You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@sentry.apache.org by Na Li via Review Board <no...@reviews.apache.org> on 2018/01/12 22:23:23 UTC
Re: Review Request 65053: SENTRY-2120: Escape input string for error
response message in LogLevelServlet
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/65053/
-----------------------------------------------------------
(Updated Jan. 12, 2018, 10:23 p.m.)
Review request for sentry, Brian Towles, kalyan kumar kalvagadda, and Sergio Pena.
Summary (updated)
-----------------
SENTRY-2120: Escape input string for error response message in LogLevelServlet
Repository: sentry
Description (updated)
-------
HTTP parameter is directly written to Servlet error page. Echoing this untrusted input is a bad practice for security purpose. Need to escape input string before adding into error response message.
Diffs
-----
sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/LogLevelServlet.java fce41a8
Diff: https://reviews.apache.org/r/65053/diff/1/
Testing
-------
Thanks,
Na Li