Hadoop Common / HADOOP-6151

The servlets should quote html characters

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 0.21.0
    • Component/s: security
    • Labels: None
    • Hadoop Flags: Reviewed
    • Release Note:
      The input parameters for all of the servlets will have the 5 html meta characters quoted. The characters are '&', '<', '>', '"' and the apostrophe. The goal is to ensure that our web ui servlets can't be used for cross site scripting (XSS) attacks. In particular, it blocks the frequent (especially for errors) case where the servlet echoes back the parameters to the user.

      Description

      We need to quote html characters that come from user generated data. Otherwise, all of the web UIs have cross site scripting attacks, etc.

      1. h6151.patch (14 kB) Owen O'Malley
      2. h6151.patch (14 kB) Owen O'Malley
      3. h6151.patch (14 kB) Owen O'Malley
      4. h6151.patch (14 kB) Owen O'Malley
      5. h6151.20.patch (14 kB) Devaraj Das


          Activity

          Owen O'Malley added a comment - - edited

          I believe the transforms should be:
          1. & -> &amp;
          2. < -> &lt;
          3. > -> &gt;
          4. ' -> &apos;
          5. " -> &quot;

          As long as we do those transforms, any html that the user includes in their data will just be treated as literal text rather than html commands.

          Owen O'Malley added a comment -

          This patch introduces an input filter for all of the servlets and jsp pages that quotes all of the html active characters in the parameters. This means that all of the cross site scripting attacks based on bad urls should be fixed.

          I'll file a follow up jira to fix the vector where the values in the job need to be quoted.

          Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12419937/h6151.patch
          against trunk revision 815809.

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 2 new or modified tests.

          -1 patch. The patch command could not apply the patch.

          Console output: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/42/console

          This message is automatically generated.

          Owen O'Malley added a comment -

          I forgot the --no-prefix.

          Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12419959/h6151.patch
          against trunk revision 816409.

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 2 new or modified tests.

          -1 javadoc. The javadoc tool appears to have generated 1 warning messages.

          +1 javac. The applied patch does not increase the total number of javac compiler warnings.

          +1 findbugs. The patch does not introduce any new Findbugs warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          +1 core tests. The patch passed core unit tests.

          +1 contrib tests. The patch passed contrib unit tests.

          Test results: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/46/testReport/
          Findbugs warnings: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/46/artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
          Checkstyle results: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/46/artifact/trunk/build/test/checkstyle-errors.html
          Console output: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/46/console

          This message is automatically generated.

          Chris Douglas added a comment -
               [exec] -1 overall.  
               [exec] 
               [exec]     +1 @author.  The patch does not contain any @author tags.
               [exec] 
               [exec]     +1 tests included.  The patch appears to include 2 new or modified tests.
               [exec] 
               [exec]     -1 javadoc.  The javadoc tool appears to have generated 1 warning messages.
               [exec] 
               [exec]     +1 javac.  The applied patch does not increase the total number of javac compiler warnings.
               [exec] 
               [exec]     +1 findbugs.  The patch does not introduce any new Findbugs warnings.
               [exec] 
               [exec]     +1 release audit.  The applied patch does not increase the total number of release audit warnings.
          
          [javadoc] /snip/common/src/.../HtmlQuoting.java:145: warning - @return tag has no arguments.
          [javadoc] /snip/common/src/.../HtmlQuoting.java:73: warning - @param argument "buffer" is not a parameter name.
          [javadoc] /snip/common/src/.../HtmlQuoting.java:73: warning - @param argument "add" is not a parameter name.
          
          • The unit test should use JUnit4 test annotations instead of JUnit3 TestCase
          • HttpServer::printRequest looks useful for debugging, but should probably be left out
          • The static *Bytes fields should be final
          • The @return docs for "needsQuoting" could be more explicit
          Owen O'Malley added a comment -

          Messed up the JavaDoc. Now fixed.

          Hadoop QA added a comment -

          +1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12419969/h6151.patch
          against trunk revision 816409.

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 2 new or modified tests.

          +1 javadoc. The javadoc tool did not generate any warning messages.

          +1 javac. The applied patch does not increase the total number of javac compiler warnings.

          +1 findbugs. The patch does not introduce any new Findbugs warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          +1 core tests. The patch passed core unit tests.

          +1 contrib tests. The patch passed contrib unit tests.

          Test results: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h1.grid.sp2.yahoo.net/7/testReport/
          Findbugs warnings: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h1.grid.sp2.yahoo.net/7/artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
          Checkstyle results: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h1.grid.sp2.yahoo.net/7/artifact/trunk/build/test/checkstyle-errors.html
          Console output: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h1.grid.sp2.yahoo.net/7/console

          This message is automatically generated.

          Owen O'Malley added a comment -

          This patch addresses Chris' comments.

          Chris Douglas added a comment -

          +1

          Hadoop QA added a comment -

          +1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12419972/h6151.patch
          against trunk revision 816409.

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 2 new or modified tests.

          +1 javadoc. The javadoc tool did not generate any warning messages.

          +1 javac. The applied patch does not increase the total number of javac compiler warnings.

          +1 findbugs. The patch does not introduce any new Findbugs warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          +1 core tests. The patch passed core unit tests.

          +1 contrib tests. The patch passed contrib unit tests.

          Test results: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h1.grid.sp2.yahoo.net/8/testReport/
          Findbugs warnings: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h1.grid.sp2.yahoo.net/8/artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
          Checkstyle results: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h1.grid.sp2.yahoo.net/8/artifact/trunk/build/test/checkstyle-errors.html
          Console output: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h1.grid.sp2.yahoo.net/8/console

          This message is automatically generated.

          Owen O'Malley added a comment -

          I just committed this.

          Hudson added a comment -

          Integrated in Hadoop-Common-trunk-Commit #38 (See http://hudson.zones.apache.org/hudson/job/Hadoop-Common-trunk-Commit/38/)
          . Added a input filter to all of the http servlets that quotes
          html characters in the parameters, to prevent cross site scripting
          attacks. (omalley)

          Hudson added a comment -

          Integrated in Hadoop-Common-trunk #102 (See http://hudson.zones.apache.org/hudson/job/Hadoop-Common-trunk/102/)
          . Added a input filter to all of the http servlets that quotes
          html characters in the parameters, to prevent cross site scripting
          attacks. (omalley)

          Devaraj Das added a comment -

          This patch is for 0.20. (not to be committed)


            People

            • Assignee: Owen O'Malley
            • Reporter: Owen O'Malley
            • Votes: 1
            • Watchers: 4
