hbase-issues mailing list archives

From "Heng Chen (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-15329) Cross-Site Scripting: Reflected in table.jsp
Date Thu, 03 Mar 2016 04:19:18 GMT

    [ https://issues.apache.org/jira/browse/HBASE-15329?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15177136#comment-15177136 ]

Heng Chen commented on HBASE-15329:
-----------------------------------

Actually, it is not a problem. If your URL parameter 'name' is not a valid table name in the
cluster, it will return a 500 like the one below. And the table's name is only valid with [a-zA-Z_0-9-.].
But I will still push it, just to unify the code that deals with XSS.

{code}
HTTP ERROR 500

Problem accessing /table.jsp. Reason:

    Illegal character code:38, <&> at 0. User-space table qualifiers can only contain
'alphanumeric characters': i.e. [a-zA-Z_0-9-.]: &lt;script&gt;cluster_test
Caused by:

java.lang.IllegalArgumentException: Illegal character code:38, <&> at 0. User-space
table qualifiers can only contain 'alphanumeric characters': i.e. [a-zA-Z_0-9-.]: &lt;script&gt;cluster_test
	at org.apache.hadoop.hbase.TableName.isLegalTableQualifierName(TableName.java:201)
	at org.apache.hadoop.hbase.TableName.isLegalTableQualifierName(TableName.java:149)
	at org.apache.hadoop.hbase.TableName.<init>(TableName.java:322)
	at org.apache.hadoop.hbase.TableName.createTableNameIfNecessary(TableName.java:358)
	at org.apache.hadoop.hbase.TableName.valueOf(TableName.java:445)
	at org.apache.hadoop.hbase.generated.master.table_jsp._jspService(table_jsp.java:117)
	at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:109)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
	at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:511)
	at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1221)
	at org.apache.hadoop.hbase.http.lib.StaticUserWebFilter$StaticUserFilter.doFilter(StaticUserWebFilter.java:113)
	at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212)
	at org.apache.hadoop.hbase.http.ClickjackingPreventionFilter.doFilter(ClickjackingPreventionFilter.java:48)
	at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212)
	at org.apache.hadoop.hbase.http.HttpServer$QuotingInputFilter.doFilter(HttpServer.java:1354)
	at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212)
	at org.apache.hadoop.hbase.http.NoCacheFilter.doFilter(NoCacheFilter.java:49)
	at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212)
	at org.apache.hadoop.hbase.http.NoCacheFilter.doFilter(NoCacheFilter.java:49)
	at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212)
	at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:399)
	at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
	at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:182)
	at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:766)
	at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:450)
	at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:230)
	at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
	at org.mortbay.jetty.Server.handle(Server.java:326)
	at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:542)
	at org.mortbay.jetty.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:928)
	at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:549)
	at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:212)
	at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:404)
	at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:410)
	at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:582)
{code}

> Cross-Site Scripting: Reflected in table.jsp
> --------------------------------------------
>
>                 Key: HBASE-15329
>                 URL: https://issues.apache.org/jira/browse/HBASE-15329
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>            Reporter: stack
>            Assignee: Samir Ahmic
>            Priority: Minor
>             Fix For: 2.0.0
>
>         Attachments: HBASE-15329_v0.patch
>
>
> Minor issue where we write back table name in a few places. Should clean it up:
> {code}
>  } else { 
>       out.write("\n        <title>Table: ");
>       out.print( fqtn );
>       out.write("</title>\n    ");
>  } 
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
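An added example (not HBase's code and not from the issue) showing the two layers the comment above relies on: an assumed re-implementation of the TableName character rule quoted in the stack trace, in front of the HTML encoding that the unified XSS handling applies to the `<title>` write anyway. `TableNameOutputDemo`, `validateQualifier`, `escapeHtml` and `renderTitle` are hypothetical names; namespace prefixes are not modelled.

```java
// Added example, not HBase code: the two layers the comment relies on. The
// character rule [a-zA-Z_0-9-.] quoted in the stack trace is re-implemented
// here as an assumption; escapeHtml() is the output encoding applied anyway.
public final class TableNameOutputDemo {
    // Same character class as the error message: [a-zA-Z_0-9-.]
    private static boolean isLegalChar(char c) {
        return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
            || (c >= '0' && c <= '9') || c == '_' || c == '-' || c == '.';
    }

    /** Returns the qualifier unchanged, or throws as TableName.valueOf() does. */
    public static String validateQualifier(String qualifier) {
        if (qualifier == null || qualifier.isEmpty()) {
            throw new IllegalArgumentException("Table qualifier must not be empty");
        }
        for (int i = 0; i < qualifier.length(); i++) {
            char c = qualifier.charAt(i);
            if (!isLegalChar(c)) {
                throw new IllegalArgumentException("Illegal character code:" + (int) c
                    + ", <" + c + "> at " + i + ". User-space table qualifiers can only"
                    + " contain 'alphanumeric characters': i.e. [a-zA-Z_0-9-.]: " + qualifier);
            }
        }
        return qualifier;
    }

    /** Minimal HTML text/attribute encoding for the reflected value. */
    public static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Hypothetical stand-in for the <title> write in table.jsp: validate, then encode. */
    public static String renderTitle(String nameParam) {
        // Even if validation is ever bypassed on another code path, the write stays encoded.
        return "<title>Table: " + escapeHtml(validateQualifier(nameParam)) + "</title>";
    }
}
```

`renderTitle("cluster_test")` returns the encoded title, while `renderTitle("<script>cluster_test")` throws before anything is written; note that the exception message echoes the raw input, so a 500 page that displays it must encode it as well.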
