You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@sentry.apache.org by Na Li via Review Board <no...@reviews.apache.org> on 2018/01/11 00:26:11 UTC

Re: Review Request 65053: SENTRY-2120: Potential cross-site scripting in LogLevelServlet

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/65053/
-----------------------------------------------------------

(Updated Jan. 11, 2018, 12:26 a.m.)


Review request for sentry, Brian Towles, kalyan kumar kalvagadda, and Sergio Pena.


Summary (updated)
-----------------

SENTRY-2120: Potential cross-site scripting in LogLevelServlet


Repository: sentry


Description (updated)
-------

HTTP parameter is directly written to Servlet error page. Echoing this untrusted input allows for a reflected cross site scripting. See http://en.wikipedia.org/wiki/Cross-site_scripting for more information.


Diffs
-----

  sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/LogLevelServlet.java fce41a8 


Diff: https://reviews.apache.org/r/65053/diff/1/


Testing
-------


Thanks,

Na Li

Re: Review Request 65053: SENTRY-2120: Potential cross-site scripting in LogLevelServlet

Posted by Colm O hEigeartaigh <co...@apache.org>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/65053/#review195308
-----------------------------------------------------------


Ship it!




Ship It!

- Colm O hEigeartaigh


On Jan. 11, 2018, 12:26 a.m., Na Li wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/65053/
> -----------------------------------------------------------
> 
> (Updated Jan. 11, 2018, 12:26 a.m.)
> 
> 
> Review request for sentry, Brian Towles, kalyan kumar kalvagadda, and Sergio Pena.
> 
> 
> Repository: sentry
> 
> 
> Description
> -------
> 
> HTTP parameter is directly written to Servlet error page. Echoing this untrusted input allows for a reflected cross site scripting. See http://en.wikipedia.org/wiki/Cross-site_scripting for more information.
> 
> 
> Diffs
> -----
> 
>   sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/LogLevelServlet.java fce41a8 
> 
> 
> Diff: https://reviews.apache.org/r/65053/diff/1/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Na Li
> 
>

Re: Review Request 65053: SENTRY-2120: Escape input string for error response message in LogLevelServlet

Posted by Na Li via Review Board <no...@reviews.apache.org>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/65053/
-----------------------------------------------------------

(Updated Jan. 12, 2018, 10:23 p.m.)


Review request for sentry, Brian Towles, kalyan kumar kalvagadda, and Sergio Pena.


Summary (updated)
-----------------

SENTRY-2120: Escape input string for error response message in LogLevelServlet


Repository: sentry


Description (updated)
-------

HTTP parameter is directly written to Servlet error page. Echoing this untrusted input is a bad practice for security purpose. Need to escape input string before adding into error response message.


Diffs
-----

  sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/LogLevelServlet.java fce41a8 


Diff: https://reviews.apache.org/r/65053/diff/1/


Testing
-------


Thanks,

Na Li