Posted to notifications@accumulo.apache.org by GitBox <gi...@apache.org> on 2019/11/02 17:13:35 UTC

[GitHub] [accumulo] reggert opened a new pull request #1409: Corrected servlet parameter handling so that it does not break things

URL: https://github.com/apache/accumulo/pull/1409
 
 
   This resolves #1401.
   
   I removed the previous implementation of  string sanitization, replacing it with more specific checks at the places where the parameters are used. As it turns out, the broken method was only used in two places, `ListType` and `ShowTrace`. In the former case, sanitization was only needed when including in the HTML output, so I used `StringEscapeUtils.escapeHtml` for that. In the latter case, sanitization was needed prior to passing the string in an Accumulo range, so I used a regular expression in `getTraceID` to validate that the string contains exactly 16 hexadecimal digits, which is how trace IDs are represented in the trace table.
   
   `BasicTest` was deleted because it was exclusively testing the broken sanitization mechanism. No other tests exist for the servlets, which is a problem but out of scope for what this patch is fixing.
   
   As a more long term solution, the servlets really ought to be replaced by JSP or another templating mechanism that can automatically handle escaping HTML content, rather than building HTML by concatenating Java strings.
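The two strategies the PR contrasts, context-specific output escaping for a value that ends up in HTML versus strict input validation for a value that becomes an Accumulo range key, as an added stand-alone example. This is illustrative code, not Accumulo's servlets and not reggert's patch: `getTraceID` is named after the method the PR mentions but its signature is assumed, `renderListHeading` is a hypothetical stand-in for the `ListType` output, and `escapeHtml` is a minimal JDK-only substitute for `StringEscapeUtils.escapeHtml` that covers only the five HTML metacharacters.

```java
import java.util.regex.Pattern;

/**
 * Added example (not Accumulo code): the parameter handling described in the
 * PR. A value that is only ever displayed is accepted as-is and escaped at the
 * point where it is concatenated into HTML; a value that is used as a lookup key
 * is validated against the exact shape the trace table stores and rejected
 * otherwise. A single generic "sanitize" step serves neither use well: it
 * mangles legitimate display values and cannot make an ill-formed key valid.
 */
public class ServletParamHandling {

    // Trace IDs are stored in the trace table as exactly 16 hexadecimal digits
    // (per the PR). matches() requires the whole string to match, so there is
    // no need for ^ and $ anchors and no trailing-newline loophole.
    private static final Pattern TRACE_ID = Pattern.compile("[0-9a-fA-F]{16}");

    /** Validate-then-use: signature assumed; only a well-formed ID reaches the range lookup. */
    public static String getTraceID(String param) {
        if (param == null || !TRACE_ID.matcher(param).matches()) {
            throw new IllegalArgumentException("trace id must be exactly 16 hexadecimal digits");
        }
        return param;
    }

    /** Minimal substitute for StringEscapeUtils.escapeHtml (assumed; not the library implementation). */
    public static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Escape-at-output (hypothetical stand-in for ListType): the raw value is kept for logic,
     *  escaped only where it is spliced into markup. */
    public static String renderListHeading(String type) {
        return "<h2>Tables of type " + escapeHtml(type) + "</h2>";
    }

    public static void main(String[] args) {
        // Constructed sample parameters, chosen to show why the two paths differ.
        System.out.println(renderListHeading("R&D"));                       // kept readable, just escaped
        System.out.println(renderListHeading("<script>alert(1)</script>")); // neutralised, not rejected

        String[] ids = {
            "0123456789abcdef",   // accepted
            "0123456789ABCDEF",   // accepted: upper-case hex is still hex
            "0123456789abcde",    // rejected: 15 digits
            "0123456789abcdef ",  // rejected: trailing space
            "<script>"            // rejected: escaping would not have made this a valid key
        };
        for (String id : ids) {
            try {
                System.out.println("accepted: " + getTraceID(id));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: \"" + id + "\" (" + e.getMessage() + ")");
            }
        }
    }
}
```

The point worth keeping in mind when reviewing the patch is that the two checks are not interchangeable: escaping a trace ID would do nothing useful (hex digits contain no HTML metacharacters) while letting a malformed key through to the range lookup, and validating a display value against a whitelist would reject harmless input such as `R&D`. The PR's longer-term suggestion of a templating layer removes the need to remember the escape call at every concatenation site, which is where the hand-written approach tends to fail.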

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services