MAPREDUCE-3804. yarn webapp interface vulnerable to cross scripting attacks (Dave Thompson via bobby)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1241225 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Robert Joseph Evans 2012-02-06 22:34:28 +00:00
parent 9f2b77aee4
commit bdf837a64a
3 changed files with 7 additions and 2 deletions


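--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -54,6 +54,9 @@ Trunk (unreleased changes)
     MAPREDUCE-2944. Improve checking of input for JobClient.displayTasks() (XieXianshan via harsh)
   BUG FIXES
+    MAPREDUCE-3804. yarn webapp interface vulnerable to cross scripting attacks
+    (Dave Thompson via bobby)
     MAPREDUCE-3194. "mapred mradmin" command is broken in mrv2
     (Jason Lowe via bobby)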


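--- a/Dispatcher.java
+++ b/Dispatcher.java
@@ -36,6 +36,7 @@ import javax.servlet.http.HttpServletResponse;
 import org.apache.hadoop.yarn.webapp.Controller.RequestContext;
 import org.apache.hadoop.yarn.webapp.Router.Dest;
 import org.apache.hadoop.yarn.webapp.view.ErrorPage;
+import org.apache.hadoop.http.HtmlQuoting;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -73,7 +74,8 @@ public class Dispatcher extends HttpServlet {
   public void service(HttpServletRequest req, HttpServletResponse res)
       throws ServletException, IOException {
     res.setCharacterEncoding("UTF-8");
-    String uri = req.getRequestURI();
+    String uri = HtmlQuoting.quoteHtmlChars(req.getRequestURI());
     if (uri == null) {
       uri = "/";
     }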
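Review bot: Escaping on the way in, at `String uri = HtmlQuoting.quoteHtmlChars(req.getRequestURI());`, changes the value that service() goes on to use for everything else, so a request path containing `&`, `'`, `"`, `<` or `>` is presumably matched against its entity-encoded form rather than what the client sent; the remainder of service(), including the routing and whatever renders the URI into an ErrorPage, lies outside the hunk. HTML escaping belongs at the render site, and the other change in this commit, HamletImpl escaping attribute values, means a URI that is pre-quoted here and then rendered through Hamlet would come out double-encoded (`&amp;amp;`). I would keep `String uri = req.getRequestURI();` and apply `HtmlQuoting.quoteHtmlChars(uri)` only where the URI is written into the error page or a log line. The `if (uri == null)` check on the following line still does its job only if quoteHtmlChars passes null through unchanged; that is not visible here and should be confirmed against HtmlQuoting.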


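--- a/HamletImpl.java
+++ b/HamletImpl.java
@@ -307,7 +307,7 @@ public class HamletImpl extends HamletSpec {
     sb.setLength(0);
     sb.append(' ').append(name);
     if (value != null) {
-      sb.append("=\"").append(value).append("\"");
+      sb.append("=\"").append(escapeHtml(value)).append("\"");
     }
     out.print(sb.toString());
   }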
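Review bot: The method containing `escapeHtml(value)` starts before the hunk and the origin of escapeHtml is not shown; if it is commons-lang's `StringEscapeUtils.escapeHtml`, it encodes `<`, `>`, `&` and `"` but leaves `'` alone, which is adequate here only because the value is always emitted between double quotes on the same line. That coupling deserves a comment so the quoting style is not changed later without revisiting the escape: `// value is always wrapped in double quotes; escapeHtml covers < > & " (not '), so this is safe`. Escaping only prevents breaking out of the attribute: a caller-supplied `href` or `src` that is attacker-controlled can still carry a `javascript:` URL, so URL-valued attributes need scheme validation in the builder rather than just this escape. Whether text-node content receives the same treatment is outside this hunk and should be checked separately.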