[
https://issues.apache.org/jira/browse/SENTRY-2120?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16324551#comment-16324551
]
Sergio Peña commented on SENTRY-2120:
-------------------------------------
[~lina.li] We couldn't verify the vulnerability of this issue. It seems this is
fixed in the Jetty server version Sentry uses, and perhaps Jetty is already
escaping the error messages to prevent old browsers from exploiting this
vulnerability. However, we would like to have a patch where we escape the level
string in the code just to avoid other vulnerabilities in future browser and
Jetty versions. Can you change the title of this JIRA and the description so
that they specify the new change in the patch? This is not a vulnerability, so
there are no potential cross-site scripting issues.
> Potential cross-site scripting in LogLevelServlet
> -------------------------------------------------
>
> Key: SENTRY-2120
> URL: https://issues.apache.org/jira/browse/SENTRY-2120
> Project: Sentry
> Issue Type: Bug
> Components: Sentry
> Affects Versions: 2.0.0, 2.1.0
> Reporter: Na Li
> Assignee: Na Li
> Attachments: SENTRY-2120.001.patch, SENTRY-2120.001.patch
>
>
> LogLevelServlet.java has the following code
> {code}
> public void doGet(HttpServletRequest request, HttpServletResponse response)
>     throws ServletException, IOException {
>   String logName = getParameter(request, "log");
>   String level = getParameter(request, "level");
>   response.setContentType("text/html;charset=utf-8");
>   response.setStatus(HttpServletResponse.SC_OK);
>   PrintWriter out = response.getWriter();
>   if (logName != null) {
>     Logger logInstance = LogManager.getLogger(logName);
>     if (level == null) {
>       out.write(String.format(FORMS_GET,
>           escapeHtml(logName),
>           logInstance.getEffectiveLevel().toString()));
>     } else if (isLogLevelValid(level)) {
>       logInstance.setLevel(Level.toLevel(level));
>       out.write(String.format(FORMS_SET,
>           escapeHtml(logName),
>           level,
>           level,
>           logInstance.getEffectiveLevel().toString()));
>     } else {
>       // the raw "level" parameter is concatenated into the error page unescaped
>       response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid log level: " + level);
>       return;
>     }
>   }
>   out.write(FORMS_END);
>   out.close();
>   response.flushBuffer();
> }
> {code}
> As a result the HTTP parameter is directly written to the Servlet error page.
> Echoing this untrusted input allows for reflected cross-site scripting. See
> http://en.wikipedia.org/wiki/Cross-site_scripting for more information.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
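As an added illustration of the change the comment above asks for (escaping the level string before it reaches the response), the following is example code written for this page and is not Sentry's own LogLevelServlet or its patch. It drops the servlet API so it runs stand-alone and assumes the caller passes in the raw "log" and "level" query parameters; the level whitelist, the escapeHtml implementation and the page fragments are all assumptions standing in for the project's isLogLevelValid, escapeHtml and FORMS_* constants.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/**
 * Added example (not Sentry's code): the rendering logic of a log-level page
 * with every reflected request parameter HTML-escaped, including the "level"
 * value that the quoted doGet() concatenates unescaped into its 400 error.
 */
public class LogLevelPageExample {

    // Assumed whitelist of level names; anything else is rejected before it is
    // reflected anywhere (stands in for the project's isLogLevelValid).
    private static final Set<String> VALID_LEVELS = new HashSet<>(Arrays.asList(
            "OFF", "FATAL", "ERROR", "WARN", "INFO", "DEBUG", "TRACE", "ALL"));

    // Minimal HTML escaper for the characters that break out of text and
    // attribute contexts. Assumption: equivalent to the escapeHtml the quoted
    // code already applies to logName.
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Result of handling one request: HTTP status plus the body to write. */
    static final class Rendered {
        final int status;
        final String body;
        Rendered(int status, String body) {
            this.status = status;
            this.body = body;
        }
    }

    /**
     * Hardened equivalent of doGet: validate "level" first, then escape both
     * parameters at every point where they reach the response, the error path
     * included.
     */
    static Rendered render(String logName, String level) {
        if (logName == null) {
            // Assumed stand-in for the FORMS_GET form with no log selected.
            return new Rendered(200, "<form>Log: <input name=\"log\"></form>");
        }
        String safeName = escapeHtml(logName);
        if (level == null) {
            return new Rendered(200, "<p>Log: " + safeName + "</p>");
        }
        String upper = level.trim().toUpperCase();
        if (!VALID_LEVELS.contains(upper)) {
            // The quoted code concatenated the raw value into sendError();
            // escape it here (or omit it entirely) so the error page cannot
            // carry attacker-controlled markup.
            return new Rendered(400, "Invalid log level: " + escapeHtml(level));
        }
        // Only a whitelisted, constant level name is reflected on the success path.
        return new Rendered(200, "<p>Log: " + safeName + " set to " + upper + "</p>");
    }

    public static void main(String[] args) {
        // Constructed request: a valid log name and a script payload as the level.
        String payload = "<script>alert(1)</script>";
        Rendered bad = render("org.apache.sentry", payload);
        System.out.println(bad.status + " " + bad.body);

        Rendered good = render("org.apache.sentry", "debug");
        System.out.println(good.status + " " + good.body);
    }
}
```

Validating against a fixed set of names before reflecting anything means the success path never echoes user input at all, and escaping on the error path covers the one place where the raw value still has to be shown; a check that the rendered body contains `&lt;script&gt;` rather than `<script>` is the quickest way to confirm the fix in a unit test.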