Date: Wed, 23 Apr 2014 22:10:16 +0000 (UTC)
From: "Christopher Tubbs (JIRA)"
To: notifications@accumulo.apache.org
Reply-To: jira@apache.org
Subject: [jira] [Commented] (ACCUMULO-2720) [FindBugs] HTTP response splitting vulnerabilities in the OperationServlet

    [ https://issues.apache.org/jira/browse/ACCUMULO-2720?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13978993#comment-13978993 ]

Christopher Tubbs commented on ACCUMULO-2720:
---------------------------------------------

This bug is fixed at FindBugs rank 5 checks, but comes back at rank 7. I'm not really sure it can be removed entirely, until the monitor is seriously refactored and we get rid of all the server-side refresh stuff.

> [FindBugs] HTTP response splitting vulnerabilities in the OperationServlet
> --------------------------------------------------------------------------
>
>                 Key: ACCUMULO-2720
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-2720
>             Project: Accumulo
>          Issue Type: Sub-task
>          Components: monitor
>            Reporter: Christopher Tubbs
>            Assignee: Christopher Tubbs
>              Labels: findbugs
>             Fix For: 1.6.0
>
>
> FindBugs rank 5 bugs found [HTTP response splitting|https://en.wikipedia.org/wiki/HTTP_response_splitting] vulnerabilities in OperationServlet. FindBugs explicitly notes that it does only minimal checking for these bugs, so if it finds them, there are almost certainly more that it did not find. This ticket will fix those it found. Any others will have to be found by another, more comprehensive tool.
> This takes us up through rank 6 findbugs validation in the build.

--
This message was sent by Atlassian JIRA
(v6.2#6252)
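
An added example, not code from the ticket or from Accumulo, of the defect class the ticket names: a request-derived string copied into a response header, beside a check that rejects CR, LF and other control characters first. The class, method and sample values are hypothetical; the message does not show which header or parameter OperationServlet used.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration, not Accumulo code: class, method and sample names are hypothetical.
public class HeaderValueGuard {

  // Returns value unchanged when it is safe to place in one header line, otherwise throws.
  static String requireHeaderSafe(String name, String value) {
    if (value == null || value.isEmpty()) {
      throw new IllegalArgumentException(name + ": missing value");
    }
    for (int i = 0; i < value.length(); i++) {
      char c = value.charAt(i);
      // CR or LF would end the header line early; reject them with all other control chars.
      if (c < 0x20 || c == 0x7f) {
        throw new IllegalArgumentException(
            String.format("%s: control character 0x%02x at index %d", name, (int) c, i));
      }
    }
    return value;
  }

  // Stand-in for a response writer that emits "Name: value" lines without any checks.
  static String serialize(Map<String, String> headers) {
    StringBuilder out = new StringBuilder("HTTP/1.1 302 Found\r\n");
    for (Map.Entry<String, String> h : headers.entrySet()) {
      out.append(h.getKey()).append(": ").append(h.getValue()).append("\r\n");
    }
    return out.append("\r\n").toString();
  }

  public static void main(String[] args) {
    // Constructed inputs standing in for a request parameter after container URL-decoding.
    String[] samples = {"/tables", "/tables\r\nX-Injected: 1"};
    for (String redir : samples) {
      Map<String, String> unchecked = new LinkedHashMap<>();
      unchecked.put("Location", redir); // tainted value written straight into a header
      long lines = serialize(unchecked).split("\r\n").length;
      System.out.println("unchecked response has " + lines + " header-section lines");
      try {
        Map<String, String> checked = new LinkedHashMap<>();
        checked.put("Location", requireHeaderSafe("Location", redir));
        System.out.print(serialize(checked));
      } catch (IllegalArgumentException e) {
        System.out.println("rejected: " + e.getMessage()); // a servlet would answer 400 here
      }
    }
  }
}
```

The second sample yields three header-section lines on the unchecked path instead of two, which is the extra header line a reviewer looks for; the checked path rejects it before anything is written.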