[
https://issues.apache.org/jira/browse/SENTRY-1665?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16077224#comment-16077224
]
Hadoop QA commented on SENTRY-1665:
-----------------------------------
Here are the results of testing the latest attachment
https://issues.apache.org/jira/secure/attachment/12873890/SENTRY-1665.001-sentry-ha-redesign.patch
against sentry-ha-redesign.
{color:green}Overall:{color} 1 all checks pass
{color:green}SUCCESS:{color} all tests passed
Console output:
https://builds.apache.org/job/PreCommit-SENTRY-Build/2957/console
This message is automatically generated.
> cross-site scripting vulnerability in ConfServlet
> -------------------------------------------------
>
> Key: SENTRY-1665
> URL: https://issues.apache.org/jira/browse/SENTRY-1665
> Project: Sentry
> Issue Type: Bug
> Components: Sentry
> Affects Versions: 1.8.0
> Reporter: Alexander Kolbasov
> Assignee: Brian Towles
> Labels: bite-sized, newbie, security
> Attachments: SENTRY-1665.001-sentry-ha-redesign.patch
>
>
> The ConfServlet class has the following code:
> {code}
> String format = request.getParameter(FORMAT_PARAM);
> ...
> } else {
> response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Bad format: " +
> format);
> }
> {code}
> As a result HTTP parameter is directly written to Servlet error page.
> Echoing this untrusted input allows for a reflected cross site scripting
> vulnerability. See http://en.wikipedia.org/wiki/Cross-site_scripting for more
> information.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
