soumitra-st commented on PR #14383: URL: https://github.com/apache/pinot/pull/14383#issuecomment-2484524862
> @soumitra-st Thanks for the example. You’re right that Pinot doesn’t support MatrixParam but instead relies on QueryParam. However, users may unintentionally or maliciously include special characters after matrix-style parameters (;) in URLs, which could pose security risks if not handled properly. cc: @siddharthteotia @praveenc7

I agree with the security issue. Did you discover this issue from a code/security review or pen testing?

I see one issue. Now https://pinot.example.com/file.txt;param1=value1/blah will be checked as if it is https://pinot.example.com/file.txt and will be executed without AUTH. Is it desirable?
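The path-handling difference raised in this comment, as an added illustration that is not code from the Pinot PR or project: it contrasts truncating a path at the first `;` (which silently drops later segments, so an auth filter sees `/file.txt` while the request addresses `/file.txt;param1=value1/blah`) with stripping matrix parameters per segment, and adds a check that flags any normalization that loses whole segments. Function names and the per-segment rule are my own assumptions, written in Python rather than Pinot's Java.

```python
from urllib.parse import urlsplit


def strip_matrix_params(path: str) -> str:
    """Remove JAX-RS style matrix parameters (';name=value') from every
    segment of the path. All segments are kept; only each segment's
    ';...' suffix is removed."""
    return "/".join(segment.split(";", 1)[0] for segment in path.split("/"))


def truncate_at_semicolon(path: str) -> str:
    """Naive normalization that cuts the path at the first ';'. Everything
    after it, including later segments, is dropped. This is the behaviour
    the comment warns about: the auth check sees a shorter path than the
    one the request actually refers to."""
    return path.split(";", 1)[0]


def drops_segments(raw_path: str, normalized: str) -> bool:
    """True when normalization lost whole path segments, i.e. the path an
    auth filter would evaluate covers less of the request than was sent."""
    raw_segments = [s for s in raw_path.split("/") if s]
    norm_segments = [s for s in normalized.split("/") if s]
    return len(norm_segments) < len(raw_segments)


def path_for_auth(url: str) -> str:
    """Derive the path an auth filter should evaluate: matrix parameters
    stripped per segment, query string ignored. Refuses any result that
    would drop segments, so the checked path and the served path agree."""
    raw_path = urlsplit(url).path  # urlsplit keeps ';...' inside .path
    normalized = strip_matrix_params(raw_path)
    if drops_segments(raw_path, normalized):
        raise ValueError(f"normalization dropped segments: {raw_path!r}")
    return normalized


if __name__ == "__main__":
    # Constructed sample taken from the comment above.
    url = "https://pinot.example.com/file.txt;param1=value1/blah"
    raw = urlsplit(url).path
    print("naive truncation :", truncate_at_semicolon(raw))   # /file.txt
    print("per-segment strip:", strip_matrix_params(raw))     # /file.txt/blah
    print("path for auth    :", path_for_auth(url))
```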
