Daniel Barclay (Drill) created DRILL-3768:
---------------------------------------------

             Summary: HTML- and JavaScript-injection vulnerability (lack of HTML encoding)
                 Key: DRILL-3768
                 URL: https://issues.apache.org/jira/browse/DRILL-3768
             Project: Apache Drill
          Issue Type: Bug
          Components: Client - HTTP
            Reporter: Daniel Barclay (Drill)
            Assignee: Jason Altekruse
            Priority: Critical


The Web UI does not properly encode query text or error message text into HTML.  This makes the Web UI vulnerable to JavaScript-injection attacks.

Most importantly, the Web UI doesn't encode characters that are special in 
HTML, e.g., encoding "<" in that plain text to "&lt;" in the HTML text.

This means that some queries containing a less-than character ("<") are 
displayed wrongly.  For example, submit this query and then look at its profile 
via the Web UI:

{noformat}
SELECT 1<B FROM (VALUES 2) AS T(B)
{noformat}

(The query currently shows up as "{{SELECT 1}}".)

What's worse is that someone submitting a query can inject HTML, _including 
JavaScript code_, into the Web UI's pages.  Look at this query's profile in the 
Web UI:

{noformat}
VALUES `<script> alert("Gotcha!") </script>
{noformat}

Another, though less serious, problem is that line breaks in plain text are not 
encoded into HTML (e.g., as "<br />").

That means that separate lines of error messages are run together, making them 
harder or impossible to parse correctly when seen in the Web UI.
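The following is an added example, not part of this report and not Apache Drill's own Web UI code. It shows the encoding step the report says is missing, covering both problems at once: HTML-special characters (so "<" becomes "&lt;" and a query cannot inject markup) and line breaks (so multi-line error messages keep their structure). The function and constant names, the rendering fragment and the sample error message are all assumptions made for the example; the two sample queries are the ones from the report.

```javascript
// Added example (not Apache Drill's code): encode untrusted plain text for safe
// inclusion in HTML, covering both problems the report describes.

// Map each HTML-significant character to its entity. Quotes are included so the
// same function is also safe inside attribute values, not only element text.
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape every HTML-special character in a plain-text string. '&' must be
// encoded too; otherwise input such as "&lt;" would be rendered as "<".
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Escape the text AND turn line breaks into <br /> so multi-line error messages
// keep their line structure. Escaping runs first so the inserted tags survive.
function textToHtml(text) {
  return escapeHtml(text).replace(/\r\n|\r|\n/g, '<br />');
}

// Constructed samples: the report's two queries plus a made-up two-line error.
const SAMPLE_QUERY = 'SELECT 1<B FROM (VALUES 2) AS T(B)';
const SAMPLE_INJECTION = 'VALUES `<script> alert("Gotcha!") </script>';
const SAMPLE_ERROR =
  'PARSE ERROR: Encountered "<" at line 1, column 9.\nWas expecting one of: FROM, WHERE';

// Render a profile fragment the way a template should: every untrusted string
// passes through textToHtml before being concatenated into markup.
// (Hypothetical fragment; not the Web UI's actual template.)
function renderProfile(query, errorMessage) {
  return `<pre class="query">${textToHtml(query)}</pre>\n` +
         `<div class="error">${textToHtml(errorMessage)}</div>`;
}

// Check whether the rendered HTML contains a raw opening tag of the given name.
// After encoding, no '<' that came from user input can open a tag.
function containsRawTag(html, tagName) {
  return new RegExp(`<${tagName}\\b`, 'i').test(html);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderProfile(SAMPLE_QUERY, SAMPLE_ERROR));
  console.log(renderProfile(SAMPLE_INJECTION, ''));
}
```

With this in place the first query renders as "SELECT 1&lt;B FROM (VALUES 2) AS T(B)" and is displayed in full, and the second renders its script tag as inert text instead of executing it.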

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)