From 1e6e4dca64e3eeaf31ef788993eeda10f6f19d59 Mon Sep 17 00:00:00 2001
From: Sean Busbey
Date: Thu, 9 Feb 2017 20:36:58 -0800
Subject: [PATCH] HBASE-17561 table status page should escape values that may contain arbitrary characters.
---
 .../main/resources/hbase-webapps/master/table.jsp | 52 +++++++++++++---------
 1 file changed, 31 insertions(+), 21 deletions(-)
diff --git a/hbase-server/src/main/resources/hbase-webapps/master/table.jsp b/hbase-server/src/main/resources/hbase-webapps/master/table.jsp
index 575bd10..897dad7 100644
--- a/hbase-server/src/main/resources/hbase-webapps/master/table.jsp
+++ b/hbase-server/src/main/resources/hbase-webapps/master/table.jsp
@@ -21,6 +21,7 @@
 <%@ page contentType="text/html;charset=UTF-8"
 import="static org.apache.commons.lang.StringEscapeUtils.escapeXml"
 import="org.apache.hadoop.hbase.shaded.com.google.protobuf.ByteString"
+ import="java.net.URLEncoder"
 import="java.util.ArrayList"
 import="java.util.TreeMap"
 import="java.util.List"
@@ -30,6 +31,7 @@
 import="java.util.Collection"
 import="java.util.Collections"
 import="java.util.Comparator"
+ import="org.apache.commons.lang.StringEscapeUtils"
 import="org.apache.hadoop.conf.Configuration"
 import="org.apache.hadoop.util.StringUtils"
 import="org.apache.hadoop.hbase.HRegionInfo"
@@ -67,6 +69,7 @@
 MetaTableLocator metaTableLocator = new MetaTableLocator();
 String fqtn = request.getParameter("name");
+ final String escaped_fqtn = StringEscapeUtils.escapeHtml(fqtn);
 String sortKey = request.getParameter("sort");
 String reverse = request.getParameter("reverse");
 final boolean reverseOrder = (reverse==null||!reverse.equals("false"));
@@ -116,9 +119,9 @@
 <% if ( !readOnly && action != null ) { %>
- HBase Master: <%= master.getServerName() %>
+ HBase Master: <%= StringEscapeUtils.escapeHtml(master.getServerName().toString()) %>
 <% } else { %>
- Table: <%= fqtn %>
+ Table: <%= escaped_fqtn %>
 <% } %>
@@ -226,7 +229,7 @@ if ( fqtn != null ) {
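Review bot: `escaped_fqtn` in the `@@ -67` hunk is the only snake_case local on the page; the neighbouring scriptlet locals are camelCase (`sortKey`, `reverseOrder`), so `final String escapedFqtn = StringEscapeUtils.escapeHtml(fqtn);` keeps the naming consistent. The page now carries two escapers, the statically imported `escapeXml` still used on the region-name cell and the newly imported `StringEscapeUtils.escapeHtml`; settling on one for HTML text content, or recording the intended split in a comment beside the new import such as `// escapeHtml for HTML text and attribute values; the static escapeXml import is kept for the existing region-name output`, saves the next reader from checking two escaping tables. Commons-lang `escapeHtml(null)` returns null, so `<%= escaped_fqtn %>` still prints "null" when the name parameter is absent, exactly as the old `<%= fqtn %>` did; a short note on the new line would make clear that this is intended.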
@@ -251,7 +254,8 @@ if ( fqtn != null ) {
 if (metaLocation != null) {
 ServerLoad sl = master.getServerManager().getLoad(metaLocation);
- url = "//" + metaLocation.getHostname() + ":" + master.getRegionServerInfoPort(metaLocation) + "/";
+ // The host name portion should be safe, but I don't know how we handle IDNs so err on the side of failing safely.
+ url = "//" + URLEncoder.encode(metaLocation.getHostname()) + ":" + master.getRegionServerInfoPort(metaLocation) + "/";
 if (sl != null) {
 Map map = sl.getRegionsLoad();
 if (map.containsKey(meta.getRegionName())) {
@@ -268,7 +272,7 @@ if ( fqtn != null ) {
 %>
 <%= escapeXml(meta.getRegionNameAsString()) %>
- <%= metaLocation.getHostname().toString() + ":" + master.getRegionServerInfoPort(metaLocation) %>
+ <%= StringEscapeUtils.escapeHtml(metaLocation.getHostname().toString()) + ":" + master.getRegionServerInfoPort(metaLocation) %>
 <%= readReq%>
 <%= writeReq%>
 <%= fileSize%>
@@ -307,8 +311,10 @@ if ( fqtn != null ) {
 <%= compactionState %>
 <% } catch (Exception e) {
- // Nothing really to do here
- e.printStackTrace();
+ // Nothing really to do here
+ for(StackTraceElement element : e.getStackTrace()) {
+ %><%= StringEscapeUtils.escapeHtml(element.toString()) %><%
+ }
 %>
 Unknown
 <% } %>
@@ -334,7 +340,7 @@ if ( fqtn != null ) {
 for (HColumnDescriptor family: families) {
 %>
- <%= family.getNameAsString() %>
+ <%= StringEscapeUtils.escapeHtml(family.getNameAsString()) %>
@@ -347,10 +353,10 @@ if ( fqtn != null ) {
 %>
 <% } %>
@@ -623,7 +629,7 @@ ShowDetailName&Start/End Key"><%= addr.getHostname().toString() + ":" + master.getRegionServerInfoPort(addr) %>
+ <%= StringEscapeUtils.escapeHtml(addr.getHostname().toString()) + ":" + master.getRegionServerInfoPort(addr) %>
 <% } else {
@@ -673,7 +679,7 @@ ShowDetailName&Start/End Key
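Review bot: `URLEncoder.encode(metaLocation.getHostname())` on the new `url` line is the deprecated single-argument overload, which encodes with the platform default charset, and it applies form encoding rather than URI host-component encoding, so `:` and the brackets of an IPv6 literal (if a server can register under one) or any other reserved character in a host name would become `%XX` and leave the `//host:port/` link unusable; the `String url = ...` line in the later `@@ -694` hunk has the same call. At minimum write `URLEncoder.encode(metaLocation.getHostname(), "UTF-8")`; since the comment above it already concedes the host handling is a guess, a stricter and more predictable choice is to check the value against the hostname/IP-literal grammar and skip emitting the link when it does not match. The enclosing `if (metaLocation != null)` block continues past the end of the hunk.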
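Review bot: The rewritten `catch (Exception e)` branch in the `@@ -307` hunk writes every `StackTraceElement` into the HTML response in place of the removed `e.printStackTrace()`, so internal class, method and line-number detail is disclosed to anyone who can load the table page, while nothing is recorded on the server any more and the exception class and message (`e.toString()`) are dropped; the `catch(Exception ex)` block near the end of the patch makes the same change. Keep the diagnostic server-side and leave the page at the generic `Unknown` cell, e.g. replace the three added lines with `e.printStackTrace();` (or the page's logger, if one is in scope) plus `// details stay in the server log; the cell below renders Unknown`. If an on-page trace is really wanted for operators, emit `escapeHtml(e.toString())` first and put a line break between elements, because as written the escaped elements are concatenated into one text node unless markup dropped from this view separates them.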

This table has <%= numRegions %> regions in total, in order to improve the page load time, only <%= numRegionsRendered %> regions are displayed here, click
@@ -694,10 +700,10 @@ if (withReplica) {
 <% for (Map.Entry rdEntry : regDistribution.entrySet()) {
 ServerName addr = rdEntry.getKey();
- String url = "//" + addr.getHostname() + ":" + master.getRegionServerInfoPort(addr) + "/";
+ String url = "//" + URLEncoder.encode(addr.getHostname()) + ":" + master.getRegionServerInfoPort(addr) + "/";
 %>

- + <% if (withReplica) { @@ -711,7 +717,9 @@ if (withReplica) {
- <%= familyKey %>
+ <%= StringEscapeUtils.escapeHtml(familyKey.toString()) %>
- <%= familyValues.get(familyKey) %>
+ <%= StringEscapeUtils.escapeHtml(familyValues.get(familyKey).toString()) %>
<%= addr.getHostname().toString() + ":" + master.getRegionServerInfoPort(addr) %><%= StringEscapeUtils.escapeHtml(addr.getHostname().toString()) + ":" + master.getRegionServerInfoPort(addr) %> <%= rdEntry.getValue()%>
<% } } catch(Exception ex) {
- ex.printStackTrace(System.err);
+ for(StackTraceElement element : ex.getStackTrace()) {
+ %><%= StringEscapeUtils.escapeHtml(element.toString()) %><%
+ }
 } finally { admin.close(); }
@@ -741,7 +749,7 @@ Actions:
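Review bot: `familyValues.get(familyKey).toString()` on the new `+` line of the family-attributes hunk turns a missing value into a NullPointerException, whereas the removed `<%= familyValues.get(familyKey) %>` rendered `null`; whether `get` can return null is not visible here, but `StringEscapeUtils.escapeHtml(String.valueOf(familyValues.get(familyKey)))` keeps the old behaviour at no cost, and `String.valueOf(familyKey)` does the same for the key line. The loop that declares `familyKey` and the `try` closed by the `catch(Exception ex)` further down both start outside this hunk.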
- +   @@ -755,7 +763,7 @@ Actions: - +   @@ -769,7 +777,7 @@ Actions: - +   @@ -828,7 +836,7 @@ Actions: