hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Owen O'Malley (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-7527) Make URL encoding consistent
Date Mon, 08 Aug 2011 16:46:27 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-7527?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13081045#comment-13081045

Owen O'Malley commented on HADOOP-7527:

The QuotingInputFilter has a very different purpose than the others. It is ensuring that parameters
that are echoed back to the user don't create XSS vulnerabilities. In particular, they are
using HTML quoting and not URL quoting.

> Make URL encoding consistent
> ----------------------------
>                 Key: HADOOP-7527
>                 URL: https://issues.apache.org/jira/browse/HADOOP-7527
>             Project: Hadoop Common
>          Issue Type: Improvement
>    Affects Versions: 0.23.0
>            Reporter: Eli Collins
> URL encoding is currently handled in at least 4 different ways. We should make these
> # Parameters are encoded when a URI object is created
> # HttpServlet uses RequestQuoter to html escape parameter names and values
> # StringEscapeUtils is used to escape parameters in ReconfigurationServlet and DatanodeJspHelper
> # URLEncoder and URLDecoder are used in multiple places 
> We should also be consistent about how we pass file names in URLs, some times they're
passed in the path segment, sometimes they're passed in the query fragment as parameters.

This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira


View raw message