HBASE-22467 UI fixes to enable Knox proxying #261
Conversation
| } else { | ||
| super.doGet(req, resp); | ||
| } | ||
| } | ||
|
|
||
| static String sanitize(String input) { |
There was a problem hiding this comment.
Any particular rationale for this approach rather than using the existing org.apache.hadoop.hbase.http.HtmlQuoting.quoteHtmlChars(String) method?
I guess the quoting approach doesn't protect against an attacker setting the Accept header to javascript at the same time they include a query parameter that would cause the browser to execute said javascript in the echoed page.
I'm surprised there isn't already a utility method for this.
There was a problem hiding this comment.
Nope! Just ignorant of that class.
| @@ -37,6 +38,8 @@ | |||
| private static final long serialVersionUID = 1L; | |||
| private static final Logger LOG = LoggerFactory.getLogger(ProfileOutputServlet.class); | |||
| private static final int REFRESH_PERIOD = 2; | |||
| // Alphanumeric characters, plus percent (url-encoding), equals, and ampersand | |||
| private static final Pattern ALPHA_NUMERIC = Pattern.compile("[a-zA-Z0-9\\%\\=\\&]*"); | |||
There was a problem hiding this comment.
nit:should also accept a literal + for spaces I think?
|
Pushed edaae03 which uses HtmlQuoting. Don't see a need to re-invent the wheel and I think the implementation of that method is fine. |
| HBaseClassTestRule.forClass(TestProfileOutputServlet.class); | ||
|
|
||
| @Test | ||
| public void testSanitization() { |
There was a problem hiding this comment.
won't these tests fail now?
|
Ripping out edaae03 -- doesn't work for what I'm trying to do here. Will leave a comment on commit. |
Closes #261 Signed-off-by: Sean Busbey <busbey@apache.org>
Closes #261 Signed-off-by: Sean Busbey <busbey@apache.org>
Closes #261 Signed-off-by: Sean Busbey <busbey@apache.org>
Closes apache#261 Signed-off-by: Sean Busbey <busbey@apache.org> (cherry picked from commit dbcf286) Change-Id: I4704a54d5933c61d412cfeb709a2284416283b94
No description provided.