YARN-1993. Cross-site scripting vulnerability in TextView.java. Contributed byKenji Kikushima.

2015-05-03 10:51:17 +09:00 · 2015-05-03 10:51:17 +09:00 · e8d0ee5fc9
parent 6ae2a0d048
commit e8d0ee5fc9
2 changed files with 8 additions and 1 deletions
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@ -293,6 +293,10 @@ Release 2.8.0 - UNRELEASED
    YARN-2454. Fix compareTo of variable UNBOUNDED in o.a.h.y.util.resource.Resources.
    (Xu Yang via junping_du)

+    YARN-1993. Cross-site scripting vulnerability in TextView.java. (Kenji Kikushima
+    via ozawa)
+
+
 Release 2.7.1 - UNRELEASED

  INCOMPATIBLE CHANGES
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/view/TextView.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/view/TextView.java
@ -20,6 +20,7 @@ package org.apache.hadoop.yarn.webapp.view;

 import java.io.PrintWriter;

+import org.apache.commons.lang.StringEscapeUtils;
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.yarn.webapp.View;

@ -45,7 +46,9 @@ public abstract class TextView extends View {
  public void echo(Object... args) {
    PrintWriter out = writer();
    for (Object s : args) {
-      out.print(s);
+      String escapedString = StringEscapeUtils.escapeJavaScript(
+          StringEscapeUtils.escapeHtml(s.toString()));
+      out.print(escapedString);
    }
  }