[ https://issues.apache.org/jira/browse/HBASE-8811?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13694512#comment-13694512 ]
Hudson commented on HBASE-8811:
-------------------------------
Integrated in HBase-0.94-security #183 (See
[https://builds.apache.org/job/HBase-0.94-security/183/])
HBASE-8811. REST service ignores misspelled 'check' parameter, causing
unexpected mutations (Chip Salzenberg and Andrew Purtell) (Revision 1497211)
Result = SUCCESS
apurtell :
Files :
* /hbase/branches/0.94/src/main/java/org/apache/hadoop/hbase/rest/RowResource.java
* /hbase/branches/0.94/src/test/java/org/apache/hadoop/hbase/rest/TestRowResource.java
> REST service ignores misspelled "check=" parameter, causing unexpected
> mutations
> --------------------------------------------------------------------------------
>
> Key: HBASE-8811
> URL: https://issues.apache.org/jira/browse/HBASE-8811
> Project: HBase
> Issue Type: Bug
> Components: REST
> Affects Versions: 0.98.0, 0.95.2, 0.94.9
> Reporter: Chip Salzenberg
> Assignee: Chip Salzenberg
> Priority: Critical
> Fix For: 0.98.0, 0.95.2, 0.94.9
>
> Attachments: 8811-0.94.patch, 8811.patch
>
>
> In rest.RowResource.update(), this code keeps executing a request if a
> misspelled check= parameter is provided.
> {noformat}
>     if (CHECK_PUT.equalsIgnoreCase(check)) {
>       return checkAndPut(model);
>     } else if (CHECK_DELETE.equalsIgnoreCase(check)) {
>       return checkAndDelete(model);
>     } else if (check != null && check.length() > 0) {
>       LOG.warn("Unknown check value: " + check + ", ignored");
>     }
> {noformat}
> By my reading of the code, this results in the provided cell value that was
> intended as a check instead being treated as a mutation, which is sure to
> destroy user data. Thus the priority of this bug, as it can cause corruption.
> I suggest that a better reaction than a warning would be, approximately:
> {noformat}
>     return Response.status(Response.Status.BAD_REQUEST)
>       .type(MIMETYPE_TEXT).entity("Invalid check value '" + check + "'")
>       .build();
> {noformat}
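Added example, not part of the JIRA message or the HBase patch: a self-contained Java model of the dispatch described in the issue, with the fall-through write beside a fail-closed variant that rejects an unrecognised check value. The in-memory store, the two-cell request shape, the numeric status results and every method name other than the quoted constants are assumptions.

```java
import java.util.HashMap;
import java.util.Map;

// Simplified model of the dispatch reported in HBASE-8811; not HBase code.
// Assumed: one column per row; the last request cell is the value to check.
public class CheckParamDemo {
    static final String CHECK_PUT = "put", CHECK_DELETE = "delete";
    static final Map<String, String> store = new HashMap<>();

    static int plainPut(String row, String[] cells) {
        for (String c : cells) store.put(row, c);    // every cell is a mutation
        return 200;
    }

    static int checkAndPut(String row, String[] cells) {
        String expected = cells[cells.length - 1];
        if (!expected.equals(store.get(row))) return 304;  // guard failed, no write
        store.put(row, cells[0]);
        return 200;
    }
    static int checkAndDelete(String row, String[] cells) {
        String expected = cells[cells.length - 1];
        if (!expected.equals(store.get(row))) return 304;
        store.remove(row);
        return 200;
    }

    // Behaviour described in the report: an unknown value falls through to a write.
    static int updateLenient(String row, String[] cells, String check) {
        if (CHECK_PUT.equalsIgnoreCase(check)) return checkAndPut(row, cells);
        if (CHECK_DELETE.equalsIgnoreCase(check)) return checkAndDelete(row, cells);
        return plainPut(row, cells);                 // "putt" ends up here
    }

    // Fail closed: only an absent or empty parameter means an unconditional put.
    static int updateStrict(String row, String[] cells, String check) {
        if (check == null || check.isEmpty()) return plainPut(row, cells);
        if (CHECK_PUT.equalsIgnoreCase(check)) return checkAndPut(row, cells);
        if (CHECK_DELETE.equalsIgnoreCase(check)) return checkAndDelete(row, cells);
        return 400;                                  // reject, touch nothing
    }
    public static void main(String[] args) {
        String[] cells = {"new", "expected"};        // constructed request
        store.put("r1", "current");
        System.out.println("lenient: " + updateLenient("r1", cells, "putt") + " " + store);
        store.put("r1", "current");
        System.out.println("strict:  " + updateStrict("r1", cells, "putt") + " " + store);
    }
}
```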