[jira] [Commented] (HBASE-7184) pre-check table name in table.jsp

["liang xie (JIRA)" <ji...@apache.org>]

    [ https://issues.apache.org/jira/browse/HBASE-7184?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13500081#comment-13500081 ] 

liang xie commented on HBASE-7184:
----------------------------------

Before applied the attached patch, if i access host:port/table.jsp?name=... , will get :

HTTP ERROR 500

Problem accessing /table.jsp. Reason:

    ...

Caused by:

org.apache.hadoop.hbase.TableNotFoundException: ...
	at org.apache.hadoop.hbase.client.HConnectionManager$HConnectionImplementation.locateRegionInMeta(HConnectionManager.java:999)
	at org.apache.hadoop.hbase.client.HConnectionManager$HConnectionImplementation.locateRegion(HConnectionManager.java:864)
	at org.apache.hadoop.hbase.client.HConnectionManager$HConnectionImplementation.locateRegion(HConnectionManager.java:821)
	at org.apache.hadoop.hbase.client.HTable.finishSetup(HTable.java:234)
	at org.apache.hadoop.hbase.client.HTable.<init>(HTable.java:174)
	at org.apache.hadoop.hbase.client.HTable.<init>(HTable.java:133)
	at org.apache.hadoop.hbase.generated.master.table_jsp._jspService(table_jsp.java:67)
	at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:98)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
	at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:511)
	at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1221)
	at org.apache.hadoop.http.lib.StaticUserWebFilter$StaticUserFilter.doFilter(StaticUserWebFilter.java:109)
	at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212)
	at org.apache.hadoop.http.HttpServer$QuotingInputFilter.doFilter(HttpServer.java:1056)
	at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212)
	at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:399)
	at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
	at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:182)
	at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:766)
	at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:450)
	at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:230)
	at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
	at org.mortbay.jetty.Server.handle(Server.java:326)
	at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:542)
	at org.mortbay.jetty.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:928)
	at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:549)
	at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:212)
	at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:404)
	at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:410)
	at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:582)

Powered by Jetty://




After applied patch, i got :
"Illegal table name parameter!"
                
> pre-check table name in table.jsp
> ---------------------------------
>
>                 Key: HBASE-7184
>                 URL: https://issues.apache.org/jira/browse/HBASE-7184
>             Project: HBase
>          Issue Type: Improvement
>          Components: UI
>    Affects Versions: 0.94.2, 0.96.0
>            Reporter: liang xie
>            Assignee: liang xie
>         Attachments: HBASE-7184.txt
>
>
> Currently the (table)name parameter in table.jsp isn't checked, it brings two problems at least:
> 1) 500 error for invalid value
> 2) directly written to JSP output, giving reflected XSS vulnerability
> we can do a parameter-checking

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira