hadoop-mapreduce-issues mailing list archives

From "Darrell Taylor (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (MAPREDUCE-165) the map task output servlet doesn't protect against ".." attacks
Date Fri, 01 May 2015 07:56:06 GMT

    [ https://issues.apache.org/jira/browse/MAPREDUCE-165?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14522903#comment-14522903 ]

Darrell Taylor commented on MAPREDUCE-165:
------------------------------------------

OK, I've had a quick look through this and the two places I can find where file.out and file.out.index
are created are in MROutputFiles.java and YarnOutputFiles.java; both of these push all their
work through LocalDirAllocator.java and ultimately Path.java.

So I'd presume (maybe incorrectly) that LocalDirAllocator and Path both protect against ".."
attacks?  I'll spend a bit more time looking through them to try and understand how they work.
But the map output classes look sensible.

The one thing that did make me wonder, though, is this piece of code that appears in the LocalDirAllocator:
it strips off the leading /, which could result in a ".." attack, but that may be picked up
in the Path class.

{code}
      //remove the leading slash from the path (to make sure that the uri
      //resolution results in a valid path on the dir being checked)
      if (pathStr.startsWith("/")) {
        pathStr = pathStr.substring(1);
      }
{code}


> the map task output servlet doesn't protect against ".." attacks
> ----------------------------------------------------------------
>
>                 Key: MAPREDUCE-165
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-165
>             Project: Hadoop Map/Reduce
>          Issue Type: Bug
>            Reporter: Owen O'Malley
>              Labels: newbie, security
>
> The servlet we use to export the map outputs doesn't protect itself against ".." attacks.
> However, because the code adds a /file.out.index and /file.out to it, it can only be used
> to read files with those names.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
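
A containment check of the kind this thread is asking about, as an added example (not Hadoop code and not part of the original message). It uses plain `java.nio.file` rather than Hadoop's `Path` or `LocalDirAllocator`; the class name, method names, base directory and sample inputs are all assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

public class MapOutputPathCheck {

    // Same step as the LocalDirAllocator snippet quoted above: drop one leading slash.
    static String stripLeadingSlash(String pathStr) {
        return pathStr.startsWith("/") ? pathStr.substring(1) : pathStr;
    }

    // Resolve a request-supplied relative path under baseDir, append the fixed
    // file name, and reject any result that normalizes to a location outside baseDir.
    static Path resolveInside(Path baseDir, String requested, String fileName)
            throws IOException {
        Path base = baseDir.toAbsolutePath().normalize();
        Path candidate = base.resolve(stripLeadingSlash(requested))
                             .resolve(fileName)
                             .normalize();   // collapses "." and ".." lexically
        // Path.startsWith compares whole name elements, so a sibling such as
        // ".../output2" does not pass as being inside ".../output".
        if (!candidate.startsWith(base)) {
            throw new IOException("path escapes " + base + ": " + requested);
        }
        return candidate;
    }

    public static void main(String[] args) {
        Path base = Paths.get("/tmp/nm-local-dir/output"); // constructed sample directory
        String[] samples = {                                // constructed sample inputs
            "attempt_0001_m_000000_0",   // stays inside base
            "/attempt_0001_m_000000_0",  // leading slash stripped, stays inside
            "../../../other/dir",        // ".." segments are untouched by the strip
            "/../sibling",               // strip leaves "../sibling"
            "a/../../sibling"            // ".." hidden behind a valid first segment
        };
        for (String s : samples) {
            try {
                System.out.println("OK      " + resolveInside(base, s, "file.out"));
            } catch (IOException e) {
                System.out.println("REJECT  " + e.getMessage());
            }
        }
    }
}
```

`normalize()` is purely lexical and does not follow symbolic links; where links under the base directory are a concern, compare `toRealPath()` results on the existing file instead.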
