authorDaniel Templeton <templedf@apache.org>2018-06-01 14:42:39 -0700
committerDaniel Templeton <templedf@apache.org>2018-06-01 14:42:39 -0700
commitcba319499822a2475c60c43ea71f8e78237e139f (patch)
tree0669de7de76fb12f21396eed6230c223b896da31
parent1be05a3623da22ed053ed9898df23c85981772e7 (diff)
HDFS-13636. Cross-Site Scripting vulnerability in HttpServer2
(Contributed by Haibo Yan via Daniel Templeton) Change-Id: I28edde8125dd20d8d270f0e609d1c04d8173c8b7
-rw-r--r--hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java7
1 files changed, 5 insertions, 2 deletions
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java
index c273c7852b..2435671a31 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java
@@ -1420,8 +1420,11 @@ public final class HttpServer2 implements FilterContainer {
if (servletContext.getAttribute(ADMINS_ACL) != null &&
!userHasAdministratorAccess(servletContext, remoteUser)) {
- response.sendError(HttpServletResponse.SC_FORBIDDEN, "User "
- + remoteUser + " is unauthorized to access this page.");
+ response.sendError(HttpServletResponse.SC_FORBIDDEN,
+ "Unauthenticated users are not " +
+ "authorized to access this page.");
+ LOG.warn("User " + remoteUser + " is unauthorized to access the page "
+ + request.getRequestURI() + ".");
return false;
}