hadoop-yarn-issues mailing list archives

From "Tsuyoshi Ozawa (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-1993) Cross-site scripting vulnerability in TextView.java
Date Sat, 02 May 2015 23:11:06 GMT

    [ https://issues.apache.org/jira/browse/YARN-1993?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14525542#comment-14525542 ]

Tsuyoshi Ozawa commented on YARN-1993:
--------------------------------------

+1, committing this shortly.

> Cross-site scripting vulnerability in TextView.java
> ---------------------------------------------------
>
>                 Key: YARN-1993
>                 URL: https://issues.apache.org/jira/browse/YARN-1993
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: webapp
>            Reporter: Ted Yu
>            Assignee: Kenji Kikushima
>         Attachments: YARN-1993.patch
>
>
> In hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/view/TextView.java, method echo() e.g.:
> {code}
>     for (Object s : args) {
>       out.print(s);
>     }
> {code}
> Printing s to an HTML page allows cross-site scripting, because it was not properly sanitized for the HTML attribute name context.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
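To make the defect and its remedy concrete, here is an added example that is not the project's TextView and not the attached YARN-1993.patch: the quoted unescaped print loop beside a variant that HTML-escapes each argument before it reaches the page. The class name, the escapeHtml helper and the sample job name are assumptions made for this illustration.

```java
import java.io.PrintWriter;
import java.io.StringWriter;

/** Stand-in for the YARN TextView helper (hypothetical class, not the project's own). */
public class EscapedTextView {

  /** Escapes the characters that change meaning in HTML text and attribute values. */
  static String escapeHtml(Object value) {
    String s = String.valueOf(value);
    StringBuilder sb = new StringBuilder(s.length() + 16);
    for (int i = 0; i < s.length(); i++) {
      char c = s.charAt(i);
      switch (c) {
        case '&':  sb.append("&amp;");  break;
        case '<':  sb.append("&lt;");   break;
        case '>':  sb.append("&gt;");   break;
        case '"':  sb.append("&quot;"); break;
        case '\'': sb.append("&#39;");  break;
        default:   sb.append(c);
      }
    }
    return sb.toString();
  }

  /** The shape of the loop quoted in the issue: values reach the page untouched. */
  static void echoRaw(PrintWriter out, Object... args) {
    for (Object s : args) {
      out.print(s);
    }
  }

  /** Hardened echo: every argument is escaped, so callers must emit markup separately. */
  static void echoEscaped(PrintWriter out, Object... args) {
    for (Object s : args) {
      out.print(escapeHtml(s));
    }
  }

  public static void main(String[] a) {
    // Constructed sample value containing characters that are special in HTML.
    String jobName = "report <q1> & \"final\"";
    StringWriter raw = new StringWriter();
    StringWriter safe = new StringWriter();
    echoRaw(new PrintWriter(raw, true), jobName);      // markup in the value is kept verbatim
    echoEscaped(new PrintWriter(safe, true), jobName); // markup in the value is neutralised
    System.out.println("raw:  " + raw);
    System.out.println("safe: " + safe);
  }
}
```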
