accumulo-dev mailing list archives

From ctubbsii <...@git.apache.org>
Subject [GitHub] accumulo issue #289: ACCUMULO-4677 Sanitizing PathParam values in REST-based...
Date Fri, 04 Aug 2017 01:29:17 GMT
Github user ctubbsii commented on the issue:

    https://github.com/apache/accumulo/pull/289

    Oh, nice! Thanks for working on this @glitch; I took a brief look and I think this is basically what we need. I didn't do a thorough review, though. I'll try to get to that soon, if nobody else does.

    I think the main concern is that we don't allow input to be put back into the returned page in a way that poses a security risk. If a table can't be found, or a range of minutes doesn't work because it was input incorrectly, that's not so much a big deal, as long as it only breaks that particular HTTP request, and not Accumulo itself or the monitor state.

    The main concern is probably being able to click a link to the monitor which causes the monitor to start executing JavaScript or something which was in the query or path parameters.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
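The concern raised in the comment above is reflected cross-site scripting: a path or query parameter such as a table name or a minutes window is echoed into the monitor's HTML, so a crafted link executes script in the browser of whoever clicks it. The following JAX-RS resource is an added illustration, not code from Accumulo or from this pull request, showing the two defenses a reviewer would look for: a whitelist check on each parameter that fails the single request with a fixed message (never echoing the bad value), and HTML escaping of anything that is still written into the page. The resource path, the table-name whitelist pattern, the 30-day upper bound on the minutes window and the sample inputs in main are assumptions chosen for the example.

```java
import java.util.regex.Pattern;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

/**
 * Hypothetical monitor resource used to illustrate parameter sanitizing.
 * Example code only; not Accumulo's monitor. Names and limits are assumptions.
 */
@Path("/tables")
public class TableResource {

  // Assumption: a table name is ASCII letters, digits and underscore, with at
  // most one dot separating a namespace from the table name. Anything else,
  // including '<', '"' and '/', is rejected before it reaches any page.
  private static final Pattern TABLE_NAME =
      Pattern.compile("^[A-Za-z0-9_]+(\\.[A-Za-z0-9_]+)?$");

  // Assumption: a window longer than 30 days is not meaningful for this page.
  private static final int MAX_MINUTES = 60 * 24 * 30;

  /** Rejects anything outside the whitelist with a 400 that does not echo the input. */
  static String requireTableName(String raw) {
    if (raw == null || !TABLE_NAME.matcher(raw).matches()) {
      throw badRequest("invalid table name");
    }
    return raw;
  }

  /** Parses the minutes parameter, defaulting to 60 and bounding the range. */
  static int requireMinutes(String raw) {
    if (raw == null || raw.isEmpty()) {
      return 60;
    }
    int minutes;
    try {
      minutes = Integer.parseInt(raw);
    } catch (NumberFormatException e) {
      throw badRequest("minutes must be an integer");
    }
    if (minutes < 1 || minutes > MAX_MINUTES) {
      throw badRequest("minutes out of range");
    }
    return minutes;
  }

  /** Escapes the characters that matter in HTML text and double-quoted attributes. */
  static String escapeHtml(String s) {
    StringBuilder sb = new StringBuilder(s.length());
    for (int i = 0; i < s.length(); i++) {
      char c = s.charAt(i);
      switch (c) {
        case '&': sb.append("&amp;"); break;
        case '<': sb.append("&lt;"); break;
        case '>': sb.append("&gt;"); break;
        case '"': sb.append("&quot;"); break;
        case '\'': sb.append("&#39;"); break;
        default: sb.append(c);
      }
    }
    return sb.toString();
  }

  /** The message is a fixed string, never the caller's input, so nothing reflects. */
  private static WebApplicationException badRequest(String message) {
    return new WebApplicationException(
        Response.status(Response.Status.BAD_REQUEST)
            .entity(message)
            .type(MediaType.TEXT_PLAIN)
            .build());
  }

  @GET
  @Path("/{tableName}")
  @Produces(MediaType.TEXT_HTML)
  public String tablePage(@PathParam("tableName") String tableName,
                          @QueryParam("minutes") String minutes) {
    String name = requireTableName(tableName);
    int window = requireMinutes(minutes);
    // Validation is the first gate; escaping on output is the second, so a later
    // relaxation of the whitelist cannot silently reintroduce reflected script.
    return "<h1>Table " + escapeHtml(name) + "</h1>"
        + "<p>Showing the last " + window + " minutes.</p>";
  }

  /** Offline check with constructed inputs; no server or container needed. */
  public static void main(String[] args) {
    String[] bad = {"<script>alert(1)</script>", "\"><img src=x onerror=alert(1)>", "ns.t.extra"};
    for (String b : bad) {
      try {
        requireTableName(b);
        throw new AssertionError("accepted: " + b);
      } catch (WebApplicationException expected) {
        System.out.println("rejected (400, no echo): " + b);
      }
    }
    System.out.println(escapeHtml("<img src=x onerror=alert(1)>"));
  }
}
```

A failed check here costs only the one HTTP request that carried the bad value, which matches the comment's distinction between breaking a request and breaking the monitor: the 400 response carries a constant message, and the handler never touches monitor state before validation has passed.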
