!21 fix CVE-2020-9492

From: @wangxiao65
Reviewed-by: @wang_yue111,@small_leek,@zhengzhenyu
Signed-off-by: @zhengzhenyu

CVE-2020-9492.patch

@@ -0,0 +1,53 @@
+From c5ed4ec13dcc2e3bf6e7033ebfe9f5c9508e9236 Mon Sep 17 00:00:00 2001
+From: Eric Yang <eyang@apache.org>
+Date: Mon, 15 Jun 2020 10:55:26 +0900
+Subject: [PATCH] SPNEGO TLS verification
+
+Signed-off-by: Akira Ajisaka <aajisaka@apache.org>
+---
+ .../org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java     | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java b/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java
+index b316bf1..b34ce82 100644
+--- a/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java
++++ b/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java
+@@ -144,6 +144,7 @@ public class WebHdfsFileSystem extends FileSystem
+       + "/v" + VERSION;
+   public static final String EZ_HEADER = "X-Hadoop-Accept-EZ";
+   public static final String FEFINFO_HEADER = "X-Hadoop-feInfo";
++  public static final String DFS_HTTP_POLICY_KEY = "dfs.http.policy";
+ 
+   /**
+    * Default connection factory may be overridden in tests to use smaller
+@@ -172,6 +173,7 @@ public class WebHdfsFileSystem extends FileSystem
+ 
+   private DFSOpsCountStatistics storageStatistics;
+   private KeyProvider testProvider;
++  private boolean isTLSKrb;
+ 
+   /**
+    * Return the protocol scheme for the FileSystem.
+@@ -233,6 +235,7 @@ public class WebHdfsFileSystem extends FileSystem
+           .newDefaultURLConnectionFactory(connectTimeout, readTimeout, conf);
+     }
+ 
++    this.isTLSKrb = "HTTPS_ONLY".equals(conf.get(DFS_HTTP_POLICY_KEY));
+ 
+     ugi = UserGroupInformation.getCurrentUser();
+     this.uri = URI.create(uri.getScheme() + "://" + uri.getAuthority());
+@@ -683,6 +686,11 @@ public class WebHdfsFileSystem extends FileSystem
+       //redirect hostname and port
+       redirectHost = null;
+ 
++      if (url.getProtocol().equals("http") &&
++        UserGroupInformation.isSecurityEnabled() &&
++        isTLSKrb) {
++        throw new IOException("Access denied: dfs.http.policy is HTTPS_ONLY.");
++      }
+ 
+       // resolve redirects for a DN operation unless already resolved
+       if (op.getRedirect() && !redirected) {
+-- 
+2.23.0
+

hadoop.spec

@@ -11,7 +11,7 @@
 %define _binaries_in_noarch_packages_terminate_build 0
 Name:   hadoop
 Version: 3.2.1
-Release: 7
+Release: 8
 Summary: A software platform for processing vast amounts of data
 # The BSD license file is missing
 # https://issues.apache.org/jira/browse/HADOOP-9849
@@ -31,6 +31,7 @@ Source10: %{name}-core-site.xml
 Source11: %{name}-hdfs-site.xml
 Source12: %{name}-mapred-site.xml
 Source13: %{name}-yarn-site.xml
+Patch0:  CVE-2020-9492.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 BuildRequires: java-1.8.0-openjdk-devel maven hostname maven-local tomcat cmake snappy openssl-devel 
@@ -1108,10 +1109,13 @@ fi
 %config(noreplace) %{_sysconfdir}/%{name}/container-executor.cfg
 
 %changelog
-* Wed May 11 2021 Ge Wang <wangge20@huawei.com> -3.2.1-7
+* Fri May 14 2021 wangyue <wangyue92@huawei.com> - 3.2.1-8
-- Remove redundancy install requires
+- Fix CVE-2020-9492
 
-* Fri Apr 16 2021 Ge Wang <wangge20@huawei.com> -3.2.1-6
+* Wed May 11 2021 Ge Wang <wangge20@huawei.com> - 3.2.1-7
+- Remove reduncancy install requires
+
+* Fri Apr 16 2021 Ge Wang <wangge20@huawei.com> - 3.2.1-6
 - Build with local leveldbjni package instead of package in remote repository
 
 * Thu Apr 08 2021 Ge Wang <wangge20@huawei.com> - 3.2.1-5