[ https://issues.apache.org/jira/browse/HBASE-20339?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Wei-Chiu Chuang resolved HBASE-20339.
-------------------------------------
Resolution: Not A Problem
> A potential security issue in org.apache.hadoop.hbase.http.log.LogLevel.java
> ----------------------------------------------------------------------------
>
> Key: HBASE-20339
> URL: https://issues.apache.org/jira/browse/HBASE-20339
> Project: HBase
> Issue Type: Bug
> Components: hbase
> Affects Versions: 2.0.0-beta-2
> Reporter: andy zhou
> Priority: Major
>
> Our program analyzer has detected a potential security issue as follows
> {code:java}
> PrintWriter out = ServletUtil.initHTML(response, "Log Level");
> String logName = ServletUtil.getParameter(request, "log");
> String level = ServletUtil.getParameter(request, "level");
> if (logName != null) {
>   out.println("<br /><hr /><h3>Results</h3>");
>   out.println(MARKER
>       + "Submitted Log Name: <b>" + logName + "</b><br />");
>   ...
> }
> {code}
> Above is the code piece. It seems that the log name is directly collected from
> the web request, and only whether the data is null is checked. So an attacker
> may provide a "logName" with a piece of injected code, leading to cross-site
> attacks. Besides, the variable "level" may also have such a vulnerability.
>
> (org.apache.hadoop.hbase.http.log.LogLevel.java Line 111/118)
> Linkage to the code is here:
> [https://github.com/apache/hbase/blob/9e9b347d667e1fc6165c9f8ae5ae7052147e8895/hbase-http/src/main/java/org/apache/hadoop/hbase/http/log/LogLevel.java#L111]
>
> SourceBrella inc.
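For the pattern the report describes (a request parameter concatenated into HTML with only a null check), the following is an added example, not code from HBase or from the reporter, that shows the unescaped rendering beside an output-escaped version. Servlet request and response objects are replaced by plain strings, and the names `escapeHtml`, `renderUnescaped` and `renderEscaped` are chosen for this example only.

```java
/**
 * Added example (not HBase code): a reflected parameter written into HTML,
 * shown beside a version that escapes the value at the point of output.
 */
public class LogLevelEscapingDemo {

    // Minimal escaper for an HTML text-node context (the value sits inside <b>...</b>).
    // Assumption: rewriting these five characters is sufficient for that context;
    // attribute, URL or script contexts would need context-specific encoding.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Mirrors the snippet in the report: the parameter is concatenated into markup as-is,
    // so any markup it carries is handed to the browser for interpretation.
    static String renderUnescaped(String logName) {
        return "Submitted Log Name: <b>" + logName + "</b><br />";
    }

    // Hardened form: same markup, but the untrusted value is escaped where it is emitted,
    // so the browser shows it as literal text.
    static String renderEscaped(String logName) {
        return "Submitted Log Name: <b>" + escapeHtml(logName) + "</b><br />";
    }

    public static void main(String[] args) {
        // Constructed sample inputs: an ordinary logger name and a value that carries markup.
        String[] inputs = {
            "org.apache.hadoop.hbase.regionserver",
            "<i>not a logger name</i> &amp; more"
        };
        for (String in : inputs) {
            System.out.println("unescaped: " + renderUnescaped(in));
            System.out.println("escaped:   " + renderEscaped(in));
        }
    }
}
```

The same check applies to the "level" parameter the report mentions: every request-supplied value that reaches the page goes through the escaper, not only the one the analyzer flagged.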
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)