[ https://issues.apache.org/jira/browse/HADOOP-12584?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Steve Loughran reopened HADOOP-12584:
-------------------------------------

I'm re-opening this briefly until a patch including the YARN-4379 diff is merged in, with a test run against YARN too.

Sorry, but I'm getting fed up with the fact that Hadoop Jenkins builds are so unreliable that they and patch test runs are essentially meaningless.

> Disable browsing the static directory in HttpServer2
> ----------------------------------------------------
>
>                 Key: HADOOP-12584
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12584
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.8.0
>            Reporter: Robert Kanter
>            Assignee: Robert Kanter
>             Fix For: 2.8.0
>
>         Attachments: HADOOP-12584.001.patch, HADOOP-12584.002.patch
>
>
> We found a minor security issue with the Yarn Web UIs (or anything using
> {{HttpServer2}}). Currently, you can list the contents of the {{/static}}
> directory for the RM, NM, and JHS. This isn't a huge deal, but there are
> some ways to abuse this to get access to files on the host, though it would
> be pretty difficult. It's also good practice to disable directory listing on
> web apps.
> Here are the URLs:
> - http://HOST:8088/static/
> - http://HOST:19888/static/
> - http://HOST:8042/static/

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
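
A post-patch check for the behaviour reported above, added here as an example and not part of the JIRA message or the Hadoop patch: it requests `/static/` on the three ports from the issue and flags a response that looks like a directory index. The marker strings, the function names and the two local test servers are assumptions made for the example.

```python
import functools, http.server, os, tempfile, threading
import urllib.error, urllib.request

# Ports taken from the URLs in the issue; the host is supplied by the operator.
STATIC_PORTS = (8088, 19888, 8042)
# Assumed heuristic: title prefixes of common auto-generated index pages.
LISTING_MARKERS = ("<title>directory", "<title>index of")
# Connect directly, ignoring any proxy settings in the environment.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def is_directory_listing(status, body):
    """True when a response looks like an auto-generated directory index."""
    return status == 200 and any(m in body[:4096].lower() for m in LISTING_MARKERS)

def static_is_browsable(base_url, timeout=5):
    """Fetch <base_url>/static/ and report whether it returns a listing."""
    url = base_url.rstrip("/") + "/static/"
    try:
        with _OPENER.open(url, timeout=timeout) as resp:
            return is_directory_listing(resp.status, resp.read(4096).decode("utf-8", "replace"))
    except urllib.error.HTTPError:
        return False  # 403/404 on the directory itself: listing is off

def audit(host):
    """Check the three web UIs named in the issue; connection errors propagate."""
    return {p: static_is_browsable("http://%s:%d" % (host, p)) for p in STATIC_PORTS}

class NoListingHandler(http.server.SimpleHTTPRequestHandler):
    """Constructed stand-in for a patched server: files served, listings refused."""
    def list_directory(self, path):
        self.send_error(403, "Directory listing disabled")
        return None

def demo():
    """Run the check against a listing-enabled and a listing-disabled local server."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "static"))
        with open(os.path.join(root, "static", "sample.css"), "w") as f:
            f.write("/* constructed sample file */")
        results = []
        for cls in (http.server.SimpleHTTPRequestHandler, NoListingHandler):
            handler = functools.partial(cls, directory=root)
            srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
            threading.Thread(target=srv.serve_forever, daemon=True).start()
            results.append(static_is_browsable("http://127.0.0.1:%d" % srv.server_address[1]))
            srv.shutdown()
            srv.server_close()
        return tuple(results)

if __name__ == "__main__":
    print(demo())
```

`audit("HOST")` returns a port-to-boolean map for one host; any `True` means `/static/` is still browsable there.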