db-derby-dev mailing list archives

From "Kristian Waagan (Updated) (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (DERBY-5639) Minor code cleanup for NetServlet
Date Tue, 13 Mar 2012 09:31:38 GMT

Kristian Waagan updated DERBY-5639:

    Attachment: derby-5639-4a-xss.diff

Attaching patch 4a, which should protect the servlet against basic XSS attacks. It also addresses
a few non-XSS issues.

Brief descriptions:
 o use a safer value for the form action attribute
 o write Integer instead of raw String in message
   (this was safe in the current implementation, but not good practice)
 o escaped strings passed to langUtil.getTextMessage
 o made error reporting less verbose when the form parameter is unknown
 o added missing ';' in escapeSingleQuotes
 o added escapeHTML

There are no tests for NetServlet, so I have tested it manually.
Patch ready for review.
> Minor code cleanup for NetServlet
> ---------------------------------
>                 Key: DERBY-5639
>                 URL: https://issues.apache.org/jira/browse/DERBY-5639
>             Project: Derby
>          Issue Type: Sub-task
>          Components: Miscellaneous, Network Server, Tools
>    Affects Versions:
>            Reporter: Kristian Waagan
>            Assignee: Kristian Waagan
>            Priority: Minor
>         Attachments: derby-5639-1a-remove_request_param.diff, derby-5639-2a-misc.diff,
> derby-5639-2a-misc.stat, derby-5639-3a-html.diff, derby-5639-4a-xss.diff
> The code in NetServlet has a few quality issues, some of which are easily addressed.
> I plan to address the easy ones here, the main one will be removing unused variables.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
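As an added illustration (not the Derby patch itself, which is not reproduced on this page), the two escapers named in the description, escapeHTML and escapeSingleQuotes, together with a hypothetical renderStatus that applies them to an unknown form-parameter value before it is written back into the servlet's page:

```java
// Added example, not code from Derby's NetServlet: escaping helpers of the kind
// the patch description lists, applied before untrusted text reaches HTML output.
public final class EscapeDemo {

    /** Escape the characters that are significant in HTML text and attribute values. */
    static String escapeHTML(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Backslash-escape single quotes and backslashes for a single-quoted string literal.
     * Note the missing ';' bug class the patch fixes is easy to miss in hand-rolled
     * escapers; this one is only adequate for a quoted literal that is itself also
     * HTML-escaped, not on its own inside a <script> block.
     */
    static String escapeSingleQuotes(String s) {
        if (s == null) return "";
        return s.replace("\\", "\\\\").replace("'", "\\'");
    }

    /** Hypothetical status line: the unknown parameter name is escaped, not echoed raw. */
    static String renderStatus(String untrustedParam) {
        return "<p>Unknown form parameter: " + escapeHTML(untrustedParam) + "</p>";
    }

    public static void main(String[] args) {
        // Constructed sample input standing in for a hostile form parameter value.
        String hostile = "<script>alert('x')</script>";
        String out = renderStatus(hostile);
        System.out.println(out);
        // No raw '<' from the input survives, so the browser shows text instead of running it.
        if (out.contains("<script")) throw new AssertionError("escape failed");
        System.out.println("'" + escapeSingleQuotes("O'Reilly \\ Co") + "'");
    }
}
```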