-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/65053/
-----------------------------------------------------------

(Updated Jan. 12, 2018, 10:23 p.m.)


Review request for sentry, Brian Towles, kalyan kumar kalvagadda, and Sergio 
Pena.


Summary (updated)
-----------------

SENTRY-2120: Escape input string for error response message in LogLevelServlet


Repository: sentry


Description (updated)
-------

An HTTP parameter is written directly to the Servlet error page. Echoing this 
untrusted input is bad practice for security purposes. The input string needs 
to be escaped before it is added to the error response message.


Diffs
-----

  
  sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/LogLevelServlet.java fce41a8 


Diff: https://reviews.apache.org/r/65053/diff/1/


Testing
-------


Thanks,

Na Li
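
The pattern the description refers to, as an added example that is not part of the review request and not the Sentry patch: an error message built from a request parameter, before and after HTML escaping. The class name, the accepted level list, the escaper and the sample value are all assumptions made for illustration; the servlet API is left out so the file runs on its own.

```java
import java.util.Arrays;
import java.util.List;

public class LogLevelErrorMessage {
    // Hypothetical accepted values; the real servlet's list is not shown on this page.
    private static final List<String> VALID =
            Arrays.asList("TRACE", "DEBUG", "INFO", "WARN", "ERROR");

    /** Minimal HTML escaper for text placed in element content or quoted attributes. */
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Before: the parameter is concatenated into the error page as-is,
    // so any markup in it is interpreted by the browser.
    static String unsafeError(String level) {
        return "Invalid log level: " + level;
    }

    // After: the parameter is escaped, so the browser renders it as plain text.
    static String safeError(String level) {
        return "Invalid log level: " + escapeHtml(level);
    }

    public static void main(String[] args) {
        // Constructed sample value standing in for the untrusted request parameter.
        String level = "<b>DEBUG</b> & \"x\"";
        if (level == null || !VALID.contains(level)) {
            System.out.println("unescaped: " + unsafeError(level));
            System.out.println("escaped:   " + safeError(level));
        }
    }
}
```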
