hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ivan Mitic (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-8456) Support spaces in user names and group names in results returned via winutils
Date Fri, 26 Oct 2012 22:15:12 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-8456?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13485242#comment-13485242

Ivan Mitic commented on HADOOP-8456:

bq. Quotes aren't adequate if the shell is involved. Ex. A typical exploit is to pass constructs
like ";malicious-cmd;" or $(malicious-cmd). If the shell is completely bypassed, as it should
be, the list of args can be passed through execve with no quotes. The shell should never be
involved in command execution unless you actually want it to possibly mangle your parameters
which is almost never the case.
I see, thanks for clarifying. I don't think we have this problem here as windows shell is
not involved. The quoted strings go thru the following stack: Java#ProcessBuilder->Win32#CreateProcess->Winutils.exe#argc/argv.
On the other hand, we have to place username under quotes, as it won't be passed as a single
argument to underlying winutils exe. For example:
{{winutils groups user name}}
does not work (4 args), while
{{winutils groups "user name"}}
works. Make sense, or am I missing something?
> Support spaces in user names and group names in results returned via winutils
> -----------------------------------------------------------------------------
>                 Key: HADOOP-8456
>                 URL: https://issues.apache.org/jira/browse/HADOOP-8456
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: native
>    Affects Versions: 1-win
>            Reporter: Chuan Liu
>            Assignee: Ivan Mitic
>            Priority: Minor
>         Attachments: HADOOP-8456.branch-1-win.spaces.patch
> When parsing results returned by ‘ls’, we made implicit assumption that user and
group names cannot contain spaces. On Linux, spaces are not allowed in user names and group
names. This is not the case for Windows. We need to find a way to fix the problem for Windows.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

View raw message