From omal...@apache.org
Subject svn commit: r891134 - in /hadoop/common/branches/branch-0.21: ./ CHANGES.txt src/contrib/ec2/ src/docs/ src/java/ src/java/org/apache/hadoop/http/HttpServer.java src/test/core/
Date Wed, 16 Dec 2009 07:01:03 GMT
Author: omalley
Date: Wed Dec 16 07:01:02 2009
New Revision: 891134

URL: http://svn.apache.org/viewvc?rev=891134&view=rev
Log:
HADOOP-6441. Protect web ui from cross site scripting attacks (XSS) on
the host http header and using encoded utf-7. (omalley)

Modified:
    hadoop/common/branches/branch-0.21/   (props changed)
    hadoop/common/branches/branch-0.21/CHANGES.txt   (contents, props changed)
    hadoop/common/branches/branch-0.21/src/contrib/ec2/   (props changed)
    hadoop/common/branches/branch-0.21/src/docs/   (props changed)
    hadoop/common/branches/branch-0.21/src/java/   (props changed)
    hadoop/common/branches/branch-0.21/src/java/org/apache/hadoop/http/HttpServer.java
    hadoop/common/branches/branch-0.21/src/test/core/   (props changed)

Propchange: hadoop/common/branches/branch-0.21/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Wed Dec 16 07:01:02 2009
@@ -1,2 +1,2 @@
-/hadoop/common/trunk:818543,819670,824900-824942,831032,831070,832157,884428,885534,888565,889378
+/hadoop/common/trunk:818543,819670,824900-824942,831032,831070,832157,884428,885534,888565,889378,891132
 /hadoop/core/branches/branch-0.19/core:713112

Modified: hadoop/common/branches/branch-0.21/CHANGES.txt
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.21/CHANGES.txt?rev=891134&r1=891133&r2=891134&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.21/CHANGES.txt (original)
+++ hadoop/common/branches/branch-0.21/CHANGES.txt Wed Dec 16 07:01:02 2009
@@ -1,6 +1,6 @@
 Hadoop Change Log
 
-Trunk (unreleased changes)
+Release 0.21.0 - Unreleased
 
   INCOMPATIBLE CHANGES
 
@@ -1136,6 +1136,9 @@
 
     HADOOP-6428. HttpServer sleeps with negative values. (cos)
 
+    HADOOP-6441. Protect web ui from cross site scripting attacks (XSS) on
+    the host http header and using encoded utf-7. (omalley)
+
 Release 0.20.2 - Unreleased
 
   NEW FEATURES

Propchange: hadoop/common/branches/branch-0.21/CHANGES.txt
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Wed Dec 16 07:01:02 2009
@@ -1,4 +1,4 @@
-/hadoop/common/trunk/CHANGES.txt:818543,819670,823756,824900-824942,831032,831070,832157,884428,888565,889378
+/hadoop/common/trunk/CHANGES.txt:818543,819670,823756,824900-824942,831032,831070,832157,884428,888565,889378,891132
 /hadoop/core/branches/branch-0.18/CHANGES.txt:727226
 /hadoop/core/branches/branch-0.19/CHANGES.txt:713112
 /hadoop/core/trunk/CHANGES.txt:776175-785643,785929-786278

Propchange: hadoop/common/branches/branch-0.21/src/contrib/ec2/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Wed Dec 16 07:01:02 2009
@@ -1,3 +1,3 @@
-/hadoop/common/trunk/src/contrib/ec2:818543,819670,831032,831070,832157,884428,885534,888565,889378
+/hadoop/common/trunk/src/contrib/ec2:818543,819670,831032,831070,832157,884428,885534,888565,889378,891132
 /hadoop/core/branches/branch-0.19/core/src/contrib/ec2:713112
 /hadoop/core/trunk/src/contrib/ec2:776175-784663

Propchange: hadoop/common/branches/branch-0.21/src/docs/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Wed Dec 16 07:01:02 2009
@@ -1,2 +1,2 @@
-/hadoop/common/trunk/src/docs:818543,819670,831032,831070,832157,884428,885534,888565,889378
+/hadoop/common/trunk/src/docs:818543,819670,831032,831070,832157,884428,885534,888565,889378,891132
 /hadoop/core/branches/branch-0.19/src/docs:713112

Propchange: hadoop/common/branches/branch-0.21/src/java/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Wed Dec 16 07:01:02 2009
@@ -1,3 +1,3 @@
-/hadoop/common/trunk/src/java:818543,819670,831032,831070,832157,884428,885534,888565,889378
+/hadoop/common/trunk/src/java:818543,819670,831032,831070,832157,884428,885534,888565,889378,891132
 /hadoop/core/branches/branch-0.19/core/src/java:713112
 /hadoop/core/trunk/src/core:776175-785643,785929-786278

Modified: hadoop/common/branches/branch-0.21/src/java/org/apache/hadoop/http/HttpServer.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.21/src/java/org/apache/hadoop/http/HttpServer.java?rev=891134&r1=891133&r2=891134&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.21/src/java/org/apache/hadoop/http/HttpServer.java (original)
+++ hadoop/common/branches/branch-0.21/src/java/org/apache/hadoop/http/HttpServer.java Wed
Dec 16 07:01:02 2009
@@ -624,6 +624,25 @@
         }
         return result;
       }
+      
+      /**
+       * Quote the url so that users specifying the HOST HTTP header
+       * can't inject attacks.
+       */
+      @Override
+      public StringBuffer getRequestURL(){
+        String url = rawRequest.getRequestURL().toString();
+        return new StringBuffer(HtmlQuoting.quoteHtmlChars(url));
+      }
+      
+      /**
+       * Quote the server name so that users specifying the HOST HTTP header
+       * can't inject attacks.
+       */
+      @Override
+      public String getServerName() {
+        return HtmlQuoting.quoteHtmlChars(rawRequest.getServerName());
+      }
     }
 
     @Override
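Review bot: The values returned by the new getRequestURL and getServerName overrides are HTML-escaped, which is only correct when the caller embeds them in an HTML body; any caller that reuses them in a non-HTML context (a Location header for a redirect, a log line, a comparison against a configured host name) now sees `&amp;`/`&lt;`-style sequences instead of the original characters, and the Javadoc does not say so. Suggest documenting the contract on both methods, e.g. `* Returns the value with HTML special characters escaped via HtmlQuoting.quoteHtmlChars; safe for embedding in HTML output only, not for redirects or host comparisons.` This hunk does not override getHeader, so code that reads the Host header directly presumably still receives the raw value — worth confirming the rest of RequestQuoter covers that path. The enclosing RequestQuoter class starts outside the hunk.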
@@ -641,6 +660,10 @@
                          ) throws IOException, ServletException {
       HttpServletRequestWrapper quoted = 
         new RequestQuoter((HttpServletRequest) request);
+      final HttpServletResponse httpResponse = (HttpServletResponse) response;
+      // set the default to UTF-8 so that we don't need to worry about IE7
+      // choosing to interpret the special characters as UTF-7
+      httpResponse.setContentType("text/html;charset=utf-8");
       chain.doFilter(quoted, response);
     }
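Review bot: `httpResponse.setContentType("text/html;charset=utf-8")` forces a text/html media type on every response that passes through the filter, not just a charset; a servlet behind it that writes plain text, JSON or XML without calling setContentType itself would now be served as HTML and rendered by the browser, which widens the exposure this change is meant to close. If the intent is only to pin the charset before the response is committed, `httpResponse.setCharacterEncoding("UTF-8");` before `chain.doFilter` does that without changing the media type; servlets that set a full content type later still override either call, since both run before the chain. A comment making the "default only" nature explicit would help the next reader, e.g. `// default only: servlets that call setContentType() later override it`. The doFilter signature begins outside the hunk.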
 

Propchange: hadoop/common/branches/branch-0.21/src/test/core/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Wed Dec 16 07:01:02 2009
@@ -1,3 +1,3 @@
-/hadoop/common/trunk/src/test/core:818543,819670,831032,831070,832157,884428,885534,888565,889378
+/hadoop/common/trunk/src/test/core:818543,819670,831032,831070,832157,884428,885534,888565,889378,891132
 /hadoop/core/branches/branch-0.19/core/src/test/core:713112
 /hadoop/core/trunk/src/test/core:776175-785643,785929-786278


