db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Kristian Waagan (Updated) (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (DERBY-5639) Minor code cleanup for NetServlet
Date Tue, 13 Mar 2012 09:31:38 GMT

     [ https://issues.apache.org/jira/browse/DERBY-5639?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Kristian Waagan updated DERBY-5639:
-----------------------------------

    Attachment: derby-5639-4a-xss.diff

Attaching patch 4a, which should protect the servlet against basic XSS attacks. It also addresses
a few non-XSS issues.

Brief descriptions:
 o use a safer value for the form action attribute
 o write Integer instead of raw String in message
   (this was safe in the current implementation, but not good practice)
 o escaped strings passed to langUtil.getTextMessage
 o made error reporting less verbose when the form parameter is unknown
 o added missing ';' in escapeSingleQuotes
 o added esacpeHTML

There are no tests for NetServlet, so I have tested it manually.
Patch ready for review.
                
> Minor code cleanup for NetServlet
> ---------------------------------
>
>                 Key: DERBY-5639
>                 URL: https://issues.apache.org/jira/browse/DERBY-5639
>             Project: Derby
>          Issue Type: Sub-task
>          Components: Miscellaneous, Network Server, Tools
>    Affects Versions: 10.9.0.0
>            Reporter: Kristian Waagan
>            Assignee: Kristian Waagan
>            Priority: Minor
>         Attachments: derby-5639-1a-remove_request_param.diff, derby-5639-2a-misc.diff,
derby-5639-2a-misc.stat, derby-5639-3a-html.diff, derby-5639-4a-xss.diff
>
>
> The code in NetServlet has a few quality issues, some of which are easily addressed.
I plan to address the easy ones here, the main one will be removing unused variables.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message