[ https://issues.apache.org/jira/browse/OOZIE-2492?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
abhishek bafna updated OOZIE-2492:
----------------------------------
    Fix Version/s:     (was: trunk)
                   4.3.0

> JSON security issue in js code
> ------------------------------
>
>                 Key: OOZIE-2492
>                 URL: https://issues.apache.org/jira/browse/OOZIE-2492
>             Project: Oozie
>          Issue Type: Bug
>          Components: client, security
>    Affects Versions: 4.1.0
>            Reporter: Ferenc Denes
>            Assignee: Ferenc Denes
>              Labels: security, web-console
>             Fix For: 4.3.0
>
>         Attachments: OOZIE-2492-1.patch
>
>
> JSON parsing is done using the eval js method in several places in the
> oozie-console.js, which allows code injection.
> The project already contains a json parser library, which should be used all
> around the code.
> We are aware that most of the json documents parsed are from the oozie
> server, and not from the user directly. However fixing it all will make the
> code most robust and consistent.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
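
An added illustration of the issue described above (not code from oozie-console.js or from the attached patch): the same response body parsed with eval and with a strict JSON parser. The response bodies, `recordSideEffect`, `parseWithEval`, `parseStrict` and `demo` are constructed for this example, and the built-in `JSON.parse` stands in for the project's bundled parser library, which the issue does not name.

```javascript
// Constructed sample response bodies; not taken from an Oozie server.
const benignBody = '{"id": "job-1", "status": "RUNNING"}';
// Valid JavaScript but not valid JSON: a function call sits where a value belongs.
const hostileBody = '{"id": "job-2", "status": recordSideEffect("ran during parse")}';

// Harmless stand-in for script that a tampered response could carry.
const sideEffects = [];
function recordSideEffect(msg) {
  sideEffects.push(msg);
  return "RUNNING";
}

// The pattern the issue describes: eval used as a JSON parser.
// Any expression in the body is executed in the page's context.
function parseWithEval(body) {
  return eval("(" + body + ")");
}

// Hardened form: only the JSON grammar is accepted, nothing is executed.
function parseStrict(body) {
  try {
    return { ok: true, value: JSON.parse(body) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

function demo() {
  sideEffects.length = 0;
  const evalResult = parseWithEval(hostileBody);   // runs recordSideEffect
  const executedDuringEval = sideEffects.length;
  const strictHostile = parseStrict(hostileBody);  // rejected, nothing runs
  const strictBenign = parseStrict(benignBody);    // parsed normally
  return {
    evalResult,
    executedDuringEval,
    executedAfterStrict: sideEffects.length,
    strictHostile,
    strictBenign,
  };
}

console.log(demo());
```

With the eval-based parser the object comes back looking like an ordinary job record, so the caller has no sign that code ran; the strict parser surfaces the malformed body as an error that can be logged.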