drill-issues mailing list archives

From "Jason Altekruse (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (DRILL-3768) HTML- and JavaScript-injection vulnerability (lack of HTML encoding)
Date Fri, 11 Sep 2015 21:56:45 GMT

     [ https://issues.apache.org/jira/browse/DRILL-3768?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

Jason Altekruse updated DRILL-3768:
    Fix Version/s: 1.3.0

> HTML- and JavaScript-injection vulnerability (lack of HTML encoding)
> --------------------------------------------------------------------
>                 Key: DRILL-3768
>                 URL: https://issues.apache.org/jira/browse/DRILL-3768
>             Project: Apache Drill
>          Issue Type: Bug
>          Components: Client - HTTP
>            Reporter: Daniel Barclay (Drill)
>            Assignee: Jason Altekruse
>            Priority: Critical
>              Labels: security
>             Fix For: 1.3.0
> The Web UI does not properly encode query text or error message text into HTML.  This makes the Web UI vulnerable to JavaScript-injection attacks.
>
> Most importantly, the Web UI doesn't encode characters that are special in HTML, e.g., encoding "<" in that plain text to "&lt;" in the HTML text.
> This means that some queries containing a less-than character ("<") are displayed wrong.  For example, submit this query and then look at its profile via the Web UI:
> {noformat}
> {noformat}
> (The query currently shows up as "{{SELECT 1}}".)
> What's worse is that someone submitting a query can inject HTML, _including JavaScript code_, into the Web UI's pages.  Look at this query's profile in the Web UI:
> {noformat}
> VALUES `<script> alert("Gotcha!") </script>`
> {noformat}
>
> Another, though less serious, problem is that line breaks in plain text are not encoded into HTML (e.g., as "<br />").
> That means that separate lines of error messages are run together, making them harder or impossible to parse correctly when seen in the Web UI.

This message was sent by Atlassian JIRA
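The two defects the report describes (HTML-special characters passed through unencoded, and line breaks lost) are shown side by side below. This is an added illustration, not code from Apache Drill or from the reporter; Drill's Web UI is Java-based, and the Python here only demonstrates the encoding the issue asks for. The sample query and error strings are constructed for the example (the script query is the one quoted in the issue), and the function names and the crude `has_foreign_tag` checker are assumptions made for the demonstration.

```python
"""Added example (not Drill's own code): why raw query/error text must be
HTML-encoded before it is written into a page, and what the encoding has to
do about line breaks. All sample strings are constructed."""
import html
import re

# Constructed inputs modelled on the report: a query containing "<", the
# script-injection query quoted in the issue, and a multi-line error message.
SAMPLE_QUERY_LT = "SELECT 1 WHERE 1 < 2"
SAMPLE_QUERY_SCRIPT = 'VALUES `<script> alert("Gotcha!") </script>`'
SAMPLE_ERROR = "Error Id: 1234\nParse error at line 1\nExpected identifier"


def render_unencoded(text: str) -> str:
    """The vulnerable pattern: untrusted text concatenated straight into markup.
    Anything in `text` that looks like a tag is parsed by the browser as a tag."""
    return "<pre>" + text + "</pre>"


def encode_html_text(text: str) -> str:
    """Encode plain text for an HTML element body.

    Order matters: escape first, so the <br /> tags inserted afterwards are
    the only markup that survives. Escaping after the replacement would turn
    the <br /> back into literal text."""
    encoded = html.escape(text, quote=True)          # & < > " ' -> references
    encoded = encoded.replace("\r\n", "\n").replace("\r", "\n")
    return encoded.replace("\n", "<br />")           # keep separate lines separate


def render_encoded(text: str) -> str:
    """The fixed pattern: only the template's own tags reach the browser."""
    return "<pre>" + encode_html_text(text) + "</pre>"


# Any tag other than the <pre> wrapper and the <br /> the encoder emits is
# markup that came from the untrusted input. (Crude: a checker for this
# demonstration only, not a general HTML sanitiser.)
_FOREIGN_TAG = re.compile(r"<(?!/?pre>|br ?/?>)[^>]*>")


def has_foreign_tag(markup: str) -> bool:
    return _FOREIGN_TAG.search(markup) is not None


if __name__ == "__main__":
    for sample in (SAMPLE_QUERY_LT, SAMPLE_QUERY_SCRIPT, SAMPLE_ERROR):
        print("raw:     ", render_unencoded(sample))
        print("encoded: ", render_encoded(sample))
        print()
```

Note that this encoding is correct only for text placed in an element body; a value written into an attribute, a URL, or an inline script block needs the encoding for that context, and the fix in a template engine should be applied at the output point, not by pre-cleaning the query text, so the profile still records exactly what the user submitted.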
