hbase-issues mailing list archives

From "Elliott Clark (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-5968) Proper html escaping for region names
Date Thu, 29 Nov 2012 02:33:00 GMT

    [ https://issues.apache.org/jira/browse/HBASE-5968?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13506165#comment-13506165

Elliott Clark commented on HBASE-5968:

Yep, this is a pretty big security hole.

> Proper html escaping for region names
> -------------------------------------
>                 Key: HBASE-5968
>                 URL: https://issues.apache.org/jira/browse/HBASE-5968
>             Project: HBase
>          Issue Type: Bug
>          Components: util
>    Affects Versions: 0.96.0
>            Reporter: Enis Soztutar
>            Assignee: Enis Soztutar
> I noticed that we are not doing html escaping for the rs/master web interfaces, so you can end up generating html like:
> {code}
> <tr>
>   <td>ci,,\xEEp/<T\xBE\xC0,1336471826990.fc5a943e75ce8521b1ccdaf72d2c96c8.</td>
>   <td>
>     <a href="hostname">hostname</a>
>   </td>
>   <td>,\xEEp/<T\xBE\xC0</td>
>   <td>-n\xA8\xE0\x15\xDD\x80!</td>
>   <td>2966724</td>
> </tr>
> {code}
> This obviously does not render properly. 
> Also, my crazy theory is that it can be a security risk. Since the region name is computed from table rows, which are most of the time user input. Thus if the rows contain a "<script onload=" or similar, then that will be executed on the developer's browser having possibly access to dev environment.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
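
The escaping the issue title asks for, as an added example that is not part of the original message and not HBase's own code: the `\xNN` rendering of a row key leaves printable characters such as `<` untouched, so the rendered string still has to be HTML-escaped before it goes into a `<td>`. The class and method names are hypothetical, and `toPrintable` is a stand-in written here to mimic the rendering seen in the quoted table row.

```java
import java.nio.charset.StandardCharsets;

public class RegionNameEscaping {
    // Stand-in for the binary-to-string rendering seen in the quoted row:
    // printable ASCII is kept as-is, every other byte becomes \xNN.
    // Written for this example (assumption), not taken from HBase.
    static String toPrintable(byte[] raw) {
        StringBuilder sb = new StringBuilder();
        for (byte b : raw) {
            int c = b & 0xFF;
            if (c >= 0x20 && c < 0x7F) {
                sb.append((char) c);
            } else {
                sb.append(String.format("\\x%02X", c));
            }
        }
        return sb.toString();
    }

    // Escapes the five characters that are significant in HTML text and quoted attributes.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            switch (s.charAt(i)) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(s.charAt(i));
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // pageKey: the start-key bytes shown in the quoted row (,\xEEp/<T\xBE\xC0).
        // markupKey: a constructed row key that carries markup characters.
        byte[] pageKey = {',', (byte) 0xEE, 'p', '/', '<', 'T', (byte) 0xBE, (byte) 0xC0};
        byte[] markupKey = "<b>row</b>&\"x\"".getBytes(StandardCharsets.US_ASCII);
        for (byte[] key : new byte[][] {pageKey, markupKey}) {
            String shown = toPrintable(key);
            System.out.println("unescaped: <td>" + shown + "</td>");
            System.out.println("escaped:   <td>" + escapeHtml(shown) + "</td>");
        }
    }
}
```

In the unescaped output the `<T` from the page's own key opens a tag inside the cell, which is why the quoted row does not render; the escaped line shows the same key as inert text.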
