accumulo-notifications mailing list archives

From GitBox <...@apache.org>
Subject [GitHub] [accumulo] reggert opened a new pull request #1409: Corrected servlet parameter handling so that it does not break things
Date Sat, 02 Nov 2019 17:13:35 GMT
reggert opened a new pull request #1409: Corrected servlet parameter handling so that it does not break things
URL: https://github.com/apache/accumulo/pull/1409
 
 
This resolves #1401.

I removed the previous implementation of string sanitization, replacing it with more specific checks at the places where the parameters are used. As it turns out, the broken method was only used in two places, `ListType` and `ShowTrace`. In the former case, sanitization was only needed when including it in the HTML output, so I used `StringEscapeUtils.escapeHtml` for that. In the latter case, sanitization was needed prior to passing the string in an Accumulo range, so I used a regular expression in `getTraceID` to validate that the string contains exactly 16 hexadecimal digits, which is how trace IDs are represented in the trace table.

`BasicTest` was deleted because it was exclusively testing the broken sanitization mechanism. No other tests exist for the servlets, which is a problem but out of scope for what this patch is fixing.

As a more long-term solution, the servlets really ought to be replaced by JSP or another templating mechanism that can automatically handle escaping HTML content, rather than building HTML by concatenating Java strings.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services
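The two strategies the pull request describes, context-specific output escaping for a value that lands in HTML and strict allow-list validation for a value that becomes an Accumulo range key, are shown below as an added example. This is not code from the pull request or from Accumulo: the class and method names, the hand-written `escapeHtml` (a minimal stand-in for the `StringEscapeUtils.escapeHtml` the PR uses), the acceptance of upper-case hex digits, and the sample inputs are all assumptions made for illustration.

```java
import java.util.regex.Pattern;

/**
 * Added example (not Accumulo's code) of the two checks described in PR #1409:
 * escape-on-output for a free-form display parameter, validate-on-input for a
 * parameter that will be used to build an Accumulo Range.
 */
public final class ServletParamExample {

    // The PR states trace IDs are stored in the trace table as exactly 16 hex digits.
    // Accepting both cases is an assumption for this example. matches() requires the
    // whole input to match, so no anchors are needed and a trailing newline is rejected.
    private static final Pattern TRACE_ID = Pattern.compile("[0-9a-fA-F]{16}");

    /**
     * Allow-list validation: return the trace ID unchanged if it has the exact shape
     * the trace table uses, otherwise refuse it before it reaches a Range.
     */
    public static String getTraceId(String param) {
        if (param == null || !TRACE_ID.matcher(param).matches()) {
            throw new IllegalArgumentException("trace ID must be exactly 16 hexadecimal digits");
        }
        return param;
    }

    /**
     * Output-context escaping for text interpolated into an HTML element body or a
     * double-quoted attribute. Covers the five characters that change HTML parsing;
     * the PR's StringEscapeUtils.escapeHtml is the production equivalent.
     */
    public static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed request values, not taken from any real deployment.
        String listType = "<script>alert(1)</script>";
        // The raw value would become live markup; the escaped value renders as text.
        System.out.println("<h2>Listing: " + escapeHtml(listType) + "</h2>");

        String[] traceParams = {
            "0123456789abcdef",   // valid
            "0123456789ABCDEF",   // valid, upper case
            "0123456789abcde",    // too short
            "0123456789abcdefg",  // too long / non-hex
            "0123456789abcdef\n", // trailing newline is rejected by matches()
            "../etc"              // arbitrary junk
        };
        for (String p : traceParams) {
            try {
                System.out.println("accepted: " + getTraceId(p));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected " + p.trim() + ": " + e.getMessage());
            }
        }
    }
}
```

The split matters because the two parameters fail in different ways: the `ListType` value is arbitrary text whose only danger is the HTML context it is printed into, so escaping at the point of output is the right fix, while the `ShowTrace` value has a single legitimate shape and anything outside that shape has no business reaching the scan at all, so it is rejected on input rather than "cleaned".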
