[
https://issues.apache.org/jira/browse/HDFS-11441?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15893221#comment-15893221
]
Andrew Wang commented on HDFS-11441:
------------------------------------
I checked the failed unit tests, and they're unrelated to this patch. It looks
like the branch-2.6 precommit and test suite are pretty broken.
I applied the patch and poked around. Looks like we get double escaping on the
logLevel endpoint:
{noformat}
Submitted Log Name: <>'";
Log Class: org.apache.commons.logging.impl.Log4JLogger
Submitted Level: <>"';
Bad Level : <>"';
Effective level: INFO
{noformat}
I also tried browseDirectory.jsp with a directory named "<>" and "abc" and it
seems to be escaping the entire link:
{noformat}
<a href="http://localhost:50075/browseDirectory.jsp?dir=%2F%3C%3E&namenodeInfoPort=50070&nnaddr=127.0.0.1:8020"><></a>
<a href="http://localhost:50075/browseDirectory.jsp?dir=%2Fabc&namenodeInfoPort=50070&nnaddr=127.0.0.1:8020">abc</a>
{noformat}
Didn't check the others, but I think we need to do manual verification of these
to make sure they're escaping correctly.
> Add escaping to error messages in web UIs
> -----------------------------------------
>
> Key: HDFS-11441
> URL: https://issues.apache.org/jira/browse/HDFS-11441
> Project: Hadoop HDFS
> Issue Type: Bug
> Components: security
> Affects Versions: 2.8.0
> Reporter: Aaron T. Myers
> Assignee: Aaron T. Myers
> Priority: Minor
> Attachments: HDFS-11441-branch-2.6.patch, HDFS-11441.patch
>
>
> There's a handful of places where web UIs don't escape error messages. We
> should add escaping in these places.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
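The two symptoms in the comment above (an entity escaped twice on the logLevel output, and escaping applied to a whole browseDirectory.jsp link instead of its parts) are the kind of thing the suggested manual verification should catch. The harness below is an added example, not Hadoop's own code: it renders both outputs the way a correct UI should, reproduces the double-escape defect on demand, and flags it; the endpoint path, host and ports come from the quoted output, while the helper names and the probe values are assumptions.

```python
import html
from urllib.parse import quote

# Constructed probe values; the first mirrors the log name submitted in the comment.
PROBE_LOG_NAME = "<>'\";"
PROBE_DIR_NAME = "<>"

# Marker strings that only appear when an already-escaped entity was escaped again.
DOUBLE_ESCAPE_MARKERS = ("&amp;lt;", "&amp;gt;", "&amp;quot;", "&amp;#", "&amp;amp;")


def escape_once(text: str) -> str:
    """HTML-escape untrusted text exactly once (element content or attribute value)."""
    return html.escape(text, quote=True)


def looks_double_escaped(rendered: str) -> bool:
    """True when the rendered HTML contains an entity whose own '&' was escaped."""
    return any(marker in rendered for marker in DOUBLE_ESCAPE_MARKERS)


def render_log_level_line(label: str, value: str, times: int = 1) -> str:
    """Render one line of the logLevel response.

    times=1 is the correct behaviour; times=2 reproduces the double-escaping defect
    that shows up when a value is escaped by both the servlet and the template.
    """
    out = value
    for _ in range(times):
        out = escape_once(out)
    return f"{label}: {out}"


def render_directory_link(name: str, host: str = "localhost", port: int = 50075) -> str:
    """Build a browseDirectory.jsp anchor for a directory under /.

    The query value is percent-encoded (URL context), then the href attribute and the
    link text are HTML-escaped separately; the <a> element itself is never escaped.
    """
    url = (f"http://{host}:{port}/browseDirectory.jsp?dir={quote('/' + name, safe='')}"
           "&namenodeInfoPort=50070&nnaddr=127.0.0.1:8020")
    return f'<a href="{escape_once(url)}">{escape_once(name)}</a>'


def link_is_well_formed(anchor: str) -> bool:
    """Only the two tag brackets of <a ...></a> may remain unescaped; raw '&' in href is an error."""
    return anchor.count("<") == 2 and anchor.count(">") == 2 and "&n" not in anchor
```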