[
https://issues.apache.org/jira/browse/HBASE-16267?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15415701#comment-15415701
]
Ted Yu commented on HBASE-16267:
--------------------------------
bq. what's the difference if included explicitly or implicitly?
When the dependency is implicit, we would completely get rid of the security
vulnerability when the hadoop version is upgraded.
If the dependency is explicit, the hbase codebase would still be vulnerable even after
the upgrade.
bq. sun.net.www.protocol.http.HttpURLConnection.getInputStream defaults
httpclient?
hbase doesn't import any sun.net.* classes - hadoop does.
> Remove commons-httpclient dependency from hbase-rest module
> -----------------------------------------------------------
>
> Key: HBASE-16267
> URL: https://issues.apache.org/jira/browse/HBASE-16267
> Project: HBase
> Issue Type: Bug
> Reporter: Ted Yu
> Assignee: Ted Yu
> Priority: Critical
> Fix For: 2.0.0
>
> Attachments: 16267.v10.txt, 16267.v11.txt, 16267.v12.txt,
> 16267.v13.txt, 16267.v14.txt, 16267.v2.txt, 16267.v4.txt, 16267.v6.txt,
> 16267.v8.txt, 16267.v9.txt
>
>
> hbase-rest module still has imports from org.apache.commons.httpclient.
> There is more work to be done after HBASE-15767 was integrated.
> In master branch, there seems to be transitive dependency which allows the
> code to compile:
> {code}
> [INFO] +- org.apache.hadoop:hadoop-common:jar:2.7.1:compile
> [INFO] | +- org.apache.hadoop:hadoop-annotations:jar:2.7.1:compile
> [INFO] | +- commons-cli:commons-cli:jar:1.2:compile
> [INFO] | +- org.apache.commons:commons-math3:jar:3.1.1:compile
> [INFO] | +- xmlenc:xmlenc:jar:0.52:compile
> [INFO] | +- commons-httpclient:commons-httpclient:jar:3.1:compile
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
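The distinction drawn in the comment above (a vulnerable artifact that arrives transitively disappears when the parent is upgraded; one declared directly in the module's own pom does not) can be checked mechanically against the output of `mvn dependency:tree`. The script below is an added example, not part of the issue or of the HBase code base: it classifies how a given groupId:artifactId enters the build as "direct", "transitive" or "absent", using the Maven tree convention that depth-1 entries start with `+- ` or `\- ` right after the `[INFO] ` prefix. The two dependency trees embedded in it are constructed samples modelled on the tree quoted in the issue; in a real check you would feed it `mvn dependency:tree -Dincludes=commons-httpclient` output instead.

```shell
#!/bin/sh
# Added example (not HBase project code): classify how an artifact enters a Maven build.
#
# Usage: classify_dep "<mvn dependency:tree output>" "<groupId:artifactId>"
# Prints one of: direct | transitive | absent
classify_dep() {
    tree="$1"      # full text of `mvn dependency:tree` output
    artifact="$2"  # e.g. commons-httpclient:commons-httpclient
    printf '%s\n' "$tree" | awk -v art="$artifact" '
        {
            line = $0
            sub(/^\[INFO\] /, "", line)            # drop the Maven log prefix
            if (index(line, art ":") == 0) next    # not the artifact we are looking for
            # Depth-1 (direct) entries carry the branch marker as the first thing
            # on the line; deeper (transitive) entries are indented with "|  " or "   ".
            marker = substr(line, 1, 3)
            if (marker == "+- " || marker == "\\- ") { found = "direct"; exit }
            if (found == "") found = "transitive"
        }
        END { print (found == "" ? "absent" : found) }
    '
}

# Constructed sample 1: httpclient pulled in only through hadoop-common
# (the situation described in the issue; upgrading hadoop removes it).
TRANSITIVE_TREE='[INFO] +- org.apache.hadoop:hadoop-common:jar:2.7.1:compile
[INFO] |  +- org.apache.hadoop:hadoop-annotations:jar:2.7.1:compile
[INFO] |  +- commons-cli:commons-cli:jar:1.2:compile
[INFO] |  +- org.apache.commons:commons-math3:jar:3.1.1:compile
[INFO] |  \- commons-httpclient:commons-httpclient:jar:3.1:compile'

# Constructed sample 2: the same artifact declared directly in the module pom
# (a hadoop upgrade leaves it in place; the declaration itself must be removed).
DIRECT_TREE='[INFO] +- commons-httpclient:commons-httpclient:jar:3.1:compile
[INFO] +- org.apache.hadoop:hadoop-common:jar:2.7.1:compile
[INFO] |  +- org.apache.hadoop:hadoop-annotations:jar:2.7.1:compile
[INFO] |  \- commons-cli:commons-cli:jar:1.2:compile'

ARTIFACT=commons-httpclient:commons-httpclient

printf 'sample 1 (%s): %s\n' "$ARTIFACT" "$(classify_dep "$TRANSITIVE_TREE" "$ARTIFACT")"
printf 'sample 2 (%s): %s\n' "$ARTIFACT" "$(classify_dep "$DIRECT_TREE" "$ARTIFACT")"
```

A "direct" result is the case the comment warns about: the module's own pom names the artifact, so bumping the hadoop version does nothing for it and the declaration (and the code importing it) has to go. A "transitive" result is the one that a parent upgrade or an exclusion on the parent resolves.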