Posted to issues@hbase.apache.org by "Enis Soztutar (JIRA)" <ji...@apache.org> on 2012/05/09 04:35:49 UTC
[jira] [Created] (HBASE-5968) Proper html escaping for region names
Enis Soztutar created HBASE-5968:
------------------------------------
Summary: Proper html escaping for region names
Key: HBASE-5968
URL: https://issues.apache.org/jira/browse/HBASE-5968
Project: HBase
Issue Type: Bug
Components: util
Affects Versions: 0.96.0
Reporter: Enis Soztutar
Assignee: Enis Soztutar
I noticed that we are not doing html escaping for the rs/master web interfaces, so you can end up generating html like:
{code}
<tr>
<td>ci,,\xEEp/<T\xBE\xC0,1336471826990.fc5a943e75ce8521b1ccdaf72d2c96c8.</td>
<td>
<a href="http://hrt24n06.cc1.ygridcore.net:60030/">hrt24n06.cc1.ygridcore.net:60030</a>
</td>
<td>,\xEEp/<T\xBE\xC0</td>
<td>-n\xA8\xE0\x15\xDD\x80!</td>
<td>2966724</td>
</tr>
{code}
This obviously does not render properly.
Also, my crazy theory is that it can be a security risk. Since the region name is computed from table rows, which are most of the time user input. Thus if the rows contain a "<script onload=" or similar, then that will be executed on the developer's browser having possibly access to dev environment.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Resolved] (HBASE-5968) Proper html escaping for region names
Posted by "Enis Soztutar (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-5968?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Enis Soztutar resolved HBASE-5968.
----------------------------------
Resolution: Duplicate
Closing this in favor of HBASE-1299
[jira] [Commented] (HBASE-5968) Proper html escaping for region names
Posted by "Enis Soztutar (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-5968?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13506150#comment-13506150 ]
Enis Soztutar commented on HBASE-5968:
--------------------------------------
{code}
hbase(main):007:0> split 'ci', "<script>alert('hello world');</script>"
{code}
Have fun!
[jira] [Updated] (HBASE-5968) Proper html escaping for region names
Posted by "Enis Soztutar (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-5968?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Enis Soztutar updated HBASE-5968:
---------------------------------
Description:
I noticed that we are not doing html escaping for the rs/master web interfaces, so you can end up generating html like:
{code}
<tr>
<td>ci,,\xEEp/<T\xBE\xC0,1336471826990.fc5a943e75ce8521b1ccdaf72d2c96c8.</td>
<td>
<a href="hostname">hostname</a>
</td>
<td>,\xEEp/<T\xBE\xC0</td>
<td>-n\xA8\xE0\x15\xDD\x80!</td>
<td>2966724</td>
</tr>
{code}
This obviously does not render properly.
Also, my crazy theory is that it can be a security risk. Since the region name is computed from table rows, which are most of the time user input. Thus if the rows contain a "<script onload=" or similar, then that will be executed on the developer's browser having possibly access to dev environment.
was:
I noticed that we are not doing html escaping for the rs/master web interfaces, so you can end up generating html like:
{code}
<tr>
<td>ci,,\xEEp/<T\xBE\xC0,1336471826990.fc5a943e75ce8521b1ccdaf72d2c96c8.</td>
<td>
<a href="http://hrt24n06.cc1.ygridcore.net:60030/">hrt24n06.cc1.ygridcore.net:60030</a>
</td>
<td>,\xEEp/<T\xBE\xC0</td>
<td>-n\xA8\xE0\x15\xDD\x80!</td>
<td>2966724</td>
</tr>
{code}
This obviously does not render properly.
Also, my crazy theory is that it can be a security risk. Since the region name is computed from table rows, which are most of the time user input. Thus if the rows contain a "<script onload=" or similar, then that will be executed on the developer's browser having possibly access to dev environment.
[jira] [Commented] (HBASE-5968) Proper html escaping for region names
Posted by "Elliott Clark (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-5968?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13506165#comment-13506165 ]
Elliott Clark commented on HBASE-5968:
--------------------------------------
Yep this is a pretty big security hole.
[jira] [Commented] (HBASE-5968) Proper html escaping for region names
Posted by "stack (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-5968?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13506226#comment-13506226 ]
stack commented on HBASE-5968:
------------------------------
Would fixing HBASE-1299 take care of this?
[jira] [Commented] (HBASE-5968) Proper html escaping for region names
Posted by "Elliott Clark (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-5968?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13506598#comment-13506598 ]
Elliott Clark commented on HBASE-5968:
--------------------------------------
Yep