
HADOOP-13077. Handle special characters in passwords in httpfs.sh (Xiao Chen via aw)

Allen Wittenauer 9 年之前
父節點
當前提交
35cf503149

+ 23 - 0
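--- a/hadoop-common-project/hadoop-common/src/main/bin/hadoop-functions.sh
+++ b/hadoop-common-project/hadoop-common/src/main/bin/hadoop-functions.sh
@@ -2082,3 +2082,26 @@ function hadoop_parse_args
 
   hadoop_debug "hadoop_parse: asking caller to skip ${HADOOP_PARSE_COUNTER}"
 }
+
+## @description  XML-escapes the characters (&'"<>) in the given parameter.
+## @audience     private
+## @stability    evolving
+## @replaceable  yes
+## @param        string
+## @return       XML-escaped string
+function hadoop_xml_escape
+{
+  sed -e 's/&/\&amp;/g' -e 's/"/\\\&quot;/g' \
+    -e "s/'/\\\\\&apos;/g" -e 's/</\\\&lt;/g' -e 's/>/\\\&gt;/g' <<< "$1"
+}
+
+## @description  sed-escapes the characters (\/&) in the given parameter.
+## @audience     private
+## @stability    evolving
+## @replaceable  yes
+## @param        string
+## @return       sed-escaped string
+function hadoop_sed_escape
+{
+  sed -e 's/[\/&]/\\&/g' <<< "$1"
+}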
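Review bot: The `@description` and `@return` lines of hadoop_xml_escape promise an XML-escaped string, but the expressions emit `\&quot;`, `\&apos;`, `\&lt;` and `\&gt;` with a leading backslash while `&` becomes a bare `&amp;`. The result is therefore only correct as sed replacement text for input that has already gone through hadoop_sed_escape. A caller who writes the output straight into XML gets stray backslashes, and one who passes un-sed-escaped input on to a later `s///` gets the `&` in `&amp;` expanded as the matched text. I would state this in the header, e.g. `## @description  XML-escapes (&'"<>) in a string already processed by hadoop_sed_escape; the output is sed replacement text, not plain XML`. The hadoop_sed_escape header could likewise note that it assumes `/` as the delimiter and does not cover newlines in the input.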

+ 32 - 0
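--- a/hadoop-common-project/hadoop-common/src/test/scripts/hadoop_escape_chars.bats
+++ b/hadoop-common-project/hadoop-common/src/test/scripts/hadoop_escape_chars.bats
@@ -0,0 +1,32 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+load hadoop-functions_test_helper
+
+@test "hadoop_escape_sed (positive 1)" {
+  ret="$(hadoop_sed_escape "\pass&&word\0#\$asdf/g  ><'\"~\`!@#$%^&*()_+-=")"
+  expected="\\\\pass\&\&word\\\0#\$asdf\/g  ><'\"~\`!@#$%^\&*()_+-="
+  echo "actual >${ret}<"
+  echo "expected >${expected}<"
+  [ "${ret}" = "${expected}" ]
+}
+
+@test "hadoop_escape_xml (positive 1)" {
+  ret="$(hadoop_xml_escape "\pass&&word\0#\$asdf/g  ><'\"~\`!@#$%^&*()_+-=")"
+  expected="\\pass&amp;&amp;word\0#\$asdf/g  \&gt;\&lt;\&apos;\&quot;~\`!@#\$%^&amp;*()_+-="
+  echo "actual >${ret}<"
+  echo "expected >${expected}<"
+  [ "${ret}" = "${expected}" ]
+}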
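Review bot: Neither test exercises the composition the callers actually rely on, `hadoop_xml_escape "$(hadoop_sed_escape ...)"` fed into a `sed` replacement, so a regression in how the two helpers interact would pass this file. The second test also pins the backslash-prefixed entities (`\&gt;`, `\&quot;`) as the expected output, which only makes sense as an intermediate value. I would add a third case that runs the nested result through a real substitution and asserts the plain XML text that should land in ssl-server.xml. The sample password below is constructed for the test.

```shell
@test "hadoop_xml_escape of hadoop_sed_escape (round trip through sed)" {
  pass="a&b/c\\d<e>f'g\"h"
  escaped="$(hadoop_xml_escape "$(hadoop_sed_escape "${pass}")")"
  ret="$(sed -e 's/_placeholder_/'"${escaped}"'/g' <<< "_placeholder_")"
  expected="a&amp;b/c\\d&lt;e&gt;f&apos;g&quot;h"
  echo "actual >${ret}<"
  echo "expected >${expected}<"
  [ "${ret}" = "${expected}" ]
}
```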

+ 4 - 10
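--- a/hadoop-common-project/hadoop-kms/src/main/sbin/kms.sh
+++ b/hadoop-common-project/hadoop-kms/src/main/sbin/kms.sh
@@ -29,14 +29,6 @@ function hadoop_usage
   hadoop_generate_usage "${MYNAME}" false
 }
 
-function hadoop_escape() {
-      # Escape special chars for the later sed which saves the text as xml attribute
-      local ret
-      ret=$(sed 's/[\/&]/\\&/g' <<< "$1" | sed 's/&/\&amp;/g' | sed 's/"/\\\&quot;/g' \
-          | sed "s/'/\\\\\&apos;/g" | sed 's/</\\\&lt;/g' | sed 's/>/\\\&gt;/g')
-      echo "$ret"
-}
-
 # let's locate libexec...
 if [[ -n "${HADOOP_HOME}" ]]; then
   HADOOP_DEFAULT_LIBEXEC_DIR="${HADOOP_HOME}/libexec"
@@ -104,8 +96,10 @@ fi
 if [[ -f "${HADOOP_CATALINA_HOME}/conf/ssl-server.xml.conf" ]]; then
   if [[ -n "${KMS_SSL_KEYSTORE_PASS+x}" ]] || [[ -n "${KMS_SSL_TRUSTSTORE_PASS}" ]]; then
       export KMS_SSL_KEYSTORE_PASS=${KMS_SSL_KEYSTORE_PASS:-password}
-      KMS_SSL_KEYSTORE_PASS_ESCAPED=$(hadoop_escape "$KMS_SSL_KEYSTORE_PASS")
-      KMS_SSL_TRUSTSTORE_PASS_ESCAPED=$(hadoop_escape "$KMS_SSL_TRUSTSTORE_PASS")
+      KMS_SSL_KEYSTORE_PASS_ESCAPED=$(hadoop_xml_escape \
+        "$(hadoop_sed_escape "$KMS_SSL_KEYSTORE_PASS")")
+      KMS_SSL_TRUSTSTORE_PASS_ESCAPED=$(hadoop_xml_escape \
+        "$(hadoop_sed_escape "$KMS_SSL_TRUSTSTORE_PASS")")
       sed -e 's/"_kms_ssl_keystore_pass_"/'"\"${KMS_SSL_KEYSTORE_PASS_ESCAPED}\""'/g' \
           -e 's/"_kms_ssl_truststore_pass_"/'"\"${KMS_SSL_TRUSTSTORE_PASS_ESCAPED}\""'/g' \
         "${HADOOP_CATALINA_HOME}/conf/ssl-server.xml.conf" \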

+ 6 - 2
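--- a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/sbin/httpfs.sh
+++ b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/sbin/httpfs.sh
@@ -96,8 +96,12 @@ fi
 if [[ -f "${HADOOP_CATALINA_HOME}/conf/ssl-server.xml.conf" ]]; then
   if [[ -n "${HTTPFS_SSL_KEYSTORE_PASS+x}" ]] || [[ -n "${HTTPFS_SSL_TRUSTSTORE_PASS}" ]]; then
     export HTTPFS_SSL_KEYSTORE_PASS=${HTTPFS_SSL_KEYSTORE_PASS:-password}
-    sed -e 's/_httpfs_ssl_keystore_pass_/'${HTTPFS_SSL_KEYSTORE_PASS}'/g' \
-        -e 's/_httpfs_ssl_truststore_pass_/'${HTTPFS_SSL_TRUSTSTORE_PASS}'/g' \
+    HTTPFS_SSL_KEYSTORE_PASS_ESCAPED=$(hadoop_xml_escape \
+      "$(hadoop_sed_escape "$HTTPFS_SSL_KEYSTORE_PASS")")
+    HTTPFS_SSL_TRUSTSTORE_PASS_ESCAPED=$(hadoop_xml_escape \
+      "$(hadoop_sed_escape "$HTTPFS_SSL_TRUSTSTORE_PASS")")
+    sed -e 's/"_httpfs_ssl_keystore_pass_"/'"\"${HTTPFS_SSL_KEYSTORE_PASS_ESCAPED}\""'/g' \
+        -e 's/"_httpfs_ssl_truststore_pass_"/'"\"${HTTPFS_SSL_TRUSTSTORE_PASS_ESCAPED}\""'/g' \
       "${HADOOP_CATALINA_HOME}/conf/ssl-server.xml.conf" \
       > "${HADOOP_CATALINA_HOME}/conf/ssl-server.xml"
     chmod 700 "${HADOOP_CATALINA_HOME}/conf/ssl-server.xml" >/dev/null 2>&1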
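Review bot: The two new `sed -e` expressions put the keystore and truststore passwords on sed's command line, where process arguments are typically readable by other local users for as long as sed runs. The escaping fixes correctness for special characters but leaves that exposure in place, and the unchanged sed call in kms.sh has the same shape. Feeding the script through a descriptor keeps the secret off argv, because `printf` is a shell builtin: `sed -f <(printf 's/"_httpfs_ssl_keystore_pass_"/"%s"/g\n' "${HTTPFS_SSL_KEYSTORE_PASS_ESCAPED}")`, with a second `printf` line for the truststore. The enclosing `if` blocks start above the hunk and are not closed inside it.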