[ https://issues.apache.org/jira/browse/OOZIE-2492?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

abhishek bafna updated OOZIE-2492:
----------------------------------
    Fix Version/s:     (was: trunk)
                   4.3.0

> JSON security issue in js code
> ------------------------------
>
>                 Key: OOZIE-2492
>                 URL: https://issues.apache.org/jira/browse/OOZIE-2492
>             Project: Oozie
>          Issue Type: Bug
>          Components: client, security
>    Affects Versions: 4.1.0
>            Reporter: Ferenc Denes
>            Assignee: Ferenc Denes
>              Labels: security, web-console
>             Fix For: 4.3.0
>
>         Attachments: OOZIE-2492-1.patch
>
>
> JSON parsing is done using the eval js method in several places in the 
> oozie-console.js, which allows code injection.
> The project already contains a json parser library, which should be used all 
> around the code.
> We are aware that most of the json documents parsed are from the oozie 
> server, and not from the user directly. However, fixing it all will make the 
> code more robust and consistent.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
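
The difference the issue describes, as an added example that is not part of the ticket, the attached patch, or the Oozie code base: the same response body parsed with the `eval` pattern and with a strict JSON parser. The function names and sample responses are constructed for illustration, and the built-in `JSON.parse` stands in for the project's bundled parser library, which the ticket does not name.

```javascript
// Legacy pattern: the response text is evaluated as JavaScript source,
// so any expression embedded in it runs in the page's context.
function parseWithEval(text) {
  return eval("(" + text + ")");
}

// Strict parsing: JSON.parse accepts only the JSON grammar and never
// executes its input; anything else is rejected with a SyntaxError.
function parseStrict(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Constructed sample responses (not real Oozie server output).
const benignResponse = '{"id":"job-1","status":"RUNNING"}';
// A field value replaced by a function call; the marker flag only
// records whether the embedded code was executed.
const tamperedResponse =
  '{"id":"job-1","status":(function(){globalThis.injectedRan=true;return "RUNNING";})()}';

// Parse the tampered response both ways and report what happened.
function compareParsers() {
  globalThis.injectedRan = false;
  const evalValue = parseWithEval(tamperedResponse);
  const evalExecuted = globalThis.injectedRan;

  globalThis.injectedRan = false;
  const strictResult = parseStrict(tamperedResponse);
  const strictExecuted = globalThis.injectedRan;

  return {
    evalStatus: evalValue.status,      // looks like a normal response
    evalExecuted,                      // but the embedded code ran
    strictOk: strictResult.ok,         // strict parser rejects the body
    strictError: strictResult.error,
    strictExecuted,                    // and nothing was executed
    benign: parseStrict(benignResponse),
  };
}

console.log(compareParsers());
```

With `eval` the tampered body still yields a plausible-looking object, so the console would show no visible failure; the strict parser turns the same input into an error the caller can handle.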
