[ https://issues.apache.org/jira/browse/HBASE-15328?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15872299#comment-15872299 ]
Esteban Gutierrez commented on HBASE-15328:
-------------------------------------------

Just a quick comment:

{code} + if(!Addressing.isLocalAddress(InetAddress.getByName(redirectHost))) { + LOG.warn("Couldn't resolve '" + redirectHost + "' as an address local to this node and '" + + REGION_SERVER_INFO_REDIRECT_HOST + "' is not set; client will get a HTTP 400 response. If " + + "your HBase deployment relies on client accessible names that the region server process " + + "can't resolve locally, then you should set the previously mentioned configuration variable " + + "to an appropriate hostname."); {code}

When {{hbase.master.hostname}} or {{hbase.region.hostname}} is present shouldn't we use that for {{hbase.regionserver.info.redirect.hostname}}?

> Unvalidated Redirect in HMaster
> -------------------------------
>
>                 Key: HBASE-15328
>                 URL: https://issues.apache.org/jira/browse/HBASE-15328
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>            Reporter: stack
>            Assignee: Sean Busbey
>            Priority: Minor
>         Attachments: HBASE-15328.0.patch
>
>
> See OWASP page on why we should clean it up someday:
> https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet
> Here is where we do the redirect:
> {code}
>     @Override
>     public void doGet(HttpServletRequest request,
>         HttpServletResponse response) throws ServletException, IOException {
>       String redirectUrl = request.getScheme() + "://"
>         + request.getServerName() + ":" + regionServerInfoPort
>         + request.getRequestURI();
>       response.sendRedirect(redirectUrl);
>     }
>   }
> {code}

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
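
Review bot: {{InetAddress.getByName(redirectHost)}} in the {{if}} condition throws {{UnknownHostException}} when the name does not resolve at all, and the visible lines show no handler for it, so the "Couldn't resolve" warning as written is reached only when the name resolves to an address that is not local to this node. Suggest catching the exception around the lookup and logging the same guidance there, or rewording the message to say the name resolved to a non-local address. Style: {{if(}} is missing the space after the keyword, and the warning refers to "the previously mentioned configuration variable" although the key was already concatenated in; repeating {{REGION_SERVER_INFO_REDIRECT_HOST}} at the end would read more clearly in a log line.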
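
The {{doGet}} in the quoted issue description builds its redirect from {{request.getServerName()}}, which the servlet container takes from the client-supplied Host header. The following is an added example, not code from the issue or from HBASE-15328.0.patch, of checking that host against a configured set before redirecting; the class name {{RedirectTarget}}, the {{allowedHosts}} parameter and all sample hostnames and ports are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Optional;
import java.util.Set;

// Hypothetical helper (not HBase code): decides whether a redirect may be sent.
public class RedirectTarget {

    // Returns the redirect URL, or empty when the caller should answer HTTP 400.
    // scheme, host and requestUri correspond to request.getScheme(),
    // request.getServerName() and request.getRequestURI() in the quoted doGet.
    static Optional<String> build(String scheme, String host, int port,
                                  String requestUri, Set<String> allowedHosts) {
        if (!"http".equals(scheme) && !"https".equals(scheme)) {
            return Optional.empty();
        }
        // The host comes from the client, so accept only names the operator configured.
        if (host == null || !allowedHosts.contains(host.toLowerCase(Locale.ROOT))) {
            return Optional.empty();
        }
        if (requestUri == null || !requestUri.startsWith("/")) {
            return Optional.empty();
        }
        try {
            // Parsing rejects control characters such as CR/LF in the path.
            URI uri = new URI(scheme + "://" + host + ":" + port + requestUri);
            // Re-check the parsed authority so nothing in the input shifted it.
            if (!host.equalsIgnoreCase(uri.getHost()) || uri.getPort() != port) {
                return Optional.empty();
            }
            return Optional.of(uri.toASCIIString());
        } catch (URISyntaxException e) {
            return Optional.empty();
        }
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the issue.
        Set<String> allowed = Set.of("rs1.example.com");
        System.out.println(build("http", "rs1.example.com", 16030, "/rs-status", allowed));
        System.out.println(build("http", "other.example.net", 16030, "/rs-status", allowed));
        System.out.println(build("http", "rs1.example.com", 16030, "/a\r\nX-Injected: 1", allowed));
    }
}
```

In a servlet, an empty result would map to {{response.sendError(HttpServletResponse.SC_BAD_REQUEST)}} instead of {{sendRedirect}}.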