GitHub user ambauma opened a pull request:

    https://github.com/apache/spark/pull/19538

    [SPARK-20393][WEBU UI][2.0] Strengthen Spark to prevent XSS vulnerabilities

    ## What changes were proposed in this pull request?
    
    This is the fix for the master branch applied to the 2.0 branch. My (unnamed) company will be using Spark 1.6 probably for another year. We have been blocked from having Spark 1.6 on our workstations until CVE-2017-7678 is patched, which SPARK-20393 does. I was told I need to patch branch 2.0 before branch 1.6 could be patched.
    
    ## How was this patch tested?
    
    The patch came with unit tests. The test build passed. Manual testing on one of the affected screens showed the newline character removed. Screen display was the same regardless (HTML ignores newline characters).
    ![screenshot from 2017-10-19 12-54-01](https://user-images.githubusercontent.com/12421739/31786133-09ab7ea2-b4cd-11e7-88db-68c09e5b955b.png)
    


You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/ambauma/spark branch-2.0

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/spark/pull/19538.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #19538
    
----
commit 94918ea5e46ec1a1e8f12677bce51634efee6e35
Author: NICHOLAS T. MARION <nmar...@us.ibm.com>
Date:   2017-05-10T09:59:57Z

    [SPARK-20393][WEBU UI] Strengthen Spark to prevent XSS vulnerabilities
    
    Add stripXSS and stripXSSMap to Spark Core's UIUtils. These functions are called at any point that getParameter is called against an HttpServletRequest.
    
    Unit tests, IBM Security AppScan Standard no longer showing vulnerabilities, manual verification of WebUI pages.
    
    Author: NICHOLAS T. MARION <nmar...@us.ibm.com>
    
    Closes #17686 from n-marion/xss-fix.

commit 3e01302e8870c3193232463b03a734a0980be554
Author: ambauma <andrew.m.baum...@gmail.com>
Date:   2017-10-19T00:54:58Z

    Changes based on code review.

----


---
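The sanitisation pattern the commit message describes (strip each request parameter before it is used, and apply the same function to a whole parameter map), written out as an added example; this is not the code from the pull request, and the regex, the `escapeHtml` helper and the sample parameters are assumptions of this example.

```scala
import scala.util.matching.Regex

object XssStripExample {
  // Assumption: drop raw and URL-encoded newlines plus single quotes, then HTML-escape.
  private val NewlineAndQuote: Regex = raw"(?i)(\r\n|\n|\r|%0D%0A|%0A|%0D|'|%27)".r

  // Minimal HTML escaping for the characters that matter in text and attribute context.
  private def escapeHtml(s: String): String = {
    val sb = new StringBuilder
    s.foreach {
      case '&' => sb.append("&amp;")
      case '<' => sb.append("&lt;")
      case '>' => sb.append("&gt;")
      case '"' => sb.append("&quot;")
      case c   => sb.append(c)
    }
    sb.toString
  }

  /** Sanitise one request parameter; null stays null so callers keep their null checks. */
  def stripXSS(requestParameter: String): String =
    if (requestParameter == null) null
    else escapeHtml(NewlineAndQuote.replaceAllIn(requestParameter, ""))

  /** Apply stripXSS to every value of a parameter map, the shape returned by
    * HttpServletRequest.getParameterMap, so no parameter reaches a page unsanitised. */
  def stripXSSMap(params: Map[String, Array[String]]): Map[String, Array[String]] =
    params.map { case (name, values) => name -> values.map(stripXSS) }

  def main(args: Array[String]): Unit = {
    // Constructed parameters standing in for getParameterMap() on a WebUI request.
    val raw = Map(
      "id"   -> Array("app-20171019125401-0001"),
      "sort" -> Array("<script>alert(1)</script>"),
      "name" -> Array("job%0D%0Awith-injected-line")
    )
    stripXSSMap(raw).foreach { case (k, v) => println(s"$k -> ${v.mkString(",")}") }
  }
}
```

The `id` value passes through unchanged, the `sort` value is rendered inert by escaping, and the encoded newline in `name` is removed, which is the behaviour the manual test in the description reports.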

---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscr...@spark.apache.org
For additional commands, e-mail: reviews-h...@spark.apache.org
