Posted to common-issues@hadoop.apache.org by "Owen O'Malley (JIRA)" <ji...@apache.org> on 2009/09/18 00:01:59 UTC

[jira] Updated: (HADOOP-6151) The servlets should quote html characters

     [ https://issues.apache.org/jira/browse/HADOOP-6151?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Owen O'Malley updated HADOOP-6151:
----------------------------------

    Attachment: h6151.patch

This patch introduces an input filter for all of the servlets and jsp pages that quotes all of the html active characters in the parameters. This means that all of the cross site scripting attacks based on bad urls should be fixed.

I'll file a follow up jira to fix the vector where the values in the job need to be quoted.

> The servlets should quote html characters
> -----------------------------------------
>
>                 Key: HADOOP-6151
>                 URL: https://issues.apache.org/jira/browse/HADOOP-6151
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>            Reporter: Owen O'Malley
>            Priority: Critical
>             Fix For: 0.21.0
>
>         Attachments: h6151.patch
>
>
> We need to quote html characters that come from user generated data. Otherwise, all of the web UIs have cross site scripting attacks, etc.

-- 
This message is automatically generated by JIRA.
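As an added illustration, not the h6151.patch attached to this issue, here is the shape of the input filter the comment describes: a servlet Filter that wraps each request so every parameter accessor returns values with the HTML-active characters quoted, which is what stops a reflected parameter from being rendered as markup. The class and method names are assumptions, not Hadoop's.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

// Illustrative quoting input filter (added example; names are assumptions).
// It quotes request parameters before any servlet or JSP can echo them back.
public class HtmlQuotingFilter implements Filter {

  /** Replace & < > " ' with their HTML entities; null stays null. */
  public static String quote(String s) {
    if (s == null) return null;
    // '&' must be replaced first, or the entities produced below would be re-quoted.
    return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
            .replace("\"", "&quot;").replace("'", "&#39;");
  }

  /** Wrapper so every parameter accessor, including the map, hands back quoted values. */
  static class QuotedRequest extends HttpServletRequestWrapper {
    QuotedRequest(HttpServletRequest req) { super(req); }

    @Override public String getParameter(String n) { return quote(super.getParameter(n)); }

    @Override public String[] getParameterValues(String n) {
      String[] raw = super.getParameterValues(n);
      if (raw == null) return null;
      String[] out = new String[raw.length];
      for (int i = 0; i < raw.length; i++) out[i] = quote(raw[i]);
      return out;
    }

    @Override public Map<String, String[]> getParameterMap() {
      Map<String, String[]> out = new HashMap<String, String[]>();
      for (Enumeration<?> e = getParameterNames(); e.hasMoreElements();) {
        String n = (String) e.nextElement();
        out.put(n, getParameterValues(n));  // already quoted by the override above
      }
      return Collections.unmodifiableMap(out);
    }
  }

  public void init(FilterConfig cfg) {}
  public void destroy() {}

  public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
      throws IOException, ServletException {
    chain.doFilter(new QuotedRequest((HttpServletRequest) req), resp);
  }
}
```

Mapped to every servlet and JSP (for example a web.xml filter-mapping on `/*`), this covers only data arriving in the URL; values stored earlier, such as the job data the comment defers to a follow-up issue, still need quoting where they are written into the page.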