Apache
/
hadoop
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

YARN-1993. Cross-site scripting vulnerability in TextView.java. Contributed byKenji Kikushima.

This commit is contained in:
Tsuyoshi Ozawa 2015-05-03 10:51:17 +09:00
parent 6ae2a0d048
commit e8d0ee5fc9
2 changed files with 8 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
hadoop-yarn-project/CHANGES.txt
View File

@ -293,6 +293,10 @@ Release 2.8.0 - UNRELEASED
YARN-2454. Fix compareTo of variable UNBOUNDED in o.a.h.y.util.resource.Resources. YARN-2454. Fix compareTo of variable UNBOUNDED in o.a.h.y.util.resource.Resources.
(Xu Yang via junping_du) (Xu Yang via junping_du)
YARN-1993. Cross-site scripting vulnerability in TextView.java. (Kenji Kikushima
via ozawa)
Release 2.7.1 - UNRELEASED Release 2.7.1 - UNRELEASED
INCOMPATIBLE CHANGES INCOMPATIBLE CHANGES

5
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/view/TextView.java
View File

@ -20,6 +20,7 @@ package org.apache.hadoop.yarn.webapp.view;
import java.io.PrintWriter; import java.io.PrintWriter;
import org.apache.commons.lang.StringEscapeUtils;
import org.apache.hadoop.classification.InterfaceAudience; import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.yarn.webapp.View; import org.apache.hadoop.yarn.webapp.View;
@ -45,7 +46,9 @@ public abstract class TextView extends View {
public void echo(Object... args) { public void echo(Object... args) {
PrintWriter out = writer(); PrintWriter out = writer();
for (Object s : args) { for (Object s : args) {
out.print(s); String escapedString = StringEscapeUtils.escapeJavaScript(
StringEscapeUtils.escapeHtml(s.toString()));
out.print(escapedString);
} }
} }