You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@sentry.apache.org by Na Li via Review Board <no...@reviews.apache.org> on 2018/01/12 22:23:23 UTC

Re: Review Request 65053: SENTRY-2120: Escape input string for error response message in LogLevelServlet

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/65053/
-----------------------------------------------------------

(Updated Jan. 12, 2018, 10:23 p.m.)


Review request for sentry, Brian Towles, kalyan kumar kalvagadda, and Sergio Pena.


Summary (updated)
-----------------

SENTRY-2120: Escape input string for error response message in LogLevelServlet


Repository: sentry


Description (updated)
-------

HTTP parameter is directly written to Servlet error page. Echoing this untrusted input is a bad practice for security purpose. Need to escape input string before adding into error response message.


Diffs
-----

  sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/LogLevelServlet.java fce41a8 


Diff: https://reviews.apache.org/r/65053/diff/1/


Testing
-------


Thanks,

Na Li