hadoop/CVE-2020-9492.patch

From c5ed4ec13dcc2e3bf6e7033ebfe9f5c9508e9236 Mon Sep 17 00:00:00 2001
From: Eric Yang <eyang@apache.org>
Date: Mon, 15 Jun 2020 10:55:26 +0900
Subject: [PATCH] SPNEGO TLS verification

Signed-off-by: Akira Ajisaka <aajisaka@apache.org>
---
 .../org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java     | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java b/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java
index b316bf1..b34ce82 100644
--- a/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java
+++ b/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java
@@ -144,6 +144,7 @@ public class WebHdfsFileSystem extends FileSystem
       + "/v" + VERSION;
   public static final String EZ_HEADER = "X-Hadoop-Accept-EZ";
   public static final String FEFINFO_HEADER = "X-Hadoop-feInfo";
+  public static final String DFS_HTTP_POLICY_KEY = "dfs.http.policy";
 
   /**
    * Default connection factory may be overridden in tests to use smaller
@@ -172,6 +173,7 @@ public class WebHdfsFileSystem extends FileSystem
 
   private DFSOpsCountStatistics storageStatistics;
   private KeyProvider testProvider;
+  private boolean isTLSKrb;
 
   /**
    * Return the protocol scheme for the FileSystem.
@@ -233,6 +235,7 @@ public class WebHdfsFileSystem extends FileSystem
           .newDefaultURLConnectionFactory(connectTimeout, readTimeout, conf);
     }
 
+    this.isTLSKrb = "HTTPS_ONLY".equals(conf.get(DFS_HTTP_POLICY_KEY));
 
     ugi = UserGroupInformation.getCurrentUser();
     this.uri = URI.create(uri.getScheme() + "://" + uri.getAuthority());
@@ -683,6 +686,11 @@ public class WebHdfsFileSystem extends FileSystem
       //redirect hostname and port
       redirectHost = null;
 
+      if (url.getProtocol().equals("http") &&
+        UserGroupInformation.isSecurityEnabled() &&
+        isTLSKrb) {
+        throw new IOException("Access denied: dfs.http.policy is HTTPS_ONLY.");
+      }
 
       // resolve redirects for a DN operation unless already resolved
       if (op.getRedirect() && !redirected) {
-- 
2.23.0
fix CVE-2020-9492 2021-05-14 14:33:52 +08:00			`From c5ed4ec13dcc2e3bf6e7033ebfe9f5c9508e9236 Mon Sep 17 00:00:00 2001`
			`From: Eric Yang <eyang@apache.org>`
			`Date: Mon, 15 Jun 2020 10:55:26 +0900`
			`Subject: [PATCH] SPNEGO TLS verification`

			`Signed-off-by: Akira Ajisaka <aajisaka@apache.org>`
			`---`
			`.../org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java \| 8 ++++++++`
			`1 file changed, 8 insertions(+)`

			`diff --git a/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java b/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java`
			`index b316bf1..b34ce82 100644`
			`--- a/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java`
			`+++ b/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java`
			`@@ -144,6 +144,7 @@ public class WebHdfsFileSystem extends FileSystem`
			`+ "/v" + VERSION;`
			`public static final String EZ_HEADER = "X-Hadoop-Accept-EZ";`
			`public static final String FEFINFO_HEADER = "X-Hadoop-feInfo";`
			`+ public static final String DFS_HTTP_POLICY_KEY = "dfs.http.policy";`

			`/**`
			`* Default connection factory may be overridden in tests to use smaller`
			`@@ -172,6 +173,7 @@ public class WebHdfsFileSystem extends FileSystem`

			`private DFSOpsCountStatistics storageStatistics;`
			`private KeyProvider testProvider;`
			`+ private boolean isTLSKrb;`

			`/**`
			`* Return the protocol scheme for the FileSystem.`
			`@@ -233,6 +235,7 @@ public class WebHdfsFileSystem extends FileSystem`
			`.newDefaultURLConnectionFactory(connectTimeout, readTimeout, conf);`
			`}`

			`+ this.isTLSKrb = "HTTPS_ONLY".equals(conf.get(DFS_HTTP_POLICY_KEY));`

			`ugi = UserGroupInformation.getCurrentUser();`
			`this.uri = URI.create(uri.getScheme() + "://" + uri.getAuthority());`
			`@@ -683,6 +686,11 @@ public class WebHdfsFileSystem extends FileSystem`
			`//redirect hostname and port`
			`redirectHost = null;`

			`+ if (url.getProtocol().equals("http") &&`
			`+ UserGroupInformation.isSecurityEnabled() &&`
			`+ isTLSKrb) {`
			`+ throw new IOException("Access denied: dfs.http.policy is HTTPS_ONLY.");`
			`+ }`

			`// resolve redirects for a DN operation unless already resolved`
			`if (op.getRedirect() && !redirected) {`
			`--`
			`2.23.0`