HBASE-22467 UI fixes to enable Knox proxying #261
Conversation
} else { | ||
super.doGet(req, resp); | ||
} | ||
} | ||
|
||
static String sanitize(String input) { |
Any particular rationale for this approach rather than using the existing org.apache.hadoop.hbase.http.HtmlQuoting.quoteHtmlChars(String) method?
I guess the quoting approach doesn't protect against an attacker setting the Accept header to javascript at the same time they include a query parameter that would cause the browser to execute said javascript in the echoed page.
I'm surprised there isn't already a utility method for this.
Nope! Just ignorant of that class.
@@ -37,6 +38,8 @@ | |||
private static final long serialVersionUID = 1L; | |||
private static final Logger LOG = LoggerFactory.getLogger(ProfileOutputServlet.class); | |||
private static final int REFRESH_PERIOD = 2; | |||
// Alphanumeric characters, plus percent (url-encoding), equals, and ampersand | |||
private static final Pattern ALPHA_NUMERIC = Pattern.compile("[a-zA-Z0-9\\%\\=\\&]*"); |
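Review bot: the allow-list in the `ALPHA_NUMERIC` line rejects `+`, which form and query encoding commonly use for a space, and also the RFC 3986 unreserved characters `-`, `.`, `_` and `~`, so an otherwise legitimate percent-encoded query such as `event=cpu+time` or `pid=host-1.example` fails validation even though the comment above it says the intent is to accept url-encoded input. If any well-formed query string should pass, consider `Pattern.compile("[a-zA-Z0-9%=&+._~-]*")`; note also that the trailing `*` matches the empty string, so an empty query is treated as valid and callers must handle that case themselves.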
nit: should also accept a literal + for spaces I think?
Agree!
Pushed edaae03 which uses HtmlQuoting. Don't see a need to re-invent the wheel and I think the implementation of that method is fine.
HBaseClassTestRule.forClass(TestProfileOutputServlet.class); | ||
|
||
@Test | ||
public void testSanitization() { |
won't these tests fail now?
Ugh, yes.
Ripping out edaae03 -- doesn't work for what I'm trying to do here. Will leave a comment on commit.
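The exchange above turns on the difference between an allow-list check (the `ALPHA_NUMERIC` pattern in the hunk) and HTML entity quoting (`HtmlQuoting.quoteHtmlChars`): quoting neutralises HTML metacharacters but passes everything else through, so a value echoed into a response whose content type the client influenced can still carry a usable payload, while the allow-list rejects anything outside a small character set at the cost of rejecting legitimate encodings such as `+`. The following program is an added example, not code from HBase or from this PR. It reuses the PR's pattern verbatim, adds an assumed variant `ALPHA_NUMERIC_PLUS` that applies the reviewer's nit, and uses a stand-in `quoteHtmlChars` written for this example that escapes `& < > " '`; the real HBase method may differ in detail. The class name `SanitizeDemo` and the sample query strings are constructed for illustration.

```java
import java.util.regex.Pattern;

/**
 * Added example (not HBase or PR code): allow-list validation versus HTML entity
 * quoting for a query string that a servlet echoes back into its response.
 */
public class SanitizeDemo {

    // The pattern exactly as it appears in the PR hunk: letters, digits, '%', '=', '&'.
    static final Pattern ALPHA_NUMERIC = Pattern.compile("[a-zA-Z0-9\\%\\=\\&]*");

    // Assumed variant with the reviewer's nit applied: a literal '+' (space encoding) is also allowed.
    static final Pattern ALPHA_NUMERIC_PLUS = Pattern.compile("[a-zA-Z0-9%=&+]*");

    /** Allow-list check. matches() anchors at both ends, so one disallowed character fails the whole input. */
    static boolean isAllowed(Pattern allowList, String input) {
        return input != null && allowList.matcher(input).matches();
    }

    /** Stand-in for HTML entity quoting: rewrites HTML metacharacters and passes every other character through. */
    static String quoteHtmlChars(String input) {
        StringBuilder out = new StringBuilder(input.length());
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample query strings: three benign encodings, then two payloads.
        String[] samples = {
            "pid=1234&duration=30",           // plain query string
            "event=cpu%20time",               // percent-encoded space
            "event=cpu+time",                 // '+' encoding of a space (rejected by the PR pattern)
            "event=alert(document.cookie)",   // JS payload with no HTML metacharacters
            "event=\"><script>x()</script>",  // classic HTML injection
        };
        System.out.printf("%-34s %-8s %-8s %s%n", "input", "PR", "PR+plus", "quoted");
        for (String s : samples) {
            System.out.printf("%-34s %-8b %-8b %s%n",
                s, isAllowed(ALPHA_NUMERIC, s), isAllowed(ALPHA_NUMERIC_PLUS, s), quoteHtmlChars(s));
        }
    }
}
```

Compile and run with `javac SanitizeDemo.java && java SanitizeDemo`. Two rows make the reviewers' points concrete: `event=cpu+time` fails the PR's pattern but passes the `+` variant, which is the nit about spaces; and `event=alert(document.cookie)` comes out of `quoteHtmlChars` unchanged yet fails both allow-lists, because the parentheses and the dot are outside the character set. Entity quoting is the right tool when the output context is known to be HTML; when the content type can be steered by the request, as the Accept-header concern above describes, the allow-list is what actually constrains the echoed bytes.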
Closes #261 Signed-off-by: Sean Busbey <busbey@apache.org>
Closes apache#261 Signed-off-by: Sean Busbey <busbey@apache.org> (cherry picked from commit dbcf286) Change-Id: I4704a54d5933c61d412cfeb709a2284416283b94