Posted to dev@sentry.apache.org by Vamsee Yarlagadda <va...@cloudera.com> on 2017/07/06 19:24:34 UTC

Re: Review Request 60273: SENTRY-1665: cross-site scripting vulnerability in ConfServlet


> On June 21, 2017, 4:16 p.m., Alexander Kolbasov wrote:
> > The fix itself is fine, but can you check whether you need to add dependency to any of the -dist poms? Also, do we need to do anything special for Solr to include the dependency?
> 
> Brian Towles wrote:
>     This will only apply to the main Sentry server since ConfServlet is run by SentryWebServer which is only run by SentryService. This may mean we need to break out the SentryWebService and other stuff if sentry-provider-db is being distributed in plugins.

Looks like this ConfServlet class gets only used by the Sentry server. If so, none of the other components like Solr or HDFS can directly interact with it, so we don't have to worry about the dependency issues.


- Vamsee


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/60273/#review178502
-----------------------------------------------------------
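As an added illustration of the fix described in this review request (not Sentry's own ConfServlet code), the snippet below stands in a plain map of key/value pairs for the servlet's configuration and renders it with and without commons-lang's `StringEscapeUtils.escapeHtml`; the `sentry.example.description` property and its value are constructed for the demonstration.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.commons.lang.StringEscapeUtils;

/** Renders config key/value pairs as an HTML table, before and after an escape-on-output fix. */
public class ConfRenderExample {

    /** "Before": values are concatenated into the markup verbatim, so a value carrying markup is reflected as HTML. */
    static String renderUnescaped(Map<String, String> conf) {
        StringBuilder html = new StringBuilder("<table>\n");
        for (Map.Entry<String, String> e : conf.entrySet()) {
            html.append("<tr><td>").append(e.getKey())
                .append("</td><td>").append(e.getValue()).append("</td></tr>\n");
        }
        return html.append("</table>").toString();
    }

    /** "After": every key and value passes through commons-lang escapeHtml, turning &, <, > and " into entities. */
    static String renderEscaped(Map<String, String> conf) {
        StringBuilder html = new StringBuilder("<table>\n");
        for (Map.Entry<String, String> e : conf.entrySet()) {
            html.append("<tr><td>").append(StringEscapeUtils.escapeHtml(e.getKey()))
                .append("</td><td>").append(StringEscapeUtils.escapeHtml(e.getValue()))
                .append("</td></tr>\n");
        }
        return html.append("</table>").toString();
    }

    public static void main(String[] args) {
        // Constructed sample: one ordinary property and one whose value contains markup.
        Map<String, String> conf = new LinkedHashMap<String, String>();
        conf.put("sentry.service.server.rpc-port", "8038");
        conf.put("sentry.example.description", "<script>alert(1)</script>");

        String before = renderUnescaped(conf);
        String after = renderEscaped(conf);
        System.out.println("--- unescaped ---\n" + before);
        System.out.println("--- escaped ---\n" + after);

        // Regression check a unit test could carry: no raw tag from a value survives in the escaped output.
        if (after.contains("<script")) {
            throw new AssertionError("value was not escaped");
        }
        if (!after.contains("&lt;script&gt;alert(1)&lt;/script&gt;")) {
            throw new AssertionError("unexpected escaped form");
        }
    }
}
```

Note that escapeHtml is the right tool for text placed in element content, as in this table; a value written inside an attribute still needs the attribute quoted, and commons-lang 2.x does not escape the single quote.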


On June 21, 2017, 3:28 p.m., Brian Towles wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/60273/
> -----------------------------------------------------------
> 
> (Updated June 21, 2017, 3:28 p.m.)
> 
> 
> Review request for sentry, Alexander Kolbasov, Hao Hao, kalyan kumar kalvagadda, Na Li, Sergio Pena, Vamsee Yarlagadda, and Vadim Spector.
> 
> 
> Bugs: SENTRY-1665
>     https://issues.apache.org/jira/browse/SENTRY-1665
> 
> 
> Repository: sentry
> 
> 
> Description
> -------
> 
> SENTRY-1665: Applied commons-lang HTML escape to output string.
> 
> 
> Diffs
> -----
> 
>   sentry-provider/sentry-provider-db/pom.xml 14ad6a29f7f814ccc13482d78ccafd171568acc6 
>   sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/ConfServlet.java 9e7fca83e79e23c71559221ba9e5a97f79ec75eb 
> 
> 
> Diff: https://reviews.apache.org/r/60273/diff/1/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Brian Towles
> 
>