accumulo-notifications mailing list archives

From "ASF subversion and git services (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ACCUMULO-2720) [FindBugs] HTTP response splitting vulnerabilities in the OperationServlet
Date Wed, 23 Apr 2014 21:00:26 GMT

    [ https://issues.apache.org/jira/browse/ACCUMULO-2720?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13978890#comment-13978890 ]

ASF subversion and git services commented on ACCUMULO-2720:
-----------------------------------------------------------

Commit 9621701fd6d930952f82523b52c428dcf89a18dd in accumulo's branch refs/heads/1.6.0-SNAPSHOT
from [~ctubbsii]
[ https://git-wip-us.apache.org/repos/asf?p=accumulo.git;h=9621701 ]

ACCUMULO-2720 Address some HTTP response splitting

  URLEncode some parameters, and do some validation on redirects in the monitor
  to mitigate HTTP response splitting vulnerabilities identified by FindBugs.


> [FindBugs] HTTP response splitting vulnerabilities in the OperationServlet
> --------------------------------------------------------------------------
>
>                 Key: ACCUMULO-2720
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-2720
>             Project: Accumulo
>          Issue Type: Sub-task
>          Components: monitor
>            Reporter: Christopher Tubbs
>            Assignee: Christopher Tubbs
>              Labels: findbugs
>             Fix For: 1.6.1, 1.7.0
>
>
> FindBugs rank 5 bugs found [HTTP response splitting|https://en.wikipedia.org/wiki/HTTP_response_splitting]
> vulnerabilities in OperationServlet. FindBugs explicitly notes that it does only minimal checking
> for these bugs, so if it finds them, there are almost certainly more that it did not find.
> This ticket will fix those it found. Any others will have to be found by another, more comprehensive
> tool.
> This takes us up through rank 6 findbugs validation in the build.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
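The two mitigations the commit message names (URL-encoding request parameters and validating redirect targets before they reach a Location header), shown as an added Java example that is not Accumulo's own code. The class, the method names, the path-whitelist pattern and the sample inputs are assumptions; the servlet response is simulated with a plain header string.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

/** Hypothetical helpers illustrating the two mitigations from the commit message. */
public final class RedirectSafety {

    // Assumed policy: only same-site relative paths, no scheme, no protocol-relative "//",
    // and no characters outside the URL-safe set (so CR and LF can never match).
    private static final Pattern SAFE_RELATIVE_PATH =
        Pattern.compile("^/(?![/\\\\])[\\p{Alnum}/._~!$&'()*+,;=:@%?#-]*$");

    /** Percent-encode a query value so a raw CR/LF can never be emitted into a header. */
    static String encodeParam(String value) {
        return URLEncoder.encode(value, StandardCharsets.UTF_8); // "\r\n" becomes "%0D%0A"
    }

    /** Return the redirect target if it passes the whitelist, otherwise a fixed fallback. */
    static String validateRedirect(String target, String fallback) {
        if (target == null || !SAFE_RELATIVE_PATH.matcher(target).matches()) {
            return fallback;
        }
        return target;
    }

    /** Compose the Location header a servlet would send; refuse it if a line terminator slipped in. */
    static String locationHeader(String redirect, String paramName, String paramValue) {
        String header = "Location: " + redirect + "?" + paramName + "=" + encodeParam(paramValue);
        if (header.indexOf('\r') >= 0 || header.indexOf('\n') >= 0) {
            throw new IllegalStateException("header value contains a line terminator");
        }
        return header;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a benign value and one carrying a CRLF pair.
        System.out.println(locationHeader(validateRedirect("/tables", "/"), "table", "trace"));
        System.out.println(locationHeader(validateRedirect("/tables", "/"), "table", "x\r\nSet-Cookie: y"));
        // Absolute and protocol-relative targets fail the whitelist and fall back to "/".
        System.out.println(validateRedirect("//other.example/", "/"));
        System.out.println(validateRedirect("http://other.example/", "/"));
    }
}
```

The second call prints the CRLF as `%0D%0A` inside the query string rather than as a header break, which is the property FindBugs was checking for.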
