GitHub user ambauma opened a pull request:
https://github.com/apache/spark/pull/19538
[SPARK-20393][WEBU UI][2.0] Strengthen Spark to prevent XSS vulnerabilities
## What changes were proposed in this pull request?
This is the fix for the master branch applied to the 2.0 branch. My
(unnamed) company will be using Spark 1.6 probably for another year. We have
been blocked from having Spark 1.6 on our workstations until CVE-2017-7678 is
patched, which SPARK-20393 does. I was told I need to patch branch 2.0 before
branch 1.6 could be patched.
## How was this patch tested?
The patch came with unit tests. The test build passed. Manual testing on
one of the affected screens showed the newline character removed. Screen
display was the same regardless (HTML ignores newline characters).

You can merge this pull request into a Git repository by running:
$ git pull https://github.com/ambauma/spark branch-2.0
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/spark/pull/19538.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #19538
----
commit 94918ea5e46ec1a1e8f12677bce51634efee6e35
Author: NICHOLAS T. MARION <[email protected]>
Date: 2017-05-10T09:59:57Z
[SPARK-20393][WEBU UI] Strengthen Spark to prevent XSS vulnerabilities
Add stripXSS and stripXSSMap to Spark Core's UIUtils. Calling these
functions at any point that getParameter is called against a HttpServletRequest.
Unit tests, IBM Security AppScan Standard no longer showing
vulnerabilities, manual verification of WebUI pages.
Author: NICHOLAS T. MARION <[email protected]>
Closes #17686 from n-marion/xss-fix.
commit 3e01302e8870c3193232463b03a734a0980be554
Author: ambauma <[email protected]>
Date: 2017-10-19T00:54:58Z
Changes based on code review.
----
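As an added illustration (not the PR's own Scala code), a Python sketch of the approach the commit message describes: one helper sanitizes a single request parameter, a map variant covers a whole getParameterMap result, and both are applied wherever a parameter is read from the request. The exact set of characters stripped before HTML-escaping is an assumption made for this example.

```python
import html
import re
from typing import Dict, List, Optional

# Newline sequences and single quotes, raw or URL-encoded, are removed before
# the remaining text is HTML-escaped. Assumed pattern for illustration only;
# Spark's UIUtils defines its own.
_NEWLINE_AND_QUOTE = re.compile(r"(?i)(\r\n|\n|\r|%0D%0A|%0A|%0D|'|%27)")


def strip_xss(param: Optional[str]) -> Optional[str]:
    """Sanitize a single request parameter value (None passes through)."""
    if param is None:
        return None
    cleaned = _NEWLINE_AND_QUOTE.sub("", param)
    # quote=True also escapes double quotes, so the value is safe inside an
    # HTML attribute as well as in element text.
    return html.escape(cleaned, quote=True)


def strip_xss_map(params: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Sanitize every value of a servlet-style parameter map (name -> values)."""
    return {name: [strip_xss(v) for v in values] for name, values in params.items()}


# Constructed sample of what a servlet's getParameterMap() might return.
SAMPLE_PARAMS = {
    "id": ["app-20171019\n<script>alert(1)</script>"],
    "sort": ["name"],
}

if __name__ == "__main__":
    for name, values in strip_xss_map(SAMPLE_PARAMS).items():
        print(name, values)
```

Escaping is context dependent; this helper targets HTML element and attribute contexts only, not JavaScript or URL contexts.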