Repository: sentry Updated Branches: refs/heads/master b7e4906a0 -> a6b0b42db
SENTRY-1665: cross-site scripting vulnerability in ConfServlet (Brian Towles, reviewed by: Alex Kolbasov, Vamsee Yarlagadda and Na Li)

Project: http://git-wip-us.apache.org/repos/asf/sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/1b3535ea
Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/1b3535ea
Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/1b3535ea

Branch: refs/heads/master
Commit: 1b3535ea45fee98691c00ede39fb2df4a6375c39
Parents: 6164b27
Author: Alexander Kolbasov <[email protected]>
Authored: Fri Jul 7 00:04:28 2017 +0200
Committer: Alexander Kolbasov <[email protected]>
Committed: Fri Jul 7 00:04:28 2017 +0200

----------------------------------------------------------------------
 sentry-provider/sentry-provider-db/pom.xml | 4 ++++
 .../apache/sentry/provider/db/service/thrift/ConfServlet.java | 4 +++-
 2 files changed, 7 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/sentry/blob/1b3535ea/sentry-provider/sentry-provider-db/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/pom.xml b/sentry-provider/sentry-provider-db/pom.xml
index 14ad6a2..10dae4a 100644
--- a/sentry-provider/sentry-provider-db/pom.xml
+++ b/sentry-provider/sentry-provider-db/pom.xml
@@ -33,6 +33,10 @@ limitations under the License.
       <artifactId>commons-cli</artifactId>
     </dependency>
     <dependency>
+      <groupId>commons-lang</groupId>
+      <artifactId>commons-lang</artifactId>
+    </dependency>
+    <dependency>
       <groupId>com.jolbox</groupId>
       <artifactId>bonecp</artifactId>
     </dependency>

http://git-wip-us.apache.org/repos/asf/sentry/blob/1b3535ea/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/ConfServlet.java
----------------------------------------------------------------------
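Review bot: The new `commons-lang` dependency is the 2.x line, whose last release (2.6) dates from 2011 and which no longer receives fixes, so adding it to a security-sensitive module is a supply-chain liability that the commit does not discuss. The element carries no `<version>`, so presumably the parent pom's dependencyManagement pins it — confirm that, or the build will resolve whatever Maven finds. If an escaping helper is really needed, `org.apache.commons:commons-lang3` with `StringEscapeUtils.escapeHtml4` is the maintained equivalent, `<groupId>org.apache.commons</groupId>` / `<artifactId>commons-lang3</artifactId>`; if the servlet simply stops echoing the request parameter, no new dependency is needed at all.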
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/ConfServlet.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/ConfServlet.java
index 9e7fca8..1233fbc 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/ConfServlet.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/ConfServlet.java
@@ -28,6 +28,8 @@ import javax.servlet.http.HttpServletResponse;
 
 import org.apache.hadoop.conf.Configuration;
 
+import static org.apache.commons.lang.StringEscapeUtils.escapeHtml;
+
 /**
  * Servlet to print out all sentry configuration.
  */
@@ -62,7 +64,7 @@ public class ConfServlet extends HttpServlet {
     } else if (FORMAT_XML.equals(format)) {
       conf.writeXml(out);
     } else {
-      response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Bad format: " + format);
+      response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Bad format: " + escapeHtml(format));
     }
     out.close();
   }
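Review bot: The `else` branch still reflects the attacker-controlled `format` parameter into the error response; escaping it is better than nothing, but the simplest and most robust fix is to not echo it at all, `response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Bad format");`, since the client already knows what it sent and any diagnostic value belongs in a server-side log line rather than in the page. If the reflection is kept, note that commons-lang 2.x `escapeHtml` does not escape the single quote, so the message is only safe where the container's error page places it in element text or a double-quoted attribute, which is not visible here. Whether that error page already HTML-escapes the message (Jetty's default ErrorHandler does) is also not visible; if it does, the explicit escape is redundant and will double-encode, so confirm against the embedded container in use. The enclosing method starts outside the hunk, so the earlier handling of `format` could not be reviewed.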
