[ https://issues.apache.org/jira/browse/HADOOP-6151?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Owen O'Malley updated HADOOP-6151:
----------------------------------
Attachment: h6151.patch
This patch introduces an input filter for all of the servlets and jsp pages
that quotes all of the html active characters in the parameters. This means
that all of the cross site scripting attacks based on bad urls should be fixed.
I'll file a follow-up JIRA to fix the vector where the values in the job need
to be quoted.
> The servlets should quote html characters
> -----------------------------------------
>
> Key: HADOOP-6151
> URL: https://issues.apache.org/jira/browse/HADOOP-6151
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Reporter: Owen O'Malley
> Priority: Critical
> Fix For: 0.21.0
>
> Attachments: h6151.patch
>
>
> We need to quote html characters that come from user generated data.
> Otherwise, all of the web UIs have cross-site scripting attacks, etc.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.