[ https://issues.apache.org/jira/browse/HDFS-11441?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15897869#comment-15897869 ]

Andrew Wang commented on HDFS-11441:
------------------------------------

The threat here is if someone injects bad input into an exception message, 
which is then viewed in a browser. This seems pretty unlikely to me considering 
users do not interact with the KMS via a browser. I don't think it's a critical.

Let's leave it to 2.8.1 then, thanks!

> Add escaping to error message in KMS web UI
> -------------------------------------------
>
>                 Key: HDFS-11441
>                 URL: https://issues.apache.org/jira/browse/HDFS-11441
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.8.0
>            Reporter: Aaron T. Myers
>            Assignee: Aaron T. Myers
>            Priority: Minor
>             Fix For: 2.9.0, 3.0.0-alpha3, 2.8.1
>
>         Attachments: HDFS-11441-branch-2.6.patch, HDFS-11441.patch, 
> HDFS-11441.patch
>
>
> There's a handful of places where web UIs don't escape error messages. We 
> should add escaping in these places.


