[
https://issues.apache.org/jira/browse/OOZIE-2492?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15216728#comment-15216728
]
Satish Subhashrao Saley commented on OOZIE-2492:
------------------------------------------------
+1
> JSON security issue in js code
> ------------------------------
>
> Key: OOZIE-2492
> URL: https://issues.apache.org/jira/browse/OOZIE-2492
> Project: Oozie
> Issue Type: Bug
> Components: client, security
> Affects Versions: 4.1.0
> Reporter: Ferenc Denes
> Assignee: Ferenc Denes
> Labels: security, web-console
> Fix For: trunk
>
> Attachments: OOZIE-2492-1.patch
>
>
> JSON parsing is done using the eval js method in several places in the
> oozie-console.js, which allows code injection.
> The project already contains a json parser library, which should be used all
> around the code.
> We are aware that most of the json documents parsed are from the oozie
> server, and not from the user directly. However fixing it all will make the
> code most robust and consistent.
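
The difference the issue describes, as an added example that is not part of the original message or of Oozie's code: the same response text parsed with `eval` and with a JSON parser. The function names and sample payloads are constructed for illustration, and the built-in `JSON.parse` stands in for the parser library the issue mentions.

```javascript
// Added example, not Oozie code. All names and payloads here are constructed.

// "Before": the pattern the issue describes. eval() runs the text as
// JavaScript, so any expression embedded in the response is executed.
function parseWithEval(text) {
  return eval("(" + text + ")");
}

// "After": a JSON parser accepts only JSON grammar. Anything else throws,
// and the caller gets an error instead of executed code.
function parseJsonStrict(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Harmless marker used to observe whether the response text was executed.
let executed = false;
function markExecuted() {
  executed = true;
  return "RUNNING";
}

// Constructed sample responses.
const wellFormed = '{"id": "job-1", "status": "RUNNING"}';
// Not valid JSON: the "status" value is a function call expression.
const notJson = '{"id": "job-1", "status": markExecuted()}';

function demo() {
  executed = false;
  const viaEval = parseWithEval(notJson);
  const evalRan = executed;          // true: eval executed the embedded call

  executed = false;
  const viaParser = parseJsonStrict(notJson);
  const parserRan = executed;        // false: the parser rejected the text

  return {
    evalRan,
    evalStatus: viaEval.status,
    parserOk: viaParser.ok,
    parserRan,
    wellFormed: parseJsonStrict(wellFormed),
  };
}

console.log(demo());
```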