Posted to dev@sentry.apache.org by Na Li via Review Board <no...@reviews.apache.org> on 2018/01/09 23:17:32 UTC
Review Request 65053: SENTRY-2120: cross-site scripting vulnerability in LogLevelServlet
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/65053/
-----------------------------------------------------------
Review request for sentry, Brian Towles, kalyan kumar kalvagadda, and Sergio Pena.
Repository: sentry
Description
-------
The HTTP parameter is directly written to the Servlet error page. Echoing this untrusted input allows for a reflected cross-site scripting vulnerability. See http://en.wikipedia.org/wiki/Cross-site_scripting for more information.
Diffs
-----
sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/LogLevelServlet.java fce41a8
Diff: https://reviews.apache.org/r/65053/diff/1/
Testing
-------
Thanks,
Na Li
Re: Review Request 65053: SENTRY-2120: Potential cross-site scripting in LogLevelServlet
Posted by Colm O hEigeartaigh <co...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/65053/#review195308
-----------------------------------------------------------
Ship it!
Ship It!
- Colm O hEigeartaigh
On Jan. 11, 2018, 12:26 a.m., Na Li wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/65053/
> -----------------------------------------------------------
>
> (Updated Jan. 11, 2018, 12:26 a.m.)
>
>
> Review request for sentry, Brian Towles, kalyan kumar kalvagadda, and Sergio Pena.
>
>
> Repository: sentry
>
>
> Description
> -------
>
> The HTTP parameter is directly written to the Servlet error page. Echoing this untrusted input allows for reflected cross-site scripting. See http://en.wikipedia.org/wiki/Cross-site_scripting for more information.
>
>
> Diffs
> -----
>
> sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/LogLevelServlet.java fce41a8
>
>
> Diff: https://reviews.apache.org/r/65053/diff/1/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Na Li
>
>
Re: Review Request 65053: SENTRY-2120: Escape input string for error response message in LogLevelServlet
Posted by Na Li via Review Board <no...@reviews.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/65053/
-----------------------------------------------------------
(Updated Jan. 12, 2018, 10:23 p.m.)
Review request for sentry, Brian Towles, kalyan kumar kalvagadda, and Sergio Pena.
Summary (updated)
-----------------
SENTRY-2120: Escape input string for error response message in LogLevelServlet
Repository: sentry
Description (updated)
-------
The HTTP parameter is directly written to the Servlet error page. Echoing this untrusted input is a bad practice for security purposes. The input string needs to be escaped before being added to the error response message.
Diffs
-----
sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/LogLevelServlet.java fce41a8
Diff: https://reviews.apache.org/r/65053/diff/1/
Testing
-------
Thanks,
Na Li
Re: Review Request 65053: SENTRY-2120: Potential cross-site scripting in LogLevelServlet
Posted by Na Li via Review Board <no...@reviews.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/65053/
-----------------------------------------------------------
(Updated Jan. 11, 2018, 12:26 a.m.)
Review request for sentry, Brian Towles, kalyan kumar kalvagadda, and Sergio Pena.
Summary (updated)
-----------------
SENTRY-2120: Potential cross-site scripting in LogLevelServlet
Repository: sentry
Description (updated)
-------
The HTTP parameter is directly written to the Servlet error page. Echoing this untrusted input allows for reflected cross-site scripting. See http://en.wikipedia.org/wiki/Cross-site_scripting for more information.
Diffs
-----
sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/LogLevelServlet.java fce41a8
Diff: https://reviews.apache.org/r/65053/diff/1/
Testing
-------
Thanks,
Na Li
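The descriptions in this thread (the original report and the "Escape input string for error response message" update) describe one pattern: a request parameter concatenated into an HTML error response, and the fix of escaping it first. The class below is an added example written for this page, not Sentry's LogLevelServlet code or the content of the linked diff. It builds the error body without the servlet API so it compiles and runs with plain `javac`; the parameter name `level`, the message wording, and the allow-list of level names (the standard Log4j levels) are assumptions.

```java
/**
 * Added example (not Sentry's own code): an error message that echoes a
 * request parameter, first unescaped (the pattern SENTRY-2120 removes) and
 * then HTML-escaped so the browser renders the value as text, never as markup.
 * The parameter name "level" and the message wording are assumptions.
 */
public class LogLevelErrorMessage {

    /** Vulnerable pattern: the raw parameter value is concatenated into HTML. */
    static String unsafeErrorBody(String level) {
        return "<html><body>Invalid log level: " + level + "</body></html>";
    }

    /** Hardened form: the value is escaped before it reaches the response. */
    static String safeErrorBody(String level) {
        return "<html><body>Invalid log level: " + escapeHtml(level) + "</body></html>";
    }

    /**
     * Minimal HTML escaper for the five characters that can change how a
     * browser parses text or attribute content. In production code prefer a
     * maintained library, e.g. org.apache.commons.text.StringEscapeUtils.escapeHtml4.
     */
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * Complementary control: when the set of valid values is known (assumed
     * here to be the standard Log4j level names), reject anything else up
     * front so the echoed value is never attacker-chosen in the first place.
     */
    static boolean isKnownLevel(String level) {
        if (level == null) {
            return false;
        }
        switch (level.toUpperCase()) {
            case "TRACE": case "DEBUG": case "INFO":
            case "WARN":  case "ERROR": case "FATAL": case "OFF":
                return true;
            default:
                return false;
        }
    }

    public static void main(String[] args) {
        // Constructed input containing markup characters; no real request is involved.
        String input = "<b>DEBUG</b>";

        System.out.println("allow-listed: " + isKnownLevel(input));   // false
        System.out.println("unsafe body:  " + unsafeErrorBody(input)); // markup survives
        System.out.println("safe body:    " + safeErrorBody(input));   // &lt;b&gt;DEBUG&lt;/b&gt;
    }
}
```

Running `javac LogLevelErrorMessage.java && java LogLevelErrorMessage` shows the unescaped body carrying the `<b>` tags through verbatim, while the escaped body contains only entity-encoded text. Escaping is the fix the thread describes; the allow-list check is an extra layer that also lets a servlet respond with a generic "unknown level" message instead of echoing the input at all.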