hadoop-yarn-issues mailing list archives

From "Hudson (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-1993) Cross-site scripting vulnerability in TextView.java
Date Sun, 03 May 2015 12:57:07 GMT

    [ https://issues.apache.org/jira/browse/YARN-1993?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14525817#comment-14525817 ]

Hudson commented on YARN-1993:
------------------------------

FAILURE: Integrated in Hadoop-Yarn-trunk-Java8 #182 (See [https://builds.apache.org/job/Hadoop-Yarn-trunk-Java8/182/])
YARN-1993. Cross-site scripting vulnerability in TextView.java. Contributed by Kenji Kikushima.
(ozawa: rev e8d0ee5fc9af612d7abc9ab2c201434e7102d092)
* hadoop-yarn-project/CHANGES.txt
* hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/view/TextView.java


> Cross-site scripting vulnerability in TextView.java
> ---------------------------------------------------
>
>                 Key: YARN-1993
>                 URL: https://issues.apache.org/jira/browse/YARN-1993
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: webapp
>            Reporter: Ted Yu
>            Assignee: Kenji Kikushima
>             Fix For: 2.8.0
>
>         Attachments: YARN-1993.patch
>
>
> In hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/view/TextView.java, method echo(), e.g.:
> {code}
>     for (Object s : args) {
>       out.print(s);
>     }
> {code}
> Printing s to an HTML page allows cross-site scripting, because it was not properly sanitized for the HTML attribute-name context.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
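The loop the report quotes, beside an escaping variant, as an added example: this is not Hadoop's code and not the patch attached to YARN-1993; the class name, method names and the constructed input are assumptions made here to show why a verbatim print of caller-supplied objects is an XSS sink and what output encoding changes.

```java
import java.io.PrintWriter;
import java.io.StringWriter;

/**
 * Added example, not code from Hadoop: a stand-in for TextView.echo() that
 * contrasts the verbatim print quoted in YARN-1993 with an escaping variant.
 * Class, method and variable names here are hypothetical.
 */
public class EchoEscapeDemo {

    /** Mirrors the quoted loop: each argument goes to the page untouched. */
    static String echoRaw(Object... args) {
        StringWriter sw = new StringWriter();
        PrintWriter out = new PrintWriter(sw);
        for (Object s : args) {
            out.print(s);
        }
        out.flush();
        return sw.toString();
    }

    /** Same loop, but every argument is HTML-escaped before it is printed. */
    static String echoEscaped(Object... args) {
        StringWriter sw = new StringWriter();
        PrintWriter out = new PrintWriter(sw);
        for (Object s : args) {
            out.print(escapeHtml(String.valueOf(s)));
        }
        out.flush();
        return sw.toString();
    }

    /**
     * Escapes the characters that end element content or a quoted attribute
     * value. Sufficient for text nodes and for attribute values that the
     * template always wraps in double quotes; not sufficient for attribute
     * names, unquoted attributes, URLs or script blocks.
     */
    static String escapeHtml(String in) {
        StringBuilder sb = new StringBuilder(in.length() + 16);
        for (int i = 0; i < in.length(); i++) {
            char c = in.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] argv) {
        // Constructed attacker-controlled value, e.g. a job name reflected
        // into the web UI. Not taken from any real Hadoop request.
        String tainted = "\"><script>alert(document.cookie)</script><a title=\"";

        // Text context: the raw print puts a live <script> element on the page.
        System.out.println("<p>" + echoRaw(tainted) + "</p>");
        // Quoted attribute context: the raw print closes the title attribute,
        // injects the script, then reopens an attribute so the markup still parses.
        System.out.println("<a title=\"" + echoRaw(tainted) + "\">x</a>");

        // With escaping the same value is inert in both contexts.
        System.out.println("<p>" + echoEscaped(tainted) + "</p>");
        System.out.println("<a title=\"" + echoEscaped(tainted) + "\">x</a>");
    }
}
```

Compile and run with `javac EchoEscapeDemo.java && java EchoEscapeDemo`; the first two lines of output carry an executable script element, the last two carry only entity text. The caveat a reviewer would attach to any fix of this shape: a character escaper is only correct for the context it was written for. It makes text nodes and double-quoted attribute values safe; if a template ever lets a caller-supplied value land in an attribute name, an unquoted attribute, an `href`, or inside a `<script>` block, the value needs context-specific validation (for a name, an allow-list of `[A-Za-z0-9-]`) rather than entity encoding.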
