[ https://issues.apache.org/jira/browse/HADOOP-7527?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13081109#comment-13081109 ]

Owen O'Malley commented on HADOOP-7527:
---------------------------------------

You're missing the point.

The reality is the developers miss cases of untrusted input. Let's take the 404 
page that is built into jetty. It echoes the parameters blindly. The jetty 
developers, who should know better, missed it. Hadoop developers have missed it 
many many more times. The only reliable way to fix the problem is on input. As 
long as it is done consistently, it protects against the majority of attacks. 
It isn't fool-proof, but it is far safer than assuming all uses in output will 
be caught.

> Make URL encoding consistent
> ----------------------------
>
>                 Key: HADOOP-7527
>                 URL: https://issues.apache.org/jira/browse/HADOOP-7527
>             Project: Hadoop Common
>          Issue Type: Improvement
>    Affects Versions: 0.23.0
>            Reporter: Eli Collins
>
> URL encoding is currently handled in at least 4 different ways. We should 
> make these consistent:
> # Parameters are encoded when a URI object is created
> # HttpServlet uses RequestQuoter to html escape parameter names and values
> # StringEscapeUtils is used to escape parameters in ReconfigurationServlet 
> and DatanodeJspHelper
> # URLEncoder and URLDecoder are used in multiple places 
> We should also be consistent about how we pass file names in URLs, sometimes 
> they're passed in the path segment, sometimes they're passed in the query 
> fragment as parameters.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
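The exchange above contrasts escaping parameters once on input (the RequestQuoter approach) with remembering to escape at every output site. The following is an added illustration, not code from Hadoop or from either commenter: a hypothetical `QuotedRequest` wrapper that HTML-escapes parameter names and values when the query string is parsed, a deliberately careless "not found" page that echoes everything it is given, and a `browse_link` helper showing that a value reused inside a URL still needs percent-encoding of the raw value rather than HTML escaping. The query string, parameter names and helper names are constructed for the example.

```python
import html
from urllib.parse import parse_qs, quote

# Constructed sample query string (not from the issue): a path carrying '&',
# a value carrying a script tag, and a parameter *name* carrying '<'.
SAMPLE_QUERY = ("path=%2Fuser%2Falice%26bob"
                "&note=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
                "&a%3Cb=1")


class QuotedRequest:
    """Input-side quoting in the spirit of the RequestQuoter idea: every
    parameter name and value is HTML-escaped once when the request is parsed,
    so a handler that later echoes them into a page without escaping still
    emits inert text.  Hypothetical class, not Hadoop's."""

    def __init__(self, query_string):
        # parse_qs percent-decodes names and values.  URL decoding and HTML
        # escaping are separate steps and are deliberately kept distinct.
        self._raw = parse_qs(query_string, keep_blank_values=True)

    def get_parameter(self, name):
        """Like getParameter(): first value for the raw name, HTML-escaped."""
        values = self._raw.get(name)
        return html.escape(values[0], quote=True) if values else None

    def get_raw_parameter(self, name):
        """The un-escaped value, for sinks that are not HTML (file names,
        redirect targets); callers must opt in to get it."""
        values = self._raw.get(name)
        return values[0] if values else None

    def items(self):
        """(escaped name, escaped first value) pairs, for templates that echo
        everything they were given."""
        return [(html.escape(n, quote=True), html.escape(v[0], quote=True))
                for n, v in self._raw.items()]


def not_found_page(request):
    """A careless 404 page that echoes every parameter without escaping.
    Because the wrapper already quoted them, no live tag can be emitted."""
    rows = "".join(f"<li>{n}={v}</li>" for n, v in request.items())
    return f"<html><body><h1>Not Found</h1><ul>{rows}</ul></body></html>"


def browse_link(request):
    """Reusing a value in a URL needs percent-encoding of the raw value, then
    HTML-escaping of the finished attribute.  Dropping the HTML-escaped value
    straight into a URL would carry '&amp;' into the query string instead."""
    target = "/browse?path=" + quote(request.get_raw_parameter("path"), safe="")
    return f'<a href="{html.escape(target, quote=True)}">browse</a>'


if __name__ == "__main__":
    req = QuotedRequest(SAMPLE_QUERY)
    print(not_found_page(req))
    print(browse_link(req))
```

The design point is the one the comment makes: the wrapper makes the common, forgotten case (echoing into HTML) safe by default, while contexts that are not HTML have to ask for the raw value explicitly and apply the encoding appropriate to that context.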