hadoop-yarn-issues mailing list archives

From "Hadoop QA (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-1993) Cross-site scripting vulnerability in TextView.java
Date Sat, 02 May 2015 22:26:06 GMT

    [ https://issues.apache.org/jira/browse/YARN-1993?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14525526#comment-14525526 ]

Hadoop QA commented on YARN-1993:
---------------------------------

\\
\\
| (x) *{color:red}-1 overall{color}* |
\\
\\
|| Vote || Subsystem || Runtime || Comment ||
| {color:blue}0{color} | pre-patch |  15m 13s | Pre-patch trunk compilation is healthy. |
| {color:green}+1{color} | @author |   0m  0s | The patch does not contain any @author tags. |
| {color:red}-1{color} | tests included |   0m  0s | The patch doesn't appear to include any new or modified tests.  Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. |
| {color:red}-1{color} | javac |   7m 47s | The applied patch generated  173  additional warning messages. |
| {color:red}-1{color} | javadoc |  10m  4s | The applied patch generated  14  additional warning messages. |
| {color:green}+1{color} | release audit |   0m 23s | The applied patch does not increase the total number of release audit warnings. |
| {color:green}+1{color} | checkstyle |   0m 53s | There were no new checkstyle issues. |
| {color:green}+1{color} | whitespace |   0m  0s | The patch has no lines that end in whitespace. |
| {color:green}+1{color} | install |   1m 32s | mvn install still works. |
| {color:green}+1{color} | eclipse:eclipse |   0m 33s | The patch built with eclipse:eclipse. |
| {color:green}+1{color} | findbugs |   1m 24s | The patch does not introduce any new Findbugs (version 2.0.3) warnings. |
| {color:green}+1{color} | yarn tests |   1m 58s | Tests passed in hadoop-yarn-common. |
| | |  39m 51s | |
\\
\\
|| Subsystem || Report/Notes ||
| Patch URL | http://issues.apache.org/jira/secure/attachment/12644792/YARN-1993.patch |
| Optional Tests | javadoc javac unit findbugs checkstyle |
| git revision | trunk / 6ae2a0d |
| javac | https://builds.apache.org/job/PreCommit-YARN-Build/7663/artifact/patchprocess/diffJavacWarnings.txt |
| javadoc | https://builds.apache.org/job/PreCommit-YARN-Build/7663/artifact/patchprocess/diffJavadocWarnings.txt |
| hadoop-yarn-common test log | https://builds.apache.org/job/PreCommit-YARN-Build/7663/artifact/patchprocess/testrun_hadoop-yarn-common.txt |
| Test Results | https://builds.apache.org/job/PreCommit-YARN-Build/7663/testReport/ |
| Java | 1.7.0_55 |
| uname | Linux asf903.gq1.ygridcore.net 3.13.0-36-lowlatency #63-Ubuntu SMP PREEMPT Wed Sep 3 21:56:12 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux |
| Console output | https://builds.apache.org/job/PreCommit-YARN-Build/7663/console |


This message was automatically generated.

> Cross-site scripting vulnerability in TextView.java
> ---------------------------------------------------
>
>                 Key: YARN-1993
>                 URL: https://issues.apache.org/jira/browse/YARN-1993
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: webapp
>            Reporter: Ted Yu
>         Attachments: YARN-1993.patch
>
>
> In hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/view/TextView.java, method echo() e.g.:
> {code}
>     for (Object s : args) {
>       out.print(s);
>     }
> {code}
> Printing s to an HTML page allows cross-site scripting, because it was not properly sanitized for context HTML attribute name.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
