reggert opened a new pull request #1409: Corrected servlet parameter handling so that it does
not break things
URL: https://github.com/apache/accumulo/pull/1409
This resolves #1401.
I removed the previous implementation of string sanitization, replacing it with more specific
checks at the places where the parameters are used. As it turns out, the broken method was
only used in two places, `ListType` and `ShowTrace`. In the former case, sanitization was
only needed when including in the HTML output, so I used `StringEscapeUtils.escapeHtml` for
that. In the latter case, sanitization was needed prior to passing the string in an Accumulo
range, so I used a regular expression in `getTraceID` to validate that the string contains
exactly 16 hexadecimal digits, which is how trace IDs are represented in the trace table.
`BasicTest` was deleted because it was exclusively testing the broken
sanitization mechanism. No other tests exist for the servlets, which is a problem but out
of scope for what this patch is fixing.
As a more long term solution, the servlets really ought to be replaced by JSP or another
templating mechanism that can automatically handle escaping HTML content, rather than building
HTML by concatenating Java strings.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
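The two checks the PR describes, as an added, self-contained example (this is not the PR's own code or Accumulo's): a whitelist regex that accepts only a 16-hex-digit trace ID before the value is used to build a range, and HTML escaping applied only at the point where a parameter is written into the page. The class name `TraceParamChecks` and the hand-rolled `escapeHtml` are assumptions; the PR uses `StringEscapeUtils.escapeHtml` from commons-lang for the latter, which is replaced here so the example runs with the JDK alone. The sample inputs are constructed.

```java
import java.util.regex.Pattern;

/** Hypothetical stand-in for the parameter checks described in the PR (not Accumulo code). */
public class TraceParamChecks {

    // Trace IDs are stored in the trace table as exactly 16 hexadecimal digits (a 64-bit id).
    // matcher().matches() requires the whole input to match, so no ^/$ anchors are needed and
    // the Java pitfall of "$" matching before a trailing "\n" (with find()) does not apply.
    private static final Pattern TRACE_ID = Pattern.compile("[0-9a-fA-F]{16}");

    /**
     * Validates a user-supplied trace id before it is used to build a scan range.
     * Whitelist validation: anything that is not exactly 16 hex digits is rejected.
     */
    static String getTraceID(String param) {
        if (param == null || !TRACE_ID.matcher(param).matches()) {
            throw new IllegalArgumentException("trace id must be exactly 16 hexadecimal digits");
        }
        return param;
    }

    /**
     * Minimal HTML escaper used only where a parameter is emitted into HTML output.
     * Stands in for StringEscapeUtils.escapeHtml; covers the characters that break out of
     * text and double- or single-quoted attribute contexts.
     */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed inputs: two valid ids, then too short, too long, non-hex,
        // trailing newline, and a couple of injection-style strings.
        String[] ids = {
            "0123456789abcdef", "0123456789ABCDEF",
            "0123456789abcde", "0123456789abcdef0", "0123456789abcdeg",
            "0123456789abcdef\n", "' OR 1=1 --", "<script>alert(1)</script>"
        };
        for (String id : ids) {
            try {
                System.out.println("accept " + getTraceID(id));
            } catch (IllegalArgumentException e) {
                System.out.println("reject " + id.replace("\n", "\\n") + ": " + e.getMessage());
            }
        }

        // A "type" parameter is free text, so it is escaped at output time rather than validated.
        String type = "<script>alert(\"x\")</script>";
        System.out.println("<td>" + escapeHtml(type) + "</td>");
    }
}
```

The split mirrors the PR's reasoning: a value that must be a trace ID is validated against the exact format the trace table stores, so nothing but a well-formed id ever reaches the range constructor; a value that is only displayed is left untouched until it is written into HTML, where context-appropriate escaping (not a generic "sanitize" pass) is applied.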