[jira] [Commented] (HADOOP-12711) Remove dependency on commons-httpclient for ServletUtil

Tue, 23 Feb 2016 18:59:38 -0800 

    [ 
https://issues.apache.org/jira/browse/HADOOP-12711?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15160113#comment-15160113
 ] 

Masatake Iwasaki commented on HADOOP-12711:
-------------------------------------------

Thanks for the update, [~jojochuang].

{code}
103       public static String encodeQueryValue(final String value) {
104         String param = "";
105         List<NameValuePair> queryParams = new ArrayList<NameValuePair>();
106         queryParams.add(new BasicNameValuePair(param, value));
107         String encodedQuery = URLEncodedUtils.format(queryParams, 
Consts.UTF_8);
108         // remove the separator.
109         return encodedQuery.substring(1);
{code}

If only form value is concerned, It seems to be safe to use 
[java.net.URLEncoder#encode|http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/file/852c8effb528/src/share/classes/java/net/URLEncoder.java#l201].
 It is doing the same thing with 
[URLEncodedUtils#encodeFormFields|https://github.com/apache/httpclient/blob/4.5.x/httpclient/src/main/java/org/apache/http/client/utils/URLEncodedUtils.java#L616].
 Referring to URLEncodedUtils may have been misleading...

> Remove dependency on commons-httpclient for ServletUtil
> -------------------------------------------------------
>
>                 Key: HADOOP-12711
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12711
>             Project: Hadoop Common
>          Issue Type: Sub-task
>    Affects Versions: 2.8.0
>            Reporter: Wei-Chiu Chuang
>            Assignee: Wei-Chiu Chuang
>         Attachments: HADOOP-12711.001.patch, HADOOP-12711.002.patch
>
>
> This is a branch-2 only change, as ServletUtil for trunk removes the code 
> that depends on commons-httpclient.
> We need to retire the use of commons-httpclient in Hadoop to address the 
> security concern in CVE-2012-5783 
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5783.
> {noformat}
> import org.apache.commons.httpclient.URIException;
> import org.apache.commons.httpclient.util.URIUtil;
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to