hadoop-common-issues mailing list archives

From "Todd Lipcon (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-7527) Make URL encoding consistent
Date Mon, 08 Aug 2011 16:58:27 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-7527?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13081055#comment-13081055 ]

Todd Lipcon commented on HADOOP-7527:
-------------------------------------

The QuotingInputFilter is also totally misguided - yes, it prevents you from accidentally
forgetting to encode something, but it's done at the wrong layer. Encoding is output-type dependent
-- just because we usually output to HTML doesn't mean that the parameters should be HTML-encoded
"on the way in".

The correct way to do this is to make sure all interpolation of user input escapes at interpolation
time -- the encoding should then be the proper context-dependent escaping scheme (e.g. URL escaping,
JavaScript escaping, or HTML escaping, which are all different and sometimes need to be layered).

> Make URL encoding consistent
> ----------------------------
>
>                 Key: HADOOP-7527
>                 URL: https://issues.apache.org/jira/browse/HADOOP-7527
>             Project: Hadoop Common
>          Issue Type: Improvement
>    Affects Versions: 0.23.0
>            Reporter: Eli Collins
>
> URL encoding is currently handled in at least 4 different ways. We should make these consistent:
> # Parameters are encoded when a URI object is created
> # HttpServlet uses RequestQuoter to html escape parameter names and values
> # StringEscapeUtils is used to escape parameters in ReconfigurationServlet and DatanodeJspHelper
> # URLEncoder and URLDecoder are used in multiple places 
> We should also be consistent about how we pass file names in URLs; sometimes they're passed in the path segment, sometimes they're passed in the query fragment as parameters.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
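
The layered, context-dependent escaping the comment above calls for, next to the effect of HTML-quoting a parameter on the way in. This is an added example, not Hadoop's code: the class name, the `/browse` endpoint and the sample file name are assumptions made for illustration.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;

public class EscapeAtOutput {
    // Minimal HTML escaper for element text and quoted attribute values.
    static String html(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    // URL context: percent-encode a query parameter value.
    static String urlParam(String s) throws UnsupportedEncodingException {
        return URLEncoder.encode(s, "UTF-8");
    }

    // Layered escaping at interpolation time: URL-escape the value for the
    // query string, then HTML-escape the whole URL for the href attribute.
    static String link(String file) throws UnsupportedEncodingException {
        String url = "/browse?file=" + urlParam(file);   // hypothetical endpoint
        return "<a href=\"" + html(url) + "\">" + html(file) + "</a>";
    }

    public static void main(String[] args) throws UnsupportedEncodingException {
        String raw = "a&b <c>.txt";                // constructed file name
        String quotedOnInput = html(raw);          // what an input-side filter hands the app

        // Input-side quoting: the URL now carries HTML entities as data, and
        // the visible text is double-escaped because the page escapes again.
        System.out.println("input-quoted link : " + link(quotedOnInput));
        System.out.println("server decodes to : "
            + URLDecoder.decode(urlParam(quotedOnInput), "UTF-8"));

        // Output-side escaping: each context gets its own scheme, applied once.
        System.out.println("output-escaped    : " + link(raw));
        System.out.println("server decodes to : "
            + URLDecoder.decode(urlParam(raw), "UTF-8"));
    }
}
```

In the input-quoted case the value that round-trips through the URL is no longer the original file name, which is the functional cost of encoding before the output context is known.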

        
