From "Ravi Prakash (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-266) RM and JHS Web UIs are blank because AppsBlock is not escaping string properly
Date Tue, 11 Dec 2012 05:47:23 GMT

    [ https://issues.apache.org/jira/browse/YARN-266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13528696#comment-13528696
] 

Ravi Prakash commented on YARN-266:
-----------------------------------

I tested by submitting a bad job name (with a new line and an embedded image HTML tag).
1. With only escapeHtml, the new line causes the JavaScript parser to throw an error.
2. With only escapeJavascript, the embedded HTML image was rendered. This could lead to XSS.
3. JavaScript-escaping the HTML-escaped string (as in the patch) got the correct behavior.

                
> RM and JHS Web UIs are blank because AppsBlock is not escaping string properly
> ------------------------------------------------------------------------------
>
>                 Key: YARN-266
>                 URL: https://issues.apache.org/jira/browse/YARN-266
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: resourcemanager
>    Affects Versions: 2.0.2-alpha, 3.0.0, 0.23.5
>            Reporter: Ravi Prakash
>            Assignee: Ravi Prakash
>            Priority: Critical
>              Labels: webui
>         Attachments: YARN-266.patch
>
>
> e.g. Job names with a line feed "\n" are causing a line feed in the JSON array being
> written out (since we are only using StringEscapeUtils.escapeHtml() ) and the Javascript parser
> complains that string quotes are unclosed. This 

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
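The three cases Ravi Prakash tested above, reproduced as an added example that is not part of the YARN-266 patch or of Hadoop: escapeHtml and escapeJavaScript are minimal stand-ins for the commons-lang StringEscapeUtils methods (only the characters relevant to this bug), embedInScript mimics AppsBlock writing the value into a JS array literal inside a script block, and the job name is a constructed value like the one in the comment.

```javascript
'use strict';

// Stand-in for StringEscapeUtils.escapeHtml: neutralise tag/attribute characters.
function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Stand-in for StringEscapeUtils.escapeJavaScript: make the value safe inside
// a JS string literal (quotes, backslash, slash and line terminators).
function escapeJavaScript(s) {
  return s.replace(/\\/g, '\\\\').replace(/'/g, "\\'").replace(/"/g, '\\"')
          .replace(/\//g, '\\/').replace(/\n/g, '\\n')
          .replace(/\r/g, '\\r').replace(/\t/g, '\\t');
}

// Emulate the AppsBlock pattern: the (escaped) value lands inside a JS array
// literal in a <script> block, and the browser's JS parser must accept it.
function embedInScript(escaped) {
  const src = "return ['" + escaped + "'];";
  try {
    return { parsed: true, value: new Function(src)()[0] };
  } catch (e) {
    return { parsed: false, error: e.name }; // SyntaxError => blank Web UI
  }
}

// Would the value that reaches the DOM still be interpreted as markup?
function containsRawTag(value) {
  return /<[a-z]/i.test(value);
}

// Constructed bad job name: a newline plus an embedded image tag.
const BAD_JOB_NAME = 'job\n<img src=x>';

// Run the three escaping strategies from the comment against one job name.
function evaluate(name) {
  return {
    htmlOnly: embedInScript(escapeHtml(name)),                  // case 1
    jsOnly:   embedInScript(escapeJavaScript(name)),            // case 2
    both:     embedInScript(escapeJavaScript(escapeHtml(name))) // case 3 (the patch)
  };
}
```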
