[jira] [Commented] (HDFS-11441) Add escaping to error message in KMS web UI
[ https://issues.apache.org/jira/browse/HDFS-11441?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16450578#comment-16450578 ]

Hudson commented on HDFS-11441:
---

SUCCESS: Integrated in Jenkins build Hadoop-trunk-Commit #14057 (See [https://builds.apache.org/job/Hadoop-trunk-Commit/14057/])
HDFS-11441. Add escaping to error message in KMS web UI. Contributed by (aengineer: rev a4c1fec7b5318c11fc09c05060f536c43256025e)
* (edit) hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAuthenticationFilter.java

> Add escaping to error message in KMS web UI
> ---
>
> Key: HDFS-11441
> URL: https://issues.apache.org/jira/browse/HDFS-11441
> Project: Hadoop HDFS
> Issue Type: Bug
> Components: security
> Affects Versions: 2.8.0
> Reporter: Aaron T. Myers
> Assignee: Aaron T. Myers
> Priority: Minor
> Fix For: 2.9.0, 3.0.0-alpha4, 2.8.2
>
> Attachments: HDFS-11441-branch-2.6.patch, HDFS-11441.patch, HDFS-11441.patch
>
>
> There's a handful of places where web UIs don't escape error messages. We
> should add escaping in these places.
[jira] [Commented] (HDFS-11441) Add escaping to error message in KMS web UI
[ https://issues.apache.org/jira/browse/HDFS-11441?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15897872#comment-15897872 ]

Hudson commented on HDFS-11441:
---

SUCCESS: Integrated in Jenkins build Hadoop-trunk-Commit #11354 (See [https://builds.apache.org/job/Hadoop-trunk-Commit/11354/])
HDFS-11441. Add escaping to error message in KMS web UI. Contributed by (wang: rev ec839b94c0eb3f09e74f8a3b0bc9a08b3f5418b2)
* (edit) hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAuthenticationFilter.java

> Add escaping to error message in KMS web UI
> ---
>
> Key: HDFS-11441
> URL: https://issues.apache.org/jira/browse/HDFS-11441
> Project: Hadoop HDFS
> Issue Type: Bug
> Components: security
> Affects Versions: 2.8.0
> Reporter: Aaron T. Myers
> Assignee: Aaron T. Myers
> Priority: Minor
> Fix For: 2.9.0, 3.0.0-alpha3, 2.8.1
>
> Attachments: HDFS-11441-branch-2.6.patch, HDFS-11441.patch, HDFS-11441.patch
>
>
> There's a handful of places where web UIs don't escape error messages. We
> should add escaping in these places.
[jira] [Commented] (HDFS-11441) Add escaping to error message in KMS web UI
[ https://issues.apache.org/jira/browse/HDFS-11441?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15897869#comment-15897869 ]

Andrew Wang commented on HDFS-11441:

The threat here is if someone injects bad input into an exception message, which is then viewed in a browser. This seems pretty unlikely to me considering users do not interact with the KMS via a browser. I don't think it's critical.

Let's leave it to 2.8.1 then, thanks!
[jira] [Commented] (HDFS-11441) Add escaping to error message in KMS web UI
[ https://issues.apache.org/jira/browse/HDFS-11441?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15897862#comment-15897862 ]

Junping Du commented on HDFS-11441:
---

How serious could the issue here be? If it is minor, as it claims to be, I would suggest leaving it to 2.8.1. Otherwise, please bump it up to critical and leave comments for justification.