hadoop-common-issues mailing list archives

From "Owen O'Malley (JIRA)" <j...@apache.org>
Subject [jira] Updated: (HADOOP-6151) The servlets should quote html characters
Date Thu, 17 Sep 2009 22:01:59 GMT

     [ https://issues.apache.org/jira/browse/HADOOP-6151?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Owen O'Malley updated HADOOP-6151:
----------------------------------

    Attachment: h6151.patch

This patch introduces an input filter for all of the servlets and jsp pages that quotes all
of the html active characters in the parameters. This means that all of the cross-site scripting
attacks based on bad urls should be fixed.

I'll file a follow-up jira to fix the vector where the values in the job need to be quoted.

> The servlets should quote html characters
> -----------------------------------------
>
>                 Key: HADOOP-6151
>                 URL: https://issues.apache.org/jira/browse/HADOOP-6151
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>            Reporter: Owen O'Malley
>            Priority: Critical
>             Fix For: 0.21.0
>
>         Attachments: h6151.patch
>
>
> We need to quote html characters that come from user generated data. Otherwise, all of
> the web UIs have cross-site scripting attacks, etc.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

