Repository: hbase Updated Branches: refs/heads/branch-1.2 3c7e96a6f -> 8b9455cd5
HBASE-17561 table status page should escape values that may contain arbitrary characters. Signed-off-by: Esteban Gutierrez <este...@apache.org> Project: http://git-wip-us.apache.org/repos/asf/hbase/repo Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/8b9455cd Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/8b9455cd Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/8b9455cd Branch: refs/heads/branch-1.2 Commit: 8b9455cd586728e71080da8804b0c0824d00cb2f Parents: 3c7e96a Author: Sean Busbey <bus...@apache.org> Authored: Thu Feb 9 20:36:58 2017 -0800 Committer: Sean Busbey <bus...@apache.org> Committed: Wed Feb 22 01:16:59 2017 -0600 ---------------------------------------------------------------------- .../resources/hbase-webapps/master/table.jsp | 41 ++++++++++++-------- 1 file changed, 24 insertions(+), 17 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hbase/blob/8b9455cd/hbase-server/src/main/resources/hbase-webapps/master/table.jsp ---------------------------------------------------------------------- diff --git a/hbase-server/src/main/resources/hbase-webapps/master/table.jsp b/hbase-server/src/main/resources/hbase-webapps/master/table.jsp index 32c8852..6c99ba7 100644 --- a/hbase-server/src/main/resources/hbase-webapps/master/table.jsp +++ b/hbase-server/src/main/resources/hbase-webapps/master/table.jsp @@ -19,8 +19,10 @@ --%> <%@ page contentType="text/html;charset=UTF-8" import="static org.apache.commons.lang.StringEscapeUtils.escapeXml" + import="java.net.URLEncoder" import="java.util.TreeMap" import="java.util.Map" + import="org.apache.commons.lang.StringEscapeUtils" import="org.apache.hadoop.conf.Configuration" import="org.apache.hadoop.hbase.client.HTable" import="org.apache.hadoop.hbase.client.Admin" @@ -44,6 +46,7 @@ Configuration conf = master.getConfiguration(); MetaTableLocator metaTableLocator = new MetaTableLocator(); String fqtn = request.getParameter("name"); + final String escaped_fqtn = StringEscapeUtils.escapeHtml(fqtn); HTable table = null; String tableHeader; boolean withReplica = false; @@ -67,9 +70,9 @@ <head> <meta charset="utf-8"> <% if ( !readOnly && action != null ) { %> - <title>HBase Master: <%= master.getServerName() %></title> + <title>HBase Master: <%= StringEscapeUtils.escapeHtml(master.getServerName().toString()) %></title> <% } else { %> - <title>Table: <%= fqtn %></title> + <title>Table: <%= escaped_fqtn %></title> <% } %> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta name="description" content=""> @@ -163,7 +166,7 @@ if ( fqtn != null ) { <div class="container-fluid content"> <div class="row inner_header"> <div class="page-header"> - <h1>Table <small><%= fqtn %></small></h1> + <h1>Table <small><%= escaped_fqtn %></small></h1> </div> </div> <div class="row"> @@ -178,12 +181,13 @@ if ( fqtn != null ) { HRegionInfo.FIRST_META_REGIONINFO, j); ServerName metaLocation = metaTableLocator.waitMetaRegionLocation(master.getZooKeeper(), j, 1); for (int i = 0; i < 1; i++) { - String url = "//" + metaLocation.getHostname() + ":" + + // The host name portion should be safe, but I don't know how we handle IDNs so err on the side of failing safely. + String url = "//" + URLEncoder.encode(metaLocation.getHostname()) + ":" + master.getRegionServerInfoPort(metaLocation) + "/"; %> <tr> <td><%= escapeXml(meta.getRegionNameAsString()) %></td> - <td><a href="<%= url %>"><%= metaLocation.getHostname().toString() + ":" + master.getRegionServerInfoPort(metaLocation) %></a></td> + <td><a href="<%= url %>"><%= StringEscapeUtils.escapeHtml(metaLocation.getHostname().toString()) + ":" + master.getRegionServerInfoPort(metaLocation) %></a></td> <td><%= escapeXml(Bytes.toString(meta.getStartKey())) %></td> <td><%= escapeXml(Bytes.toString(meta.getEndKey())) %></td> <td>-</td> @@ -217,8 +221,10 @@ if ( fqtn != null ) { <%= compactionState %> <% } catch (Exception e) { - // Nothing really to do here - e.printStackTrace(); + // Nothing really to do here + for(StackTraceElement element : e.getStackTrace()) { + %><%= StringEscapeUtils.escapeHtml(element.toString()) %><% + } %> Unknown <% } %> @@ -244,7 +250,6 @@ if ( fqtn != null ) { ServerName addr = hriEntry.getValue(); long req = 0; float locality = 0.0f; - String urlRegionServer = null; if (addr != null) { ServerLoad sl = master.getServerManager().getLoad(addr); @@ -264,10 +269,10 @@ if ( fqtn != null ) { <td><%= escapeXml(Bytes.toStringBinary(regionInfo.getRegionName())) %></td> <% if (addr != null) { - String url = "//" + addr.getHostname() + ":" + master.getRegionServerInfoPort(addr) + "/rs-status"; + String url = "//" + URLEncoder.encode(addr.getHostname()) + ":" + master.getRegionServerInfoPort(addr) + "/rs-status"; %> <td> - <a href="<%= url %>"><%= addr.getHostname().toString() + ":" + addr.getPort() %></a> + <a href="<%= url %>"><%= StringEscapeUtils.escapeHtml(addr.getHostname().toString()) + ":" + master.getRegionServerInfoPort(addr) %></a> </td> <% } else { @@ -293,19 +298,21 @@ if ( fqtn != null ) { <h2>Regions by Region Server</h2> <table class="table table-striped"><tr><th>Region Server</th><th>Region Count</th></tr> <% - for (Map.Entry<ServerName, Integer> rdEntry : regDistribution.entrySet()) { - ServerName addr = rdEntry.getKey(); - String url = "//" + addr.getHostname() + ":" + master.getRegionServerInfoPort(addr) + "/rs-status"; + for (Map.Entry<ServerName, Integer> rdEntry : regDistribution.entrySet()) { + ServerName addr = rdEntry.getKey(); + String url = "//" + URLEncoder.encode(addr.getHostname()) + ":" + master.getRegionServerInfoPort(addr) + "/rs-status"; %> <tr> - <td><a href="<%= url %>"><%= addr.getHostname().toString() + ":" + addr.getPort() %></a></td> + <td><a href="<%= url %>"><%= StringEscapeUtils.escapeHtml(addr.getHostname().toString()) + ":" + master.getRegionServerInfoPort(addr) %></a></td> <td><%= rdEntry.getValue()%></td> </tr> <% } %> </table> <% } } catch(Exception ex) { - ex.printStackTrace(System.err); + for(StackTraceElement element : ex.getStackTrace()) { + %><%= StringEscapeUtils.escapeHtml(element.toString()) %><% + } } finally { admin.close(); } @@ -322,7 +329,7 @@ Actions: <tr> <form method="get"> <input type="hidden" name="action" value="compact"> - <input type="hidden" name="name" value="<%= fqtn %>"> + <input type="hidden" name="name" value="<%= escaped_fqtn %>"> <td style="border-style: none; text-align: center"> <input style="font-size: 12pt; width: 10em" type="submit" value="Compact" class="btn"></td> <td style="border-style: none" width="5%"> </td> @@ -336,7 +343,7 @@ Actions: <tr> <form method="get"> <input type="hidden" name="action" value="split"> - <input type="hidden" name="name" value="<%= fqtn %>"> + <input type="hidden" name="name" value="<%= escaped_fqtn %>"> <td style="border-style: none; text-align: center"> <input style="font-size: 12pt; width: 10em" type="submit" value="Split" class="btn"></td> <td style="border-style: none" width="5%"> </td>