This patch introduces an input filter for all of the servlets and jsp pages that quotes all of the html active characters in the parameters. This means that all of the cross site scripting attacks based on bad urls should be fixed.
I'll file a follow up jira to fix the vector where the values in the job need to be quoted.

-1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12419937/h6151.patch against trunk revision 815809.
+1 @author. The patch does not contain any @author tags.
+1 tests included. The patch appears to include 2 new or modified tests.
-1 patch. The patch command could not apply the patch.
Console output: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/42/console
This message is automatically generated.

-1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12419959/h6151.patch against trunk revision 816409.
+1 @author. The patch does not contain any @author tags.
+1 tests included. The patch appears to include 2 new or modified tests.
-1 javadoc. The javadoc tool appears to have generated 1 warning messages.
+1 javac. The applied patch does not increase the total number of javac compiler warnings.
+1 findbugs. The patch does not introduce any new Findbugs warnings.
+1 release audit. The applied patch does not increase the total number of release audit warnings.
+1 core tests. The patch passed core unit tests.
+1 contrib tests. The patch passed contrib unit tests.
Test results: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/46/testReport/
This message is automatically generated.

[exec] -1 overall.
[exec]
[exec] +1 @author. The patch does not contain any @author tags.
[exec]
[exec] +1 tests included. The patch appears to include 2 new or modified tests.
[exec]
[exec] -1 javadoc. The javadoc tool appears to have generated 1 warning messages.
[exec]
[exec] +1 javac. The applied patch does not increase the total number of javac compiler warnings.
[exec]
[exec] +1 findbugs. The patch does not introduce any new Findbugs warnings.
[exec]
[exec] +1 release audit. The applied patch does not increase the total number of release audit warnings.
[javadoc] /snip/common/src/.../HtmlQuoting.java:145: warning - @return tag has no arguments.
[javadoc] /snip/common/src/.../HtmlQuoting.java:73: warning - @param argument "buffer" is not a parameter name.
[javadoc] /snip/common/src/.../HtmlQuoting.java:73: warning - @param argument "add" is not a parameter name.
Messed up the JavaDoc. Now fixed.
+1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12419969/h6151.patch against trunk revision 816409.
+1 @author. The patch does not contain any @author tags.
+1 tests included. The patch appears to include 2 new or modified tests.
+1 javadoc. The javadoc tool did not generate any warning messages.
+1 javac. The applied patch does not increase the total number of javac compiler warnings.
+1 findbugs. The patch does not introduce any new Findbugs warnings.
+1 release audit. The applied patch does not increase the total number of release audit warnings.
+1 core tests. The patch passed core unit tests.
+1 contrib tests. The patch passed contrib unit tests.
Test results: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h1.grid.sp2.yahoo.net/7/testReport/
This message is automatically generated.

This patch addresses Chris' comments.
+1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12419972/h6151.patch against trunk revision 816409.
+1 @author. The patch does not contain any @author tags.
+1 tests included. The patch appears to include 2 new or modified tests.
+1 javadoc. The javadoc tool did not generate any warning messages.
+1 javac. The applied patch does not increase the total number of javac compiler warnings.
+1 findbugs. The patch does not introduce any new Findbugs warnings.
+1 release audit. The applied patch does not increase the total number of release audit warnings.
+1 core tests. The patch passed core unit tests.
+1 contrib tests. The patch passed contrib unit tests.
Test results: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h1.grid.sp2.yahoo.net/8/testReport/
This message is automatically generated.

Integrated in Hadoop-Common-trunk-Commit #38 (See http://hudson.zones.apache.org/hudson/job/Hadoop-Common-trunk-Commit/38/). Added an input filter to all of the http servlets that quotes html characters in the parameters, to prevent cross site scripting attacks. (omalley)

Integrated in Hadoop-Common-trunk #102 (See http://hudson.zones.apache.org/hudson/job/Hadoop-Common-trunk/102/). Added an input filter to all of the http servlets that quotes html characters in the parameters, to prevent cross site scripting attacks. (omalley)
The filter applies the standard HTML quoting transforms to each parameter (the rendered page collapsed the right-hand sides into the bare characters; the entity forms are restored here):

1. & -> &amp;
2. < -> &lt;
3. > -> &gt;
4. ' -> &#39;
5. " -> &quot;
As long as we do those transforms, any html that the user includes in their data will just be treated as literal text rather than html commands.
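An added example, not the patch's HtmlQuoting class, showing the five transforms applied to a parameter map the way a request-wrapping filter would apply them; the class and method names (HtmlParamQuoting, quoteHtmlChars, quoteParameters) are hypothetical and the sample parameter is constructed.

```java
import java.util.HashMap;
import java.util.Map;

/** Quotes the five HTML-active characters in servlet request parameters. */
public final class HtmlParamQuoting {

    /** Replaces &, <, >, ' and " with their HTML entities, leaving everything else as-is.
     *  Scanning character by character (instead of chained replace calls) means the
     *  order of the five rules cannot matter and an already-present "&amp;" is not double-quoted twice. */
    public static String quoteHtmlChars(String s) {
        if (s == null) return null;
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '\'': sb.append("&#39;");  break;
                case '"':  sb.append("&quot;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Quotes every name and every value, mirroring what a filter does when it wraps
     *  HttpServletRequest.getParameterMap() before the servlet or JSP sees the data. */
    public static Map<String, String[]> quoteParameters(Map<String, String[]> params) {
        Map<String, String[]> out = new HashMap<>();
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            String[] vals = e.getValue();
            String[] quoted = new String[vals.length];
            for (int i = 0; i < vals.length; i++) quoted[i] = quoteHtmlChars(vals[i]);
            out.put(quoteHtmlChars(e.getKey()), quoted);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample: a parameter carrying markup that a status page would otherwise echo verbatim.
        Map<String, String[]> params = new HashMap<>();
        params.put("jobid", new String[] {"job_1 <b>bold</b> & \"x\" 'y'"});
        for (Map.Entry<String, String[]> e : quoteParameters(params).entrySet()) {
            // prints: jobid = job_1 &lt;b&gt;bold&lt;/b&gt; &amp; &quot;x&quot; &#39;y&#39;
            System.out.println(e.getKey() + " = " + e.getValue()[0]);
        }
    }
}
```

Because the browser renders the quoted entities as literal characters, the echoed value can no longer open a tag or break out of an attribute, which is the property the filter relies on.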