busbey commented on a change in pull request #261: HBASE-22467 UI fixes to enable Knox proxying
URL: https://github.com/apache/hbase/pull/261#discussion_r288248769
 
 

 ##########
 File path: 
hbase-http/src/main/java/org/apache/hadoop/hbase/http/ProfileOutputServlet.java
 ##########
 @@ -48,11 +51,25 @@ protected void doGet(final HttpServletRequest req, final 
HttpServletResponse res
     // will be <100 bytes (in all modes).
     if (requestedFile.length() < 100) {
       LOG.info(requestedFile  + " is incomplete. Sending auto-refresh 
header.");
-      resp.setHeader("Refresh", REFRESH_PERIOD + "," + req.getRequestURI());
+      String refreshUrl = req.getRequestURI();
+      // Rebuild the query string (if we have one)
+      if (req.getQueryString() != null) {
+        refreshUrl += "?" + sanitize(req.getQueryString());
+      }
+      ProfileServlet.setResponseHeader(resp);
+      resp.setHeader("Refresh", REFRESH_PERIOD + ";" + refreshUrl);
       resp.getWriter().write("This page will be auto-refreshed every " + 
REFRESH_PERIOD +
-        " seconds until the output file is ready.");
+        " seconds until the output file is ready. Redirecting to " + 
refreshUrl);
     } else {
       super.doGet(req, resp);
     }
   }
+
+  static String sanitize(String input) {
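Review bot: The body write at `" seconds until the output file is ready. Redirecting to " + refreshUrl` echoes the whole `refreshUrl` into the HTML page, but only the query-string half has gone through `sanitize`; the `req.getRequestURI()` prefix assigned on the line `String refreshUrl = req.getRequestURI();` is appended verbatim. Since the body of `sanitize` is not in this hunk, it is also unclear whether it escapes for HTML or for a header value, and the two contexts need different treatment. Suggest escaping at the point of output instead: pass the raw `refreshUrl` to `resp.setHeader("Refresh", ...)` and write `HtmlQuoting.quoteHtmlChars(refreshUrl)` (or an equivalent HTML escaper) into the body, so the header keeps a valid URL and the page cannot reflect markup from either the path or the query string.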
 
 Review comment:
   Any particular rationale for this approach rather than using the existing 
`org.apache.hadoop.hbase.http.HtmlQuoting.quoteHtmlChars(String)` method?
   
   I guess the quoting approach doesn't protect against an attacker setting the 
`Accept` header to javascript at the same time they include a query parameter 
that would cause the browser to execute said javascript in the echoed page.
   
   I'm surprised there isn't already a utility method for this.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
[email protected]


With regards,
Apache Git Services
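The two output contexts the hunk writes the refresh target into, as an added example that is not HBase code or part of the PR: the Refresh header gets the raw URL (refused outright if it contains characters that would split the header), while the HTML body gets an HTML-escaped copy. It also goes a step beyond the thread by fixing the response Content-Type and adding `X-Content-Type-Options: nosniff`, so the content type never follows the request's Accept header, which is the browser-side half of the concern raised in the comment. `quoteHtmlChars` below is a local stand-in for `HtmlQuoting.quoteHtmlChars`, assumed to escape the same five characters; `REFRESH_PERIOD`, the request path and the query string are constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

/** Added example, not project code: escaping per output context for a refresh page. */
public final class RefreshTargetExample {

  static final int REFRESH_PERIOD = 2; // seconds; assumed value for the demo

  /** Stand-in for org.apache.hadoop.hbase.http.HtmlQuoting.quoteHtmlChars (assumed behaviour). */
  static String quoteHtmlChars(String s) {
    StringBuilder sb = new StringBuilder(s.length());
    for (int i = 0; i < s.length(); i++) {
      char c = s.charAt(i);
      switch (c) {
        case '&': sb.append("&amp;"); break;
        case '<': sb.append("&lt;"); break;
        case '>': sb.append("&gt;"); break;
        case '"': sb.append("&quot;"); break;
        case '\'': sb.append("&apos;"); break;
        default: sb.append(c);
      }
    }
    return sb.toString();
  }

  /** Target the browser should reload: request path plus the original query string, if any. */
  static String refreshUrl(String requestUri, String queryString) {
    return queryString == null ? requestUri : requestUri + "?" + queryString;
  }

  /**
   * Header value in the same shape as the patch (period, ';', URL). A header value must not
   * contain CR, LF or other control characters (header splitting); containers normally reject
   * raw ones in the request line, but failing closed here costs nothing.
   */
  static String refreshHeaderValue(String url) {
    for (int i = 0; i < url.length(); i++) {
      if (url.charAt(i) < 0x20) {
        throw new IllegalArgumentException("control character in refresh URL");
      }
    }
    return REFRESH_PERIOD + ";" + url;
  }

  /** Headers the page always carries, independent of what the client sent in Accept. */
  static Map<String, String> responseHeaders(String url) {
    Map<String, String> h = new LinkedHashMap<>();
    h.put("Content-Type", "text/html; charset=" + StandardCharsets.UTF_8.name());
    h.put("X-Content-Type-Options", "nosniff");
    h.put("Refresh", refreshHeaderValue(url));
    return h;
  }

  /** Body text; the URL is escaped here because this context is HTML, not a header. */
  static String body(String url) {
    return "This page will be auto-refreshed every " + REFRESH_PERIOD
        + " seconds until the output file is ready. Redirecting to " + quoteHtmlChars(url);
  }

  public static void main(String[] args) {
    // Constructed request: a query string carrying a reflected-XSS probe.
    String uri = "/prof-output/profile.svg";
    String qs = "file=x\"><script>alert(1)</script>";
    String url = refreshUrl(uri, qs);

    responseHeaders(url).forEach((k, v) -> System.out.println(k + ": " + v));
    System.out.println();
    System.out.println(body(url));

    // A header-splitting attempt is refused rather than written into the header.
    try {
      refreshHeaderValue(uri + "?a=1\r\nSet-Cookie: x=y");
    } catch (IllegalArgumentException e) {
      System.out.println("rejected: " + e.getMessage());
    }
  }
}
```

Running it prints the fixed headers, a body in which the probe appears as `&quot;&gt;&lt;script&gt;...` rather than as markup, and a rejection for the CRLF attempt. The point is that one `sanitize` routine cannot serve both places: the header needs a syntactically valid URL with no control characters, the body needs HTML escaping, and choosing the escaping at the point of output keeps each context correct on its own.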
