hadoop-common-issues mailing list archives

From "Owen O'Malley (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-7527) Make URL encoding consistent
Date Mon, 08 Aug 2011 18:28:27 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-7527?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13081109#comment-13081109 ]

Owen O'Malley commented on HADOOP-7527:
---------------------------------------

You're missing the point.

The reality is the developers miss cases of untrusted input. Let's take the 404 page that
is built into jetty. It echoes the parameters blindly. The jetty developers, who should know
better, missed it. Hadoop developers have missed it many many more times. The only reliable
way to fix the problem is on input. As long as it is done consistently, it protects against
the majority of attacks. It isn't fool-proof, but it is far safer than assuming all uses in
output will be caught.

> Make URL encoding consistent
> ----------------------------
>
>                 Key: HADOOP-7527
>                 URL: https://issues.apache.org/jira/browse/HADOOP-7527
>             Project: Hadoop Common
>          Issue Type: Improvement
>    Affects Versions: 0.23.0
>            Reporter: Eli Collins
>
> URL encoding is currently handled in at least 4 different ways. We should make these consistent:
> # Parameters are encoded when a URI object is created
> # HttpServlet uses RequestQuoter to html escape parameter names and values
> # StringEscapeUtils is used to escape parameters in ReconfigurationServlet and DatanodeJspHelper
> # URLEncoder and URLDecoder are used in multiple places 
> We should also be consistent about how we pass file names in URLs, sometimes they're passed in the path segment, sometimes they're passed in the query fragment as parameters.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
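
The input-side approach argued for in the comment above, as an added example that is not part of the original message and is not Hadoop's RequestQuoter code. All class and method names are hypothetical, and the request parameters are a constructed sample: parameter names and values are HTML-quoted once at the request boundary, so a handler that echoes them blindly still emits inert text.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added example with hypothetical names; a plain Map stands in for the servlet request.
public class InputQuotingDemo {
    // HTML-quote the characters that can break out of element or quoted-attribute context.
    static String quoteHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // The single choke point: handlers receive this view, never the raw map.
    // Names are quoted as well as values, since error pages echo both.
    static Map<String, String[]> quoteOnInput(Map<String, String[]> raw) {
        Map<String, String[]> quoted = new LinkedHashMap<>();
        for (Map.Entry<String, String[]> e : raw.entrySet()) {
            String[] vals = e.getValue().clone();
            for (int i = 0; i < vals.length; i++) vals[i] = quoteHtml(vals[i]);
            quoted.put(quoteHtml(e.getKey()), vals);
        }
        return quoted;
    }

    // A handler written with no output escaping at all, like the 404 page mentioned above.
    static String notFoundPage(Map<String, String[]> params) {
        StringBuilder html = new StringBuilder("<h1>404</h1><ul>");
        for (Map.Entry<String, String[]> e : params.entrySet())
            for (String v : e.getValue())
                html.append("<li>").append(e.getKey()).append('=').append(v).append("</li>");
        return html.append("</ul>").toString();
    }

    public static void main(String[] args) {
        Map<String, String[]> raw = new LinkedHashMap<>(); // constructed sample request
        raw.put("file", new String[] {"\"><b>injected</b>"});
        raw.put("<i>name", new String[] {"a&b"});
        System.out.println(notFoundPage(quoteOnInput(raw)));
    }
}
```

This quoting only covers HTML text and quoted-attribute contexts, and a handler that also escapes on output will double-encode the already-quoted values, which is the kind of inconsistency the issue asks to remove.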

        
