Hadoop Common / HADOOP-6151

The servlets should quote html characters

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 0.21.0
    • Component/s: security
    • Labels: None
    • Hadoop Flags: Reviewed
    • Release Note:
      The input parameters for all of the servlets will have the 5 HTML meta characters quoted. The characters are '&', '<', '>', '"' and the apostrophe. The goal is to ensure that our web UI servlets can't be used for cross-site scripting (XSS) attacks. In particular, it blocks the frequent (especially for errors) case where the servlet echoes the parameters back to the user.

      Description

      We need to quote HTML characters that come from user-generated data. Otherwise, all of the web UIs are exposed to cross-site scripting attacks, etc.
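      As an added illustration (not code from the h6151 patch attached below), the following Java class quotes the five characters the release note names and pairs it with a constructed error page of the echo-the-parameter kind the note describes; the class name and the quoteParameters helper are assumptions, not Hadoop's API.

```java
import java.util.LinkedHashMap;
import java.util.Map;
/** Added example (not the HADOOP-6151 patch): quote the five HTML meta
 *  characters in servlet input before the servlet can echo it back. */
public class HtmlQuotingExample {
    /** Replaces '&', '<', '>', '"' and '\'' with HTML entities; every other
     *  character passes through unchanged. Each char is examined once, so the
     *  inserted '&' of an entity is never re-quoted. */
    public static String quoteHtmlChars(String s) {
        if (s == null) return null;
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Quotes every parameter name and value, the way a request filter would
     *  before the servlet sees them (hypothetical helper, not Hadoop's API). */
    public static Map<String, String> quoteParameters(Map<String, String> params) {
        Map<String, String> quoted = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : params.entrySet()) {
            quoted.put(quoteHtmlChars(e.getKey()), quoteHtmlChars(e.getValue()));
        }
        return quoted;
    }

    /** The error-page pattern from the release note: a request parameter is echoed straight into HTML. */
    static String errorPage(String filename) {
        return "<html><body>File not found: " + filename + "</body></html>";
    }

    public static void main(String[] args) {
        // Constructed sample parameter that carries markup instead of a plain file name.
        Map<String, String> raw = new LinkedHashMap<>();
        raw.put("filename", "<b>missing</b> & \"quoted\"");
        Map<String, String> safe = quoteParameters(raw);
        System.out.println(errorPage(raw.get("filename")));  // markup would be interpreted by the browser
        System.out.println(errorPage(safe.get("filename"))); // entities render as literal text
    }
}
```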

      Attachments

      1. h6151.20.patch (14 kB, Devaraj Das)
      2. h6151.patch (14 kB, Owen O'Malley)
      3. h6151.patch (14 kB, Owen O'Malley)
      4. h6151.patch (14 kB, Owen O'Malley)
      5. h6151.patch (14 kB, Owen O'Malley)


      People

      • Assignee: Owen O'Malley
      • Reporter: Owen O'Malley
      • Votes: 1
      • Watchers: 4
