hbase-issues mailing list archives

From "Ted Yu (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-16267) Remove commons-httpclient dependency from hbase-rest module
Date Wed, 10 Aug 2016 18:15:20 GMT

    [ https://issues.apache.org/jira/browse/HBASE-16267?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15415701#comment-15415701 ]

Ted Yu commented on HBASE-16267:
--------------------------------

bq. what's the difference if included explicitly or implicitly?

When the dependency is implicit, we would completely get rid of the security vulnerability when
the hadoop version is upgraded.
If the dependency is explicit, the hbase codebase would still be vulnerable even after the upgrade.

bq. sun.net.www.protocol.http.HttpURLConnection.getInputStream defaults httpclient?

hbase doesn't import any sun.net.\* classes - hadoop does.


> Remove commons-httpclient dependency from hbase-rest module
> -----------------------------------------------------------
>
>                 Key: HBASE-16267
>                 URL: https://issues.apache.org/jira/browse/HBASE-16267
>             Project: HBase
>          Issue Type: Bug
>            Reporter: Ted Yu
>            Assignee: Ted Yu
>            Priority: Critical
>             Fix For: 2.0.0
>
>         Attachments: 16267.v10.txt, 16267.v11.txt, 16267.v12.txt, 16267.v13.txt, 16267.v14.txt,
>                      16267.v2.txt, 16267.v4.txt, 16267.v6.txt, 16267.v8.txt, 16267.v9.txt
>
>
> hbase-rest module still has imports from org.apache.commons.httpclient .
> There is more work to be done after HBASE-15767 was integrated.
> In master branch, there seems to be a transitive dependency which allows the code to compile:
> {code}
> [INFO] +- org.apache.hadoop:hadoop-common:jar:2.7.1:compile
> [INFO] |  +- org.apache.hadoop:hadoop-annotations:jar:2.7.1:compile
> [INFO] |  +- commons-cli:commons-cli:jar:1.2:compile
> [INFO] |  +- org.apache.commons:commons-math3:jar:3.1.1:compile
> [INFO] |  +- xmlenc:xmlenc:jar:0.52:compile
> [INFO] |  +- commons-httpclient:commons-httpclient:jar:3.1:compile
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
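
The explicit-versus-implicit distinction discussed in the comment above, as an added example (not code from the HBase project or from this thread): a small parser for `mvn dependency:tree` output that reports whether an artifact is declared directly by the module or only arrives through another artifact, and through which one. The root line in the sample and the name `find_paths` are assumptions made for illustration.

```python
import re

# Constructed sample: the tree excerpt quoted in the issue, placed under a
# placeholder root line (the real module coordinates are not on the page).
SAMPLE_TREE = """\
[INFO] example:rest-module:jar:0.0.0
[INFO] +- org.apache.hadoop:hadoop-common:jar:2.7.1:compile
[INFO] |  +- org.apache.hadoop:hadoop-annotations:jar:2.7.1:compile
[INFO] |  +- commons-cli:commons-cli:jar:1.2:compile
[INFO] |  +- org.apache.commons:commons-math3:jar:3.1.1:compile
[INFO] |  +- xmlenc:xmlenc:jar:0.52:compile
[INFO] |  +- commons-httpclient:commons-httpclient:jar:3.1:compile
"""

# The tree prefix is built from 3-character units: "|  ", "   ", "+- ", "\- ".
NODE = re.compile(r"^\[INFO\] ((?:[|+\\ ][ -] )*)(\S+:\S+)\s*$")


def find_paths(tree_text, group_artifact):
    """Return a list of (kind, path) for every occurrence of group:artifact.

    kind is "direct" when the module itself declares the artifact (depth 1)
    and "transitive" when it is pulled in by another dependency.
    path is the chain of coordinates from the root module to the artifact.
    """
    stack, hits = [], []
    for line in tree_text.splitlines():
        m = NODE.match(line)
        if not m:
            continue  # banner, summary and other non-tree Maven output
        depth = len(m.group(1)) // 3
        coord = m.group(2)
        del stack[depth:]          # drop siblings and deeper nodes
        stack.append(coord)
        if depth > 0 and coord.startswith(group_artifact + ":"):
            kind = "direct" if depth == 1 else "transitive"
            hits.append((kind, list(stack)))
    return hits


if __name__ == "__main__":
    for kind, path in find_paths(SAMPLE_TREE,
                                 "commons-httpclient:commons-httpclient"):
        print(kind, "via", " -> ".join(path))
```

A "transitive" result means the jar's presence depends on the parent artifact's version; a "direct" result means the module's own POM pins it regardless of what the parent ships.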
