MAPREDUCE-3804. yarn webapp interface vulnerable to cross scripting attacks (Dave Thompson via bobby)
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1241225 13f79535-47bb-0310-9956-ffa450edef68
parent
9f2b77aee4
commit
bdf837a64a
@ -54,6 +54,9 @@ Trunk (unreleased changes)
|
||||||
MAPREDUCE-2944. Improve checking of input for JobClient.displayTasks() (XieXianshan via harsh)
|
MAPREDUCE-2944. Improve checking of input for JobClient.displayTasks() (XieXianshan via harsh)
|
||||||
|
|
||||||
BUG FIXES
|
BUG FIXES
|
||||||
|
MAPREDUCE-3804. yarn webapp interface vulnerable to cross scripting attacks
|
||||||
|
(Dave Thompson via bobby)
|
||||||
|
|
||||||
MAPREDUCE-3194. "mapred mradmin" command is broken in mrv2
|
MAPREDUCE-3194. "mapred mradmin" command is broken in mrv2
|
||||||
(Jason Lowe via bobby)
|
(Jason Lowe via bobby)
|
||||||
|
|
||||||
|
|
|
@ -36,6 +36,7 @@ import javax.servlet.http.HttpServletResponse;
|
||||||
import org.apache.hadoop.yarn.webapp.Controller.RequestContext;
|
import org.apache.hadoop.yarn.webapp.Controller.RequestContext;
|
||||||
import org.apache.hadoop.yarn.webapp.Router.Dest;
|
import org.apache.hadoop.yarn.webapp.Router.Dest;
|
||||||
import org.apache.hadoop.yarn.webapp.view.ErrorPage;
|
import org.apache.hadoop.yarn.webapp.view.ErrorPage;
|
||||||
|
import org.apache.hadoop.http.HtmlQuoting;
|
||||||
|
|
||||||
import org.slf4j.Logger;
|
import org.slf4j.Logger;
|
||||||
import org.slf4j.LoggerFactory;
|
import org.slf4j.LoggerFactory;
|
||||||
|
@ -73,7 +74,8 @@ public class Dispatcher extends HttpServlet {
|
||||||
public void service(HttpServletRequest req, HttpServletResponse res)
|
public void service(HttpServletRequest req, HttpServletResponse res)
|
||||||
throws ServletException, IOException {
|
throws ServletException, IOException {
|
||||||
res.setCharacterEncoding("UTF-8");
|
res.setCharacterEncoding("UTF-8");
|
||||||
String uri = req.getRequestURI();
|
String uri = HtmlQuoting.quoteHtmlChars(req.getRequestURI());
|
||||||
|
|
||||||
if (uri == null) {
|
if (uri == null) {
|
||||||
uri = "/";
|
uri = "/";
|
||||||
}
|
}
|
||||||
|
|
|
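Review bot: Quoting the request URI at the point it is read (`String uri = HtmlQuoting.quoteHtmlChars(req.getRequestURI());`) encodes it for every later use inside service(), not only for the HTML error page, so a path containing `&`, `<`, `>`, `"` or `'` is now routed, logged or redirected in its entity-encoded form rather than as the client sent it. The safer shape is to keep `String uri = req.getRequestURI();` for routing and apply `HtmlQuoting.quoteHtmlChars(uri)` only where the value is written into a response body. The `if (uri == null)` guard that follows still works only if quoteHtmlChars passes null through unchanged; that is not visible in this hunk and should be confirmed. The remainder of service(), including the routing and error-rendering code this affects, lies outside the hunk.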
@ -307,7 +307,7 @@ public class HamletImpl extends HamletSpec {
|
||||||
sb.setLength(0);
|
sb.setLength(0);
|
||||||
sb.append(' ').append(name);
|
sb.append(' ').append(name);
|
||||||
if (value != null) {
|
if (value != null) {
|
||||||
sb.append("=\"").append(value).append("\"");
|
sb.append("=\"").append(escapeHtml(value)).append("\"");
|
||||||
}
|
}
|
||||||
out.print(sb.toString());
|
out.print(sb.toString());
|
||||||
}
|
}
|
||||||
|
|
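Review bot: The attribute value is now escaped on `sb.append("=\"").append(escapeHtml(value)).append("\"");`, but the attribute name on `sb.append(' ').append(name);` two lines above is still emitted verbatim, so the fix holds only while every name is a compile-time literal rather than anything derived from a request; a comment stating that assumption would keep a later caller from passing through user-supplied names. Because the value is written inside a double-quoted attribute, the escapeHtml in use must also encode `"` (not only `<`, `>` and `&`); which escapeHtml is statically imported is not visible in this hunk and is worth checking. Suggested comment above the append: `// value lands inside a double-quoted attribute: escapeHtml must encode '"' as well as '<', '>' and '&'; name is expected to be a trusted literal`. The enclosing method begins outside the hunk.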