.getRequestURI();
+    String uri = HtmlQuoting.quoteHtmlChars(req.getRequestURI());
+
     if (uri == null) {
       uri = "/";
     }

hadoop-mapreduce-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/hamlet/HamletImpl.java

@@ -307,7 +307,7 @@ protected void printAttr(String name, String value) {
     sb.setLength(0);
     sb.append(' ').append(name);
     if (value != null) {
-      sb.append("=\"").append(value).append("\"");
+      sb.append("=\"").append(escapeHtml(value)).append("\"");
     }
     out.print(sb.toString());
   }