[OOZIE-2492] JSON security issue in js code - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 4.1.0
Fix Version/s: 4.3.0
Component/s: client, security
Labels:
- security
- web-console

Description

JSON parsing is done using the eval js method in several places in the oozie-console.js, which allows code injection.
The project already contains a json parser library, which should be used all around the code.
We are aware that most of the json documents parsed are from the oozie server, and not from the user directly. However fixing it all will make the code most robust and consistent.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

OOZIE-2492-1.patch
24/Mar/16 18:16
6 kB
Ferenc Denes

Activity

People

Assignee:: Ferenc Denes

Reporter:: Ferenc Denes

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 23/Mar/16 11:10

Updated:: 02/Dec/16 21:04

Resolved:: 30/Mar/16 00:25