Posted to commits@sentry.apache.org by ak...@apache.org on 2017/07/06 22:04:54 UTC
sentry git commit: SENTRY-1665: cross-site scripting vulnerability in
ConfServlet (Brian Towles, reviewed by: Alex Kolbasov,
Vamsee Yarlagadda and Na Li)
Repository: sentry
Updated Branches:
refs/heads/sentry-ha-redesign 6164b2750 -> 1b3535ea4
SENTRY-1665: cross-site scripting vulnerability in ConfServlet (Brian Towles, reviewed by: Alex Kolbasov, Vamsee Yarlagadda and Na Li)
Project: http://git-wip-us.apache.org/repos/asf/sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/1b3535ea
Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/1b3535ea
Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/1b3535ea
Branch: refs/heads/sentry-ha-redesign
Commit: 1b3535ea45fee98691c00ede39fb2df4a6375c39
Parents: 6164b27
Author: Alexander Kolbasov <ak...@cloudera.com>
Authored: Fri Jul 7 00:04:28 2017 +0200
Committer: Alexander Kolbasov <ak...@cloudera.com>
Committed: Fri Jul 7 00:04:28 2017 +0200
----------------------------------------------------------------------
sentry-provider/sentry-provider-db/pom.xml | 4 ++++
.../apache/sentry/provider/db/service/thrift/ConfServlet.java | 4 +++-
2 files changed, 7 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/sentry/blob/1b3535ea/sentry-provider/sentry-provider-db/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/pom.xml b/sentry-provider/sentry-provider-db/pom.xml
index 14ad6a2..10dae4a 100644
--- a/sentry-provider/sentry-provider-db/pom.xml
+++ b/sentry-provider/sentry-provider-db/pom.xml
@@ -33,6 +33,10 @@ limitations under the License.
<artifactId>commons-cli</artifactId>
</dependency>
<dependency>
+ <groupId>commons-lang</groupId>
+ <artifactId>commons-lang</artifactId>
+ </dependency>
+ <dependency>
<groupId>com.jolbox</groupId>
<artifactId>bonecp</artifactId>
</dependency>
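Review bot: The added commons-lang dependency carries no `<version>` element, so it appears to rely on a `dependencyManagement` entry in a parent pom that this hunk does not show; that entry should be confirmed, otherwise resolution fails at build time. commons-lang 2.x is also the end-of-life line of the library whose maintained successor is commons-lang3, where the equivalent call is `StringEscapeUtils.escapeHtml4`; pulling in the legacy artifact for a single escaping call is worth a second look before it spreads to other modules. The same consideration applies to the static-import hunk in ConfServlet.java in this commit.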
http://git-wip-us.apache.org/repos/asf/sentry/blob/1b3535ea/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/ConfServlet.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/ConfServlet.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/ConfServlet.java
index 9e7fca8..1233fbc 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/ConfServlet.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/ConfServlet.java
@@ -28,6 +28,8 @@ import javax.servlet.http.HttpServletResponse;
import org.apache.hadoop.conf.Configuration;
+import static org.apache.commons.lang.StringEscapeUtils.escapeHtml;
+
/**
* Servlet to print out all sentry configuration.
*/
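Review bot: The static import of `escapeHtml` hides where the escaping function comes from at the single call site that uses it, which matters for a security-relevant helper that a reader will want to look up; a plain `import org.apache.commons.lang.StringEscapeUtils;` with the call written as `StringEscapeUtils.escapeHtml(format)` reads clearer and keeps static imports for constants. The import is also placed after `org.apache.hadoop.conf.Configuration` rather than grouped with the other imports, which most formatters will reorder on the next touch.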
@@ -62,7 +64,7 @@ public class ConfServlet extends HttpServlet {
} else if (FORMAT_XML.equals(format)) {
conf.writeXml(out);
} else {
- response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Bad format: " + format);
+ response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Bad format: " + escapeHtml(format));
}
out.close();
}
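Review bot: Escaping `format` on the changed `sendError` line closes the reflected-output path, but the error message still echoes caller-controlled input; a message that does not reflect the value at all, such as one listing the accepted format constants (`FORMAT_XML` is the one visible here), removes the sink instead of sanitizing it and is the safer default for a servlet that exposes configuration. Note that commons-lang 2's `escapeHtml` does not escape the single quote, which is adequate for the body text a container renders for `sendError` but not for a single-quoted attribute should this string ever be reused in one. Separately, `out.close()` on the last line is not in a `finally` block, so if `sendError` throws (for example an IllegalStateException on an already committed response) the writer is never closed; wrapping `out` in try-with-resources would cover all three branches. The enclosing method starts outside the hunk.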