[ https://issues.apache.org/jira/browse/DRILL-3768?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Barclay (Drill) updated DRILL-3768:
------------------------------------------
    Description: 
The Web UI does not properly encode query text or error message text into HTML. This makes the Web UI vulnerable to JavaScript-injection attacks.

Most importantly, the Web UI doesn't encode characters that are special in HTML, e.g., encoding "<" in that plain text to "&lt;" in the HTML text.

This means that some queries containing a less-than character ("<") are displayed wrong. For example, submit this query and then look at its profile via the Web UI:
{noformat}
SELECT 1<B FROM (VALUES 2) AS T(B)
{noformat}
(The query currently shows up as "{{SELECT 1}}".)

What's worse is that someone submitting a query can inject HTML, _including JavaScript code_, into the Web UI's pages. Look at this query's profile in the Web UI:
{noformat}
VALUES `<script> alert("Gotcha!") </script>`
{noformat}

Another, though less serious, problem is that line breaks in plain text are not encoded into HTML (e.g., as "<br />"). That means that separate lines of error messages are run together, making them harder or impossible to parse correctly when seen in the Web UI.

  was:
The Web UI does not properly encode query text or error message text into HTML. This makes the Web UI vulnerable to JavaScript-injection attacks.

Most importantly, the Web UI doesn't encode characters that are special in HTML, e.g., encoding "<" in that plain text to "&lt;" in the HTML text.

This means that some queries containing a less-than character ("<") are displayed wrong. For example, submit this query and then look at its profile via the Web UI:
{noformat}
SELECT 1<B FROM (VALUES 2) AS T(B)
{noformat}
(The query currently shows up as "{{SELECT 1}}".)

What's worse is that someone submitting a query can inject HTML, _including JavaScript code_, into the Web UI's pages. Look at this query's profile in the Web UI:
{noformat}
VALUES `<script> alert("Gotcha!") </script>
{noformat}

Another, though less serious, problem is that line breaks in plain text are not encoded into HTML (e.g., as "<br />"). That means that separate lines of error messages are run together, making them harder or impossible to parse correctly when seen in the Web UI.


> HTML- and JavaScript-injection vulnerability (lack of HTML encoding)
> --------------------------------------------------------------------
>
>                 Key: DRILL-3768
>                 URL: https://issues.apache.org/jira/browse/DRILL-3768
>             Project: Apache Drill
>          Issue Type: Bug
>          Components: Client - HTTP
>            Reporter: Daniel Barclay (Drill)
>            Assignee: Jason Altekruse
>            Priority: Critical
>

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
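The encoding the issue asks for, shown as an added example in Java (the language of the Drill project); this is not Drill's own code or its eventual fix, and the class name, method name and the sample strings are this example's own choices. It escapes the five characters that are special in HTML element content and turns line breaks into "<br />", then runs the two queries from the issue and a constructed two-line error message through it:

```java
// Added example (not Apache Drill's code): HTML-encode plain text such as
// query text or error messages before embedding it in a web page.
import java.util.Arrays;
import java.util.List;

public final class HtmlEncodeExample {

    /**
     * Encode plain text for use as HTML element content.
     *
     * '&', '<', '>', '"' and '\'' become character references, so the text
     * can never open a tag, attribute or script and the browser displays it
     * verbatim. Line breaks ("\r\n", "\n" or "\r") become "<br />" so that a
     * multi-line error message keeps its line structure when rendered.
     */
    public static String encodeHtml(String plainText) {
        if (plainText == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(plainText.length() + 16);
        for (int i = 0; i < plainText.length(); i++) {
            char c = plainText.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                case '\r':
                    // A "\r\n" pair is a single line break, so skip the '\n'.
                    if (i + 1 < plainText.length() && plainText.charAt(i + 1) == '\n') {
                        i++;
                    }
                    out.append("<br />");
                    break;
                case '\n':
                    out.append("<br />");
                    break;
                default:
                    out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed inputs: the two queries from the issue and a made-up
        // two-line error message.
        List<String> samples = Arrays.asList(
            "SELECT 1<B FROM (VALUES 2) AS T(B)",
            "VALUES `<script> alert(\"Gotcha!\") </script>`",
            "PARSE ERROR: Encountered \"<\" at line 1, column 9.\nSQL Query: SELECT 1<B");
        for (String s : samples) {
            System.out.println("raw:     " + s);
            System.out.println("encoded: " + encodeHtml(s));
            System.out.println();
        }
    }
}
```

Two caveats a practitioner would want: this encoding is correct only when the text lands in element content; a value placed inside an attribute, a URL or an inline script needs the encoding for that context instead, and the "<br />" substitution should be skipped when the text is already inside a "<pre>" element, where newlines are preserved as-is. In production code a template engine's auto-escaping or a maintained library such as the OWASP Java Encoder is preferable to a hand-rolled switch like the one above.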