[HBASE-16317] revert all ESAPI changes - ASF JIRA

XML

Word

Printable

JSON

Release Note:

Hide
This issue reverts fixes designed to prevent malicious content from rendering in HBase's UIs. Specifically, these changes shipped in 1.1.4+ and 1.2.0+. They were removed due to licensing issues discovered in the dependencies they introduced. Their implementation and those dependencies have been removed from HBase! Removal of these dependencies is against the strict definition of our version compatibility guidelines. However, inclusion of non-Apache approved licenses cannot be tolerated. Implementation of these fixes using an Apache-appropriate means is tracked in HBASE-16328.

Show
This issue reverts fixes designed to prevent malicious content from rendering in HBase's UIs. Specifically, these changes shipped in 1.1.4+ and 1.2.0+. They were removed due to licensing issues discovered in the dependencies they introduced. Their implementation and those dependencies have been removed from HBase! Removal of these dependencies is against the strict definition of our version compatibility guidelines. However, inclusion of non-Apache approved licenses cannot be tolerated. Implementation of these fixes using an Apache-appropriate means is tracked in HBASE-16328 .

to unblock releases, we'll start cleaning up the category-x problem by reverting all the ESAPI changes.

we should try to include a release note with what this means we'll be vulnerable to.

breaks

HBASE-16361 Revert of HBASE-16317, "revert all ESAPI..." broke TestLogLevel

relates to

PHOENIX-3659 Remove transitive OWASP esapi dependency