Hadoop Common / HADOOP-6151

The servlets should quote html characters

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 0.21.0
    • Component/s: security
    • Labels:
      None
    • Hadoop Flags:
      Reviewed
    • Release Note:
      The input parameters for all of the servlets will have the 5 html meta characters quoted. The characters are '&', '<', '>', '"' and the apostrophe. The goal is to ensure that our web ui servlets can't be used for cross site scripting (XSS) attacks. In particular, it blocks the frequent (especially for errors) case where the servlet echoes back the parameters to the user.

    Description

    We need to quote html characters that come from user generated data. Otherwise, all of the web UIs are open to cross site scripting attacks, etc.
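As an added illustration of the quoting the release note describes (example code written here, not the patch attached to this issue or any Hadoop class), the method below replaces the five HTML meta characters named in the release note with character references, and shows the error-page echo case side by side: the unquoted version lets markup in a request parameter be interpreted by the browser, the quoted version renders it as literal text. The class and method names (`QuoteHtmlExample`, `quoteHtmlChars`, `quoteParameters`) and the sample parameter value are assumptions of this example.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example, not Hadoop's own code: quote the five HTML meta characters
 * ('&', '<', '>', '"' and the apostrophe) so that a servlet can safely echo
 * request parameters back into an HTML page.
 */
public class QuoteHtmlExample {

    /** Replace each of the five meta characters with its HTML character reference. */
    public static String quoteHtmlChars(String s) {
        if (s == null) {
            return null;
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break; // numeric form: &apos; is not defined in HTML 4
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Quote every parameter name and value before the servlet sees them. */
    public static Map<String, String> quoteParameters(Map<String, String> params) {
        Map<String, String> quoted = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : params.entrySet()) {
            quoted.put(quoteHtmlChars(e.getKey()), quoteHtmlChars(e.getValue()));
        }
        return quoted;
    }

    /** The frequent error case: the servlet echoes a parameter to the user. */
    static String unquotedErrorPage(String value) {
        // Vulnerable: any markup inside value is interpreted by the browser.
        return "<p>No such file: " + value + "</p>";
    }

    static String quotedErrorPage(String value) {
        // Safe: the same markup is displayed as text.
        return "<p>No such file: " + quoteHtmlChars(value) + "</p>";
    }

    public static void main(String[] args) {
        // Constructed sample parameter containing all five meta characters.
        String param = "a&b <tag attr=\"x\" other='y'>";
        System.out.println(unquotedErrorPage(param));
        System.out.println(quotedErrorPage(param));

        Map<String, String> params = new LinkedHashMap<>();
        params.put("file", param);
        System.out.println(quoteParameters(params));
    }
}
```

Quoting at the point where parameters enter the servlet, rather than at each place they are written out, is what makes the release note's guarantee hold for every servlet at once; a page that then needs the raw value (for example to open a file) must unquote it explicitly, which keeps the unsafe direction visible in the code.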

    Attachments

    1. h6151.20.patch (14 kB, Devaraj Das)
    2. h6151.patch (14 kB, Owen O'Malley)
    3. h6151.patch (14 kB, Owen O'Malley)
    4. h6151.patch (14 kB, Owen O'Malley)
    5. h6151.patch (14 kB, Owen O'Malley)


    People

    • Assignee: Owen O'Malley (owen.omalley)
    • Reporter: Owen O'Malley (owen.omalley)
    • Votes: 1
    • Watchers: 4

    Dates

    • Created:
    • Updated:
    • Resolved: