From: "Owen O'Malley (JIRA)"
To: common-issues@hadoop.apache.org
Subject: [jira] Updated: (HADOOP-6151) The servlets should quote html characters
Date: Thu, 17 Sep 2009 15:01:59 -0700 (PDT)
Message-ID: <467649514.1253224919152.JavaMail.jira@brutus>
In-Reply-To: <2103411870.1247675174858.JavaMail.jira@brutus>

[ https://issues.apache.org/jira/browse/HADOOP-6151?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Owen O'Malley updated HADOOP-6151:
----------------------------------

    Attachment: h6151.patch

This patch introduces an input filter for all of the servlets and jsp pages that quotes all of the html active characters in the parameters. This means that all of the cross site scripting attacks based on bad urls should be fixed. I'll file a follow-up jira to fix the vector where the values in the job need to be quoted.

> The servlets should quote html characters
> -----------------------------------------
>
>                 Key: HADOOP-6151
>                 URL: https://issues.apache.org/jira/browse/HADOOP-6151
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>            Reporter: Owen O'Malley
>            Priority: Critical
>             Fix For: 0.21.0
>
>         Attachments: h6151.patch
>
>
> We need to quote html characters that come from user generated data. Otherwise, all of the web UIs have cross site scripting attacks, etc.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.