Repository: sentry Updated Branches: refs/heads/master 1e1499d8e -> b5fadbb1e
SENTRY-1665: cross-site scripting vulnerability in ConfServlet (Brian Towles, reviewed by: Alex Kolbasov, Vamsee Yarlagadda and Na Li) Project: http://git-wip-us.apache.org/repos/asf/sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/b5fadbb1 Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/b5fadbb1 Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/b5fadbb1 Branch: refs/heads/master Commit: b5fadbb1ef754aa3ce844f4c6df23deae5642695 Parents: 1e1499d Author: Alexander Kolbasov <[email protected]> Authored: Sun Jul 9 21:09:30 2017 +0200 Committer: Alexander Kolbasov <[email protected]> Committed: Sun Jul 9 21:09:30 2017 +0200 ---------------------------------------------------------------------- .../apache/sentry/provider/db/service/thrift/ConfServlet.java | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/sentry/blob/b5fadbb1/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/ConfServlet.java ----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/ConfServlet.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/ConfServlet.java
index 9e7fca8..1233fbc 100644
--- a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/ConfServlet.java
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/ConfServlet.java
@@ -28,6 +28,8 @@ import javax.servlet.http.HttpServletResponse; import org.apache.hadoop.conf.Configuration;
+import static org.apache.commons.lang.StringEscapeUtils.escapeHtml;
+
 /**
 * Servlet to print out all sentry configuration.
 */
@@ -62,7 +64,7 @@ public class ConfServlet extends HttpServlet {
 } else if (FORMAT_XML.equals(format)) {
 conf.writeXml(out);
 } else {
- response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Bad format: " + format);
+ response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Bad format: " + escapeHtml(format));
 }
 out.close();
 }
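Review bot: The `+` line still echoes the request's `format` value into the 400 response; HTML-escaping it covers the container's default error page, but the value has no reason to appear there at all, and a non-reflecting message removes the sink outright: `response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Unsupported value for the format parameter");`, with the accepted constants (FORMAT_XML and whichever ones are compared in the branches that precede this hunk) appended if clients need them. Two further reasons to prefer that: as far as I recall, commons-lang 2's `escapeHtml` does not escape the single quote, so the string would still be unsafe if the message were ever rendered inside an attribute, and several servlet containers already HTML-escape `sendError` messages in their default error page, so this text may now render double-escaped (for example `&amp;lt;`). If the rejected value matters operationally, log it server-side at debug level rather than returning it to the caller. The enclosing method starts before this hunk, so the branches that validate `format` are not visible here.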
