[
https://issues.apache.org/jira/browse/DRILL-3768?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Daniel Barclay (Drill) updated DRILL-3768:
------------------------------------------
Description:
The Web UI does not properly encode query text or error message text into HTML.
This makes the Web UI vulnerable to JavaScript-injection attacks.
Most importantly, the Web UI doesn't encode characters that are special in
HTML, e.g., encoding "<" in that plain text to "&lt;" in the HTML text.
This means that some queries containing a less-than character ("<") are
displayed wrong. For example, submit this query and then look at its profile
via the Web UI:
{noformat}
SELECT 1<B FROM (VALUES 2) AS T(B)
{noformat}
(The query currently shows up as "{{SELECT 1}}".)
What's worse is that someone submitting a query can inject HTML, _including
JavaScript code_, into the Web UI's pages. Look at this query's profile in the
Web UI:
{noformat}
VALUES `<script> alert("Gotcha!") </script>`
{noformat}
Another, though less serious, problem is that line breaks in plain text are not
encoded into HTML (e.g., as "<br />").
That means that separate lines of error messages are run together, making them
harder or impossible to parse correctly when seen in the Web UI.
was:
The Web UI does not properly encode query text or error message text into HTML.
This makes the Web UI vulnerable to JavaScript-injection attacks.
Most importantly, the Web UI doesn't encode characters that are special in
HTML, e.g., encoding "<" in that plain text to "&lt;" in the HTML text.
This means that some queries containing a less-than character ("<") are
displayed wrong. For example, submit this query and then look at its profile
via the Web UI:
{noformat}
SELECT 1<B FROM (VALUES 2) AS T(B)
{noformat}
(The query currently shows up as "{{SELECT 1}}".)
What's worse is that someone submitting a query can inject HTML, _including
JavaScript code_, into the Web UI's pages. Look at this query's profile in the
Web UI:
{noformat}
VALUES `<script> alert("Gotcha!") </script>
{noformat}
Another, though less serious, problem is that line breaks in plain text are not
encoded into HTML (e.g., as "<br />").
That means that separate lines of error messages are run together, making them
harder or impossible to parse correctly when seen in the Web UI.
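The encoding the issue asks for, shown as an added example that is not part of the issue or of Drill's (Java) Web UI code: every HTML-special character becomes its entity and line breaks become `<br />`. The sample inputs are the two queries quoted above plus a constructed error message; `browser_visible_text` is an assumed, crude model of how a browser drops an unterminated tag, used only to explain the truncated "SELECT 1" display.

```python
import re

# Characters that are special in HTML text and attribute values, mapped to
# their entities. One pass over the input, so "&" in already-encoded text is
# encoded again rather than passed through.
_HTML_SPECIAL = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
}

def encode_html_text(plain: str, keep_line_breaks: bool = True) -> str:
    """Encode plain text so that a browser displays it literally.

    Every HTML-special character becomes its entity, so query text such as
    `1<B` or `<script>` can no longer open a tag. Line breaks are then
    rendered as <br /> so multi-line error messages keep their lines.
    """
    encoded = "".join(_HTML_SPECIAL.get(ch, ch) for ch in plain)
    if keep_line_breaks:
        # Normalise CRLF / CR to LF first so no stray CR survives.
        encoded = encoded.replace("\r\n", "\n").replace("\r", "\n")
        encoded = encoded.replace("\n", "<br />\n")
    return encoded

# Crude model (assumption) of how a browser treats unencoded text: everything
# from "<" up to the next ">", or to the end of input if there is none, is a
# tag and is not displayed. Enough to explain the truncated "SELECT 1".
_TAG_RE = re.compile(r"<[^>]*>?")

def browser_visible_text(fragment: str) -> str:
    return _TAG_RE.sub("", fragment)

def is_safe_html_text(encoded: str) -> bool:
    """True if the only tags left in the encoded string are the <br /> we add."""
    return all(tag == "<br />" for tag in _TAG_RE.findall(encoded))

# Samples: the two queries quoted in the issue plus a constructed error message.
QUERY_LT = "SELECT 1<B FROM (VALUES 2) AS T(B)"
QUERY_SCRIPT = 'VALUES `<script> alert("Gotcha!") </script>`'
ERROR_MSG = "Error: expected ';'\nat line 1"  # constructed two-line message

if __name__ == "__main__":
    print(browser_visible_text(QUERY_LT))  # what the unencoded UI shows
    for sample in (QUERY_LT, QUERY_SCRIPT, ERROR_MSG):
        print(encode_html_text(sample))
```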
> HTML- and JavaScript-injection vulnerability (lack of HTML encoding)
> --------------------------------------------------------------------
>
> Key: DRILL-3768
> URL: https://issues.apache.org/jira/browse/DRILL-3768
> Project: Apache Drill
> Issue Type: Bug
> Components: Client - HTTP
> Reporter: Daniel Barclay (Drill)
> Assignee: Jason Altekruse
> Priority: Critical
>
> The Web UI does not properly encode query text or error message text into
> HTML. This makes the Web UI vulnerable to JavaScript-injection attacks.
>
> Most importantly, the Web UI doesn't encode characters that are special in
> HTML, e.g., encoding "<" in that plain text to "&lt;" in the HTML text.
> This means that some queries containing a less-than character ("<") are
> displayed wrong. For example, submit this query and then look at its profile
> via the Web UI:
> {noformat}
> SELECT 1<B FROM (VALUES 2) AS T(B)
> {noformat}
> (The query currently shows up as "{{SELECT 1}}".)
> What's worse is that someone submitting a query can inject HTML, _including
> JavaScript code_, into the Web UI's pages. Look at this query's profile in
> the Web UI:
> {noformat}
> VALUES `<script> alert("Gotcha!") </script>`
> {noformat}
>
> Another, though less serious, problem is that line breaks in plain text are
> not encoded into HTML (e.g., as "<br />").
> That means that separate lines of error messages are run together, making
> them harder or impossible to parse correctly when seen in the Web UI.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)