[ https://issues.apache.org/jira/browse/HADOOP-12711?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15160113#comment-15160113 ]
Masatake Iwasaki commented on HADOOP-12711: ------------------------------------------- Thanks for the update, [~jojochuang]. {code} 103 public static String encodeQueryValue(final String value) { 104 String param = ""; 105 List<NameValuePair> queryParams = new ArrayList<NameValuePair>(); 106 queryParams.add(new BasicNameValuePair(param, value)); 107 String encodedQuery = URLEncodedUtils.format(queryParams, Consts.UTF_8); 108 // remove the separator. 109 return encodedQuery.substring(1); {code} If only form value is concerned, It seems to be safe to use [java.net.URLEncoder#encode|http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/file/852c8effb528/src/share/classes/java/net/URLEncoder.java#l201]. It is doing the same thing with [URLEncodedUtils#encodeFormFields|https://github.com/apache/httpclient/blob/4.5.x/httpclient/src/main/java/org/apache/http/client/utils/URLEncodedUtils.java#L616]. Referring to URLEncodedUtils may have been misleading... > Remove dependency on commons-httpclient for ServletUtil > ------------------------------------------------------- > > Key: HADOOP-12711 > URL: https://issues.apache.org/jira/browse/HADOOP-12711 > Project: Hadoop Common > Issue Type: Sub-task > Affects Versions: 2.8.0 > Reporter: Wei-Chiu Chuang > Assignee: Wei-Chiu Chuang > Attachments: HADOOP-12711.001.patch, HADOOP-12711.002.patch > > > This is a branch-2 only change, as ServletUtil for trunk removes the code > that depends on commons-httpclient. > We need to retire the use of commons-httpclient in Hadoop to address the > security concern in CVE-2012-5783 > http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5783. > {noformat} > import org.apache.commons.httpclient.URIException; > import org.apache.commons.httpclient.util.URIUtil; > {noformat} -- This message was sent by Atlassian JIRA (v6.3.4#6332)