From d...@apache.org
Subject svn commit: r985393 - in /hadoop/hdfs/trunk: ./ src/java/org/apache/hadoop/hdfs/server/common/ src/java/org/apache/hadoop/hdfs/server/datanode/ src/test/hdfs/org/apache/hadoop/hdfs/server/common/
Date Fri, 13 Aug 2010 22:50:40 GMT
Author: ddas
Date: Fri Aug 13 22:50:40 2010
New Revision: 985393

URL: http://svn.apache.org/viewvc?rev=985393&view=rev
Log:
HDFS-1340. When security is turned off, there is a potential XSS attack. This patch fixes
it by removing delegationtoken string from the URL, before returning a response to the client.
Contributed by Jitendra Pandey.

Modified:
    hadoop/hdfs/trunk/CHANGES.txt
    hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/server/common/JspHelper.java
    hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/server/datanode/DatanodeJspHelper.java
    hadoop/hdfs/trunk/src/test/hdfs/org/apache/hadoop/hdfs/server/common/TestJspHelper.java

Modified: hadoop/hdfs/trunk/CHANGES.txt
URL: http://svn.apache.org/viewvc/hadoop/hdfs/trunk/CHANGES.txt?rev=985393&r1=985392&r2=985393&view=diff
==============================================================================
--- hadoop/hdfs/trunk/CHANGES.txt (original)
+++ hadoop/hdfs/trunk/CHANGES.txt Fri Aug 13 22:50:40 2010
@@ -204,6 +204,10 @@ Trunk (unreleased changes)
     HDFS-1301.  TestHDFSProxy need to use server side conf for ProxyUser 
     stuff. (boryas)
 
+    HDFS-1340. When security is turned off, there is a potential XSS attack. 
+    This patch fixes it by removing delegationtoken string from the URL, 
+    before returning a response to the client. (Jitendra Pandey via ddas)
+
 Release 0.21.0 - Unreleased
 
   INCOMPATIBLE CHANGES

Modified: hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/server/common/JspHelper.java
URL: http://svn.apache.org/viewvc/hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/server/common/JspHelper.java?rev=985393&r1=985392&r2=985393&view=diff
==============================================================================
--- hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/server/common/JspHelper.java (original)
+++ hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/server/common/JspHelper.java Fri Aug
13 22:50:40 2010
@@ -354,15 +354,16 @@ public class JspHelper {
       String[] parts = dir.split(Path.SEPARATOR);
       StringBuilder tempPath = new StringBuilder(dir.length());
       out.print("<a href=\"browseDirectory.jsp" + "?dir="+ Path.SEPARATOR
-          + "&namenodeInfoPort=" + namenodeInfoPort + SET_DELEGATION
-          + tokenString + "\">" + Path.SEPARATOR + "</a>");
+          + "&namenodeInfoPort=" + namenodeInfoPort
+          + getDelegationTokenUrlParam(tokenString) + "\">" + Path.SEPARATOR
+          + "</a>");
       tempPath.append(Path.SEPARATOR);
       for (int i = 0; i < parts.length-1; i++) {
         if (!parts[i].equals("")) {
           tempPath.append(parts[i]);
           out.print("<a href=\"browseDirectory.jsp" + "?dir="
               + tempPath.toString() + "&namenodeInfoPort=" + namenodeInfoPort
-              + SET_DELEGATION + tokenString);
+              + getDelegationTokenUrlParam(tokenString));
           out.print("\">" + parts[i] + "</a>" + Path.SEPARATOR);
           tempPath.append(Path.SEPARATOR);
         }
@@ -386,8 +387,10 @@ public class JspHelper {
     out.print("<input name=\"go\" type=\"submit\" value=\"go\">");
     out.print("<input name=\"namenodeInfoPort\" type=\"hidden\" "
         + "value=\"" + namenodeInfoPort  + "\">");
-    out.print("<input name=\"" + DELEGATION_PARAMETER_NAME +
-              "\" type=\"hidden\" value=\"" + tokenString + "\">");
+    if (UserGroupInformation.isSecurityEnabled()) {
+      out.print("<input name=\"" + DELEGATION_PARAMETER_NAME
+          + "\" type=\"hidden\" value=\"" + tokenString + "\">");
+    }
     out.print("</form>");
   }
   
@@ -518,6 +521,22 @@ public class JspHelper {
       LOG.debug("getUGI is returning: " + ugi.getShortUserName());
     return ugi;
   }
+  
+  /**
+   * Returns the url parameter for the given token string.
+   * @param tokenString
+   * @return url parameter
+   */
+  public static String getDelegationTokenUrlParam(String tokenString) {
+    if (tokenString == null ) {
+      return "";
+    }
+    if (UserGroupInformation.isSecurityEnabled()) {
+      return SET_DELEGATION + tokenString;
+    } else {
+      return "";
+    }
+  }
 
 
 }
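Review bot: The new getDelegationTokenUrlParam at the end of this hunk still concatenates tokenString raw onto SET_DELEGATION, so the commit removes the token from URLs only when security is off; in the secure mode every caller — the browseDirectory hrefs in the first hunk of this file and the nine one-line replacements in DatanodeJspHelper — still embeds tokenString unencoded inside an href attribute. I cannot see in this diff where tokenString originates or whether it is already URL-safe, but the helper is now the single place the parameter is built, so encoding it there covers every call site at once, and the two `return ""` branches can collapse into one guard. The hidden `<input>` in the second hunk writes tokenString into an HTML attribute rather than a URL, so that site would need attribute escaping rather than URLEncoder; the isSecurityEnabled guard added there at least keeps the form consistent with the helper. Whether JspHelper already imports java.net.URLEncoder and java.io.UnsupportedEncodingException is outside this hunk.
```java
  public static String getDelegationTokenUrlParam(String tokenString) {
    if (tokenString == null || !UserGroupInformation.isSecurityEnabled()) {
      return "";
    }
    try {
      // Encode so the token can never break out of the query string at any call site.
      return SET_DELEGATION + URLEncoder.encode(tokenString, "UTF-8");
    } catch (UnsupportedEncodingException e) {
      // UTF-8 is a required charset on every JVM; reaching here is a JVM defect.
      throw new IllegalStateException("UTF-8 not supported", e);
    }
  }
```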

Modified: hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/server/datanode/DatanodeJspHelper.java
URL: http://svn.apache.org/viewvc/hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/server/datanode/DatanodeJspHelper.java?rev=985393&r1=985392&r2=985393&view=diff
==============================================================================
--- hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/server/datanode/DatanodeJspHelper.java
(original)
+++ hadoop/hdfs/trunk/src/java/org/apache/hadoop/hdfs/server/datanode/DatanodeJspHelper.java
Fri Aug 13 22:50:40 2010
@@ -124,7 +124,7 @@ public class DatanodeJspHelper {
               + firstBlock.getBlock().getGenerationStamp() + "&filename="
               + URLEncoder.encode(dir, "UTF-8") + "&datanodePort="
               + datanodePort + "&namenodeInfoPort=" + namenodeInfoPort
-              + JspHelper.SET_DELEGATION + tokenString;
+              + JspHelper.getDelegationTokenUrlParam(tokenString);
           resp.sendRedirect(redirectLocation);
         }
         return;
@@ -144,7 +144,7 @@ public class DatanodeJspHelper {
       if ((parent = f.getParent()) != null)
         out.print("<a href=\"" + req.getRequestURL() + "?dir=" + parent
             + "&namenodeInfoPort=" + namenodeInfoPort
-            + JspHelper.SET_DELEGATION + tokenString
+            + JspHelper.getDelegationTokenUrlParam(tokenString)
             + "\">Go to parent directory</a><br>");
 
       DirectoryListing thisListing = 
@@ -175,7 +175,7 @@ public class DatanodeJspHelper {
             String datanodeUrl = req.getRequestURL() + "?dir="
               + URLEncoder.encode(files[i].getFullName(target), "UTF-8")
               + "&namenodeInfoPort=" + namenodeInfoPort
-              + JspHelper.SET_DELEGATION + tokenString;
+              + JspHelper.getDelegationTokenUrlParam(tokenString);
             cols[0] = "<a href=\"" + datanodeUrl + "\">"
               + localFileName + "</a>";
             cols[5] = FsShell.dateForm.format(new Date((files[i]
@@ -262,7 +262,7 @@ public class DatanodeJspHelper {
     String downloadUrl = "http://" + req.getServerName() + ":"
         + req.getServerPort() + "/streamFile?" + "filename="
         + URLEncoder.encode(filename, "UTF-8")
-        + JspHelper.SET_DELEGATION + tokenString;
+        + JspHelper.getDelegationTokenUrlParam(tokenString);
     out.print("<a name=\"viewOptions\"></a>");
     out.print("<a href=\"" + downloadUrl + "\">Download this file</a><br>");
 
@@ -282,7 +282,7 @@ public class DatanodeJspHelper {
         + "/tail.jsp?filename=" + URLEncoder.encode(filename, "UTF-8")
         + "&namenodeInfoPort=" + namenodeInfoPort
         + "&chunkSizeToView=" + chunkSizeToView
-        + JspHelper.SET_DELEGATION + tokenString
+        + JspHelper.getDelegationTokenUrlParam(tokenString)
         + "&referrer=" + URLEncoder.encode(
             req.getRequestURL() + "?" + req.getQueryString(), "UTF-8");
     out.print("<a href=\"" + tailUrl + "\">Tail this file</a><br>");
@@ -333,7 +333,7 @@ public class DatanodeJspHelper {
             + "&genstamp=" + cur.getBlock().getGenerationStamp()
             + "&namenodeInfoPort=" + namenodeInfoPort
             + "&chunkSizeToView=" + chunkSizeToView
-            + JspHelper.SET_DELEGATION + tokenString;
+            + JspHelper.getDelegationTokenUrlParam(tokenString);
 
         String blockInfoUrl = "http://" + namenodeHostName + ":"
             + namenodeInfoPort
@@ -441,7 +441,7 @@ public class DatanodeJspHelper {
         + req.getServerName() + ":" + req.getServerPort()
         + "/browseDirectory.jsp?dir=" + URLEncoder.encode(parent, "UTF-8")
         + "&namenodeInfoPort=" + namenodeInfoPort
-        + JspHelper.SET_DELEGATION + tokenString
+        + JspHelper.getDelegationTokenUrlParam(tokenString)
         + "\"><i>Go back to dir listing</i></a><br>");
     out.print("<a href=\"#viewOptions\">Advanced view/download options</a><br>");
     out.print("<hr>");
@@ -496,7 +496,7 @@ public class DatanodeJspHelper {
           + "&chunkSizeToView=" + chunkSizeToView
           + "&datanodePort=" + nextDatanodePort
           + "&namenodeInfoPort=" + namenodeInfoPort
-          + JspHelper.SET_DELEGATION + tokenString;
+          + JspHelper.getDelegationTokenUrlParam(tokenString);
       out.print("<a href=\"" + nextUrl + "\">View Next chunk</a>&nbsp;&nbsp;");
     }
     // determine data for the prev link
@@ -553,7 +553,7 @@ public class DatanodeJspHelper {
           + "&genstamp=" + prevGenStamp
           + "&datanodePort=" + prevDatanodePort
           + "&namenodeInfoPort=" + namenodeInfoPort
-          + JspHelper.SET_DELEGATION + tokenString;
+          + JspHelper.getDelegationTokenUrlParam(tokenString);
       out.print("<a href=\"" + prevUrl + "\">View Prev chunk</a>&nbsp;&nbsp;");
     }
     out.print("<hr>");

Modified: hadoop/hdfs/trunk/src/test/hdfs/org/apache/hadoop/hdfs/server/common/TestJspHelper.java
URL: http://svn.apache.org/viewvc/hadoop/hdfs/trunk/src/test/hdfs/org/apache/hadoop/hdfs/server/common/TestJspHelper.java?rev=985393&r1=985392&r2=985393&view=diff
==============================================================================
--- hadoop/hdfs/trunk/src/test/hdfs/org/apache/hadoop/hdfs/server/common/TestJspHelper.java
(original)
+++ hadoop/hdfs/trunk/src/test/hdfs/org/apache/hadoop/hdfs/server/common/TestJspHelper.java
Fri Aug 13 22:50:40 2010
@@ -90,5 +90,23 @@ public class TestJspHelper {
         .next();
     Assert.assertEquals(tokenInUgi.getService(), tokenService);
   }
+  
+  @Test
+  public void testDelegationTokenUrlParam() {
+    conf.set(DFSConfigKeys.HADOOP_SECURITY_AUTHENTICATION, "kerberos");
+    UserGroupInformation.setConfiguration(conf);
+    String tokenString = "xyzabc";
+    String delegationTokenParam = JspHelper
+        .getDelegationTokenUrlParam(tokenString);
+    //Security is enabled
+    Assert.assertEquals(JspHelper.SET_DELEGATION + "xyzabc",
+        delegationTokenParam);
+    conf.set(DFSConfigKeys.HADOOP_SECURITY_AUTHENTICATION, "simple");
+    UserGroupInformation.setConfiguration(conf);
+    delegationTokenParam = JspHelper
+        .getDelegationTokenUrlParam(tokenString);
+    //Empty string must be returned because security is disabled.
+    Assert.assertEquals("", delegationTokenParam);
+  }
 
 }
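Review bot: testDelegationTokenUrlParam switches the static UserGroupInformation configuration to "kerberos" and then "simple" and never restores it, so whichever test in this class runs afterwards inherits "simple" and the outcome depends on test ordering; the two setConfiguration calls should be bracketed by a finally (or an @After) that re-applies the original HADOOP_SECURITY_AUTHENTICATION value. The test also leaves the helper's null branch unexercised; one more assertion covers it: `Assert.assertEquals("", JspHelper.getDelegationTokenUrlParam(null));`. The `conf` field the test relies on is declared outside this hunk.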


