Sean Busbey created HBASE-17560:
-----------------------------------

             Summary: HMaster redirect should sanity check user input
                 Key: HBASE-17560
                 URL: https://issues.apache.org/jira/browse/HBASE-17560
             Project: HBase
          Issue Type: Bug
          Components: master, security, UI
            Reporter: Sean Busbey

We should do some sanity checking on the user-provided data before we blindly pass it to a redirect. i.e.

{code}
public static class RedirectServlet extends HttpServlet {
  private static final long serialVersionUID = 2894774810058302472L;
  private static int regionServerInfoPort;

  @Override
  public void doGet(HttpServletRequest request,
      HttpServletResponse response) throws ServletException, IOException {
    String redirectUrl = request.getScheme() + "://"
        + request.getServerName() + ":" + regionServerInfoPort
        + request.getRequestURI();
    response.sendRedirect(redirectUrl);
  }
}
{code}

e.g.

* Are we redirecting to a server that is ours?
* Did we validate the path/query string?
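
The two checks listed above, sketched as an added example; this is not HBase code and not the fix adopted for this issue. The class and method names, the host allowlist and the path rule are assumptions made for illustration, and the sample hosts and port are constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Optional;
import java.util.Set;
import java.util.regex.Pattern;
// Added illustration; names, the host allowlist and the path rule are assumptions.
public class SafeRedirectExample {
  // Raw request path: leading slash, then unreserved characters and slashes only.
  // '%', '\\', '?', '#', '@', CR and LF are all outside this set.
  private static final Pattern SAFE_PATH = Pattern.compile("/[A-Za-z0-9._~/-]*");

  /** Returns the redirect target, or empty when any input fails validation. */
  static Optional<String> buildRedirect(Set<String> ourHosts, String scheme,
      String serverName, int infoPort, String requestUri) {
    if (serverName == null || requestUri == null || infoPort <= 0 || infoPort > 65535
        || !("http".equals(scheme) || "https".equals(scheme))) {
      return Optional.empty();
    }
    // getServerName() normally reflects the client's Host header: is it ours?
    String host = serverName.toLowerCase(Locale.ROOT);
    if (!ourHosts.contains(host)) {
      return Optional.empty();
    }
    // Reject empty segments and dot-dot sequences (conservative: also rejects "a..b").
    if (!SAFE_PATH.matcher(requestUri).matches()
        || requestUri.contains("//") || requestUri.contains("..")) {
      return Optional.empty();
    }
    try {
      // Re-parse the assembled URL and confirm it still points where we intended.
      URI target = new URI(scheme + "://" + host + ":" + infoPort + requestUri);
      boolean same = host.equals(target.getHost()) && target.getPort() == infoPort
          && target.getUserInfo() == null && requestUri.equals(target.getRawPath());
      return same ? Optional.of(target.toASCIIString()) : Optional.empty();
    } catch (URISyntaxException e) {
      return Optional.empty();
    }
  }
  public static void main(String[] args) {
    Set<String> ours = Set.of("master1.example.com"); // constructed sample allowlist
    String[][] cases = { // constructed sample inputs: {serverName, requestURI}
      {"master1.example.com", "/rs-status"}, {"other.example.net", "/rs-status"},
      {"master1.example.com", "//other.example.net/x"}, {"master1.example.com", "/a%0d%0ab"}};
    for (String[] c : cases) {
      System.out.println(c[0] + " " + c[1] + " -> "
          + buildRedirect(ours, "http", c[0], 16030, c[1]));
    }
  }
}
```

A servlet using this would call `sendRedirect` only when a value is returned and answer with an error status otherwise.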