hbase-issues mailing list archives

From "Enis Soztutar (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-5968) Proper html escaping for region names
Date Thu, 29 Nov 2012 02:08:58 GMT

    [ https://issues.apache.org/jira/browse/HBASE-5968?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13506150#comment-13506150 ]

Enis Soztutar commented on HBASE-5968:
--------------------------------------

{code}
hbase(main):007:0> split 'ci', "<script>alert('hello world');</script>"
{code}
Have fun! 
                
> Proper html escaping for region names
> -------------------------------------
>
>                 Key: HBASE-5968
>                 URL: https://issues.apache.org/jira/browse/HBASE-5968
>             Project: HBase
>          Issue Type: Bug
>          Components: util
>    Affects Versions: 0.96.0
>            Reporter: Enis Soztutar
>            Assignee: Enis Soztutar
>
> I noticed that we are not doing html escaping for the rs/master web interfaces, so you can end up generating html like:
> {code}
> <tr>
>   <td>ci,,\xEEp/<T\xBE\xC0,1336471826990.fc5a943e75ce8521b1ccdaf72d2c96c8.</td>
>   
>   <td>
>     <a href="hostname">hostname</a>
>   </td>
>   
>   <td>,\xEEp/<T\xBE\xC0</td>
>   <td>-n\xA8\xE0\x15\xDD\x80!</td>
>   <td>2966724</td>
> </tr>
> {code}
> This obviously does not render properly. 
> Also, my crazy theory is that it can be a security risk, since the region name is computed from table rows, which are most of the time user input. Thus if the rows contain a "<script onload=" or similar, then that will be executed on the developer's browser, having possibly access to dev environment.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
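An added example, not code from the issue or from HBase, showing why the `<` in a row key survives into the displayed region name and then into the page, next to the escaped rendering that removes the risk. `to_string_binary` is assumed to mirror HBase's `Bytes.toStringBinary`; the split key is the one from the comment above, and the timestamp and encoded name are taken from the quoted table row.

```python
import html


def to_string_binary(data: bytes) -> str:
    """Assumed to mirror HBase Bytes.toStringBinary: printable ASCII other
    than backslash is kept, every other byte becomes \\xNN. Since '<', '>',
    '"' and "'" are printable, they pass straight into the region name."""
    out = []
    for b in data:
        if 0x20 <= b <= 0x7E and b != 0x5C:
            out.append(chr(b))
        else:
            out.append("\\x%02X" % b)
    return "".join(out)


def region_display_name(table: str, start_key: bytes, ts: int, encoded: str) -> str:
    """Constructed approximation of the displayed name: table,startkey,ts.encoded."""
    return f"{table},{to_string_binary(start_key)},{ts}.{encoded}."


def render_row_unescaped(region_name: str, hostname: str) -> str:
    """The behaviour the issue reports: values concatenated straight into HTML."""
    return (f"<tr><td>{region_name}</td>"
            f"<td><a href=\"{hostname}\">{hostname}</a></td></tr>")


def render_row_escaped(region_name: str, hostname: str) -> str:
    """Hardened form: escape every untrusted value at the HTML sink."""
    r = html.escape(region_name, quote=True)
    h = html.escape(hostname, quote=True)
    return f"<tr><td>{r}</td><td><a href=\"{h}\">{h}</a></td></tr>"


# Constructed input: the split key from the comment above as the row-key bytes
# HBase would store, plus the timestamp and encoded name from the quoted row.
SPLIT_KEY = b"<script>alert('hello world');</script>"
REGION = region_display_name("ci", SPLIT_KEY, 1336471826990,
                             "fc5a943e75ce8521b1ccdaf72d2c96c8")

if __name__ == "__main__":
    print(render_row_unescaped(REGION, "hostname"))  # browser runs the script tag
    print(render_row_escaped(REGION, "hostname"))    # browser shows it as text
```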
